
Cloud computing 2014: Moving to a zero-trust security model

Jaikumar Vijayan | Jan. 2, 2014
Snowden leaks aren't driving companies away from the cloud but the disclosures have made them a lot more careful.

By the end of 2014, Microsoft expects to have measures in place for encrypting data in transit between customer locations and its data centers, and while in transit between its own data centers.

Like Google, Microsoft says it plans to encrypt all stored data in the cloud.

Several other cloud services providers, like Dropbox, Sonic.net and SpiderOak, have announced support for similar data encryption programs, and for features like 2048-bit key lengths and the "Perfect Forward Secrecy" method for future-proofing encrypted data.

Experts say such measures are vital to protecting data traveling between customer companies and cloud service providers.

Information in the classified documents about NSA attempts to weaken encryption algorithms and to tap the fiber links connecting service provider data centers provided much of the impetus for these efforts.

Key management and data ownership
The U.S. government's position in its dispute with Lavabit, a secure email services provider, that cloud service firms must hand over their encryption keys when asked, has focused considerable attention on key management and data ownership.

While encryption efforts by service providers are a vital part of improving cloud security, they only go so far, says Eric Chiu, president of HyTrust, a cloud infrastructure management company.

"Encryption is only as secure as its key management system," Chiu said. "While cloud providers may implement encryption, customers need to be aware that if providers hold encryption keys, it's still possible that they can access data — or provide the keys to someone who requests them."

Such concerns have sparked increased interest in approaches that let enterprise users of cloud services own the encryption and cryptographic key management process while data is at rest, in use and in transit.

A growing number of vendors, including Vaultive, CipherCloud, TrendMicro and HyTrust, offer tools designed to make it easier for businesses to retain more control of their data while taking advantage of cloud hosted infrastructures and services.

CipherCloud, for instance, sells a gateway technology that lets companies encrypt data while in transit to and from the cloud and while stored. The gateway lets enterprises store encryption keys locally and still interact with the encrypted data in the cloud.

Such technologies mean that government agencies would have to seek help from the owners of data to gain access. The goal is to eliminate the handing over of such keys to government agencies by cloud vendors without the knowledge of the data owners.
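To make the customer-held-key model concrete, here is an added example (not code from CipherCloud, HyTrust or any vendor named above) of the pattern such a gateway implements: data is encrypted on the customer side before it reaches the provider, and the only key that can decrypt it never leaves the customer's premises. The design choices are assumptions for illustration: a 32-byte key-encryption key (KEK) held locally, AES-256-GCM for both the payload and the key wrap, a fresh random data key per stored object, and the object identifier bound in as associated data so a stored blob cannot be silently swapped for another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudObject is everything the provider ends up storing. None of it decrypts
// without the customer's KEK, so a request to the provider for "the keys"
// yields only a wrapped data key that is useless on its own.
type CloudObject struct {
	WrappedDataKey []byte // per-object data key, encrypted under the customer's KEK
	WrapNonce      []byte
	Ciphertext     []byte // payload, encrypted under the data key (GCM tag appended)
	DataNonce      []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open decrypts and verifies; any change to ciphertext, nonce or aad fails.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the customer side (the "gateway" role). It generates a
// one-time data key for this object, encrypts the payload with it, then wraps
// the data key under the locally held KEK. Using a fresh key per object also
// keeps GCM's random-nonce reuse risk negligible.
func Encrypt(kek, plaintext []byte, objectID string) (*CloudObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	aad := []byte(objectID) // binds the blob to its identifier
	dataNonce, ct, err := seal(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &CloudObject{WrappedDataKey: wrapped, WrapNonce: wrapNonce,
		Ciphertext: ct, DataNonce: dataNonce}, nil
}

// Decrypt also runs on the customer side: unwrap the data key with the KEK,
// then open the payload. A wrong KEK or a mismatched objectID fails closed.
func Decrypt(kek []byte, obj *CloudObject, objectID string) ([]byte, error) {
	aad := []byte(objectID)
	dataKey, err := open(kek, obj.WrapNonce, obj.WrappedDataKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, obj.DataNonce, obj.Ciphertext, aad)
}

func main() {
	// Constructed sample KEK; in practice this lives in an on-premises HSM or KMS.
	kek := make([]byte, 32)
	for i := range kek {
		kek[i] = byte(i)
	}
	obj, err := Encrypt(kek, []byte("customer record 42"), "objects/42")
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, obj, "objects/42")
	fmt.Printf("customer side: %q, err=%v\n", pt, err)
	// A party holding only what the provider stores, plus a different key, gets nothing.
	_, err = Decrypt(make([]byte, 32), obj, "objects/42")
	fmt.Printf("without the customer KEK: err=%v\n", err)
}
```

The point the article's sources make maps directly onto the two calls at the end: the provider can be subpoenaed for everything in `CloudObject` and still hand over nothing readable, so any request for the data has to go through the owner of the KEK. The trade-off is also visible: search, indexing and other in-cloud processing of `Ciphertext` no longer work unless the gateway adds schemes for them, which is the cost and complexity the next paragraph refers to.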

Security experts have long recommended using persistent encryption to secure data in the cloud. To date, adoption has been low due to the cost and complexity of key management. That may be changing.

"For enterprises that require true data privacy for compliance or internal purposes, we will see those companies implement encryption themselves, and maintain their own keys on premise," predicts Chiu.
