Key Encryption In The Battle For Cloud Security


By Mike Barch

One of the major challenges that comes with cloud computing, especially for security professionals, is protecting sensitive data that’s stored in the cloud. Consideration also has to be given to various regulatory compliance requirements that have to be met. The most common way to secure this data is via encryption, but the question arises as to who should be responsible for maintaining the encryption keys.

With SaaS solutions, it can be difficult to separate encryption key management from the provider, so it’s up to each customer to explore available options. One of the main challenges is to implement encryption that doesn’t hamper user experience or performance. This, coupled with encryption key management, makes the situation very complex. Careful planning and consideration must go into deciding whether to leave the onus of managing encryption keys solely in the hands of the Cloud Service Provider (CSP), managing your own keys or even using a Key Management as a Service solution.

Encryption key management continues to be a contentious issue with SaaS providers. When the CSP is responsible for key management, it is up to the customer to ensure they’re asking the right questions of the CSP to ensure the security of their data. Some important questions include: which key management tools are in use, how are the keys accessed, and are there audit trails for access to the keys?

It’s also important to understand how multi-tenant environments will be handled. Private keys are typically provided to the customers for specific application access when the CSP is managing the keys for them, so there’s typically not much more that can be done outside ensuring the preceding questions have been answered. This is likely the best solution in cases where there’s no highly classified data being stored by the CSP.

If a client has a strong need to use a SaaS based cloud solution but has more stringent security requirements, using an encryption gateway such as CipherCloud or Vormetric is a viable alternative. By implementing an encryption gateway within their own network in between the SaaS client application which resides on their network, and the SaaS cloud application which is onsite at the CSP, the customer is able to remain in control of the encryption and keys at all times.

This encryption gateway solution will essentially encrypt specific database fields, emails or certain attachments before being forwarded to the SaaS cloud application. Therefore, all of the data stored at the CSP that was processed at the encryption gateway is encrypted. When the encrypted data needs to be retrieved from the SaaS cloud application, it is decrypted by the encryption gateway before being displayed in the client application. This solution has limitations since only certain types of files and database fields can be encrypted, however the customer can maintain ownership and management of their own encryption keys.

Using CipherCloud or Vormetric will provide the client with a detailed audit trail so not only is the key management in their control, it’s easy to trace activities back to a particular user.

In addition to third-party encryption solutions, we’ve recently seen a move by both SaaS providers as well as big-data distributors to offer encryption and key management natively, so their customers can protect their data without the added cost and integration work that sometimes comes with third-party solutions.

Examples include big-data distributors Cloudera and Hortonworks, each of which acquired encryption vendors last year that allow them to offer encryption to their customers as either a standard feature or as a premium service.

As cloud infrastructure and applications become more tightly woven into the fabric of most modern enterprises, encryption will increasingly be expected as a standard feature of most cloud offerings. As encryption assumes its rightful place in the cloud security toolkit, so too will the need for a key management system that supports a variety of cloud and encryption architectures and also scales to meet the demands of an elastic, on-demand infrastructure.

For large SaaS, IaaS and big-data providers, we are likely to see more native encryption options come to market as they look to meet customer demands for data protection. Also, it’s likely we will see Key Management as a Service and more on premise key management solutions such as the offerings being provided by Vormetric gain popularity.

For customers with strict internal security policies or those facing data residency requirements, on premise key management will remain a must, and for this group, third-party encryption vendors will still play a large role. Either way, we see third-party vendors evolving more towards key management and away from basic encryption, particularly as more customers adopt multiple cloud applications and may have a need for a centralized way of managing their keys.

For smaller SaaS providers, many may opt to integrate encryption gateways or third-party encryption and key management offerings directly into their products rather than expending the time and resources that Salesforce and Box likely did to develop with their own native offerings.

Regardless of how things play out, key management will remain a central issue in the battle for cloud data security.

About The Author
Mike Barch
Vice President Security Services
NTT DATA Services