When considering the major benefits of modern cloud computing, the lower operational overhead of the cloud should be high on anyone’s list. But when it comes to sensitive data — such as healthcare, finance, retail or government data — security measures are needed to ensure privacy and abide by regulations. Such security measures may be prohibitive in terms of operational overhead.
Companies are faced with finding the right balance between the lower operational overhead offered by the cloud and the higher operational overhead required by traditional cloud security.
The role of cloud encryption in cloud security
Moving to the cloud involves a number of perceived and real changes. Some of the changes are evolutionary. A modern cloud can resemble a data center in many of its management and security techniques. For example, modern clouds may offer identity and access controls, or they may offer built-in firewalls.
One big, revolutionary change is ownership of infrastructure. When you use a cloud, ownership of the infrastructure may mean you lose control of your project and control of your data. For sensitive workloads, maintaining ownership is essential.
Cloud encryption of data is the recommended best practice for keeping ownership. The recommendation is to encrypt the data and keep the encryption keys to yourself.
How to encrypt data and keep the encryption keys to yourself? Cloud providers have not yet come up with a good “cloudy” answer.
Some solutions increase the overhead of cloud computing
In the traditional large data center world, companies often achieved encryption and management of encryption keys with hardware appliances. A “Hardware Security Module” (HSM) is essentially a hardware box that is made tamper proof. For example, if anyone tries to open the box all the contents will be erased.
Even in the data center, these solutions were considered complex.
Lacking a better solution, cloud providers have tried to adapt hardware solutions to the cloud. This raises obvious issues: clouds are all about elasticity and flexibility, so how does a hardware solution fit in? Equally, clouds are about reducing operational complexity, so these hardware solutions were considered complex even by data center standards.
Software-defined encryption and key management
Everything in the cloud world is software defined, so why not encryption and key management?
The cloud does have a real Catch-22: When you encrypt data, you must save encryption keys somewhere. Saving them in the cloud defeats the whole purpose of encryption; saving them outside the cloud — in hardware — is, again, self-defeating, but in a different way.
Software-defined encryption and key management require new solutions. This is where two new technologies — split key encryption and homomorphic key management — come into the picture.
Split key encryption takes advantage of the benefits of the cloud while maintaining ownership of cloud encryption keys.. Data is encrypted; but instead of having one encryption key for each object (each disk, each file, etc.), you have two or more — all of which are required to decrypt data. At least one of these keys is kept “at home” with you. Gaining access to the “other” keys does not enable access to the data. Using this technique, you keep ownership to yourself.
Homomorphic key management is a technology that completes the picture. It encrypts the key that you own. And it keeps that key encrypted even when your system is running in the cloud; this way, everything stays secure when “at rest” and when “in use.” The result is that the key that guarantees your ownership is never on a virtual a disk in the cloud and never in virtual memory in the cloud.
Foundation for cloud security
Split key encryption and homomorphic key management are new technologies that lay a foundation for cloud security that is truly cloudy in nature. These technologies allow you to achieve compliance with all the major regulatory standards such as PCI or HIPAA. You can take full advantage of the great value of the cloud — low operational overhead, elasticity, flexibility— while having the strongest security for your data.
Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. A pioneer in the field of cloud computing, he has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance. Gilad can be found on his blog, Twitter, LinkedIn, and Google+ discussing cloud security.