The cloud can still be an unsettling place for many organizations reluctant to release the reins to their information, but encryption has helped calm some of those fears.
“Encryption makes sure that the minute they turn loose the data, they know it’s protected,” explained Jim Ivers, vice president for marketing for Covata, a data protection company. “People looking at cloud encryption are looking for an insurance policy,” he said.
Encrypting data in the cloud is part of a broader theme of cloud-based security services, a growing field according to Gartner. The research firm estimated that the cloud-based security services market was worth $2.1 billion last year and should grow to $3.1 billion by 2015. Ruggero Contu, a Gartner analyst, said in a statement that the strongest interest will be in encryption products from cloud security brokers. They “are relatively easy to deploy and have options for on-premises encryption management,” he said.
Interviews with eight providers of cloud-based data security services show that enterprises embracing encryption in the cloud want a number of things, including:
• Compliance. Government regulators and private sector groups such as the payment card industry are pushing organizations to encrypt their data.
• Protection. Data managers want to feel their data is safe from unauthorized eyes, whether those eyes belong to hackers, cloud administrators or government agents.
• Control. Companies want to control their data once it’s in the cloud. That often requires they possess the keys used to encrypt data stored in the cloud.
• Application compatibility. They want assurances that encrypting data won’t interfere with applications they need to conduct their business.
• Scalability. They want an encryption solution that continues to work as data demands on it grow.
Compliance is a top-of-mind concern for many companies mulling over moving their data to the cloud. “When clients approach me on the topic of encryption, it’s in the context of compliance,” said Robert Former, a senior security consultant with Neohapsis, an enterprise security and risk consulting firm. “They want to know, can this product or that one do the sort of encryption that will keep me compliant with frameworks like PCI or HIPAA.”
HIPAA, or the Health Insurance Portability and Accountability Act, authorizes the U.S. Department of Health and Human Services to make rules on the handling of health information data. PCI standards created by the payment card industry govern how payment card information and systems are secured.
Encryption can be a big carrot for organizations that need to comply with HIPAA. “If you screw up and release millions of records, HIPAA requires that you report the breach to the public, which can be a damaging thing,” said Willy Leichter, senior director for product marketing for CipherCloud, a data encryption company. “But if you can demonstrate that your data is encrypted properly and you’ve got the keys, no one else does, then, generally, there are exemptions from breach notification.”
The Quality Issue in Encryption
What is proper encryption? “Even the best encryption system in the world can be implemented poorly,” said Former, of Neohapsis. “That can actually be worse than having no encryption because you think you have encryption.”
For example, some developers use a block-cipher mode called Electronic Codebook (ECB). It breaks a data store into 128-bit blocks and uses a single key to encrypt each block independently of the others. The result is that the cryptotext for a given piece of plaintext is the same in every block where that plaintext appears. So the cryptotext for “password,” for example, would be identical wherever that word occupies a block.
That makes it easy to crack the encryption by using a tool like a frequency test. If you know an encrypted file contains a list of user passwords, for instance, you can compare frequently appearing cryptotext combinations to a list of commonly used passwords. “That allows me to make some very quick and reasonable assumptions about what data produced the cryptotext,” Former said.
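The leak Former describes can be measured directly. The check below is an added illustration, not code from the article or from any company quoted in it: a toy 128-bit Feistel cipher (a constructed stand-in, not AES) encrypts a constructed fixed-width password column in ECB and in CBC, and an auditor-style duplicate-block count shows the repeated “password” entries surfacing only in the ECB output; the key and IV are constructed values.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # 128-bit blocks, as in the article's ECB description

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed round function: HMAC of the right half, truncated to 8 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_block_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel). Toy only, NOT AES."""
    l, r = block[:8], block[8:]
    for i in range(rounds):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently under the same key."""
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(data))

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in _blocks(data):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)

def max_repeats(ciphertext: bytes) -> int:
    """Audit check: how often the most frequent block occurs (1 = no repeats)."""
    return max(Counter(_blocks(ciphertext)).values())

# Constructed sample: a fixed-width password column, one 16-byte block per
# entry, so the repeated value lands on block boundaries (worst case for ECB).
PASSWORDS = [b"password", b"hunter2", b"password", b"letmein", b"password"]
PLAINTEXT = b"".join(p.ljust(BLOCK, b"\x00") for p in PASSWORDS)
KEY = b"constructed-demo-key"  # constructed value, not from the article
IV = bytes(range(BLOCK))       # fixed for reproducibility; random in practice

if __name__ == "__main__":
    print("ECB max repeats:", max_repeats(ecb_encrypt(KEY, PLAINTEXT)))      # 3
    print("CBC max repeats:", max_repeats(cbc_encrypt(KEY, IV, PLAINTEXT)))  # 1
```

Run over stored ciphertext, a repeat count above 1 on block boundaries is a cheap signal that a system is using ECB or reusing an IV, and is worth flagging during an encryption review.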
Those kinds of mistakes, though, are more likely to be made by a local implementation of encryption than by a reputable cloud provider. “Every single cloud implementation I’ve looked into is using a good implementation of crypto,” Former said. “The reason for that is that these are companies that understand they have a vested interest in being able to pass all kinds of compliance frameworks, and they need to be able to withstand every freaky crypto nerd in the world looking for a way to bust them.”
Cloud service providers also realize that encryption done right is a way to win more converts. “Encryption and strong security systems are a cloud enabler,” said Tim Bramble, director of product management for Afore Solutions, a cloud data security company. “Organizations would really love to realize the benefits of the cloud, but they’re concerned about security.”
“If everything is inside their bricks and mortar perimeter, they feel their data is safer,” Bramble said. “If it goes in the cloud, they suddenly feel more exposed.”
“By giving organizations the ability to encrypt their data and to maintain control of the keys to that encryption — that’s a very vital piece — you enable these organizations to leverage the cloud,” he added.
The Importance of Key Ownership
Many experts agree that, if at all possible, the keys to encrypted data should remain with the owners of that data. “There’s a good argument for smaller businesses to turn their keys over to their cloud provider because they’ll be safer in the cloud than on a server on a desk,” said Leichter, of CipherCloud. That’s not the case, though, for larger businesses.
Not having control of the keys to your encrypted data means someone else has the means to view that data. Moreover, that someone else can be compelled to let others look at the data through court order. “Any company I know doesn’t want Microsoft or Google or Salesforce making a decision on what to turn over to authorities,” Leichter said.
Another drawback to giving a cloud provider control of your encryption keys is they’ll still have them — and possibly your data — should you move on to another provider. If you have your keys, you don’t have to worry about traces of your data remaining with a previous provider. “You can ensure — even if you leave that environment — your data’s useless,” said Eric Chiu, president and founder of HyTrust, a cloud infrastructure control company.
However, it’s not always possible to shield your keys from your cloud provider. You may need the provider to perform analytics on your data for you or use the data in cloud applications. In those cases, it may be possible to limit access to your data without hamstringing your provider’s services. “If you encrypt pieces of information — credit card numbers, vendor IDs, names and addresses — individually, you can release only what’s needed to be done for the task at hand,” said Mark Nunnikhoven, principal engineer of cloud and emerging technologies at Trend Micro. “So if you can isolate your data and split it into chunks, you can decrypt and encrypt what needs to be used at any given time.”
The Human Factor
While an organization may breathe easier knowing its data in the cloud is encrypted, the technology isn’t a magic bullet. “It’s not a panacea,” said Rajiv Gupta, CEO of Skyhigh Networks, a cloud security service. “There are moments when encrypted data is in a clear state.”
“And even if you encrypt the data, if your account is compromised and someone masquerading as you accesses your keys as you, then they’ll have access to your data,” he added.
That’s why many hackers prefer to avoid tackling encryption and pick on softer targets. “Encryption is actually a red herring,” said Tal Klein, vice president of marketing at Adallom, a provider of cloud-based security services.
“What we’ve seen is that it’s easier to compromise the user than decrypt his communications,” he explained. “If I were trying to go after your files, which would be easier: go after your credentials or decrypt files?”
“Once I have your credentials, I’ve got access to everything you have access to whether it’s encrypted or not,” he added.
John P. Mello Jr., is a freelance writer specializing in business and technology subjects, including consumer electronics, business computing and cyber security. Follow him on Twitter: @jpmello.