05:10 PM
Connect Directly
Repost This

Crypto In The Cloud Secures Data In Spite Of Providers

With companies increasingly worried about their data in the cloud, a number of providers have cropped up to offer various types of encryption

Many studies have shown a chasm between cloud service providers and their customers regarding who is responsible for the security of the customer's data: Providers put the responsibility in the hands of the customer, but the customer usually disagrees.

According to a study conducted by the Ponemon Institute last year, for example, nearly seven in 10 cloud providers put responsibility for the security of a customer's data with the customer. Only three in 10 customers surveyed by Ponemon agreed.

"Providers are taking no responsibility," says Pravin Kothari, founder and CEO of CipherCloud, a cloud security provider. "If you are hosting in the cloud, you have no visibility into the cloud provider and no control over the data."

No wonder, then, that cloud encryption providers are becoming more popular. By encrypting data, customers can be assured that their information is safe, even in the event of a breach, but also from the cloud-service provider, as well. CipherCloud, for example, uses a Web proxy to encrypt data on its way to a supported software-as-a-service company, such as Salesforce. Other providers encrypt the applications running in a platform-as-a-service environment, while still others focus on encryption data in cloud storage or encryption infrastructure-as-a-service.

[ Cloud providers aren't quite there yet when it comes to keeping data as secure as traditional enterprise networks do, security experts say, and it pays to look at their DNA. See The Dark Side Of The Cloud. ] 

"The business problem is all about trust and control of data -- especially data at rest -- in the cloud," says Gilad Parann-Nissany, CEO and co-founder of Porticor, a company that focuses on encrypting data in the latter environments.

Just as cloud services are rapidly evolving, so are security services designed to encrypt data in the cloud.

As companies move up the cloud hierarchy from software-as-a-service to infrastructure-as-a-service, the technologies and solutions become more mature, says Dan Blum, vice president and distinguished analyst with Gartner. Encryption for storage in the cloud is the most mature solution, while encrypting specific fields in applications in the cloud tends to be the least mature.

The Key Is Management
The best solutions are those that allow the customer to control the keys, or part of the key, he says. By controlling the keys, the customer also controls access to the data, preventing even the cloud service provider.

"If all the information was encrypted, and it was done with a key that the customer controlled, even the cloud administrator might not be able to look at it -- that's the vision," says Blum.

Securely encrypting data is not the hard technological hurdle for cloud security services. Instead, the hard part is finding a way to securely manage the resultant keys, Porticor's Gilad says.

"In this day and age, if you take a half decent developer, everybody knows how to encrypt data," he says. "But where do you save the encryption keys? That's when it gets interesting."

Some providers store keys in the same cloud as the data, which is insecure. Others outsource key management to a third party, while others ask customers to manage the keys themselves. Porticor takes a hybrid approach, analogous to a safety deposit box in a bank, where the banker has one key and the customer holds the other. The technology allows the customer to be assured of their data's confidentiality, while at the same time easing key management.

Making Encryption Usable
Yet encrypting data in the cloud also poses some problems.

Encrypting data for use in software-as-a-service (SaaS) can limit its usability, Gartner's Blum says. Searching on fields containing encrypted data poses problems because strong encryption does not preserve the properties of the original plaintext. Finding entries in a customer database with similar last names is impossible, if the name field is encrypted.

"If you want the capability of searching and indexing, you have to weaken the encryption or add data transfers to make it work," Blum says.

Companies, such as CipherCloud, have found ways to allow some searching. Customers, for example, could search on exact matches for one or more fields, decrypt all the matching records locally, and then refine the search.

Another potential problem: Software-as-a-service providers may want access to the customers' data, especially consumer-focused services that employees bring to work, such as social networks. Encryption provider scrambls, for example, encrypts social-media posts in a way that allows consumers to control access to the data. Social-media companies will likely see the service as a threat, as users' posts are the currency of Facebook, Twitter, and other networks.

"If we believe that social media sites are a not a toy, but are really a utility, then there needs to be a mechanism for more secure, more controlled, communication," says Steven Sprague, CEO of Wave Systems, a maker of hardware-based digital security systems and the company that incubated scrambls as a startup.

Companies that have had data leaked via a social network are likely to strongly agree.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Gerry Grealish
Gerry Grealish,
User Rank: Apprentice
5/25/2012 | 2:58:37 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers

JDoherty - you bring up a good point about the termination
of the SSL tunnel. -ŠThere is indeed a vulnerability once you get inside
the SSL terminator and not a lot of people appear to have given much thought to
this. Kudos to your team for developing a solution. The federal government
seems to be a good target market for your product.-ŠHowever, even if you
address this SSL termination problem, don't you still need to encrypt the sensitive
data before it gets to the cloud to prevent access by unauthorized cloud
administrators or rogue access from malicious third parties?-Š-ŠFor most
organizations, addressing the latter would seem to be of great importance, for
regulatory compliance as well as and brand preservation.

Quick question, for the Certes solution, are you using FIPS
140-2 crypto validation? That would seem to be the minimum requirement for the
federal government and any regulated industries.-Š

User Rank: Apprentice
5/18/2012 | 7:06:53 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers

Another issue is protection of data in motion both to and inside
IaaS cloud networks.-Š

Some providers offer a secure VPN but this is problematic
because the security keys are owned by the provider and the encryption tunnel
terminates at the G«£front doorG«• leaving data exposed within the cloud network. This
protects the data across the WAN, but not within the shared cloud network, and
it leaves the information vulnerable to confidentiality and integrity breaches.
It also leaves virtual servers in the cloud potentially vulnerable to attacks
from other tenants in the cloud environment when the cloud providerG«÷s logical
separation of tenants breaks down through misconfiguration or other failures. IPsec
tunnels would provide adequate protection but point-to-point tunnels simply
donG«÷t work in the cloud. Applications architected for LAN environments often donG«÷t
encrypt connections to other servers, so they often need to be rewritten to
operate securely in the cloud.

We (Certes Networks) have recently announced and launched a
cloud version of our tunnel-less group encryption solution that provides data
in motion encryption that can scale to cloud deployments.-Š This solution recently resulted in us being
included as a Gartner Cool Vendor for Cloud Security G«Ű so while Dan Blum is
right in that the IaaS Security market is less mature than other areas, there
is a technology available that has leapfrogged other modalities in it efficacy.

User Rank: Apprentice
5/8/2012 | 7:58:07 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I fully agree with Pravin Kothari on the need for enterprises to assume concern for data residency and privacy when using cloud applications and equally, on the issues that were framed regarding key management. -ŠOne way to circumvent these challenges is to evaluate tokenization as an option. With tokenization, clear text data is replaced by a surrogate value - the same sort of approach that has been used in PCI DSS space for years now. With tokens there are no keys to manage and the data truly remains resident behind the enterpriseG«÷s firewall. -ŠThis is an added benefit when an organization is required to adhere to specific data residency regulations. -Š

In addition to the vendors cited here, readers may also want to evaluate PerspecSys. -ŠWhile it offers SaaS functionality preservation when using various encryption approaches (including FIPS 140-2 validated modules) it also offers the use of tokenization as a means of securing data before it goes to the cloud. -Š
Kevin Bocek
Kevin Bocek,
User Rank: Apprentice
5/8/2012 | 6:08:19 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
To CJones concern over encryption key ownership: I've heard others concered about placing encryption keys in cloud along with data. Providers like CipherCloud let you keep encryption keys and crypto proceses behind your firewall. You own your keys and control over data.
Gerry Grealish
Gerry Grealish,
User Rank: Apprentice
5/8/2012 | 2:15:16 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers

Interesting article and
perspectives shared by Gartner.-Š PerspecSys is a leading solution provider
in this space.-Š While it offers SaaS functionality preservation when using
various encryption approaches, including FIPS 140-2 validated modules, it also
pioneered the use of tokenization as a means of securing data before it goes to
the cloud.-Š With tokenization, clear text data is replaced by a surrogate
token-Š- the same sort of approach that has been used in PCI DSS space for
years now. But the breakthrough is that the "sort" and full "search" capabilities
of the SaaS application are retained. -Š-ŠWith tokens there are no Keys
to manage and the data truly remains resident behind the enterpriseG«÷s firewall
G«Ű a real benefit when an organization needs to adhere to Data Residency
regulations. -ŠRegardless of the protection method G«Ű via tokenization or
FIPS 140-2 certified encryption providers G«Ű the PerspecSys approach is one
where standard application functionality is preserved.-Š PerspecSys feels
that forcing an enterprise to choose either the functionality that users demand
or the protection that is required is an unfair proposition and our-Šdesign principle is to be able to-Šsatisfy both needs of the organization.

User Rank: Apprentice
5/8/2012 | 10:31:01 AM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I see a catch 22 here.-Š Someone please explain if I missed something.-Š You put data in the cloud and you want to make sure that it is secure so you encrypt it with a key and move it to the cloud.-Š Now the data is in the cloud and secure; but, there is a problem because the data is not readable due to encryption.-Š So you have to push the key to the cloud to unencrypt the data.-Š When you are finished with the data, it is reencrypted with the key.-Š This is the same issue as hard drive encryption.-Š The most likely way someone is going to get your data is to exploit a vulnerability you should have patched on a server or one of your IT administrator's laptops.-Š

I agree that it is necessary and solves the problem of having someone at the cloud provider copying or removing a drive.-Š I just don't see this as a comprehensive solution.-Š How about encryption for the whole virtual cluster?-Š One key for everything.-Š Now there is a scary thought.
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web