Putting Data In The Cloud? Retain Control

At the beginning of Stanley Kubrick's epic, "2001: A Space Odyssey," apes benefit from the use of technology, in the form of a club. By the end of the movie, however, humans are threatened by the technology used to help them survive in the stars, the artificial intelligence HAL.

In some ways, this technological arc -- from tool to master -- is an apt allegory for companies entering the cloud, Davi Ottenheimer, president of security consultancy Flying Penguin, plans to argue in his presentation at the B-Sides Security conference in Las Vegas next week. Firms seeking greater efficiency and more features may rely on the technology of a cloud provider, leaving themselves vulnerable to a single security incident.

In his presentation, Ottenheimer plans to draw illustrate the need a more secure approach to clouds using the themes from "2001: A Space Odyssey."

"The central question for companies is, 'Do you have control?'" Ottenheimer says. "The fight between the humans and HAL in a nutshell is the fight between the customers and the cloud provider. Humans reliance on the tools to survive in space is almost their undoing, and reliance on cloud services can similarly be a firm's undoing."

Reliance on cloud vendors' security has led to a number of high profile breaches. In March, marketing service provider Epsilon reported a massive breach of its systems that led to more than 100 large companies -- including such giants as Citibank, JPMorgan Chase and Walgreens -- sending out warnings to their customers.

Dropbox is another example. Individuals can put business-sensitive data into the cloud storage service, where anyone with access to the server could potentially read the file because it uses a central encryption key. While the design of the cloud service allows third party's to access their users' accounts to offer interesting services, it also leaves the data much less secure than a system that encrypted the data before sending it into the cloud, Ottenheimer says.

A number of companies are providing encryption services to secure data inside the cloud. CloudSwitch, for example, allows companies to run their software and store their data in a private or public cloud in its own encrypted network. Another company, CipherCloud, allows companies to use other services, such as Salesforce.com, but encrypt their data.

"Companies are really helped ... by just thinking out how to protect their data," says Varun Badhwar, vice president of business development for CipherCloud, a security provider. "Once they have figured data protection out, then they are better off, because their cloud applications can be used the way they want to."

For companies that want to roll their own solution, turning to encryption standards such as the Symmetric Key Services Markup Language (SKSML) can help secure data before shipping it off to a cloud provider's facility.

Ottenheimer stresses that cloud services themselves are very useful, but the ones that require a company to give up securing its data are dangerous. "You can centralize everything, as long as you don't give up control," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.