Crypto In The Cloud Secures Data In Spite Of Providers

Many studies have shown a chasm between cloud service providers and their customers regarding who is responsible for the security of the customer's data: Providers put the responsibility in the hands of the customer, but the customer usually disagrees.

According to a study conducted by the Ponemon Institute last year, for example, nearly seven in 10 cloud providers put responsibility for the security of a customer's data with the customer. Only three in 10 customers surveyed by Ponemon agreed.

"Providers are taking no responsibility," says Pravin Kothari, founder and CEO of CipherCloud, a cloud security provider. "If you are hosting in the cloud, you have no visibility into the cloud provider and no control over the data."

No wonder, then, that cloud encryption providers are becoming more popular. By encrypting data, customers can be assured that their information is safe, even in the event of a breach, but also from the cloud-service provider, as well. CipherCloud, for example, uses a Web proxy to encrypt data on its way to a supported software-as-a-service company, such as Salesforce. Other providers encrypt the applications running in a platform-as-a-service environment, while still others focus on encryption data in cloud storage or encryption infrastructure-as-a-service.

[ Cloud providers aren't quite there yet when it comes to keeping data as secure as traditional enterprise networks do, security experts say, and it pays to look at their DNA. See The Dark Side Of The Cloud. ] 

"The business problem is all about trust and control of data -- especially data at rest -- in the cloud," says Gilad Parann-Nissany, CEO and co-founder of Porticor, a company that focuses on encrypting data in the latter environments.

Just as cloud services are rapidly evolving, so are security services designed to encrypt data in the cloud.

As companies move up the cloud hierarchy from software-as-a-service to infrastructure-as-a-service, the technologies and solutions become more mature, says Dan Blum, vice president and distinguished analyst with Gartner. Encryption for storage in the cloud is the most mature solution, while encrypting specific fields in applications in the cloud tends to be the least mature.

The Key Is Management
The best solutions are those that allow the customer to control the keys, or part of the key, he says. By controlling the keys, the customer also controls access to the data, preventing even the cloud service provider.

"If all the information was encrypted, and it was done with a key that the customer controlled, even the cloud administrator might not be able to look at it -- that's the vision," says Blum.

Securely encrypting data is not the hard technological hurdle for cloud security services. Instead, the hard part is finding a way to securely manage the resultant keys, Porticor's Gilad says.

"In this day and age, if you take a half decent developer, everybody knows how to encrypt data," he says. "But where do you save the encryption keys? That's when it gets interesting."

Some providers store keys in the same cloud as the data, which is insecure. Others outsource key management to a third party, while others ask customers to manage the keys themselves. Porticor takes a hybrid approach, analogous to a safety deposit box in a bank, where the banker has one key and the customer holds the other. The technology allows the customer to be assured of their data's confidentiality, while at the same time easing key management.

Making Encryption Usable
Yet encrypting data in the cloud also poses some problems.

Encrypting data for use in software-as-a-service (SaaS) can limit its usability, Gartner's Blum says. Searching on fields containing encrypted data poses problems because strong encryption does not preserve the properties of the original plaintext. Finding entries in a customer database with similar last names is impossible, if the name field is encrypted.

"If you want the capability of searching and indexing, you have to weaken the encryption or add data transfers to make it work," Blum says.

Companies, such as CipherCloud, have found ways to allow some searching. Customers, for example, could search on exact matches for one or more fields, decrypt all the matching records locally, and then refine the search.

Another potential problem: Software-as-a-service providers may want access to the customers' data, especially consumer-focused services that employees bring to work, such as social networks. Encryption provider scrambls, for example, encrypts social-media posts in a way that allows consumers to control access to the data. Social-media companies will likely see the service as a threat, as users' posts are the currency of Facebook, Twitter, and other networks.

"If we believe that social media sites are a not a toy, but are really a utility, then there needs to be a mechanism for more secure, more controlled, communication," says Steven Sprague, CEO of Wave Systems, a maker of hardware-based digital security systems and the company that incubated scrambls as a startup.

Companies that have had data leaked via a social network are likely to strongly agree.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.