Regaining Control Of Data In The Cloud

With a growing mobile workforce, more employees using their personal devices for work, and closer relationships with partners, sensitive data continues to move outside of the corporate firewall, whether businesses approve or not. Cloud services have become a major pathway for that data: Business teams are collaborating online, while workers are storing data in file-sharing services to continue working on the road.

Securing that data is not easy. The proliferation of mobile devices has led to scalability issues with both encryption and key-management technology. Rather than deal with the complexity of such security technologies, workers are likely to attempt an end run and use their own solutions, without giving security much thought. Fighting back against those forces with traditional encryption products is difficult because they do not scale to large number of users and devices.

"You are now encrypting any and all data with a key," says Adam Ghetti, co-founder and chief technology officer of Social Fortress, a data-protection service and technology provider. "The scalability of the security architecture is a problem -- traditional architectures, especially."

Companies looking to use encryption services and better access management to take back control of their data need to encrypt all data that leaves their networks, and yet not let the process slow down their workers.

Different security providers are approaching the problem differently. Social Fortress, which started as a way to give social-network users more control over their posts, is piloting projects in healthcare and finance, allowing fine-grained protection of data. Each piece of data gets its own key, independent of the device or user, and will be stored encrypted in whichever cloud service the business uses.

The model works especially well for data that plugs into an existing software-as-a-service application, such as Salesforce.com, or to place access controls on Facebook posts and tweets on Twitter.

Companies need to first evaluate what requirements they have and focus on what makes sense for their company. Most importantly, businesses need to make sure that, even in the event of a breach or leak, their data is safe, says Mark Bower, vice president at Voltage Security, a data-protection firm.

"It boils down to the fact that a data breach is going to be an inevitable event -- the strategy then has to shift to making a breach meaningless to the attackers and have zero impact to the business," Bower says.

[Quantifying different mobile risks could help enterprises decide what kind of technology and practices they need to support the mobile-security policies. See How Does Mobility Change IT Risk Management?.]

A key component to securing a company's sensitive data is to integrate the security in how employees work.

"The biggest culprit in undermining data-security policies are people who are e-mailing things that they should not be e-mailing and moving things where they shouldn't," says Tim Matthews, senior director of security product marketing at Symantec.

Last week, Symantec announced two encryption products that aim to help lock down data that could be leaked through e-mail or cloud storage. As part of its Symantec O3 push, the company added e-mail encryption add-ons for popular mobile devices, allowing messages and attachments to be secured, without forcing users to use special applications. The company also added an encryption solution for consumer storage solutions, such as Dropbox, often used by workers.

In a survey released in conjunction with the announcement, the company found that 55 percent of workers did not know whether their businesses had a cloud-security policy.

Other providers, such as Vormetric, use appliances that encrypt and manage keys for the company while their data is stored in the cloud. As an encryption gateway provider, the company's service encrypts and decrypts the data on the fly, keeping out of the user's way.

"Encryption underpins a lot of the security in the cloud, but what you are doing in terms of encryption depends on the delivery model of cloud services," says Todd Thiemann, senior director for product marketing at the company.

Yet Social Fortress's Ghetti warns that encryption gateway solutions, by concentrating certain operations in a single system or network of systems, can undermine the robustness of a cloud service.

"What you have done in a lot of cases is that you have limited the majority of the value of going to a cloud service because you are taking all that data and all that traffic and bringing it back in to the enterprise," he said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.