GP
Cloud computing is increasingly becoming part of the enterprise IT landscape. In fact, a recent cloud security survey conducted by HP reveals that 70 percent of all respondents say their company is using some form of the cloud. The study also found that cloud penetration jumps to 80 percent for enterprise-size organizations. With such dramatic growth figures, it is no wonder that enterprise companies are carefully reviewing cloud security policies’ implication on cloud data. Here’s another fact from that same survey: While more than half of those using the public cloud are confident that critical and sensitive data can be secured in the public cloud, 16 percent of all companies in the cloud reported at least one public cloud breach in the past 12 months.
So, does this mean that migrating data and apps to the cloud inherently harms your security policies?
Cloud security and the shared responsibility model
Simply put, leading cloud vendors are providing a highly secure infrastructure, most probably on par or stronger than security measures implemented in many enterprise datacenters (a fact that might explain the sense of security expressed in the HP survey). The problem is that cloud security is a shared responsibility. While the cloud vendor will own and manage security for virtualization and other elements it manages, it is the customer’s responsibility to implement security measures around the data. Security measures will vary according to the cloud type (Software as a Service clouds will allow limited control, while Infrastructure as a Service clouds will provide more flexibility with regards to security tools implementation), but one fact is constant: It is your responsibility to secure your data.
When it comes to comparing the old datacenter and the new cloud, chances are that the infrastructure you rely on is even more secure in the cloud. Cloud providers such as Amazon Web Services or HP Helion have more resources to invest in the infrastructure than most companies operating a datacenter. And since the responsibility to secure the data is yours both in the datacenter and in the cloud, it seems that you are only improving your policies by relying on a public cloud.
Software is the new hardware
As you’d expect, cloud computing added a significant complexity to enterprise security policies. Let’s take encryption and management of the encryption keys, for example. In the datacenter, you managed and secured your own keys, so their fate was always in your hands.
In the cloud, some companies find themselves having to trust third parties with their keys, which presents a problem both to security policies and to regulatory compliance. Other companies have been storing their keys in the cloud, alongside their data. In case of a breach, the key is exposed along with the data. And some are trying to force existing on-premise solutions such as Hardware Security Modules (HSM) to the cloud encryption strategy.
Cloud security solutions
There’s a need for a fundamentally different approach for cloud data encryption, one that leverages the benefits of the cloud (software only, scale as you grow, pay as you go) without compromising security and compliance requirements for data ownership and split-knowledge. One example is the use of split key encryption with homomorphic key management.
The split key method, as its name implies, splits your encryption key in two “shares.” One share is managed by a key management service, and one share remains always in the customer’s control. This way, even if one share is hacked or compromised in some way, it is useless without its counterpart.
With homomorphic key management, the customer’s project master key share is itself encrypted. This way, even while it is in use in the cloud, it is safe.
Combining these two innovations ensures that your cloud security policies are the strongest in the industry. Hackers cannot break them. Employees of cloud providers have no access to them. Even subpoenas cannot access your data; the worst they can do is get half of the key, which is unusable without the half that is always in your possession.
Strengthening Cloud Security Policies
In fact, migrating data out of a physical datacenter and into the cloud can potentially strengthen your security policies, not weaken them. That is because:
In a cloud, infrastructure is maintained by greater resources
By using split key encryption and homomorphic key management, no one can get your encryption keys
Compliance with regulations such as healthcare’s HIPAA and finance/ecommerce’s PCI DSS can be achieved with these cloud security precautions.