The concept of cloud computing is becoming more widely used by large enterprises and small to medium-sized businesses because of the reduced costs and increased efficiency that cloud environments offer in a difficult economy. Although cloud computing is gradually becoming mainstream in organizations of all sizes, concern over data security and encryption remains, especially in the public cloud. This concern persists even though public cloud services have implemented several strategies for protecting data. A few basic methods are commonly deployed in the public cloud to protect data; however, many enterprises are looking for management strategies specific to public cloud environments. The basic choices currently offered by public cloud service providers are these: the provider supplies encryption services to its users, which requires trust in the cloud service provider (CSP); the enterprise entrusts its encryption to a third-party service; or the enterprise builds an encryption management system on an in-house server. Trusting the encryption to a third party, or tying a management system back to an in-house data center, takes away the flexibility advantages of using a public cloud environment. So what's the answer?
Cloud Specific Technology
Using the public cloud, especially Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), requires data security and encryption management that are cloud-specific. With cloud-specific technology, the concerns about data security and encryption are shifted to a system designed specifically for the cloud infrastructure rather than one applied on top of it.
One of the new cloud-specific encryption technologies is homomorphic encryption, which brings cutting-edge cryptography to data security in public cloud environments. This technology has not yet been released; however, it is in the works and offers a way to reassure enterprises that sensitive data is never exposed when using a public cloud infrastructure.
Homomorphic encryption allows a computer to perform mathematics on encrypted data without ever seeing the data itself. At the moment the technology is in the experimentation phase and cannot be deployed because of the massive computational resources it requires. As experimentation progresses, homomorphic encryption will become a viable option for enterprises seeking to manage the encryption of sensitive data.
Another cloud-specific data security technology that is under way is split-key encryption, which allows encryption key management in the public cloud without sacrificing trust. Adding partial homomorphic encryption makes the split-key technology that much more secure.
Split-key encryption works much like the key system used for a safe deposit box in a bank. There are two keys: one is given to the box holder and the other is held by the financial institution. The contents of the box can only be accessed using both keys.
Split-key encryption is similar to the scenario above in that data is protected by two encryption keys. One key is kept by the public cloud service provider and the second is held by the user, for each specific disk or data object. The key kept by the cloud service provider makes use of partial homomorphic encryption. In other words, the key is left in its unencrypted form yet remains fully effective when used with split-key technology, because the virtual master key held by the public cloud service provider can perform math without any knowledge of the actual data. This allows the computer to perform calculations with the encryption key held by the enterprise.
Homomorphic encryption used in conjunction with split-key encryption is currently an advanced cloud-specific security strategy that provides enhanced data protection and makes the data more resistant to hacker exploits. Each disk is encrypted with an individual key that is split into two parts.
The key held by the enterprise is not known to the cloud service provider. The key held by the cloud service provider does not reside anywhere in the cloud, yet it is effective when used in conjunction with the specific disk encryption key held by the enterprise. As the application accesses the stored data, the CSP uses both parts of the key to encrypt and decrypt it. Since the key held by the CSP uses partial homomorphic encryption, the data is protected from intrusion or theft.
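As an added toy example (not code from the article or from any cloud provider), the following Python shows the two ingredients the article combines: a disk key split into two additive shares, neither of which reveals the key on its own, and an additively homomorphic cipher (Paillier, with constructed, insecure Mersenne-prime parameters) that lets the combining party produce the encrypted disk key without ever learning the enterprise's share or the key itself. The party roles (user share, CSP share, who holds the private key) are assumptions for illustration, not a description of any product's protocol.

```python
# Toy split-key demo with Paillier (additively homomorphic) combining.
# Constructed for illustration only: these parameters are NOT secure.
import math
import secrets

# Paillier modulus from two Mersenne primes (known primes, easy to reproduce).
P, Q = 2**31 - 1, 2**61 - 1
N, N2, G = P * Q, (P * Q) ** 2, P * Q + 1   # public modulus, its square, generator
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lcm(p-1, q-1): private key

def _L(u):
    return (u - 1) // N

MU = pow(_L(pow(G, LAM, N2)), -1, N)        # decryption constant (private)

def encrypt(m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return (pow(G, m, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    """Needs LAM and MU: only the private-key holder can read the result."""
    return (_L(pow(c, LAM, N2)) * MU) % N

def add_encrypted(c1, c2):
    """E(a) * E(b) mod n^2 == E((a + b) mod n): addition without decrypting."""
    return (c1 * c2) % N2

def split_key(disk_key):
    """Additive two-party sharing mod n. The CSP share is uniformly random, so
    either share on its own carries no information about disk_key."""
    csp_share = secrets.randbelow(N)
    user_share = (disk_key - csp_share) % N
    return user_share, csp_share

def combine_encrypted(enc_user_share, csp_share):
    """Run by the combining party: it holds its own share and only the ciphertext
    of the enterprise's share, and outputs E(disk_key) without seeing disk_key."""
    return add_encrypted(enc_user_share, encrypt(csp_share))

def round_trip(disk_key):
    """Split, combine homomorphically, then decrypt with the private key."""
    user_share, csp_share = split_key(disk_key)
    return decrypt(combine_encrypted(encrypt(user_share), csp_share))
```

Whoever runs `combine_encrypted` only ever handles a ciphertext and one random share, which is the property the article attributes to the CSP-side key; reading the result still requires the Paillier private key.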
About the Guest Author:
Aeyne Schriber has more than two decades of accumulated experience in IT security, computer technology, and internet marketing, including technology education and administration at both the public school and college level. She works worldwide helping companies, from small businesses to large enterprises, establish an online presence. Her skills as a published copywriter and marketer also include consulting and training corporate personnel and entrepreneurs. To find out more, visit www.digitalnewmediamarketing.com