The latest global survey on cloud security by the Ponemon Institute has revealed that, to overcome mistrust of the cloud, organisations encrypt data before it reaches the cloud more often than they encrypt it within the cloud.
Some 37% of more than 4,000 respondents in seven countries said their organisation encrypts data temporarily as it is transferred over the network between the enterprise and the cloud.
Another 31% said their organisation encrypts data persistently before it is transferred to the cloud provider, such that it remains encrypted within the cloud.
Conversely, only 22% say encryption occurs within the cloud, either by the organisation itself or by the cloud provider.
Moving encryption to the cloud
However, this will change over time, with fewer people using encryption in the enterprise and more using it in the cloud, according to Richard Moulds, vice-president of strategy at Thales e-Security.
“One of the huge downsides of using encryption in the enterprise – assuming the cloud is insecure – is that you are very much diminishing the value you can get out of the cloud,” he told Computer Weekly.
If organisations are only ever sending encrypted data to the cloud, they are limiting themselves to low-level functions such as file-sharing, archiving and backup, said Moulds.
“But if you want to use the cloud for data processing, data analytics, filtering, searching – you can’t do any of that if data is encrypted,” he said.
According to Moulds, there is minimal value in cloud-based encryption with cloud-based encryption keys, and encryption in the enterprise limits what can be achieved in the cloud; the ideal would be encryption in the cloud with the keys stored in the enterprise.
“This last approach means enterprises can get all the benefits of the cloud, yet retain control over their data by retaining control over the encryption keys,” he said.
Moulds believes it is likely in future that the entire datacentre will be outsourced to the cloud, and the only thing retained by the enterprise will be the key manager, and thereby the only means to access the data.
“As long as you can deliver those keys selectively into the cloud, you can unlock data selectively to be processed to squeeze the maximum value out of the cloud,” he said.
This is approaching the notion of enterprise rights management, where enterprises are handing out keys to cloud-based applications on a need-to-use basis.
“This is pretty sophisticated, but it is where I think we have to get to,” said Moulds.
Encryption key management
The ideal state of encryption in the cloud, with keys released by the enterprise on demand, is not without its challenges.
The only way that can be achieved is if there is a standard mechanism for cloud applications to request an encryption key and for that key to be delivered within set policy constraints.
“Finally, there is a standard for doing that – the Key Management Interoperability Protocol (KMIP) – which has attracted considerable interest in the context of cloud encryption,” said Moulds.
Although KMIP is just a protocol, he believes it will be a “catalytic technology” because it abstracts, for the first time, the issues of managing keys from the things that use keys.
“In the past, there was always a proprietary binding, but the cloud is not about proprietary anything. It is about using your instances in Amazon today and in Rackspace tomorrow, but that is possible only if there is a standard way of delivering keys to applications in the cloud, like the KMIP standard,” said Moulds.
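The architecture Moulds describes, encryption performed in the cloud with the keys held in the enterprise and released to applications selectively under policy, as an added illustration that is not part of the article and does not implement KMIP itself. The class names, the policy model (key id plus requesting application and purpose), the sample record and the HMAC-based toy cipher standing in for a real AEAD are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
class EnterpriseKeyManager:  # on-premises: keys stay here, released only under policy
    def __init__(self):
        self._keys, self._policy, self.audit = {}, {}, []  # raw keys, allowed (app, purpose), request log
    def create_key(self, key_id, allowed):
        self._keys[key_id] = secrets.token_bytes(32)
        self._policy[key_id] = set(allowed)

    def request_key(self, key_id, app_name, purpose):
        granted = (app_name, purpose) in self._policy.get(key_id, set())
        self.audit.append((key_id, app_name, purpose, "released" if granted else "denied"))
        if not granted:
            raise PermissionError(f"{app_name} may not use {key_id} for {purpose}")
        return self._keys[key_id]

def keystream_crypt(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES-GCM; not for production."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class CloudApp:  # in the cloud: holds ciphertext only, until the enterprise releases a key
    def __init__(self, name, key_manager):
        self.name, self.km = name, key_manager
    def encrypt_record(self, key_id, purpose, plaintext):
        key = self.km.request_key(key_id, self.name, purpose)
        nonce = secrets.token_bytes(12)
        return nonce + keystream_crypt(key, nonce, plaintext)

    def decrypt_record(self, key_id, purpose, blob):
        key = self.km.request_key(key_id, self.name, purpose)
        return keystream_crypt(key, blob[:12], blob[12:])

def demo():
    km = EnterpriseKeyManager()
    km.create_key("customer-records", [("ingest-svc", "encrypt"), ("analytics-svc", "analyse")])
    record = b"constructed sample: customer 42, region EU"  # constructed test data
    blob = CloudApp("ingest-svc", km).encrypt_record("customer-records", "encrypt", record)
    recovered = CloudApp("analytics-svc", km).decrypt_record("customer-records", "analyse", blob)
    try:  # an app outside the policy is refused and is left holding only ciphertext
        CloudApp("backup-svc", km).decrypt_record("customer-records", "restore", blob)
        denied = False
    except PermissionError:
        denied = True
    return recovered == record, denied, km.audit
```

The audit log kept by the key manager is the enterprise's record of which cloud workload unlocked which data and for what purpose, which is what makes selective key release auditable.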