Decoding the cloud

Ashvin Kamaraju, VP of product development and partner management, Vormetric

Unfortunately, data security and regulatory compliance requirements do not evaporate in the public cloud. The challenge of controlling access to sensitive information remains the same. In response, three approaches have emerged: enterprise encryption services, cloud service provider encryption services, and encryption gateways. Choosing the right one depends on the type of cloud delivery model involved – software-as-a-service (SaaS) or infrastructure-as-a-service (IaaS) – and the mandates that govern the data being placed in the cloud.

Enterprise encryption services for cloud service providers (CSP) encrypt sensitive data in IaaS environments, typically via a software agent sitting in the cloud – while encryption key management remains on premise. This approach can encrypt the entire mounted storage volume, or encrypt and control access to specific files in the CSP. The more granular file-level approach provides separation of duties within the enterprise, while both volume- and file-level approaches protect against bad actors attempting to compromise data in the public cloud. 

CSP encryption services are similar to enterprise encryption services, except that the CSP holds the encryption keys. While this might seem convenient, it does pose security issues: the party that stores the data also controls the keys that unlock it, so there is no separation of duties for anyone accessing the data. Furthermore, an enterprise will not know if the CSP has handed the keys and data to a third party.

Encryption gateways encrypt data flowing from the enterprise into SaaS offerings, like Salesforce.com and Gmail. This approach can provide security for data in SaaS environments, while allowing the enterprise to maintain control of the data. 

Encryption gateways lend themselves to SaaS offerings where the SaaS provider does not provide encryption or the enterprise wants to maintain control of the data. Meanwhile, enterprise and CSP services are best suited for encrypting and controlling access to sensitive data in IaaS environments. There are variations of the above approaches, but understanding their core differences will enable organizations to choose the one best suited to their business and technology requirements.
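The encryption-gateway model described above, as an added illustration that is not code from the article or from Vormetric: an enterprise-side gateway holds the key, encrypts designated fields of a record before it is forwarded to the SaaS provider, and decrypts them on the way back. The record layout, the field names `ssn` and `dob`, the use of AES-256-GCM with the field name bound as associated data, and the randomly generated demo key are all assumptions made for this example; a real deployment would load the key from the enterprise's own key management rather than generate it in place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ctPrefix marks a field value that the gateway has already encrypted.
const ctPrefix = "enc:v1:"

// Gateway models an enterprise-side encryption gateway: it holds the key and
// encrypts designated fields before a record is forwarded to a SaaS provider.
type Gateway struct {
	aead      cipher.AEAD
	sensitive map[string]bool
}

// NewGateway builds a gateway around an AES-256-GCM key held by the enterprise.
func NewGateway(key []byte, sensitiveFields []string) (*Gateway, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	g := &Gateway{aead: aead, sensitive: make(map[string]bool, len(sensitiveFields))}
	for _, f := range sensitiveFields {
		g.sensitive[f] = true
	}
	return g, nil
}

// Outbound encrypts each sensitive field on its way to the SaaS provider. The
// field name is bound as associated data, so a ciphertext cannot later be
// presented under a different field name.
func (g *Gateway) Outbound(record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for field, value := range record {
		if !g.sensitive[field] {
			out[field] = value // non-sensitive fields pass through unchanged
			continue
		}
		nonce := make([]byte, g.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// Seal appends ciphertext and tag after the nonce, so one blob carries both.
		sealed := g.aead.Seal(nonce, nonce, []byte(value), []byte(field))
		out[field] = ctPrefix + base64.StdEncoding.EncodeToString(sealed)
	}
	return out, nil
}

// Inbound decrypts sensitive fields on the way back into the enterprise.
// It fails closed: a tampered or relocated ciphertext yields an error, not data.
func (g *Gateway) Inbound(record map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for field, value := range record {
		if !g.sensitive[field] || !strings.HasPrefix(value, ctPrefix) {
			out[field] = value
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, ctPrefix))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", field, err)
		}
		n := g.aead.NonceSize()
		if len(raw) < n+g.aead.Overhead() {
			return nil, errors.New("field " + field + ": ciphertext too short")
		}
		plain, err := g.aead.Open(nil, raw[:n], raw[n:], []byte(field))
		if err != nil {
			return nil, fmt.Errorf("field %q: %w", field, err)
		}
		out[field] = string(plain)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real gateway loads it from enterprise key management
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	gw, err := NewGateway(key, []string{"ssn", "dob"})
	if err != nil {
		panic(err)
	}
	// Constructed sample record; only ssn and dob are treated as sensitive.
	record := map[string]string{"name": "Alice Example", "ssn": "000-00-0000", "dob": "1970-01-01"}
	stored, _ := gw.Outbound(record)
	fmt.Println("what the SaaS provider stores:", stored)
	back, _ := gw.Inbound(stored)
	fmt.Println("what the enterprise reads back:", back)
}
```

The point of the example is the key boundary: the SaaS provider only ever receives the `enc:v1:` blobs, so the contrast with the CSP-held-key model is that nothing in the provider's environment can turn those blobs back into data. Binding the field name as associated data is a small extra that stops a stored ciphertext from being swapped into another field, and the unencrypted `name` field shows why a gateway needs a deliberate list of which fields leave the enterprise in the clear.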
