Ashvin Kamaraju, VP of product development and partner management, Vormetric
Ashvin Kamaraju, VP of product development and partner management, Vormetric

Unfortunately, data security and regulatory compliance requirements do not evaporate in the public cloud. The challenge of controlling access to sensitive information remains the same. In response, three approaches have emerged: enterprise encryption services, cloud service provider encryption services, and encryption gateways. Choosing the right one depends on the type of cloud delivery model involved – software-as-a-service (SaaS) or infrastructure-as-a-service (IaaS) – and the mandates that govern the data being placed in the cloud.

Enterprise encryption services for cloud service providers (CSP) encrypt sensitive data in IaaS environments, typically via a software agent sitting in the cloud – while encryption key management remains on premise. This approach can encrypt the entire mounted storage volume, or encrypt and control access to specific files in the CSP. The more granular file-level approach provides separation of duties within the enterprise, while both volume- and file-level approaches protect against bad actors attempting to compromise data in the public cloud. 

CSP encryption services are similar to enterprise encryption services, except that the CSP holds the encryption keys. While this might seem convenient, it does pose security issues since there is no separation of duties for anyone accessing the data. Furthermore, an enterprise will not know if the CSP has handed the keys and data to a third party. 

Encryption gateways encrypt data flowing from the enterprise into SaaS offerings, like Salesforce.com and Gmail. This approach can provide security for data in SaaS environments, while allowing the enterprise to maintain control of the data. 

Encryption gateways lend themselves to SaaS offerings where the SaaS provider does not provide encryption or the enterprise wants to maintain control of the data. Meanwhile, enterprise and CSP services are best suited for encrypting and controlling access to sensitive data in IaaS environments. There are variations of the above approaches, but understanding their core differences will enable organizations to choose the one best suited to their business and technology requirements.