
2014: The year of encryption and the summer of key management

January 29, 2014

In the technology world, if 2013 was the year of broken trust and data leaks, 2014 will be the year of encryption.

Revelations of widespread surveillance and increasing data breaches have driven individuals and organizations to demand stronger security for critical data. Meanwhile, economic uncertainty has driven organizations of all types towards cloud-based models. In most organizations today, there is simply no excess budget to be spent on expensive, inflexible hardware and storage solutions. As such, the overall hardware IT market is flatlining. Simultaneously, maturing cloud security propositions and the allure of technologies such as mobile and big data, which are naturally inclined toward cloud deployment, have moved cloud technology forward at a breakneck pace.

In order to unlock the floodgates, we need to address the security concerns of moving everything to the cloud. Fortunately, cloud providers today are heavily invested in addressing this issue. Providers are committed to defining the roles of each player, essentially creating a security responsibility matrix for what the customer is responsible for and what the provider is responsible for.

Compliance and policy are reactive, constantly chasing the tail of technologies that are two to three years ahead. Regulators, both at an industry level and in government, will need to scramble to update existing regulation to cover cloud scenarios. Evidence of this has already surfaced with the expansion of the California data breach disclosure laws to include online account credentials and password reset information. Often such leadership in California has a ripple effect across the whole U.S.

As regulations and in-house risk management strategies around encrypting cloud data progress, the conversations around securing the cloud will evolve beyond whether or not the cloud is secure. Conversations will expand to cover topics such as validation, certification and how exactly cloud security will be measured.

Uncertainty around trust in the cloud brings about a security conflict, with a simple solution: encryption and proper key management. More and more technology providers will offer encryption for various types of applications. Eventually, we will see the web become increasingly dark with encrypted data.

The hype over encryption will be quickly followed by the recognition that encryption is actually quite easy; what is more complex is effective key management. Failure to ensure proper key management gives rise to business continuity concerns and the threat of trashing your data, and it brings into sharp focus the fact that whoever holds the keys actually has control over the data. Key management standards could take center stage as keys are managed in one place (the enterprise) but are used somewhere else (the cloud). It will be critical for cloud providers who find themselves in possession of customer keys to responsibly delegate control of those keys to avoid the liability and responsibility for managing them. So while 2014 may be the year of encryption, the summer of 2014 will be all about key management.