Most SaaS providers claim to provide encryption, but typically only the transmission is encrypted using SSL. Although this standard technology provides a good protection of transmission data, the usage data that is stored in the cloud platform does not get so much attention.
A variety of companies have specialized to provide encryption services for SaaS providers. One of them was Navajo Systems, a company that was acquired by Salesforce.com in August 2011.
Navajo developed Virtual Private SaaS (VPS) technology, which was available as a cloud service or appliance. The data was encrypted by VPS before it was sent to the application. For the user, this was completely transparent. The control of critical data was given to the customer, and the encrypted data in the cloud was unreadable for the cloud provider and anybody else.
This way has been good to avoid conflicting interests by having a separate encryption service provider. The capabilities of Navajo Systems will be integrated into a new feature called Data Residency Option (DRO). This will give Salesforce customers the possibility to decide whether sensitive data should be stored in the cloud or on-premises. Other CRM providers such as SugarCRM or Microsoft provide a similar feature.
The move from data encryption to data residency has also been made by PerspecSys, a cloud platform provider for data privacy, residency, and security. As stated in its blog, encryption of the data is not a viable option. Their two main reasons for keeping sensitive data on-premises instead of encrypting data in the cloud are:
- Regulatory requirements: Depending on the home country of a customer, legal regulations might apply. Several countries are not allowed to transfer data to foreign sites, where their law does not apply, independent of whether the data is encrypted or not.
- Moore’s law: With the growth of transistors placed on an integrated circuit, the performance of devices constantly increases. Encryption algorithms that are considered safe today, will likely easily be decrypted by tomorrow’s home devices.
At this point, I wondered, is the answer to the question in the title really just: Yes, encryption can be done by using an encryption service, which keeps the encryption keys on-premises. This way minimizes the value of your cloud solution, because encrypted data cannot be used in search or analytics functions. The other possibility is to store sensitive data on-premises, with a similar impact on search and analytics.
Then, I discovered a technology called homomorphic encryption that is appearing on the horizon: The idea is quite simple: An homomorphic cryptosystem can perform a mathematical operation on the ciphertext (encrypted information), and then decrypting the result produces the same answer as performing the same operation on the plaintext (unencrypted data). Mathematicians have debated on this topic for more than 30 years. Craig Gentry, an IBM researcher, was the first to invent a scheme that provides full homomorphic encryption. The bad news is that the time needed to compute results is not practical at the moment, although the function grows linear and runs in polynomial time. It will take approximately five to ten years to make it widely useable.
Until then, customers rely on their cloud service provider and third-party services.
Fortunately these providers and services do a very good job, because there has been no big data theft from a public SaaS provider so far.