There are many technologies in IT today that are used for encryption of data at rest. Every presentation I sit through on the topic discusses the key management of the solution and how key management is a huge, complex issue, and how each product does it better.
This is all good information to have in an enterprise, but once these encryption and key management technologies are applied to the cloud this becomes even more complex.
When I present the topic of encryption and the cloud to customers, I like to focus on the public cloud, and infrastructure as a service (IaaS) in particular. This case is the most complex and has the most pitfalls. I’m going to try and outline some things to think about as a consumer of such a cloud.
These patterns can be extended of course to software as a service (SaaS) and platform as a service (PaaS) offerings, though when you constrain the boundaries with these other types of services the security aspects and solutions are a bit more bound by the technologies and what the cloud service provider can offer.
The biggest issue to consider is not so much how the encryption is being done, but what the business requirements are for key ownership. If the encrypted data is in the cloud, is it going to be ok to also store the keys in the same cloud?
I have seen many customers that have the requirement to move to infrastructure in the cloud, but their security teams have dictated that encryption keys cannot leave the customer premises.
This means that easy solutions like Windows Encrypting File System (EFS) or Linux ecryptfs encrypted directories and dm-crypt encrypted partitions cannot be used. Even things like a Nirvanix CloudNAS device with encrypted object storage cannot be used. All of these encryption technologies work, and work well for encryption, but they rely on the encryption keys being stored in the guest operating system (OS) that is also performing the encryption.
Is this acceptable for the workload that has an encryption requirement?
If that isn’t acceptable, what can be done?
There are other solutions in the cloud that rely on encrypting agents that fetch keys from an external key server. These types of solutions cause even more complexity.
Vormetric File Encryption and Trend Micro SecureCloud are two similar solutions. I leave the detailed comparison up to the reader, but conceptually, both have key managers that are connected over TCP/IP to agents somewhere. On the surface it seems Vormetric is a proponent of keys under customer control, with a customer-managed key server, while Trend Micro, although it also offers a key server, is pushing its SaaS cloud key server solution.
- Is it sufficient security to have keys separated from encrypted data, by storing them in a different cloud?
- Will having a key server under my control satisfy my security concerns, with my data encrypted in another cloud?
- What does the networking look like in the above picture? Will security be ok having a key server serving keys over the Internet?
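The agent and external key server pattern described above can be sketched in a few lines. This is an added example, not code from Vormetric, Trend Micro, or the original post; the `KeyServer` class, `cloud_write`, `cloud_read`, and the SHA-256 stand-in cipher are all assumptions made so it runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Stand-in cipher (SHA-256 in counter mode) so this runs on the stdlib alone;
    # a real agent would use AES-GCM or similar from a vetted library.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor(_mac(key, b"enc"), nonce, plaintext)
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("ciphertext failed authentication")
    return _xor(_mac(key, b"enc"), nonce, ct)

class KeyServer:
    """Customer-premises side: the master key (KEK) never leaves this object."""
    def __init__(self):
        self._kek, self._agents = secrets.token_bytes(32), {}
    def enroll(self, agent_id):           # returns the agent's request-signing secret
        self._agents[agent_id] = secrets.token_bytes(32)
        return self._agents[agent_id]
    def revoke(self, agent_id):
        self._agents.pop(agent_id, None)
    def _authorize(self, agent_id, request, tag):
        secret = self._agents.get(agent_id)
        if secret is None or not hmac.compare_digest(tag, _mac(secret, request)):
            raise PermissionError("agent not authorized")
    def new_data_key(self, agent_id, tag):
        self._authorize(agent_id, b"new-data-key", tag)
        dek = secrets.token_bytes(32)
        return dek, seal(self._kek, dek)  # plaintext DEK for use now, wrapped DEK to store
    def unwrap(self, agent_id, wrapped, tag):
        self._authorize(agent_id, wrapped, tag)
        return unseal(self._kek, wrapped)

def cloud_write(server, agent_id, secret, plaintext):
    dek, wrapped = server.new_data_key(agent_id, _mac(secret, b"new-data-key"))
    # Only these two fields are persisted in the cloud; the DEK lives in memory only.
    return {"wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}

def cloud_read(server, agent_id, secret, record):
    wrapped = record["wrapped_dek"]
    dek = server.unwrap(agent_id, wrapped, _mac(secret, wrapped))
    return unseal(dek, record["ciphertext"])
```

The agent's signing secret still lives in the cloud guest, so what the customer actually keeps is the ability to revoke: once `revoke` is called, the stored record can no longer be decrypted from the cloud side. Transport protection between agent and key server (for example mutual TLS) is outside this sketch.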
My intent is not to answer the security questions, but instead to give a picture of what encryption and key management can look like in the cloud, and what an IT security team needs to think about. It all comes down to what is being protected and what sort of governance controls over your data you are willing to relinquish in order to leverage all the benefits of the cloud. I also have not even started to discuss technologies that are closer to the storage area network (SAN) and more in the realm of the cloud service provider’s ownership, such as DS8000 encryption or Brocade switch-level encryption.
Note: There is already a blog post on how to take advantage of the filesystem encryption types.