The era of "just trust us" as far as your cloud security goes is effectively over. That is not to say that security has stopped being the top concern about cloud-based services for risk-averse organizations. Instead, what we have seen is a growing level of comfort with the cloud at security-conscious organizations, because a class of service providers now exists that provides security technologies, programs, processes and ongoing monitoring as an integral and critical component of their service. The lingering question for organizations that see compelling reasons to move their commodity infrastructure (such as email) to the cloud is how to retain ownership and control of their data without sacrificing functionality.
The Cloud Security Alliance (CSA) has played a pivotal role in defining and specifying a comprehensive set of controls that are required for cloud service providers (CSPs) to secure their environments (extending to physical security, monitoring and patch management). Where the cloud service provider provides transparent reporting against third-party frameworks such as the CSA's Cloud Controls Matrix moving to the cloud may actually yield information security economies of scale. Even for larger organizations, the CSP's investment in security could reinforce the benefits of having commodity IT infrastructure and operations provided by a CSP.
However, as CSPs secure their platforms and environments, the structural challenge of cloud computing crystallizes. The challenge lies in not only trusting the CSP to hold up security commitments -- but also providing a mechanism for end-users to retain ownership and control of data when it resides and is processed in the cloud.
Certainly, methods exist to encrypt data in place at CSPs at the operating system, database or volume tier. These methods allow the CSP to provide an independent mechanism to separate administration of customer environments from the management of the encryption keys. But what happens when the data is processed? The data must be decrypted for server-side processing, at which point the data is in the clear within the CSP's environment. The higher in the computing stack the processing happens, the more critical it is that the roles and responsibilities are delineated and enforced.
Even though the data resides on their infrastructure, CSPs are compelled to maintain that an organization retains responsibility for its own data. As the CSA notes in its most recent email-as-a-service guidance, it is critical to understand that the customer, and not the cloud service provider, is responsible for the necessary security and encryption protection controls.
The importance of understanding roles and responsibilities is also illustrated through the issue of unauthorized data disclosure. Intersecting with concerns about international data residency, the privacy and protection of emails in the cloud (as well as the scope of existing legislation like the Electronic Communications Act of 1986) are likely to remain a hotly contested area for some time. Cloud providers have to comply with US legislation that mandates they turn over customer data when served with a subpoena. When the end user retains the encryption keys, however, the CSP can hand over only useless gibberish. In order to gain access to the data, law enforcement agencies or other interested parties must re-submit the request to the data owner.
Once ciphertext is incorporated into a software-as-a-service (SaaS) application, some of the features of the service are no longer operational, since server-side processes like search, sort and index cannot function against an encrypted "blob." To fulfill the need for cloud data ownership and control while maintaining service functionality, encryption of data-in-use is required. Encryption of data-in-use is distinct from point-to-point encryption in that the data remains encrypted even while it is being used.
When encryption is applied prior to data transmission over the WAN it is protected across the data's lifecycle: in transit, at rest and in use. The encryption scheme maintains content characteristics allowing server-side operations. The solution is completely transparent to the end user and does not require modifications to the remote application. Data remains unreadable to the cloud service provider while application functionality is preserved.
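The following added example (not code from the original article or from any product it alludes to) shows the key separation described earlier and the data-in-use idea in miniature: a customer-side gateway encrypts message fields before they cross the WAN and attaches keyed search tokens, so the provider can still answer an equality search on the subject line without ever holding the keys or the plaintext. The `EncryptionGateway` class, the `provider_search` function, the sample messages and the HMAC-SHA256-based stream cipher are all assumptions made for this illustration, using only the Python standard library; a production gateway would use AES-GCM or similar.

```python
"""Customer-side encryption gateway with provider-side equality search.
Added example: demonstrates keys staying with the data owner while a SaaS
provider indexes and searches ciphertext. Constructed sample data, stdlib only."""
import hashlib
import hmac
import json
import os

# Constructed sample mailbox; "id" is the only field the provider needs in clear.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Q3 invoice attached", "body": "See the attached PDF."},
    {"id": "m2", "subject": "Team lunch on Friday", "body": "Noon at the usual place."},
]


class EncryptionGateway:
    """Lives on the customer side; holds every key. Nothing here runs at the CSP."""

    def __init__(self, enc_key: bytes, index_key: bytes):
        # Derive independent sub-keys for keystream, integrity tag and search index.
        self._stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
        self._mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
        self._index_key = index_key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Counter-mode keystream from a PRF (HMAC-SHA256); assumed stand-in for AES-CTR.
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._stream_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: str) -> str:
        """Randomized encrypt-then-MAC; returns hex(nonce || ciphertext || tag)."""
        nonce = os.urandom(16)
        data = plaintext.encode("utf-8")
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        return (nonce + ct + tag).hex()

    def decrypt(self, blob: str) -> str:
        raw = bytes.fromhex(blob)
        nonce, ct, tag = raw[:16], raw[16:-16], raw[-16:]
        expected = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode("utf-8")

    def search_token(self, word: str) -> str:
        """Deterministic keyed token ("blind index") for case-insensitive equality search."""
        return hmac.new(self._index_key, word.lower().encode("utf-8"), hashlib.sha256).hexdigest()[:32]

    def protect_message(self, msg: dict) -> dict:
        """What actually crosses the WAN: ciphertext plus tokens, never plaintext or keys."""
        words = set(msg["subject"].lower().split())
        return {
            "id": msg["id"],
            "subject": self.encrypt(msg["subject"]),
            "body": self.encrypt(msg["body"]),
            "index": sorted(self.search_token(w) for w in words),
        }

    def reveal_message(self, stored: dict) -> dict:
        return {"id": stored["id"], "subject": self.decrypt(stored["subject"]),
                "body": self.decrypt(stored["body"])}


def provider_search(store: list, token: str) -> list:
    """Runs inside the CSP: matches opaque tokens only, with no access to keys."""
    return [m["id"] for m in store if token in m["index"]]


def provider_sees_plaintext(store: list, words: list) -> bool:
    """Check what the CSP (or a subpoena served on it) could read from its store."""
    blob = json.dumps(store).lower()
    return any(w.lower() in blob for w in words)


def demo() -> dict:
    gw = EncryptionGateway(os.urandom(32), os.urandom(32))
    store = [gw.protect_message(m) for m in SAMPLE_MESSAGES]
    return {
        "matches": provider_search(store, gw.search_token("Invoice")),
        "provider_reads_plaintext": provider_sees_plaintext(store, ["invoice", "lunch"]),
        "roundtrip_ok": gw.reveal_message(store[0]) == SAMPLE_MESSAGES[0],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter for a practitioner. First, the search tokens are deterministic by construction, which is exactly what lets the provider match them; the cost is that equal words produce equal tokens, so an observer of the store learns which messages share terms even without the key. Second, this scheme preserves equality search only; sort and range operations over ciphertext require order-revealing schemes that leak strictly more, so each server-side feature kept working should be weighed against what its encoding reveals.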
This approach addresses not only current security, compliance and unauthorized disclosure concerns, but also serves the need to independently insulate the data from the cloud service provider's environment while preserving server-side processes.