How can I be sure no-one will snoop into my cloud-based data?

Sponsored By: Rogers

One of the biggest inhibitors of public cloud use is the fear that data will not be secure. After all, it’s the “public” cloud, and who knows what evil lurks there.



It is, to some extent, a valid concern. Data stored in the cloud is no longer safely within corporate data centre walls. Even if it resides in a professionally managed facility such as a Rogers data centre that adheres to best practices, it’s still not your facility. However, there’s one precaution that can help put those fears to rest: encryption.

Even if encrypted data can be accessed, all the culprit will see is gibberish, unless he has the encryption keys. But there are best practices associated with encryption, too, and unless they’re followed, you won’t get good results.

First, the data must be encrypted in all three of its possible states: in transit (moving over the wires), at rest (sitting in storage, either in your data centre or in the cloud), and in use. If it’s not, it could be intercepted in its native state and compromised. Second, the encryption keys must be protected. As soon as anyone has both data and keys, the information is vulnerable.

To complicate matters, there are other constraints. It goes without saying that whatever encryption is used should be standards-based, and it must support both structured and unstructured data. It also should not break functionality in applications. For example, if searching and sorting can’t be performed in Salesforce, the software won’t work properly. That’s counter-productive.

Key management can be a challenge too. The cloud provider should not control the encryption keys — the customer should. That way, if a government or legal entity demands access to a dataset, the customer – who owns the data – will be in control. If the provider holds the keys, it can be compelled to grant access to customer data without the customer’s knowledge. It’s ugly, but it’s legal.

There are several ways in which encryption keys can be secured. Customer Managed Keys (CMK) give customers sole control over the ability to manage the encryption keys used to protect their data in the cloud, ensuring it can’t be accessed by anyone, including the provider, without customer consent. Another approach is split-key encryption, in which each data object is encrypted with a key that has two parts: the master key and a second “banker” key. The master key is held by the customer, to prevent unauthorized access.
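A sketch of the split-key idea described above, as an added example that is not part of the original article or any vendor's implementation. It assumes the two parts are combined with HKDF-SHA256 into a per-object AES-256-GCM key, that the “banker” part is the one stored by the cloud service, and that the Python `cryptography` package is available; the function names are hypothetical.

```python
# Added example: split-key encryption sketch (assumed scheme, not a vendor's design).
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

PART_LEN = 32  # each key part is 256 bits


def object_key(master_part: bytes, banker_part: bytes, object_id: str) -> bytes:
    """Derive a per-object AES-256 key; both parts are required inputs."""
    if len(master_part) != PART_LEN or len(banker_part) != PART_LEN:
        raise ValueError("each key part must be exactly 32 bytes")
    hkdf = HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"split-key-object:" + object_id.encode())
    # Fixed-length parts make the concatenation unambiguous.
    return hkdf.derive(master_part + banker_part)


def encrypt_object(master_part, banker_part, object_id, plaintext: bytes) -> bytes:
    key = object_key(master_part, banker_part, object_id)
    nonce = os.urandom(12)  # fresh 96-bit nonce for every encryption
    # The object id is authenticated as associated data, binding ciphertext to it.
    return nonce + AESGCM(key).encrypt(nonce, plaintext, object_id.encode())


def decrypt_object(master_part, banker_part, object_id, blob: bytes) -> bytes:
    key = object_key(master_part, banker_part, object_id)
    return AESGCM(key).decrypt(blob[:12], blob[12:], object_id.encode())


def provider_alone_can_decrypt(banker_part, object_id, blob) -> bool:
    """Model the provider side: it holds the banker part but not the master."""
    try:
        # All-zero bytes stand in for a master part the provider does not have.
        decrypt_object(bytes(PART_LEN), banker_part, object_id, blob)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    master = os.urandom(PART_LEN)  # constructed sample: stays with the customer
    banker = os.urandom(PART_LEN)  # constructed sample: stored by the cloud service
    blob = encrypt_object(master, banker, "invoices/2024-001", b"constructed record")
    print(decrypt_object(master, banker, "invoices/2024-001", blob))
    print("provider alone:", provider_alone_can_decrypt(banker, "invoices/2024-001", blob))
```

Because the object identifier feeds both the key derivation and the authenticated data, a ciphertext moved to a different object name fails to decrypt.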

These are but a few of the things to think about when contemplating encryption for data security. The Cloud Security Alliance, an organization dedicated to promoting security best practices in the cloud, has published a white paper detailing further considerations. It’s well worth a read.


Lynn Greiner
Lynn Greiner has been interpreting tech for businesses for over 20 years and has worked in the industry as well as writing about it, giving her a unique perspective into the issues companies face. She has both IT credentials and a business degree.