Encryption is not new - in fact, systems for ensuring message secrecy have been around for millennia. What is new is the unprecedented variety of options that enterprises now have at their disposal to encrypt data and the potential complexity that brings. The rise of cloud computing means there's now another chair at the table – the cloud service provider – which requires a new examination of trust models.
Of course, effective cryptography depends not only on the ability to encrypt data, but also on the management and control of the keys needed to decrypt and make sense of the information. While the cloud presents significant economic and operational benefits for enterprises, it also poses a substantial security risk. Organisations must decide how much control they are willing to relinquish to their cloud provider: where data should be encrypted and, crucially, who should hold the keys.
A recent Encryption in the Cloud study found that 53 per cent of enterprises are already transferring or planning to transfer sensitive data into the cloud - yet over half say they don't know what steps are taken by their cloud provider to secure their sensitive data. In addition, there appears to be a great deal of confusion about who has primary responsibility for protecting sensitive data in the cloud environment.
The general perception, for 41 per cent of respondents, is that security is the responsibility of the cloud provider. Meanwhile, 29 per cent believe it to be the responsibility of the user while 22 per cent think users and providers should take joint responsibility.
This confusion and lack of trust in cloud providers have had a knock-on effect on how and where enterprises choose to encrypt their data - 35 per cent of businesses now encrypt data before it enters the cloud, where it will remain encrypted. Although theoretically the safest option, this cautious approach significantly restricts the value the cloud can deliver. For example, you cannot search, filter, or perform analytics on encrypted data.
As enterprises seek to balance trust and control, and ownership of encryption and key management, an 'encryption quadrant' begins to emerge:
The Encryption Quadrant
1. Keep Control
Both encryption and key management are done in the enterprise
For those enterprises sceptical of cloud security, this is the safest option. Because sensitive data is neutralised before it leaves the enterprise, there is minimal risk of loss or abuse. Only encrypted data is sent into the cloud, where it is useless to an attacker - anyone who needs access to the data must come to you for the keys.
Verdict: Although this is the most secure scenario, it does limit some of the benefits of the cloud; data can be stored but that's about all.
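An added example, not part of the original article, of the "Keep Control" quadrant: data is sealed with AES-256-GCM inside the enterprise, and a provider-side search over the stored blob finds nothing, which is the trade-off the verdict describes. The Search, Seal and Open functions, the object name and the payroll record are assumptions constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Search is all the provider can do on its side: match bytes in the blobs it stores.
func Search(store map[string][]byte, term string) (hits []string) {
	for name, blob := range store {
		if bytes.Contains(blob, []byte(term)) {
			hits = append(hits, name)
		}
	}
	return hits
}

// Seal runs inside the enterprise; the object name is bound as associated data.
func Seal(a cipher.AEAD, name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, plaintext, []byte(name)), nil // nonce || ciphertext || tag
}

// Open fails for a wrong key, a renamed object, or a modified blob.
func Open(a cipher.AEAD, name string, blob []byte) ([]byte, error) {
	n := a.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob is %d bytes, shorter than the nonce", len(blob))
	}
	return a.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key := make([]byte, 32) // AES-256 key, generated and held only by the enterprise
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(key) // errors only on a bad key length
	aead, _ := cipher.NewGCM(block)
	blob, _ := Seal(aead, "hr/payroll.csv", []byte("name,salary\nA. Sample,52000\n")) // constructed record
	pt, err := Open(aead, "hr/payroll.csv", blob)
	fmt.Println(Search(map[string][]byte{"hr/payroll.csv": blob}, "salary"), string(pt), err)
}
```

The provider-side search returns no hits for a term that is present in the plaintext, while the key holder recovers the record intact.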