06 Aug 2013

Cloud security, sensitive data and the responsibility question

Instance-managed encryption is only acceptable for test/development systems you know will never go into production. Instance-managed encryption means the encryption keys are kept on the virtual disk. In other words, anyone with access to your cloud instance has access to your encryption keys, and hence to your data. In addition, specific cloud operations, such as disk snapshots, will snapshot the encryption keys along with the disk.

For sensitive data in public cloud computing, choose a system with protection for keys in volatile memory (RAM). Don't use a cloud's native encryption capabilities if you have any concern that a cloud administrator is a risk.

As I see it, there are two great points here: one relates to cloud security concerns, the second is interesting for compliance reasons. Protecting keys in RAM (the security concern) is actually not a simple thing to achieve. We have worked extremely hard to create a mechanism which keeps the encryption keys encrypted themselves, even while in use in RAM. To do so, we have used partially homomorphic encryption techniques (fancy name, I know), a world-first implementation of such technology in a cloud security product (you can read more about it here, or download the Porticor white paper for additional information).

Now for the second point: using the IaaS provider's native cloud encryption capabilities means there's a risk that someone (an employee) within the cloud data center can potentially read your data. While an obvious security risk, this is also a compliance issue, as certain regulations (for example PCI) mention separation of duties as a core compliance requirement.

Pick a product designed to handle the more dynamic cloud computing environment.

Microsoft Helped NSA Bypass Cloud Encryption: Report

Then there's the PCI DSS, a worldwide information security standard every organisation must be aware of if they are to protect their credit card and customer account data from unauthorised access and abuse. To meet the PCI specification, companies must protect card data from logical or physical access, and use access controls to separate the duties between administrators and users who access credit card numbers. For businesses, understanding how they should be compliant and meeting regulations for protecting sensitive data in the cloud is one thing, but acting on it is another, and whether down to ignorance or sheer neglect, some organisations have been severely penalised for their failings.

The keys to the door

Another interesting aspect of the Ponemon/Thales e-Security report is the question of cloud encryption and particularly key management. The research suggests that both encryption and formal key management strategies are becoming more common among cloud users. This is a promising sign, especially as in most cases where encryption is being applied, the enterprise manages its own keys. What is a concern, however, is the reported shift to key management being a shared responsibility between the cloud provider and the cloud user. This strikes at the heart of the responsibility question.

news organization released more details on the documents provided by Snowden. "Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept Web chats on the new portal," said The Guardian report. Additionally, the "agency already had pre-encryption stage access to email on, including Hotmail," reported the paper. With the help of the FBI, Microsoft also reportedly helped the NSA give PRISM easier access to its cloud storage service, SkyDrive. Also ensnared in this latest controversy is Skype, the company's massively popular voice and video calling service. "In July last year, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through Prism," revealed the report.

Cloud Encryption Firm CipherCloud Raises $30 Million in Funding

A large part of CipherCloud's partnership strategy involves the company teaming up with enterprise cloud computing heavyweights like Amazon Web Services, Google, Microsoft Cloud, and Salesforce. CipherCloud Gateway is available as a service or virtual appliance, providing a range of security features including tokenization, activity monitoring, and malware detection. As part of the venture funding investment deal, John M. Jack, board partner at Andreessen Horowitz and former CEO of Fortify Software, will join CipherCloud's board of directors. Since its inception in 2010, CipherCloud has rapidly grown its customer base to 40 enterprise clients in eight countries, protecting 1.2 million cloud application users and 100 million customer records. The company's cloud encryption and tokenization gateways enable enterprises to secure private data in real time before it is delivered to the cloud, without affecting performance of the cloud application. Using CipherCloud Connect AnyApp and CipherCloud Database Gateway, customers can extend data protection to hundreds of third-party cloud and private cloud applications and databases. "When I founded CipherCloud it was clear to me that the entire enterprise market was accelerating its move to the cloud," said CipherCloud founder and CEO Pravin Kothari.

