There is an old adage IT of particular relevance to data security in cloud services that goes: if it moves, encrypt it. Today, of course, it would probably be edited slightly, to read: if it exists as data, encrypt it. This is particularly relevant as the stories continue to emerge surrounding the US NSA PRISM saga, and countries start to view with each other as the best `safe haven’ for securely storing data.
And when it comes to cloud services, even some of the recommended encryption technologies are not that useful. As the PRISM saga has already shown, the US authorities have legal rights, under laws such as the Foreign Intelligence Surveillance Act (FISA) to access data stored on US-based systems. With cloud data often traversing the world when routed from place to place, regardless of where it is actually stored, data in transit can be argued to be `in’ a country and therefore legally accessible to the authorities, without the knowledge of the owners of the data.
Indeed, the European Union is getting in on the act with renewed energy being put into plans for EU-wide data privacy laws. The EU Vice President and Commissioner for Justice, Viviane Reding, has called the PRISM saga ` wake-up call that should boost efforts to strengthen existing privacy laws.
Reding has recently issued an appeal for member states to move forward on a data protection bill that includes cloud service providers, and place the bill on the agenda of an EU summit in the autumn.
But when it comes to data security in the cloud, legislation is always likely to lag behind developments out in the field, so as Paige Leidig, senior vice president at CipherCloud points out, the real need is that EU and global businesses need to resolve data residency issues themselves and protect their sensitive information in transit and at rest with cloud service providers.
“This underscores how critically important it is that businesses control and secure their own data in the cloud, and not rely solely on their cloud service provider,” he said. “It boils down to encrypting sensitive information in the cloud and making sure the business retains exclusive control of their encryption keys. This is the only way to prevent any cloud service providers from revealing confidential information without involving the information owner.
In his view, retaining and controlling the keys to encrypt and decrypt the information means any EU or global business can immediately prevent unauthorised access to their information in the cloud.
This then raises some interesting questions on possible new encryption technologies there are coming along that might further the cause.
CipherCloud claims to be providing encryption security to more than 1.2 million users and more than 100 million customer records around the globe. Its services are available on Microsoft Office 365, Google Gmail, Amazon Web Services (AWS) and many other leading cloud service providers. It delivers an open platform with security controls such as encryption, tokenisation, cloud data loss prevention, cloud malware detection, and activity monitoring. Users also retain control of their encryption keys, so no one else can access their information.
There is a possible argument growing that the encryption key approach still has some weaknesses, however, for if it can be obtained, the data values become available. There is now discussion growing on other approaches, such as homomorphic encryption.
This approach would seem to be well-suited to the collaborative services model that underpins an increasing about of cloud service delivery. In essence, it allows disparate services, from different service providers, to be chained together to deliver a result without exposing any real data to participants. A multi-stage retail transaction, for example, would include not just the transaction between the customer and retailer, but also the retailer’s transactions with supplier, logistics service providers, banking institutions and the rest – all in real time.
Homomorphic encryption shows promise as a means of processing these transactions without leaking data along the way.