Bad pun, but true. I originally talked about this in this post.
Actually, the encryption itself is straightforward. It’s the management of keys that has to be done correctly. Hard? Yes. Impossible? No. Will market forces provide workable solutions? Yes. The dollars in play are too great.
Some of the emerging solutions will allow you, not the Cloud-service provider, to keep your keys. In this case, the Cloud-based provider doesn’t really have your data. Just a random pile of bits. You remain in control of the keys at all times. There are also various approaches where providers sit in the middle of your transactions and encrypt/obfuscate (your choice) data on the fly as it is saved to / retrieved from the cloud provider. Not only does this provide additional protection for your information, it also provides defense-in-depth separation of your information when multi-tenant infrastructure is used by the Cloud provider (e.g. when your data is stored on the same SAN/NAS appliance as your competitor's).
There are multiple approaches to how this will be done depending on what level of Cloud service we are talking about. At the IaaS layer, this could be done with kernel driver modules embedded in the Linux/Windows workload that encrypt data as it is written to / read from the IaaS file system. At the PaaS layer, this could be a service for applications written on the platform. At the SaaS layer, it could be a feature of the software provider or provided via a third party with the gateway model described above.
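The customer-held-key gateway model described above, as an added Go example that is not from the original post: data is encrypted before it reaches the provider, so shared storage holds only ciphertext and a second tenant's key cannot open it. The `Gateway` type, its method names and the in-memory `Cloud` map standing in for provider storage are assumptions made for illustration, and AES-256-GCM is one reasonable cipher choice, not one the post names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Gateway is a hypothetical encrypting proxy placed in front of cloud storage.
type Gateway struct {
	Key   []byte            // customer-held AES-256 key; never sent to the provider
	Cloud map[string][]byte // constructed stand-in for shared multi-tenant storage
}

func must[T any](v T, err error) T { // panics on a bad key length or RNG failure
	if err != nil {
		panic(err)
	}
	return v
}

func (g *Gateway) aead() cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(g.Key)))) }

// Put stores nonce || ciphertext || tag; the object name is bound in as AAD,
// so the provider cannot swap one stored object for another undetected.
func (g *Gateway) Put(name string, data []byte) {
	nonce := make([]byte, 12)
	must(rand.Read(nonce))
	g.Cloud[name] = g.aead().Seal(nonce, nonce, data, []byte(name))
}

// Get fails authentication on tampering, renaming, or any other tenant's key.
func (g *Gateway) Get(name string) ([]byte, error) {
	blob := g.Cloud[name]
	if len(blob) < 12 {
		return nil, fmt.Errorf("object %q missing or truncated", name)
	}
	return g.aead().Open(nil, blob[:12], blob[12:], []byte(name))
}

func main() {
	a := &Gateway{Key: make([]byte, 32), Cloud: map[string][]byte{}}
	must(rand.Read(a.Key)) // constructed demo key
	a.Put("report", []byte("constructed sample"))
	pt, err := a.Get("report")
	fmt.Printf("%s %v\n", pt, err)
}
```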
Doing encryption right may be hard, but market forces and innovative smart people will offer (and already are offering) multiple approaches to address this in 2010.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.