Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Encryption Will be a Key Foundation for Cloud Security

by Neil MacDonald  |  February 22, 2010  |  5 Comments

Bad pun, but true. I originally talked about this in this post.

Actually, the encryption itself is straightforward. It’s the management of keys that has to be done correctly. Hard? Yes. Impossible? No. Will market forces provide workable solutions? Yes. The dollars in play are too great.

Some of the emerging solutions will allow you to keep your keys rather than handing them to the Cloud-service provider. In that case the provider doesn’t really have your data, just a random pile of bits; you remain in control of the keys at all times. There are also various approaches where a provider sits in the middle of your transactions and encrypts or obfuscates (your choice) data on the fly as it is saved to and retrieved from the cloud provider. Not only does this provide additional protection for your information, it also provides defense-in-depth separation of your information when the Cloud provider uses multi-tenant infrastructure (e.g. when your data is stored on the same SAN/NAS appliance as your competitor’s).

There are multiple approaches to how this will be done, depending on what level of Cloud service we are talking about. At the IaaS layer, this could be done with kernel driver modules embedded in the Linux/Windows workload that encrypt data as it is written to, and decrypt it as it is read from, the IaaS file system. At the PaaS layer, this could be a service offered to applications written on the platform. At the SaaS layer, it could be a feature of the software provider or be provided by a third party using the gateway model described above.

Doing encryption right may be hard, but market forces and innovative, smart people are offering (and will continue to offer) multiple approaches to address this in 2010.
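As an added illustration of the "you keep the keys" model the post describes (this is example code written for this page, not code from the original post or from any vendor it alludes to): a customer-side envelope-encryption sketch in Python. The customer holds a key-encrypting key (KEK) that never leaves its premises, wraps a fresh per-object data key (DEK) under it, and hands the provider only ciphertext plus the wrapped DEK. The names `Customer`, `seal`, `unseal`, `provider_view_leaks` and `tamper_detected`, and the in-memory `store` dict standing in for the provider's storage, are assumptions of this example. It uses only the Python standard library, so the cipher is HMAC-SHA256 run as a PRF in counter mode with an encrypt-then-MAC tag; that construction stands in for an AEAD such as AES-GCM, which is what a real deployment would use.

```python
"""Customer-held keys for cloud storage (envelope encryption). Added example.

The provider's store receives only ciphertext plus a per-object data key
wrapped under a key-encrypting key (KEK) that never leaves the customer.
Stdlib only: HMAC-SHA256 as a PRF in counter mode plus an encrypt-then-MAC
tag stands in for AES-GCM. Class and function names are hypothetical.
"""
import hashlib
import hmac
import math
import secrets
import struct
from collections import Counter

NONCE_LEN = 16
TAG_LEN = 32

def _subkey(key, label):
    """Derive distinct encryption and MAC keys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """PRF in counter mode: concatenate HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    for counter in range(math.ceil(length / 32)):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])

def _mac(key, aad, nonce, ct):
    """Tag over length-prefixed aad, nonce and ciphertext (no boundary ambiguity)."""
    msg = struct.pack(">Q", len(aad)) + aad + nonce + ct
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()

def seal(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag; aad (here the object name) is bound by the tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _mac(key, aad, nonce, ct)

def unseal(key, blob, aad=b""):
    """Check the tag in constant time before decrypting; reject any change."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, aad, nonce, ct)):
        raise ValueError("authentication failed: modified blob or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

class Customer:
    """Holds the KEK on premises; the provider only ever sees sealed bytes."""

    def __init__(self):
        self.kek = secrets.token_bytes(32)  # never sent to the provider

    def put(self, store, name, data):
        dek = secrets.token_bytes(32)  # fresh data-encrypting key per object
        store[name] = {"ciphertext": seal(dek, data, name.encode()),
                       "wrapped_dek": seal(self.kek, dek, name.encode())}

    def get(self, store, name):
        rec = store[name]
        dek = unseal(self.kek, rec["wrapped_dek"], name.encode())
        return unseal(dek, rec["ciphertext"], name.encode())

    def rotate_kek(self, store):
        """Change the KEK by re-wrapping each DEK; bulk ciphertext is untouched."""
        new_kek = secrets.token_bytes(32)
        for name, rec in store.items():
            dek = unseal(self.kek, rec["wrapped_dek"], name.encode())
            rec["wrapped_dek"] = seal(new_kek, dek, name.encode())
        self.kek = new_kek

def shannon_entropy(data):
    """Bits per byte: structured text sits well below 8, ciphertext close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def provider_view_leaks(store, name, fragment):
    """A check the customer can run: does anything stored contain plaintext?"""
    rec = store[name]
    return fragment in rec["ciphertext"] or fragment in rec["wrapped_dek"]

def tamper_detected(customer, store, name):
    """Corrupt one stored ciphertext byte and confirm get() refuses to return data."""
    blob = bytearray(store[name]["ciphertext"])
    blob[NONCE_LEN] ^= 0x01
    store[name]["ciphertext"] = bytes(blob)
    try:
        customer.get(store, name)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    store, alice = {}, Customer()  # constructed sample; dict = provider storage
    alice.put(store, "orders.csv", b"acct=ACME-0001;balance=1200;" * 150)
    print("entropy of stored bytes:", round(shannon_entropy(store["orders.csv"]["ciphertext"]), 2))
    print("plaintext visible to provider:", provider_view_leaks(store, "orders.csv", b"ACME"))
```

Three things the script shows that the paragraph only asserts: the bytes held by the provider carry no plaintext structure (a byte-entropy and substring check the customer can run independently, without trusting anyone's word for it); rotating the KEK re-wraps only the small per-object DEKs, so key changes do not require re-encrypting bulk data; and because the tag is checked before decryption, any alteration of a stored object is refused rather than silently returning garbage.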

Category: Cloud Information Security Next-generation Security Infrastructure

5 responses so far

  • 1 Michael Lambrellis   February 24, 2010 at 1:27 am

    > There are also various approaches where providers sit in the middle of your transactions and encrypt/obfuscate (your choice) data on the fly as it is saved to / retrieved from the cloud provider.

    Sorry, but doesn’t this just transfer the need for trust from the cloud provider to the “obfuscation” provider? Additionally, you now have to trust their “obfuscation” technology (the efficacy of which most clients are not in a position to independently verify).

  • 2 Margaret Dawson   February 24, 2010 at 11:00 am

    You are spot on, Neil. Encryption of the data in the cloud (both in motion and at rest) is vital, but most people don’t realize they need to ask any cloud vendor (whatever the flavor of “aaS”) about its key management process. How is the key protected, stored, audited, managed, changed, etc.? Also, it’s smart for the vendor (particularly if they are PCI compliant) to utilize KEK (key encrypted keys). Nice to chat security with you again!!

  • 3 Neil MacDonald   February 24, 2010 at 3:43 pm

    Michael, good points.

    Agree that if you choose an approach with another provider in the middle performing the encryption/obfuscation then you now must trust their ability to manage your keys (and in the case of obfuscation, their algorithms).

    On the first point, indeed I have seen cases where the client trusts the intermediary more than the cloud provider – so this model works. This is just one example of an emerging market of cloud brokers that my colleague, Daryl Plummer, writes about, and trust of the broker (and a single point of accountability) is part of the appeal of this type of model. Also – agree completely on the algorithms, and John Pescatore made this point recently in his blog on striping/obfuscation and encryption. If used, these need to be subjected to public scrutiny.

  • 4 Neil MacDonald   February 24, 2010 at 3:47 pm

    Margaret,

    It will also depend on what layer of cloud infrastructure we are talking about. At the IaaS layer, we don’t have to be dependent on the cloud-provider to do this. There are solutions that we can package within the VM and place in the cloud that are transparent to the IaaS provider.

    At other layers, (like hupspan PaaS) we are much more dependent on the *aaS provider to enable this.

    Neil

  • 5 Philam Osi   March 2, 2010 at 2:35 am

    I agree, doing encryption is not easy. It is vital for companies who are adopting this emerging technology to be more knowledgeable, to avoid complicated issues or risks to their businesses.

    People around the globe are debating this cloud computing.