Bad pun, but true. I originally talked about this in this post.
Actually, the encryption itself is straightforward. It’s the management of keys that has to be done correctly. Hard ? Yes. Impossible? No. Will market forces provide workable solutions? Yes. The dollars in play are too great.
Some of the emerging solutions will allow you to keep your keys, not the Cloud-service provider. In this case, the Cloud-based provider doesn’t really have your data. Just a random pile of bits. You remain in control of the keys at all times. There are also various approaches where providers sit in the middle of your transactions and encrypt/obfuscate (your choice) data on the fly as it is saved to / retrieved from the cloud provider. Not only is additional protection provided for your information, but it also provides defense-in-depth separation of your information when multi-tenant infrastructure is used by the Cloud provider (e.g. when your data is stored on the same SAN/NAS appliance as your competitor)
There are multiple approaches to how this will be done depending on what level of Cloud service we are talking about. At the IaaS layer, this could be done with kernel driver modules embedded in the Linux/Windows workload that encrypt data as it is written to/from the IaaS file system. At the PaaS layer, this could be a service for applications written on the platform. At the SaaS layer, it could be a feature of the software provider or provided via a third party with the gateway model described above.
Doing encryption right may be hard, but market forces and innovative smart people will (and are) offer multiple approaches to address this in 2010.