The do's and don'ts of safeguarding cloud-based data with encryption
A good way to secure sensitive data in the cloud is encryption. But there are trade-offs.
Computerworld - One of the biggest stumbling blocks for companies contemplating entrusting a cloud-computing vendor with their data is the risk of unintended data exposure. A lot of data is sensitive. It might contain employees' financial information, patients' statutorily protected health information, other regulated information or proprietary intellectual property. Quite often, companies feel more control when they keep that sort of data in-house. But the risk that a cloud vendor might not handle your information as securely as you'd like can be mitigated.
One good way to do that is with encryption. An encryption algorithm encodes data, rendering it unreadable to those who don't possess the decoding key. The idea is that, if encrypted data falls into the wrong hands, it will be of little or no use without the encryption key. This can help mitigate concerns related to the data being hacked or even being legitimately accessed by a government, which is a particular concern when the data center where the data is being stored by the cloud vendor is located in a foreign country.
If you're depending on encryption to protect your cloud-based data, you'll need to determine how the cloud vendor facilitates encryption. Questions to ask include the following:
* Does the cloud vendor encrypt your data both at rest and in transit?
* What level of encryption does the cloud vendor employ (128-bit, 256-bit, etc.)?
* Who has access to the encryption key (customer, cloud vendor, third parties, key escrow)?
* What encryption standards have been employed by the cloud vendor? For example, Federal Information Processing Standard (FIPS) 140-2?
*How are encryption keys managed, and where is the encryption key located?
This last question is particularly important because sloppy handling of the key can negate the value of encryption. For example, in December 2011, SpecialForces.com was hacked by the hacktivist group Anonymous). SpecialForces.com's data was encrypted, but those diligent Anonymous folks hacked in again, found and accessed the encryption keys, used them to decrypt the data obtained during the initial hack, and posted that data on the Web for public viewing.
Even when used and configured appropriately, encryption isn't always a silver bullet. As with most risk mitigation strategies, there's a trade-off between costs and benefits. Risk might go down with encryption, but adding encryption typically increases the total cost of using a cloud solution. What's more, adding encryption can result in slowed or diminished performance due to the extra steps introduced into the process. And in reducing one risk, an entirely new one is introduced: If the encryption key is lost, the data can no longer be decrypted and essentially becomes useless, even to the customer.
Other columns by Thomas Trappler
- NASA's cloud audit holds value for all
- Who can pry into your cloud-based data?
- Does your cloud vendor protect your rights?
- Software licensing in the cloud
- For credit card handlers, cloud computing guidelines just got clearer
- Regulations and the cloud: HIPAA modification provides clarity
- Certification programs are making it easier to know all about a cloud vendor
- The do's and don'ts of safeguarding cloud-based data with encryption
- For a good cloud contract, start with an RFP
- It takes a team to create a good cloud contract
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Maximize Strategic Flexibility by Building an Open Hybrid Cloud Choosing how to build a cloud is the biggest strategic decision IT leaders will make this decade. It determines their organizational competitiveness, flexibility,...
- ESG: The IBM FlashSystem 840: Technical Evolution to Deliver Business Value In this whitepaper, you will learn how this high-speed storage technology has tremendous potential to support I/O-intensive and/or latency-sensitive applications.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Cloud Computing White Papers | Webcasts