Cloud computing 2014: Moving to a zero-trust security model
Snowden leaks aren't driving companies away from the cloud; but the disclosures have made them a lot more careful
Computerworld - The leaking of classified documents detailing the data collection activities of the U.S. National Security Agency earlier this year reignited some long-standing concerns about the vulnerability of enterprise data stored in the cloud.
But instead of scaring businesses away from using hosted services, as some experts predicted, the leaks about the NSA spy programs are driving some long overdue changes in enterprise and service provider security and privacy policies.
When Edward Snowden first began spilling details of the NSA's surveillance practices to selected reporters in June, industry analysts had expected that the revelations would put a severe crimp on plans for cloud deployment.
For instance, the Information Technology & Innovation Foundation in August said the leaks could cause U.S. cloud providers to lose 10% to 20% of the foreign market to overseas competitors -- or up to $35 billion in potential sales through 2016.
Another industry group, the Cloud Security Alliance, predicted a similar backlash due to concerns by Europen companies that thje U.S. government would access to their data.
Six months later, the impact appears to be less severe than expected.
Despite some reports of slowing sales of cloud services by U.S. vendors to overseas companies, experts now expect that the Snowden leaks will have little effect on long-term sales. The business benefits of using cloud-based services continue to supersede enterprise fears of government snooping.
At the same time though, the detailing of classified NSA spy programs has prompted an increased emphasis on cloud data security and protection that's expected to grow further in 2014.
The leaks hammered home just how little control companies have over data stored in the cloud, said Richard Stiennon, principal at consulting firm IT-Harvest. "There is a fundamental shift to a zero-trust model in the cloud." The disclosures showed enterprises that "there cannot be any chink in the trust chain from internal resources to the cloud and back."
Analysys say IT security officials are looking at several key areas, such as data encryption, key management and data ownership, regionalization, and the need for increased government transparency, to improve cloud security.
Encryption has gained a lot of attention since the Snowden leaks. Major service providers like Microsoft, Yahoo and Google set the tone by adding end-to-end encryption of data they host and manage for customers.
For instance, Google Cloud Storage now automatically encrypts all new data before it's written to disk. Such server-side encryption will soon be available for older data stored in Google clouds.
Since the NSA programs were disclosed, Microsoft has announced that it plans to ramp up encryption support for various services, including Outlook.com, Office 365, SkyDrive and Windows Azure.
By the end of 2014, Microsoft expects to have measures in place for encrypting data in transit between customer locations and its data centers, and while in transit between its own data centers.
Like Google, Microsoft says it plans to encrypt all stored data in the cloud
Several other cloud services providers, like Dropbox, Sonic.net and SpiderOak, have announced support for similar data encryption programs, and for features like 2048-bit key lengths and the "Perfect Forward Secrecy" method for future-proofing encrypted data.
Experts say such measures are vital to protecting data traveling between customer companies and cloud service providers.
Information in the classified documents about NSA attempts to weaken encryption algorithms, and to tap fiber links connecting service provider data centers provided much of the impetus for these efforts.
Key management and data ownership
The U.S. government's position in its dispute with Lavabit, a secure email services provider, that cloud service firms must hand over their encryption keys when asked, has focused considerable attention on key management and data ownership.
While encryption efforts by service providers are a vital part of improving cloud security, they only go so far, says Eric Chiu, president of HyTrust, a cloud infrastructure management company.
- Enterprises increasingly look to the private cloud
- Without the cloud, Microsoft may lose grasp on the enterprise
- How the cloud can make IT shops more innovative
- Business users bypass IT and go rogue to the cloud
- HP looks to ease enterprise IT cloud fears
- Afraid of the cloud? How to handle your fears
- 5 reasons why Google can catch Amazon in the cloud
- Public cloud market ready for 'hypergrowth' period
- Cloud security concerns are overblown, experts say
- Cloud computing 2014: Moving to a zero-trust security model
- Mission Critical: Managing Mobile Applications & Content Smartphones, tablets and other mobile devices have become embedded in enterprise processes, thanks to the consumerization of IT and a new generation of...
- Planning for Mobile Success Many organizations are seeing clear and quantifiable benefits from the deployment of mobile technologies that provide access to data and applications any time,...
- The Challenges and Opportunities of Mobile Application Development Nearly all business users now demand mobile devices--their own or company-owned--along with anywhere access to corporate applications and data. What turns mobile devices...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!