Cloud computing 2014: Moving to a zero-trust security model
Snowden leaks aren't driving companies away from the cloud, but the disclosures have made them a lot more careful
Computerworld - The leaking of classified documents detailing the data collection activities of the U.S. National Security Agency earlier this year reignited some long-standing concerns about the vulnerability of enterprise data stored in the cloud.
But instead of scaring businesses away from using hosted services, as some experts predicted, the leaks about the NSA spy programs are driving some long overdue changes in enterprise and service provider security and privacy policies.
When Edward Snowden first began spilling details of the NSA's surveillance practices to selected reporters in June, industry analysts had expected that the revelations would put a severe crimp on plans for cloud deployment.
For instance, the Information Technology & Innovation Foundation in August said the leaks could cause U.S. cloud providers to lose 10% to 20% of the foreign market to overseas competitors -- or up to $35 billion in potential sales through 2016.
Another industry group, the Cloud Security Alliance, predicted a similar backlash due to concerns by European companies that the U.S. government would gain access to their data.
Six months later, the impact appears to be less severe than expected.
Despite some reports of slowing sales of cloud services by U.S. vendors to overseas companies, experts now expect that the Snowden leaks will have little effect on long-term sales. The business benefits of using cloud-based services continue to supersede enterprise fears of government snooping.
At the same time, though, the detailing of classified NSA spy programs has prompted an increased emphasis on cloud data security and protection that's expected to grow further in 2014.
The leaks hammered home just how little control companies have over data stored in the cloud, said Richard Stiennon, principal at consulting firm IT-Harvest. "There is a fundamental shift to a zero-trust model in the cloud." The disclosures showed enterprises that "there cannot be any chink in the trust chain from internal resources to the cloud and back."
Analysts say IT security officials are looking at several key areas, such as data encryption, key management and data ownership, regionalization, and the need for increased government transparency, to improve cloud security.
Encryption has gained a lot of attention since the Snowden leaks. Major service providers like Microsoft, Yahoo and Google set the tone by adding end-to-end encryption of data they host and manage for customers.
For instance, Google Cloud Storage now automatically encrypts all new data before it's written to disk. Such server-side encryption will soon be available for older data stored in Google clouds.
Since the NSA programs were disclosed, Microsoft has announced that it plans to ramp up encryption support for various services, including Outlook.com, Office 365, SkyDrive and Windows Azure.
By the end of 2014, Microsoft expects to have measures in place for encrypting data in transit between customer locations and its data centers, and while in transit between its own data centers.
Like Google, Microsoft says it plans to encrypt all stored data in the cloud.
Several other cloud services providers, like Dropbox, Sonic.net and SpiderOak, have announced support for similar data encryption programs, and for features like 2048-bit key lengths and the "Perfect Forward Secrecy" method for future-proofing encrypted data.
Experts say such measures are vital to protecting data traveling between customer companies and cloud service providers.
Information in the classified documents about NSA attempts to weaken encryption algorithms and to tap fiber links connecting service provider data centers provided much of the impetus for these efforts.
Key management and data ownership
The U.S. government's position in its dispute with Lavabit, a secure email services provider, that cloud service firms must hand over their encryption keys when asked, has focused considerable attention on key management and data ownership.
While encryption efforts by service providers are a vital part of improving cloud security, they only go so far, says Eric Chiu, president of HyTrust, a cloud infrastructure management company.