By saying that encryption is not enough for cloud security, I don’t mean that you also need other types of protection like server security, identity management, etc. I think most people deploying cloud computing plan to implement more than encryption for security. What I mean is that encryption alone is not enough in an encryption solution when it comes to cloud environments.
Of course, industry-standard encryption is essential, but it’s table stakes. When dealing the multi-tenant nature of the public cloud, or even the inter-departmental shared resources of a private cloud, how encryption keys are stored and accessed is at least equally as important to securing data.
Policy-based key management can limit where and when data can be accessed. For example, some data privacy regulations specify that data can only be accessed in certain geographic locations. With the public cloud, service providers can have multiple data centers across different regions, and may move data without the customer’s knowledge for availability or to make the best use of resources. In these circumstances, encryption with policy-based key management can help ensure that data is only accessed in permitted locations.
Yesterday at VMworld, Trend Micro gave a presentation on “Dealing with Data Mobility—What to Do When Your Data Decides to Leave” (see Trend Micro’s VMworld activities). This presentation was inspired by Dan Crowe’s blog on data motility. Both discuss how to address the movement of data in the cloud, using encryption as well as other approaches.
When using shared computing environments, you also want to limit which servers can gain access to your data. When a server makes an encryption key request, the encryption solution must be able to authenticate the server. And server authentication can go beyond identity-based validations and include integrity checks as well, ensuring that the requesting server has up-to-date security in place before releasing the encryption keys.
Trend Micro SecureCloud offers all of the components discussed above with simple, policy-based key management, and unique server authentication using identity-based and integrity-based validation. This week, Trend Micro announced that SecureCloud now works with Trend Micro Deep Security for more in-depth integrity checks. Deep Security is a server security platform that protects physical, virtual, and cloud servers. SecureCloud communicates with Deep Security to get the security status of a requesting server before releasing keys. If Deep Security determines that a requesting server has out-of-date or inadequate protection, or has been compromised by an attack, keys are not released. Keys can also be revoked or redistributed as the security status of a server changes.
Key ownership is another important element in encryption solutions. If you only want to apply encryption to a particular public cloud service, accessing encryption through the service provider can be an easy add-on when available. However, if you want an encryption solution that can be used with data stored in physical, virtual, and cloud servers, and even across cloud vendors, then you’ll want to retain key ownership in a solution that lets you manage encryption across all of those deployments. This also maintains a separation of duties between you and your service provider. And there are different key service options, such as on premise or through a SaaS solution, depending on what best meets your needs.
So the “encryption” in an encryption solution is really just the beginning. Encryption for the cloud must be more context aware and let you more granularly control data access.