The passage of data to the cloud - who protects it and who manages that protection?

Opinion by Dan Raywood

Research was released earlier this week around encrypting data in the cloud and the management of it.

Research was released earlier this week around encrypting data in the cloud and the management of it.

The Ponemon Institute research, sponsored by Thales, had some rather interesting findings within it, such as that half of the 4,000 business and IT managers surveyed said that they currently transfer sensitive or confidential data to the cloud environment and that 61 per cent of respondents believe cloud adoption has increased their companies' security posture.

Richard Moulds, vice president of product strategy at Thales e-Security, told SC Magazine that the concept boils down to three areas: what is happening now; who is responsible for protecting data; and who is looking after the keys.

He said: “It is the less sophisticated industries that are moving data to the cloud, as they believe the hype or they are more secure, as they know how to do it selectively so they are relatively safe. There is a clear correlation between those putting data in the cloud and security practitioners doing it with clear understanding.”

Two of the findings did catch my eye, and they were around where data encryption is applied and who manages the encryption keys. The research found that 38 per cent of respondents said that their organisations rely on the encryption of data as it is transferred over the network (typically the internet) between the organisation and the cloud, 35 per cent said that the organisation applies persistent encryption data before it is transferred to the cloud provider, while 27 per cent said that they rely on encryption that is applied within the cloud environment.

The question of who manages the encryption keys when data is transferred to the cloud found that 36 per cent of respondents said that their organisation has primary responsibility for managing the keys, while 22 per cent said that the cloud provider has primary responsibility for encryption key management.

I turned to some encryption vendors in this sector to gauge their opinion on some of these findings. Kevin Bocek, VP of marketing at CipherCloud, who recently detailed its concept for encrypting data in the cloud to SC, said that he felt that the research should raise alarms everywhere; specifically that 60 per cent of UK organisations did not know how their cloud provider is protecting their data.

He said: “This indifference is an Information Commissioner's Office (ICO) fine waiting to happen. The ICO is levying £100,000 and more for failing to educate staff on data protection after simple accidents with paper and post. What fines will the ICO levy for an organisation that doesn't know how their cloud provider is protecting data?”

Paul Ayers, VP of EMEA at Vormetric, also commented on the regulatory stance in this instance, saying that enterprise perceptions are evolving in response to more ICO fines, and the proposed European Union Data Protection Regulation.

He said: “While some enterprises look to their cloud service provider to manage encryption, what comes to light when you dig deeper is that the answer depends on specific circumstances – and what the cloud service provider terms of service say around data protection. For Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) environments, it is typically the responsibility of the cloud service provider, while for Infrastructure-as-a-Service (IaaS) the enterprise typically needs to own security.

“This report touches on a topic near and dear to UK and European enterprises as they look to consolidate computer resources and leverage the cloud while adhering to local data protection regulations. Encryption and key management are essential tools that enable enterprises to consolidate data centres and take advantage of the cloud, while still meeting regulatory requirements.”

Speaking to Elad Yoran, CEO of Vaultive, I asked him what he thought of the findings around where data encryption is applied. He said: “It doesn't surprise me. I think that half do not know that a solution exists and it is a question of education and ownership, as you trust a cloud provider to do a good job for service.

“You can believe that a cloud provider is doing a reasonable job when it comes to implementing security and industry best practise, but ownership and control are not addressed. I believe that companies should have ownership of their data if they use the cloud. Some people see it as best practise, I see it as important.”

I also put this question to Brian Spector, CEO of CertiVox, who said that businesses have got to encrypt their own data before sending it to the cloud and have more control of their keys.

This led to discussion of the findings around who manages the encryption keys when data is transferred to the cloud. Yoran said: “I would argue it is never the responsibility of the cloud provider. It is my data, my R&D and my business plan in there and I want to maintain the ownership of the keys, it should never be the responsibility of the cloud provider.

“If data is ever decrypted at the cloud provider level, I would argue that the company who owns the data has lost that data, as once data is decrypted, a lot of bad things can happen.”

In regard to keys management, Spector said this is a grey area. He said: “If you are in a regulated industry it costs, so you need a capability to control keys and recover encrypted data. If a cloud provider has access to keys or has access to cloud data, why are you putting the data out? This is a grey area with key management as long as we use PKI.”

While some people may look at the Ponemon research with a degree of scepticism, it did address the realities of a modern issue – how and when to encrypt and who does it.

The process of encryption is one thing, but doing it for externally-hosted data is a newer process and as for who manages the keys, well surely this is a no brainer?

One final statistic was on how much visibility decision makers had regarding cloud security. The research found that almost two-thirds of respondents did not know what cloud providers were doing in order to protect the sensitive or confidential data entrusted to them.

Moulds said: “It is hard to decide your security posture, can your cloud provider determine your protection? If you lose your data you have to deal with the customer relationship as it is still your brand.

“When you lose data to the cloud, who is responsible? Do you still own it, it has been loaned to the cloud but does the cloud own it and do they protect it?”

This research was pretty enlightening, and in my view worth reviewing should you be interested in putting data in the cloud or be doing it already.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events