Thales Blog

Cloud Computing And Encryption

January 15, 2012

The rapid advances in computing platforms and technology has provided significant resources, capacity, and processing capabilities to companies across a wide variety of industries. It provides a greater level of flexibility in a cost-effective manner. In a budget conscious business environment, improving network capacity and stability while maintaining a keen eye on the bottom line will always win support from the boardroom. In September 2011, Forbes published an article entitled “The Economic Benefit of Cloud Computing,” in which the author went so far as to describe the rapid adoption of cloud technology as “a significant shift in the business and economic models for provisioning and consuming information technology (IT) that can lead to a significant cost savings.”The advent of cloud computing, though, brings with it concerns about security and compliance. Can an organization achieve both business and compliance objectives using cloud computing platforms?

Questions about “security in the cloud” have plagued the platform. Security experts have debated the utility of the cloud in the face of repeated, increasingly sophisticated attacks by data thieves. In fact, securing data in the cloud is possible. Recent research from the Weizmann Institute at MIT suggests that it is possible to analyze data while it is still encrypted, producing an encrypted result that can later be decrypted. This work is still relatively nascent, but that does not mean that security and compliance are out of reach for present-day implementations of cloud platforms.

When evaluating a solution to help protect data in the cloud there are a number of factors that should be considered. Following is a list of a few of the more prominent concerns. It is also important to remember that data in the cloud should be afforded the same level of protection as data that would be resident in an organization’s own environment. It should be noted that this list is not exhaustive, but merely representative of issues that should be addressed.

Accountability and Separation of Duties – Protecting data in the cloud means that only those with appropriate authorization should be allowed to access the data. This should be enforced by the proper use of credentials. IT administrators, for example, should be able to perform their tasks without necessarily accessing sensitive data.

Granular Controls - Data should be protected at all levels. That means that protection of the data should be enforced through encryption (preferably at the file level), access control policies, and the ability to audit usage at the server instance level, process, and user layers.

Comprehensive Coverage – It is not sufficient to protect only structured data. Sensitive data takes on a variety of forms and a comprehensive solution will allow an organization to protect that data, regardless of what form it takes.

The introduction of new technologies to the business world can be very exciting, particularly if they bring with it both economic and operational advantages, as well. It is important, however, to ensure that these new technologies are adopted in such a way that they do not compromise the level of security surrounding sensitive data.