As the Snowden leaks continued to cause mayhem throughout 2013, many in the cloud industry started to panic. They asked, will customers trust US vendors again? Has the government just cost us scores of non-American customers?
Their anxieties were somewhat justified. Forrester Research went as far to say US cloud, hosting and outsourcing providers could miss out on $180 billion because of the damage done. But there has not been a mass exodus from the world’s biggest public clouds, whether they belong to Amazon, Microsoft or Google.
The initial ire of chief information officers and security heads at their vendors appears to have transformed into pragmatism, which in turn has spawned an increased interest in cloud encryption. One of the biggest problems with cloud (particularly after Snowden) is trust, but the vendors realised if they can crack the problem of trust and security in the cloud through encryption, they can carry on using the same products that appeared to be under threat in the fallout of the surveillance storm.
“The ability to properly protect their data from exposure and surveillance, while simultaneously leveraging the cloud, is the true key to competitiveness moving forward,” says Andy Heather, vice president in EMEA for Voltage Security. “In order to do so, a data protection programme should be developed that ensures privacy and security can be effectively balanced, while still allowing the organisation to leverage the business benefits of moving to the cloud.”
Such a programme, once chief information officers have decided what cloud data they want encrypted, should first revolve around quality key management. If a third-party can provide customers with adequate end-to-end encryption tools, whilst granting them the keys, IT chiefs don’t have to worry so much about government snoops calling on cloud providers to cough up data. Any information they do get will be garbled nonsense and, given how the Snowden revelations also showed how difficult intelligence agencies were finding cracking encryption, they won’t be able to decrypt it.
“There are solutions out there that allow you to do just this – they encrypt your data before it leaves your control, and allow you to retain the key, while still letting the cloud provider operate, search and index that data; technically it’s known as ‘format and operations-preserving encryption’,” says Paul Simmonds, CEO at The Global Identity Foundation and board member at CipherCloud, a cloud encryption service.
“The key here (if you pardon the pun) is who retains the keys - critical to any encryption solution is key ownership, [especially] to the auditor who asks ‘how do you guarantee this data is secure” the answer is ‘because I and not the third party have the key’.”
While key management is critical when choosing a cloud encryption product, IT heads will also want something that is compatible with all cloud services being used within a firm. “As an ex-CISO, I would only want a single strategic product that does all my cloud encryption needs across multiple vendors and is extensible to the latest, greatest cloud service my company wants to implement,” Simmonds adds.
Equally important is checking the quality of encryption standards on offer. “In many ways the key to effective cloud encryption is not just in the use of good encryption algorithms but also in implementation and management of the overall encryption infrastructure and that you as the customer has sole control on that,” Honan says.
“It is important to remember that not all cloud providers may be able to offer encryption, or indeed support third party encryption tools, with their product or service.
There will be increasing nervousness around use of any standards approved by NIST. The organisation has attracted criticism over flawed protocols that the NSA was implicated in abusing. Security company RSA defended itself over claims it took $10 million from the agency to include the flawed Dual Elliptic Curve Deterministic Random Bit Generator in its products by saying it was only following NIST advice. Even though they’re not using flawed standards, most vendors in the cloud encryption market appear to be using NIST-approved mathematics. As a case in point, CipherCloud says it uses “NIST validated-cryptographic algorithms”. The association may be enough to deter the most paranoid.
The big question for IT, though, is who to punt for, if anyone, in this increasingly busy market. Despite the emergence of CipherCloud as one of the frontrunners, Honan says there are no apparent customer favourites. That’s largely because companies are still trying to figure out whether they should encrupt their cloud data in the first place. “As of yet I am not hearing any products being mentioned a lot as the focus is still on should we, or can we, encrypt our data given the latest revelations rather than what shall we use to do this,” he says.
As for competitors, Vaultive, which used to focus largely on Microsoft cloud products, expanded support to various big name Software-as-a-Service products in November, including Box and SAP SuccessFactors. NCrypted also launched earlier this year, but it’s currently only focused on cloud storage services. It’s not dissimilar to the cloud file encryption BoxCryptor has been doing for some time.
American and British vendors could be inadvertently affected by the degradation of trust in US and UK companies, however, as most of the Snowden leaks have implicated intelligence bodies and companies in the long-time allies. It may be time for European firms on the continent to rise up, though few have emerged.
“A lot of trust has been lost with third party providers, in particular US and British providers. Vendors need to look at rebuilding that trust by being as open and transparent as they can on how their systems work, how data is encrypted, what algorithms are there, what access the vendor has to the data and also be transparent with their clients regarding how they deal with interception requests from law enforcement,” Honan adds.
Some, though, may see the extra layer of security an expense too far. “On a large SaaS implementation, add a ball-park figure of 15-20 per cent to the cost of your cloud service for best-in-class security,” adds Simmonds. If you thought cloud was all about saving money and getting extra security without having to fork out for it, think again.
