The Cloud Has ‘Key’ Problems
We all observe basic security practices in our daily lives and they work for us, generally. The keys to a house should be owned and managed by the resident, not the house builder or the landlord, because the resident owns the assets within the house.
When it comes to assets in terms of the enterprise data sent across to the cloud providers, whether it is infrastructure, platform or software as a service, the ownership and more importantly, the control of this data should rest with the enterprise.
It is the cloud service providers, akin to the house builders, who should enable security by fitting good locks on the doors and windows. An important data protection control in this enablement for enterprise information security is encryption, and key management is an integral part of encryption, as a key chain is for a set of locks in a house.
In the wake of recent disclosures on clandestine mass electronic surveillance programs by governments, the problem of data ownership and encryption has gained much needed visibility. Hence, encryption and key management have received higher priority amongst the features requested by enterprise customers.
Encryption should not be limited to a checklist exercise to comply with various regulatory requirements. For cloud data protection against the ‘new-world’ threats, it is not enough for cloud service providers to offer encryption using their own keys.
The keys should be generated and managed by the ‘residents’.
The Current State of Keys
Last month, Amazon S3 announced an important feature that lets users provide their own keys to encrypt data on Amazon S3. This new feature is accessible via the S3 APIs. This covers object storage for data at rest. Similar user control features are needed for block storage, identity management and databases before data in memory (data in use) can be addressed.
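To make the S3 feature concrete, here is an added example (not code from the article or from Amazon) that builds the request headers a client sends when it supplies its own key. The three header names and the AES256 algorithm value are taken from the S3 customer-provided-key API; the MD5 digest is computed over the raw key bytes, not over the base64 text. The KeyRing class is a hypothetical client-side key store, included to show that the service never retains the key, so the ‘resident’ must keep it and map it to each object.

```python
import base64
import hashlib
import secrets

# Request headers defined by Amazon S3 for server-side encryption with a
# customer-provided key. S3 uses the key for one request and discards it,
# so the client is the only place the key persists.
HDR_ALGO = "x-amz-server-side-encryption-customer-algorithm"
HDR_KEY = "x-amz-server-side-encryption-customer-key"
HDR_KEY_MD5 = "x-amz-server-side-encryption-customer-key-MD5"

KEY_BYTES = 32  # a 256-bit AES key is required


def generate_key() -> bytes:
    """Generate a fresh 256-bit key on the client side (the 'resident')."""
    return secrets.token_bytes(KEY_BYTES)


def ssec_headers(key: bytes) -> dict:
    """Build the three customer-key headers for a raw 32-byte key."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"key must be {KEY_BYTES} bytes, got {len(key)}")
    return {
        HDR_ALGO: "AES256",
        HDR_KEY: base64.b64encode(key).decode("ascii"),
        # MD5 of the raw key bytes: an integrity check that the key survived
        # transport intact, not a secrecy mechanism.
        HDR_KEY_MD5: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def check_ssec_headers(headers: dict) -> bool:
    """Repeat the consistency checks the service applies to the headers.

    Handy as a unit test for a client wrapper: a wrong algorithm, a key of
    the wrong length, or a stale digest left behind by a key rotation are all
    caught before the request leaves the client.
    """
    try:
        if headers[HDR_ALGO] != "AES256":
            return False
        key = base64.b64decode(headers[HDR_KEY], validate=True)
        if len(key) != KEY_BYTES:
            return False
        expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
        return expected == headers[HDR_KEY_MD5]
    except (KeyError, ValueError):  # binascii.Error is a ValueError subclass
        return False


class KeyRing:
    """Hypothetical client-side key store: one key per object.

    Because S3 does not keep the key, every later GET of the object must
    present the same key; losing this mapping means losing the data.
    """

    def __init__(self):
        self._keys = {}  # object name -> raw key bytes (constructed, in-memory)

    def headers_for(self, object_name: str) -> dict:
        """Return headers for an object, minting a key on first use."""
        if object_name not in self._keys:
            self._keys[object_name] = generate_key()
        return ssec_headers(self._keys[object_name])

    def __len__(self) -> int:
        return len(self._keys)


if __name__ == "__main__":
    ring = KeyRing()
    print(ring.headers_for("reports/q2.csv"))
```

A real upload would attach these headers to the PUT request (or pass the equivalent SSECustomerAlgorithm, SSECustomerKey and SSECustomerKeyMD5 parameters in an SDK call); the point of the example is that the key material is generated and retained by the enterprise, never by the provider.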
Encryption, and hence key management, is involved in various aspects of cloud services, such as access keys, secret keys, SSH keys, certificates and VPN keys. This requires a dedicated function within the management platform.
The dedicated key management function within OpenStack is called Barbican. As Matt Tesauro from Rackspace described it last month at OWASP AppSec Europe 2014, “Barbican is a crucial bit of software that we needed to do right (for OpenStack). One of the things we wanted to solve was how to give developers a method to manage secret data like config files or API keys”. Jarret Raim from Rackspace is the Program Technical Lead for Barbican, and the project has been available since the Havana release to provide a single key management platform for the various components in OpenStack.
For SaaS providers and, more importantly, their customers, control is more difficult, as the cloud service provider is responsible for the network, the hardware, the OS and the application. There are a few providers that Gartner calls Cloud Access Security Brokers who offer data protection and data residency security. Unlike traditional perimeter network security devices, these brokers enable selective controls like encryption, tokenisation or masking, alongside other distinguishing features like analytics and policy-based controls. Adallom is one of the providers that features rich anomaly detection and an advanced behavioral engine. Skyhigh Networks, which makes cloud security software, raised a $40 million Series C round last month from investors. Similarly, NetSkope, CipherCloud, PerspecSys and CloudLock provide their own solutions.
In the big data world, Cloudera acquired a security provider, Gazzang, that specializes in encryption and key management for Hadoop and MongoDB clusters, amongst other big data technologies.
With the increased need to secure the data in the cloud, the data protection landscape is bound to mature with further improvements in security controls, better technologies that scale and integration features to automate.
Enterprises need to invest wisely in their data security strategies in terms of robustness and longevity. With increased awareness around security and privacy, the enterprise product roadmap has to integrate security within their cloud and big data investments. This will require semantic understanding of the cloud services consumed by the enterprise.
One thing is certain – security in the cloud will get busier and the enterprises need to get their keychains ready!
Feature image via Flickr on Creative Commons