Cloud Encryption: It’s All About the Key Management

Last updated: 16 May 2016

For security professionals, one of the primary challenges of cloud computing is that they must somehow protect resources that, to varying degrees, they no longer control, and for which traditional security controls like firewalls and IPS devices are ineffective. However, regardless of which cloud model you adopt – IaaS, PaaS, SaaS, hosted private cloud, etc. – one thing you can still exert some control over is your data. But how do you accomplish this when the data lives – at least part of the time – in someone else’s infrastructure?

As in other sectors of security, the emergence of cloud computing has breathed new life into certain long-existing security technologies, and in recent years we’ve seen a ‘rebirth’ of encryption as a primary way to ensure that sensitive data remains protected even outside the corporate confines. Encryption is arguably one of the oldest security tools and has been around for millennia, but its complexity has often relegated it to the background, reserved for only the most stringent use cases.

Cloud has changed that.

As in the pre-cloud world, encryption does come with some potential drawbacks.  One of the main challenges is to implement encryption in a way that allows critical application features to still function normally, and also without impacting performance, uptime, and perhaps most importantly, the user experience.

The second major challenge, and arguably the more important one, is key management. How you generate encryption keys, share them securely with others, rotate them and revoke them is critical, since whoever controls the keys effectively owns the data. History has given us plenty of examples of how weak crypto or bad key management can be worse than having no encryption in the first place: the data is no better protected, but everyone behaves as though it were.

With respect to cloud security – and SaaS applications specifically – the issue of key management has been somewhat contentious. A number of vendors have emerged in recent years that provide encryption for various SaaS applications using a gateway model that intercepts traffic en route to the SaaS application and encrypts sensitive fields before they leave the customer’s network. Most importantly, these vendors are able to do so in a way that preserves most of the functionality of the SaaS app, and customers retain control of the keys on their own premises to ensure that nobody at the SaaS provider can access critical data – either maliciously, or in the event of a legal order. One caveat practitioners should weigh: preserving features such as search and sorting on encrypted fields generally requires deterministic or format-preserving schemes, which leak more about the plaintext (equality, sometimes ordering) than randomized encryption does. The other drawbacks to this approach are that it can be costly, both in terms of hardware and integration work, and that application performance and stability can be affected, particularly when the SaaS application is updated and the gateway must be kept in step with it.

In addition to third-party encryption solutions, we’ve recently seen a move by both SaaS providers as well as big-data distributors to offer encryption and key management natively, so their customers can protect their data without the added cost and integration work that sometimes comes with third-party solutions.  Examples include big-data distributors Cloudera and Hortonworks, each of which acquired encryption vendors last year that allow them to offer encryption to their customers as either a standard feature or as a premium service.

Among SaaS providers, Box also offers its own native encryption, and earlier this year introduced a premium version that allows customers to maintain control over their encryption keys by physically separating them from Box’s internal servers and admins. The most recent example is Salesforce’s launch of native encryption – called Platform Encryption – as part of its new Salesforce Shield premium security offering. Platform Encryption has a variety of interesting features and has been architected so that it is extremely difficult for Salesforce employees to misuse. However, customers don’t have the option of keeping their encryption keys on their own premises, which may be acceptable to many customers, but not to those facing strict compliance or data residency requirements.

The $64k question, then, is how many customers fall into each camp? Cloud security is still at an early stage of development, and the market’s acceptance of Box’s EKM (Enterprise Key Management) and Salesforce’s Platform Encryption should provide interesting test cases for how the cloud data-protection industry will unfold over time. For the near term, however, we think it’s likely that several models will co-exist, with both native and third-party offerings, as well as both provider-managed and customer-managed keys. Either way, as cloud infrastructure and applications become more tightly woven into the fabric of most modern enterprises, encryption will increasingly be expected as a standard feature of most cloud offerings. And as encryption assumes its rightful place in the cloud security toolkit, so too will the need for a key management system that supports a variety of cloud and encryption architectures and also scales to meet the demands of an elastic, on-demand infrastructure. After all, whoever controls the keys controls the kingdom.
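The customer-managed-key model discussed above (and the rotation and control-of-keys points raised earlier) is easiest to see in code. The following Go program is an added example, not code from the original post or from Box, Salesforce or any vendor it names: it implements envelope encryption, in which each object is encrypted under its own data-encryption key (DEK), and the DEK is wrapped under a key-encryption key (KEK) that stays with the customer. The provider stores only the envelope. The type and function names, the version tagging and the sample record are assumptions for illustration; AES-256-GCM from Go’s standard library does the real work.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is what the provider stores. Without the customer's KEK the
// wrapped DEK cannot be recovered, so the ciphertext is useless to the provider.
type Envelope struct {
	KEKVersion uint32 // which customer KEK wrapped the DEK (bound in as AAD)
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// seal returns nonce||ciphertext under AES-256-GCM with a fresh random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong AAD or tampered blob fails the tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// versionAAD binds the KEK version into the wrap so a swapped version field is detected.
func versionAAD(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

// Encrypt runs on the customer side: fresh DEK per object, data under the DEK,
// DEK under the KEK. Only the Envelope is handed to the provider.
func Encrypt(kek []byte, kekVersion uint32, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, versionAAD(kekVersion))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKVersion: kekVersion, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the data.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, versionAAD(env.KEKVersion))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, nil)
}

// RotateKEK rewraps the DEK under a new KEK. The data ciphertext is untouched, so
// rotation is one small AEAD operation per object rather than a bulk re-encryption.
func RotateKEK(oldKEK, newKEK []byte, newVersion uint32, env Envelope) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, versionAAD(env.KEKVersion))
	if err != nil {
		return Envelope{}, fmt.Errorf("unwrap with old KEK: %w", err)
	}
	wrapped, err := seal(newKEK, dek, versionAAD(newVersion))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{KEKVersion: newVersion, WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, nil
}

func main() {
	kek1, kek2 := make([]byte, 32), make([]byte, 32)
	rand.Read(kek1)
	rand.Read(kek2)
	env, _ := Encrypt(kek1, 1, []byte("constructed sample record: account 4242")) // constructed input
	_, err := Decrypt(kek2, env) // the provider (or anyone without kek1) gets nothing
	fmt.Println("decrypt without the customer's KEK:", err)
	env, _ = RotateKEK(kek1, kek2, 2, env)
	pt, _ := Decrypt(kek2, env)
	fmt.Printf("after rotation to KEK v%d: %s\n", env.KEKVersion, pt)
}
```

Two properties follow directly from the structure: retiring the old KEK (destroying kek1) immediately revokes the provider’s ability to read anything, and the provider never needs the KEK to store, replicate or back up the data. A production system would put the KEK in an HSM or a KMS and use a dedicated key-wrap construction, but the separation of duties is the same.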

Regardless of which camp you may fall in, historically, ‘good enough security’ has been, well – good enough. Too many organizations have been content to check off compliance boxes and move on. However, we are seeing increasing evidence that this may be changing, and the seemingly endless parade of data breaches may be causing more companies to think about implementing security best practices rather than just doing the bare minimum. That said, our guess is that for the time being, the lack of an on-prem key management option is not a deal killer for the majority of customers.

For large SaaS, IaaS and big-data providers, we are likely to see more native encryption options come to market as they look to meet customer demands for data protection. But how will they handle key management?  Will they follow Salesforce’s lead and keep the keys to themselves, or adopt Box’s model and let customers keep control?

As mentioned earlier, for customers with strict internal security policies or those facing data residency requirements, on-prem key management will remain a must, and for this group, third-party encryption vendors will still play a large role.  Either way, we see third-party vendors evolving more towards key management and away from basic encryption, particularly as more customers adopt multiple cloud applications and may have a need for a centralized way of managing their keys.

For smaller SaaS providers, many may opt to integrate third-party encryption and key management offerings directly into their products rather than expending the time and resources that Salesforce and Box likely did to develop their own native offerings.

Regardless of how things play out, key management will remain a central issue in the battle for cloud data security.


Garrett Bekker is a Senior Analyst in the Enterprise Security Practice at 451 Research, drawing on more than 15 years of enterprise security experience. For more security insights from Garrett, follow him on Twitter via @gabekker and read his 451 Research reports.

If you would like to learn more about addressing the security risks the cloud can introduce, read our white paper, Securing Data in Virtualized Data Center and Cloud Environments.
