It's common for solution provider customers to want to embrace cloud computing solutions, but yet hesitate to employ them because of security concerns. That's especially true when dealing with clients that must adhere to strict compliance regulations. (For more on that, see "How To Boost Business Selling GRC Solutions In the Cloud.") In this blog, the director of product marketing, Credant Technologies, discusses how to address the security concerns customers typically have when considering cloud services. — Jennifer Bosavage, editor
Cloud computing manages to simultaneously be perhaps the fastest growing technology in the industry, while still being one of the least understood. Providing the ability to provision IT services on demand in a scalable, elastic and often abstracted way, cloud is clearly changing not just the language of business computing, it’s changing the entire conversation. While there are many models and services comprising what we loosely call ‘cloud,’ they all offer business users the opportunity to quickly, easily and cheaply gain access to computing resources and services as they need them – and for only as long as they need them. In today’s economy, it’s not surprising that business and IT leaders are sitting up and taking notice.
With all those benefits, you might expect that everyone is embracing cloud services. However, there still remain some significant barriers to widespread adoption of all things ‘cloud.’ Most significant are security and its much-maligned half-sibling, compliance.
Many organizations that we speak to are afraid of the risks of moving sensitive data into the cloud – and with good reason. While the benefits of cloud certainly accelerate your business ability to meet new challenges and embrace new opportunities, the very nature of cloud offerings can introduce a number of unknowns, especially when it comes to highly regulated or valuable information such as credit card data, healthcare information and sensitive intellectual property. The regulatory and business environment has become very unforgiving of serious data breaches, and that trend is continuing with state and national level breach notifications, industry penalties, and a growing consumer disquiet about identity theft.
Thankfully, one of the oldest known security technologies offers a solution to a number of the newest security and compliance problems facing businesses that wish to move to the cloud – encryption. Encryption provides protection for sensitive information in a way that is both secure and well understood. It forms a core element of many of today’s secure communication methods and is essential in protecting information in transit and at rest from prying eyes and accidental disclosure. Encrypted information is essentially valueless without the key to decrypt it, and that’s why encryption is now seen as the best way to accelerate the adoption of cloud computing for organizations nervous about breaches.
Critical concerns that customers will cite tend to revolve around both accidental disclosure of information and malicious attack. Among those concerns:
* What if another system in the vendor’s cloud infrastructure is breached? Can an attacker then access my information too?
* What if a competitor is using the same cloud provider, can I trust that my information is safe?
* How do I know if a rogue administrator at the provider, or one of their partners, isn’t going to steal my information?
* How will I prove to auditors that my information is safe if it is stored remotely in a cloud?
By encrypting both the virtual machines and the data stored on them, customers of cloud service providers maintain a vital degree of protection in the event of a serious breach – up to and including actual physical loss of the system or the activity of a malicious insider. It’s no surprise that a recent survey reported 71 percent of auditors preferring encryption as the best way to protect information resources.
When discussing encryption, it’s important to understand that ultimately all encryption solutions stand or fall on key management. Without the keys to decrypt information, attackers are left with nothing more than unreadable junk. As such, key management – where the keys are stored, how they are stored and who has access to those keys is the foundation of any encryption approach.
When thinking about cloud security offerings, the most important area, therefore, is how the keys will be secured. Vendors of cloud services, and those who are building product offerings on other organization’s clouds, must have a sound grasp of where and how to implement encryption to protect the information and systems that my organization is entrusting to their care. The good news is that there are many organizations that focus on providing both expertise and technical solutions for encryption.
So, when looking for a partner or a solution to include encryption, here are a few pointers:
* Do they understand encryption and key management as a core competency?
* Do they have experience in working with solution providers, resellers and consultants to offer industry-strength solutions?
* Do they have a clear strategy for helping me embrace cloud when I am ready?
* Can they demonstrate an understanding of the regulatory landscape and pressures that I face?
* Do they have the capability to provide secure key management even in highly complex environments and can they integrate encryption management for cloud services (including private cloud) into the broader enterprise infrastructure?
It’s certainly true that the markets for cloud services are still emerging and the demand among customers is still building, but by showing that you understand the key data security challenges, and how to overcome them, you will position yourself well for long term, trust-based partnerships that will truly help your customers embrace this important, game-changing technology.