While Canellos said the NSA's activities have come up in just about every conversation he's had with clients and partners in recent months, the concern level isn't high -- yet. "We're not hearing a lot of concern from customers right now, and part of that is because companies feel their encryption standards are strong enough," he said. "But companies are taking notice, and people are still trying to process all of the information."
Still, the NSA revelations are having a positive effect, Canellos said. "It's raising a level of awareness about security, which is good for us," he said. Kothari agreed, saying security technology has shifted in recent years from antivirus protection to encryption, and the NSA news will only accelerate that shift. In fact, Kothari said, an argument can be made that corporate data is actually safer in the cloud.
"It's much harder today, I think, to crack cloud data storage because you have to get past both the cloud provider and the corporate network," Kothari said. "You can be more secure in the cloud today, but you need to encrypt your data before you send it up there."
So in light of the recent NSA news, what's to be done? How can cloud security firms protect client data from prying eyes, whether it's government agents or cybercriminals?
HighCloud's Pate says vendors and solution providers need to stress basic principles about strong encryption standards and basic key management. HighCloud, for example, uses multilevel AES (Advanced Encryption Standard) 256-bit encryption.
"There's encryption, and then there's encryption," he said. "If you're using an encryption key that's smaller than 80 bits then, yes, it's theoretically possible for the government or anyone else to easily crack those codes using brute-force techniques."
An 80-bit key in a symmetric algorithm is equivalent in strength to a 1,024-bit asymmetric encryption key. By the same measure, AES 256-bit encryption is equivalent in strength to 15,360-bit asymmetric encryption.
CipherCloud also uses AES 256-bit encryption. Kothari said any 1,024-bit length encryption is unsafe and can be cracked by a powerful computer. Therefore, he said, his company "highly recommends" at least 4,096-bit lengths for Internet communication.
In CipherCloud's case, the company also hands over the encryption keys to the customer; therefore, CipherCloud will never be able to hand over the encryption keys to the government or anyone else because it doesn't possess them. "Key management becomes a big issue," Kothari said. "These keys shouldn't be shared with anyone, regardless of who's asking for them."
In addition to stronger encryption standards and better key management, PerspecSys' Canellos also recommends taking a multi-layered approach to cloud security. For example, PerspecSys combines encryption technology from third parties with its own token system.
"We think tokenization is becoming more mainstream and we're using it as an alternative to just using encryption," Canellos said. "With tokens, there's no algorithm to place a back door."
While the recent NSA revelations may have caused concern within the security community and among customers, NSA whistleblower Edward Snowden told The Guardian that strong encryption standards are still a safe bet to protect data. Cloud security firms agree.
"Strong encryption still works," Pate said. "Even Snowden said the government couldn't crack high-level encryption."
PUBLISHED SEPT. 20, 2013