There’s been a great deal of talk going on about cloud computing. The benefits are clear, because organizations realize that the network is an extension of their data center and that they can avoid many of the scalability and capacity problems of the past. The fundamentals of the concept are compelling and real.
Yet there is still a great deal of trepidation, especially when it comes to security. That’s because the concept of cloud computing needed to be tested first. The first generation of cloud computing services addressed whether the infrastructure made sense. Was it possible to build the types of services with the quality and reliability of an in-house application?
I think we’re turning the corner on the first generation and that’s why people are talking about security. We’ve moved past whether the concept is feasible. Now we need to know if it’s practical and safe. The second generation of cloud computing applications will test whether a good security model can take shape to alleviate customer concerns that stand in the way of mainstream adoption.
One thing that we’ve learned from the past is that although encryption is a good thing, there are a lot of ways to do it poorly. Today, many organizations struggle with the results of rash decisions to deploy encryption without thinking about all of the aspects of management. The ongoing requirements to track, manage and safely recover encryption keys can pose formidable challenges as administrators struggle with the growing burden.
Now that we’ve turned our eyes towards the cloud, we have a rare opportunity to take a step back and envision how we could do security right in the first place. Companies can build out an ideal environment with data protection considerations built in before going live.
When we look at both the internal deployment of encryption and the cloud security model, although the situations are different, the solution to both problems is the same. In the first, the pain came from a proliferation of key management tools that led to unforeseen operational costs and internal complexity. Applying a strategy of enterprise key management to eliminate duplication and simplify the administrative model of encryption keys leads to an environment that is both more efficient and less costly.
The same approach should be at the forefront of cloud security. It’s clear that encryption and identity are essential to the cloud security model: there’s network transport security (SSL/TLS), data integrity (digital signature) and data privacy (encryption), along with the challenge of ensuring that only the right people have access to data (authentication). In order to get the key material lined up for sustained operations, organizations should consider the requirements for proper key management before putting these technologies in place.
Having had the experience of what poor key management feels like, organizations should do the right thing with their cloud strategy and make sure that they ask their cloud service providers the right questions. It isn’t really about whether or not the service has encryption. The better question is whether there is the proper key management in place to administer the security for all of the cloud initiatives to come.