Since next week is Halloween, and Rafal Los recently blogged about how most enterprise security discussions are FUD-filled (i.e., filled with Fear, Uncertainty, and Doubt) horror stories, I decided to use Tales from the Crypt as the theme for this blog post.
Tales from the Encrypted
One frightening consequence of the unrelenting trend of the consumerization of IT, especially cloud computing and mobility, is that not all of the organization’s data is stored within its on-premises technology infrastructure, or accessed using devices under its control. With an increasing percentage of enterprise data constantly in motion as a moving target in a sometimes horrifyingly hyper-connected world, data protection and data privacy are legitimate concerns and increasingly complex challenges.
Cryptography has a long history that predates the Information Age, but data encryption via cryptographic computer algorithms has played a key (sorry, I couldn’t resist the pun) role in the history of securing the organization’s data. But instead of trying to fight the future of business being enabled by cloud and mobile technologies like it was the Zombie Data-pocalypse, we need a modern data security model that can remain good for business, but ghoulish for the gremlins, goblins, and goons of cyber crime.
Although some rightfully emphasize the need for stronger authentication to minimize cloud breaches, data encryption is often overlooked—especially who should be responsible for it. Most cloud providers use vendor-side encryption models, meaning that their customers transfer non-encrypted data to the cloud, where the cloud vendor then becomes responsible for data encryption.
The Data Encryption Keeper
However, as Richard Jarvis commented on my previous post, “it’s only a matter of time before there’s a highly public breakdown in the vendor-side encryption model. Long term, I expect to see an increase in premium, client-side encryption services targeted at corporate clients. To me, this will offer the best of both worlds, and will benefit both cloud vendors and their clients.”
I have to admit that in my own security assessments of cloud computing solutions, I have verified that the cloud vendor was using strong data encryption methods, but I didn’t consider that the responsibility for cloud data encryption might be misplaced.
So perhaps one way to prevent the cloud from becoming a haunted house for data is to pay more attention to who is cast to play the role of the Data Encryption Keeper. And perhaps the casting call for this data security role should stay on-premises.
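To make the client-side model concrete, here is an added example (not from the original post or any vendor's code) in which the key is generated and kept on-premises and the provider only ever stores ciphertext. The in-memory `cloudStore`, the object name, and the sample record are constructed stand-ins; AES-256-GCM from Node's built-in `crypto` module is an assumed choice of cipher.

```javascript
const crypto = require("node:crypto");

// Key is generated and held on-premises; it is never sent to the provider.
function newLocalKey() {
  return crypto.randomBytes(32); // 256-bit AES key
}

// Encrypt before upload. The object name is bound in as associated data, so a
// blob copied under a different name fails authentication on download.
function sealForUpload(key, objectName, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every object
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(objectName, "utf8"));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]); // iv | tag | ciphertext
}

// Decrypt after download; throws if the blob, name, or key does not match.
function openAfterDownload(key, objectName, blob) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(objectName, "utf8"));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Constructed stand-in for a provider's object store: it only ever sees blobs.
const cloudStore = new Map();

function demo() {
  const name = "ledger/sample.csv"; // hypothetical object name
  const key = newLocalKey();
  const record = Buffer.from("constructed sample: customer ledger row 42", "utf8");
  cloudStore.set(name, sealForUpload(key, name, record));

  const stored = cloudStore.get(name);
  const providerSeesPlaintext = stored.includes(record);
  const roundTrip = openAfterDownload(key, name, stored).equals(record);

  // Flip one ciphertext bit, as a storage-side modification would.
  const tampered = Buffer.from(stored);
  tampered[tampered.length - 1] ^= 0x01;
  let tamperDetected = false;
  try { openAfterDownload(key, name, tampered); } catch { tamperDetected = true; }
  return { providerSeesPlaintext, roundTrip, tamperDetected };
}
```

Under this model a breach of the provider's storage yields only ciphertext, and the on-premises key store becomes the asset to protect and back up.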