Cloud security is gaining a renewed focus, now that Apple founder Steve Wozniak has issued a stern warning about Cloud security risks. In response, numerous vendors have lined up to say that if you’re concerned about the security of your data in the Cloud, the simple solution is to encrypt them. In fact, there’s a new crop of Cloud gateways — appliances that go in your corporate DMZ and encrypt all traffic to the cloud, decrypting it on the way back. So, you can encrypt all your data in the Cloud with nobody being the wiser. What could be simpler?
There remain two central problems with encryption in the Cloud. The first is key management. It is absolutely essential that you maintain your private keys on premise, because all a hacker needs to do if you put your private key in the Cloud is steal it — since you can’t encrypt your private key. The good news here is that there’s no requirement that you put your private keys in the Cloud or use your Cloud provider’s private key. But relying upon your Cloud provider to manage a private key for you is like locking your valuables in a hotel room. They are as secure as the maids are honest.
But even if you maintain your private keys on premise, there’s still a problem with encrypting all your data in the Cloud: you can’t do anything with them (other than store them and move them around) as long as they’re encrypted. If you want to get any value from those data, you must either decrypt them in the Cloud or pull them back to your on-premise environment for processing. (There are technologies for working with encrypted data while they’re still encrypted, but those approaches aren’t ready for prime time yet).
If all you want to use the Cloud for is to store your data, then this limitation isn’t a problem for you. But sometimes you’re required to actually do something with your data. For example, HIPAA healthcare regulations allow for putting data in the Cloud as long as they’re secure. But the regulation also requires making the data available for statistical analysis (say, for nipping epidemics in the bud). But there’s no practical way to perform such analysis in the Cloud without decrypting the data first.
The Cloud’s security failings may be overblown, and on-premise environments and Private Clouds have their own security issues as well, but it’s important to understand just what security the Cloud does — and more importantly, does not — offer. Do I agree with the Woz? More or less, but even more important: I believe it was a good thing he expressed this opinion, if only to solicit defensive responses from Cloud security vendors.