The economics of cloud computing are definitely appealing. However, security is of paramount importance when deploying mission-critical applications in the cloud. There can be no trade-offs between improved accessibility, performance, and the integrity of an organization’s most valued data.
Cloud security, with specific focus on key management, is sure to be one of the main questions asked by any enterprise as it considers moving applications and storing data in the cloud. The concept of cloud computing is full of complex considerations as organizations first begin their journey. How will their all-important keys be managed and will the data be encrypted to a high standard?
Cloud providers take the role of key management very seriously. There are multiple solutions that store credentials inside and outside the cloud within a secure infrastructure, depending upon the purchasing organization’s cloud security needs. Many providers are concerned about data security, not only from the point of view of malicious intent, but also from a legal perspective.
Is the data encrypted to a level sufficient to avoid access by potential hackers? Is it possible for an independent attorney to provide a legal instrument such as a subpoena to gain access to data through the cloud system? Organizational system separation is maintained by some cloud security providers. This ensures that a third party cannot access a single, integrated system, which could otherwise result in the compromise of critical data.
Sustainability is very important, as it pertains to the day-to-day operations of a cloud security company. A meaningful and logical solution is required when it comes to key management. Appropriate questions must be asked of a cloud service provider, and the selection of an appropriate partner should only be made on the basis of a clear understanding of the integrity of the entire solution. The process of hosting, administering, and allowing access to the relevant keys should be clear-cut and watertight.
Some key management and cloud security items to consider:
- The Advanced Encryption Standard (AES) should be used for keys to protect against acts of malicious intent. All customer encryption and authentication credentials should be stored in an AES256-encrypted database, with no encryption keys stored in the credentials management zone.
- Unique keys should be used for each customer to ensure that no two customers will have access to each other’s applications or data.
- Keys should be stored outside the cloud infrastructure provider and only used when necessary. The public cloud infrastructure should be viewed as hostile territory.
- The cloud provider or management solution provider should have no staff access to keys or sensitive data.
- File system and backup encryption should also be considered for sensitive data.
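The first three items above, sketched as an added example (not code from this article or from any provider): each customer gets its own 256-bit key, credentials are sealed with AES-256 (GCM mode is chosen here as an assumption), and the stored row never contains a key. The `externalKeys` map is a hypothetical stand-in for a key service hosted outside the cloud provider; all function names and sample values are constructed.

```javascript
const crypto = require('crypto');

// Hypothetical stand-in for a key service (KMS/HSM) hosted OUTSIDE the cloud
// provider. Keys live only here, never in the credential database.
const externalKeys = new Map();
function customerKey(customerId) {
  if (!externalKeys.has(customerId)) {
    externalKeys.set(customerId, crypto.randomBytes(32)); // unique 256-bit key
  }
  return externalKeys.get(customerId);
}

// Encrypt one credential. The returned row is all the database stores:
// IV, ciphertext and auth tag, but no key material.
function sealCredential(customerId, name, secret) {
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', customerKey(customerId), iv);
  // Bind the ciphertext to its owner so a row copied between tenants fails.
  cipher.setAAD(Buffer.from(`${customerId}/${name}`));
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  return { customerId, name, iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt a row on behalf of requesterId. Returns null when the requester's
// key does not match, the owner binding differs, or the row was modified.
function openCredential(row, requesterId) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', customerKey(requesterId), row.iv);
    d.setAAD(Buffer.from(`${requesterId}/${row.name}`));
    d.setAuthTag(row.tag);
    return Buffer.concat([d.update(row.ct), d.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data, for illustration only.
const rowA = sealCredential('customer-a', 'db-password', 'constructed-sample-secret');
console.log('owner can read:', openCredential(rowA, 'customer-a') !== null);
console.log('other customer can read:', openCredential(rowA, 'customer-b') !== null);
```

In a real deployment the key lookup would be an authenticated call to the external service, made only when a credential is needed.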
The benefits of public cloud infrastructures have been well documented: scale, flexibility, and reduced capital expenses and operational costs. Cloud security will continue to evolve and improve, and will remain a high priority for enterprises that have tight IT policies and procedures. As security becomes more widely understood, acceptance of the model will increase and more and more benefits will be realized.