Cloud data encryption options: How service providers address security concerns

Service providers can address their customers' cloud security concerns by offering a range of cloud encryption options.

Even as companies move more workloads to the public cloud, security remains a primary concern. Questions regarding who has access to customer data, where it is stored and how it is protected can thwart customers' cloud adoption plans, particularly in highly regulated industries like financial services and healthcare. But cloud service providers that offer cloud data encryption options to address these concerns can benefit as much as their customers can.

"Moving to the cloud is disruptive. We've seen a lot of companies under pressure to move to the cloud rapidly, but they are very concerned about privacy and regulatory compliance," said Willy Leichter, global director of cloud security at CipherCloud.

These concerns are evident in the results of the 2015 Vormetric Insider Threat Report. According to Ovum, an analyst firm that contributed to the report, "Cloud and software as a service (SaaS) providers need to step up to earn the trust of their enterprise clients and justify their presence in this lucrative market."

Who owns the cloud data encryption keys?

It appears that the fastest way service providers can gain their customers' trust is to provide encryption services and give customers ownership of the encryption keys. The Vormetric survey found that the top improvement that would increase cloud adoption was just that: 55% of respondents said they would want to manage keys on-premises, and 52% at the cloud provider.

Ownership of cloud data encryption keys is a critical point. "There's a lot of suspicion when the data is in the cloud around who will be accessing it by subpoena or hacking or what have you. Customers want the subpoena to come to them and not the cloud provider so they make the decision as to what to release," Leichter said.

Christopher Hertz, founder and president of New Signature, a cloud and managed services provider based in Washington, D.C., agreed that key ownership is a concern for some customers. "Microsoft has always encrypted data in the cloud -- at rest, in motion, in transit. So everywhere your data went it was already encrypted," he said. "The knock, customers might say, is Microsoft owns the encryption key."

Hertz asserts that these customer concerns are unfounded and that Microsoft has no interest in customer data or in handing data over to the government. "They would lose their business if they did that," he said.

Leveraging the cloud provider's native capabilities

For some customers, having data encrypted in the cloud -- regardless of who owns the key -- is a security improvement. "A lot of customers today are not encrypting data at all on their servers. By moving to the cloud, they are getting out-of-the-box a level of security via data encryption that they've never gotten before," Hertz said.

Still, there are some customers that have a legitimate business reason for wanting to maintain ownership of their encryption keys. "It's all about managing risk," explained C.J. Radford, vice president of cloud for Vormetric. "From a best practices perspective, if you own the data, you need to own your own key. That's the highest level of security for you as an enterprise."

For those customers, New Signature offers Vaultive's cloud data security and encryption platform, which sits between the cloud service provider and on-premises client, and encrypts and decrypts data as it moves back and forth between them.

However, Hertz said cloud service providers like Microsoft and Amazon are increasingly addressing key ownership concerns by enabling customers to encrypt data with their own key. Regarding Vaultive, he said, "It's a great solution, but it's less and less likely customers will end up using something like this, because [cloud data encryption] will be a native capability in all of the cloud solutions."

Cloud data encryption options: third-party products

Not everyone agrees with Hertz's sentiment. Vormetric provides its encryption product to Rackspace, Radford said. By addressing customers' privacy and security concerns, Vormetric helps Rackspace sell services to enterprises in regulated industries. "[Vormetric] gives the customer more comfort when sending workloads from on premises into the Rackspace environment, but by giving key ownership to the enterprise, it also reduces Rackspace's own liability," Radford said.

He explained: "By putting the controls around customer data that resides in their environment, Rackspace narrows the scope of things that can go wrong in the environment in terms of a data breach. If they're deploying Vormetric correctly, they reduce the threat landscape, and reduce their own risk and liability."

Another benefit pertains to subpoenas. "It also allows a service provider to comply with local laws, but the reality is if the entity wants to access the data, they need to talk to a customer who owns the key," Radford said.

Ideally, service providers should provide several different cloud data encryption options for protecting data and help customers determine which is best for them, Radford advised. This may mean using the cloud provider's native capabilities or it may mean deploying a third-party platform, depending on the customer's risk tolerance and the sensitivity of the data.
