With the numerous encryption options available, it is difficult to understand the difference between them all, let alone which option is right for your company. There is no need to pore over encryption algorithms to decipher the differences, however, because the process is much simpler than that, according to Rich Mogull, founder of Securosis.
In a recent SearchCompliance webcast titled Pragmatic Cloud Encryption, Mogull said that there are three components that are crucial to understanding available encryption options:
When it comes to these components, it's more about the where than the what, he said. "The location of these components is what defines your encryption system," Mogull explained.
Once companies are familiar with these encryption system components and their related needs, they can decide between the encryption options available to them. To help explain these options, Mogull discussed three possible volume storage encryption choices for the Infrastructure as a Service cloud model.
The first encryption system style is what Mogull called instance-managed. "This is where the key management and the encryption engine are all within an instance itself," Mogull said. "Typically, this only works when connecting to an external storage volume."
Mogull warns that instance-managed encryption has a low security level and is "not something you are ever going to want to use in a production environment." However, it does have its benefits: Although it doesn't provide the best security, it can be helpful for developers as a stub or in training situations, he added.
The next encryption system model is external key management. In this option, the encryption engine runs within the instance, there is an external engine, and the keys are managed externally. "The key is provisioned to the instance when it is needed for actual connecting and decrypting the drive," Mogull explained, calling it the most common option for encrypting volume storage.
The final volume storage encryption option is using a proxy, but Mogull said that he is "not seeing [it] used practically in customer environments."
When it comes to choosing which option will work for your business, "you want to use external key management to the best of your ability," Mogull said. While instance-managed may be the easiest option, it doesn't provide as many security benefits as external key management, he added.
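To make the difference between the first two layouts concrete, here is a small Python model added for this summary (it is a constructed example, not code from the webcast or from Securosis). Both layouts use the same encryption engine; they differ only in where the key lives. The engine is an HMAC-SHA256 counter-mode keystream standing in for a real disk cipher, and the class names, volume and instance identifiers, and the `compare_layouts` check are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

SECRET = b"customer records on the attached volume"   # constructed sample data


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real disk cipher such as AES-XTS."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def engine(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """The encryption engine: XOR with the keystream, so one call both encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class InstanceManaged:
    """Key management and engine both inside the instance. To attach the volume
    unattended, the key ends up on the instance's own boot disk beside the data."""

    def __init__(self):
        self.boot_disk = {}          # files persisted in the instance image
        self.nonce = os.urandom(16)
        self.volume = b""

    def provision(self, plaintext: bytes) -> None:
        key = os.urandom(32)
        self.boot_disk["volume.key"] = key   # the weakness: key persists with the image
        self.volume = engine(key, self.nonce, plaintext)

    def read(self) -> bytes:
        return engine(self.boot_disk["volume.key"], self.nonce, self.volume)


class ExternalKMS:
    """Key management outside the instance: releases a key only to an authorised instance."""

    def __init__(self):
        self._keys = {}
        self._grants = set()

    def create_key(self, volume_id: str, instance_id: str) -> None:
        self._keys[volume_id] = os.urandom(32)
        self._grants.add((volume_id, instance_id))

    def release(self, volume_id: str, instance_id: str) -> bytes:
        if (volume_id, instance_id) not in self._grants:
            raise PermissionError(f"{instance_id} is not authorised for {volume_id}")
        return self._keys[volume_id]


class ExternalKeyInstance:
    """Engine inside the instance; the key is provisioned by the KMS at attach
    time, held only in memory, and never written to the boot disk."""

    def __init__(self, instance_id: str, kms: ExternalKMS):
        self.instance_id = instance_id
        self.kms = kms
        self.boot_disk = {}
        self.nonce = os.urandom(16)
        self.volume = b""
        self._key = None             # RAM only, cleared on detach

    def attach(self, volume_id: str) -> None:
        self._key = self.kms.release(volume_id, self.instance_id)

    def detach(self) -> None:
        self._key = None

    def write(self, plaintext: bytes) -> None:
        if self._key is None:
            raise RuntimeError("volume not attached")
        self.volume = engine(self._key, self.nonce, plaintext)

    def read(self) -> bytes:
        if self._key is None:
            raise RuntimeError("volume not attached")
        return engine(self._key, self.nonce, self.volume)


def compare_layouts() -> dict:
    """What a copy of each instance image (boot disk plus volume) would give away."""
    im = InstanceManaged()
    im.provision(SECRET)

    kms = ExternalKMS()
    kms.create_key("vol-1", "i-app")
    ek = ExternalKeyInstance("i-app", kms)
    ek.attach("vol-1")
    ek.write(SECRET)
    ek_key = ek._key
    ek.detach()                      # key gone from the instance until re-attached
    ek.attach("vol-1")
    ek_roundtrip = ek.read() == SECRET

    try:                             # an instance without a grant gets nothing
        ExternalKeyInstance("i-rogue", kms).attach("vol-1")
        rogue_denied = False
    except PermissionError:
        rogue_denied = True

    return {
        "im_roundtrip": im.read() == SECRET,
        "im_key_in_image": im.boot_disk["volume.key"] in im.boot_disk.values(),
        "ek_roundtrip": ek_roundtrip,
        "ek_key_in_image": ek_key in ek.boot_disk.values(),
        "ek_volume_is_plaintext": ek.volume == SECRET,
        "rogue_denied": rogue_denied,
    }
```

Running `compare_layouts()` shows both layouts decrypting correctly for the legitimate instance, but only the instance-managed image carries its own key; in the external key management layout the image holds ciphertext alone, and the KMS refuses a key to an instance that has no grant. That is the property behind the advice to prefer external key management: an exposed image or snapshot is not by itself enough to read the volume.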
Watch part two of this webcast to learn more about the main components of cloud encryption and the options for encrypting volume storage. Then visit SearchCompliance to catch up on part one or move forward to part three, where Mogull continues his discussion on pragmatic cloud encryption.