Data security is an important issue for all enterprises that use cloud computing, so CIOs must understand the numerous cloud encryption options. In part three of the Pragmatic Cloud Encryption webcast, Securosis founder Rich Mogull goes into detail about various cloud encryption methods.
SaaS encryption options
Mogull first covers the encryption options for Software as a Service (SaaS) cloud models. "We typically see on the Software as a Service side two different options for encryption that have come out," he said. These two options use either a proxy or an API. The proxy model is the option most companies currently use, but Mogull warns that he doesn't recommend it because it will "quite likely break the functionality of that SaaS provider."
"I think what we really need is more cloud providers to offer native encryption with the ability for us to manage our own keys," Mogull said. "I don't think long term, for encryption, that this proxy model is going to be the best thing to do."
Mogull suggests that when it comes to SaaS encryption options, cloud providers should encrypt the data but the company should manage the encryption key. The problem is that most cloud providers that include native encryption also manage the key. "If the cloud provider manages the keys, just understand that all you're doing at that point is checking a box for compliance. It doesn't actually improve your security in any meaningful way," Mogull said.
App encryption options
Mogull also discusses two main options for app encryption. The first option is to have a built-in encryption engine in your application, "and each of the instances in your application will connect to a key management server, get the keys provisioned that they need and do the data encryption/decryption within your application stack," he said.
The second option, which Mogull usually recommends, is to "use separate instances for the encryption engine and those connecting separately outside of that to your key management infrastructure." This way, when an application receives sensitive data, it sends it off to an encryption layer and then to storage.
Tokenization vs. application encryption
An alternative to app encryption is tokenization. "Instead of just encrypting the data itself, you're actually replacing the sensitive data with a token that is the same field size and format as the data that you're working with, but is not the actual sensitive data," Mogull said. When the data is needed, the token is then matched to the correct piece of data in a tokenization database.
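As an added example that is not from the webcast or this article, the Python below sketches the tokenization pattern Mogull describes: a random token with the same field size and format stands in for the sensitive value, and a tokenization database maps it back on demand. The in-memory vault and the sample card number are constructed assumptions; a real deployment keeps the vault in a separately secured store.

```python
import secrets
import string


class TokenVault:
    """Swap a sensitive value for a random token of identical length and
    character classes (digits stay digits, letters keep their case, separators
    stay in place) and map the token back to the value on request."""

    def __init__(self) -> None:
        # Constructed stand-in for the tokenization database.
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_like(value: str) -> str:
        # Preserve format: replace each character with a random one of its class.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
                out.append(secrets.choice(pool))
            else:
                out.append(ch)  # punctuation such as '-' is kept verbatim
        return "".join(out)

    def tokenize(self, value: str) -> str:
        if not any(c.isalnum() for c in value):
            raise ValueError("value has no randomizable characters")
        # Same value -> same token, so the token still works as a join key.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_like(value)
            # Reject a collision with an existing token or with the value itself.
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Lookup in the tokenization database; unknown tokens raise KeyError.
        return self._token_to_value[token]


def demo() -> tuple[str, str]:
    """Tokenize a constructed sample card number and recover it from the vault."""
    vault = TokenVault()
    pan = "4111-1111-1111-1111"  # constructed sample, not a real account number
    token = vault.tokenize(pan)
    return token, vault.detokenize(token)
```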
Watch part three of this webcast to learn more about cloud encryption options. Visit SearchCompliance.com to catch up on parts one and two or continue to part four, where Mogull discusses key management and distribution.