While virtually all organizations from small businesses to large enterprises to government departments see cloud as a critical element of their IT strategy, the reality is that for many years to come, applications and computing will actually be distributed on a hybrid cloud architecture. The hybrid cloud is a heterogeneous environment that includes both the private cloud (virtualized enterprise datacenter) and a variety of public clouds that customers will change out or add to the mix as needs evolve and faster, cheaper, better and speciality-focused providers emerge.
Regardless of the cloud deployment model, all predictions assert that cloud is the next generation computing paradigm. But, if this is true, what’s holding things up? Why aren’t more critical workloads running in the public cloud? Is it possible there’s a storm brewing in the cloud?
Security and the cloud
While this radical IT transformation to the cloud takes off, several wrenches are thrown into the works, including cyber surveillance, concerns about data remanence, strengthened regulatory compliance laws, shared multi-tenant infrastructure and advanced cyber-attack vectors. As organizations look to take advantage of the cloud, recent headlines expose the real-world risk of intellectual property theft, customer PII disclosure, compliance fines and insider data leaks. In a model where organizations are seemingly giving up some of their IT control, the questions from the boardroom start. Who is looking at our data? Are we still in compliance? What if we want to change providers? How well are we protected against data loss and theft? While some of these issues are more perception than reality – the bottom line is that moving critical enterprise workloads to the cloud requires careful planning. These issues are all driving the need for a new class of security designed for the hybrid cloud – one that is easy to deploy, scales on demand, is adaptable, requires minimal specialized IT training and ensures business agility is not impacted by burdening users with cumbersome tasks.
Encryption as a Service
Encryption is not a new technology and is broadly deployed on the Internet for securing connections for activities including online banking, shopping and even accessing e-mail accounts. Encryption of enterprise data, however, is less commonly deployed and has traditionally been reserved for “elite” organizations with highly skilled IT staff, big budgets, targeted use cases and implementations that place the burden of deciding when and what to encrypt on the end user. But with the advent of virtualization, computing technologies and transformation in how security is deployed, next-generation data encryption solutions optimized for the cloud have emerged which offer Encryption-as-a-Service (EaaS), providing any type of organization with a simple way to secure their sensitive cloud data. Encrypting data in the cloud can address a broad range of concerns by protecting data from prying eyes and data theft as well as providing a pragmatic way to destroy your data when you leave a cloud provider.
EaaS use cases are quite numerous but some examples include securing hosted virtual desktops and associated user data, securing content repositories such as Microsoft SharePoint, protecting the integrity of boot volume images, encrypting critical workgroup files, folders or even securing entire application stacks in very sensitive work environments. In all cases, EaaS is an elegant and effective solution to segregate and protect data in a multi-tenant cloud architecture.
While there are different technical approaches, EaaS typically involves the cloud service provider deploying a virtual storage encryption appliance that logically resides between the customer’s application/workload and the cloud provider’s physical storage array. Provisioning and deployment are easy, as customers simply need to mount the storage encryption appliance as the target storage location using standard interfaces such as NFS, CIFS and iSCSI. Encryption key control is a critical element of a cloud data security strategy, as the key manager ultimately determines who has access to encrypted data. Best practices extend key control to the customer and require enterprise-side software to define and manage security policies. More mature EaaS offerings will provide the ability for the customer to extend data encryption to secure workloads in other parts of their cloud including the private data center or even other public cloud instances. As a result, the customer has a single security management plane across their entire hybrid cloud.
EaaS offers cloud customers a simple data security solution that solves some of the top concerns with moving enterprise workloads to the cloud, all available without up-front CAPEX. In essence, by instilling trust and removing barriers, EaaS becomes a cloud-enabler. For cloud service providers, EaaS enables new value-added services to be offered on top of existing as-a-Service offerings, driving new revenue streams and providing competitive differentiation from other service providers in a crowded marketplace.
Different strokes for different folks
While cloud service providers will be eager to offer turnkey EaaS as an attractive add-on to their suite of Everything-as-a-Service (XaaS) offerings, many organizations are becoming increasingly comfortable deploying their applications within the public cloud and often find this the best approach to meet their business needs. IaaS offerings from providers such as Amazon AWS and Microsoft Azure offer highly automated cloud computing deployment models and management tools that dramatically reduce complexity and ease the provisioning, management and even payment effort for customers. Deploying a data security solution is as straightforward as deploying any other IaaS software. A quick review of the AWS Marketplace shows a host of vendor software offering easy-to-deploy Amazon Machine Images (AMIs), including CRM, ERP, reporting, databases and collaboration, for example, and alongside these business applications customers can also purchase virtual storage encryption AMIs to secure their IaaS data.
Whether your cloud strategy involves simply backing up enterprise data to an offsite service provider or is as elaborate as building a multi-tenant hybrid cloud that includes a mix of private data center and multiple public clouds to support a heterogeneous group of internal departments, data encryption designed specifically for virtualized environments offers a simple and effective approach to securing sensitive data.
Mike Byrnes serves as AFORE Director of Marketing with 20 years’ experience in technology product marketing with a focus on internet security and business communication systems.
Edited by Stefania Viscusi