Cloud services often enable companies to be more flexible and cost-efficient, but dealing with a third party carries a certain amount of risk, and those concerns continue to be a major barrier to moving workloads to the cloud. Too often, cloud providers have the ability to access customer data without the customer knowing.
To ensure that cloud providers don’t have unnecessary access to data, Ottawa-based cloud security and management solution provider AFORE has created CloudLink Secure VSA, a suite of services that provide encryption across different public and private cloud services. It also ensures their encryption keys remain in the hands of the right people.
It supports hypervisor and cloud platforms such as Amazon Web Services, Microsoft Azure, and VMware vSphere, vCloud Director, and vCloud Hybrid Service.
Adding Encryption Where It Wasn’t Before
The core idea behind CloudLink’s virtualized security appliance and management software suite is that it ensures data is encrypted no matter where it goes – wherever it flows between a user and the cloud, or between clouds. The cloud encryption services ensure that everything stored in the cloud remains encrypted and that keys aren’t available to service providers.
“It allows customers to bring their own security as they go to the cloud,” says Mike Byrnes, product marketing director at AFORE. “They can deploy AFORE products on their own or they can purchase them from a service provider, but they always retain control of the encryption keys. So, even though the cloud service provider is hosting the workloads, nobody can see that data because they’re holding the keys back in the enterprise.”
Between CloudLink SecureVSA and CloudLink SecureAPP, AFORE provides encryption for everything from storage and Disaster-Recovery-as-a-Service to business applications and virtual desktops. AFORE creates a secure container around specific applications and makes operating system images tamper-proof, essentially allowing companies to lock down configurations.
What’s Wrong with the Current Encryption of Cloud Services?
Tim Bramble, AFORE’s director of product management, says that CloudLink provides a crucial addition to IaaS. In terms of their security commitment, these providers “secure the underlying infrastructure and make sure you’re protected from other tenants seeing your data,” but when it comes to encryption, they don’t have sophisticated key management.
For instance, Amazon S3 offers encryption with keys that AWS maintains. Bramble says this is like handing over your house keys to someone you barely know. But it’s not enough for customers merely to have access to the keys; the keys need to be properly managed, not just tucked under the doormat for anyone to find.
“The trouble, and where things fall down is with the key management,” he says. “In encryption systems, key management is the number-one thing. If your key is under your doormat…it doesn’t matter if you have 15 locks.”
This is why AFORE built advanced encryption policy management capabilities into CloudLink, including key management tools that ensure only authorized people have access. This protects data not just from the service provider, but from other individuals on the network as well.
CloudLink’s management application, CloudLink Center, provides a “single pane of glass” that lets administrators view, manage, and run reports on data access.
“We have thought very clearly about the key management and we provide an easy-to-deploy but very secure method of managing those keys,” Bramble says.
Freeing Web Hosts and Cloud Providers from Managing Keys
AFORE sells directly to enterprises, governments and end users, and EMC will also be using AFORE as the foundation of the Encryption-as-a-Service offering it plans to launch in May. But AFORE also does significant business with cloud service providers.
“Cloud service providers are a nice [customer segment] because they’re the ones offering Infrastructure-as-a-Service, Disaster-Recovery-as-a-service, Desktop-as-a-Service,” Byrnes says. “So, overlaying encryption as a value added service for all their existing ‘as-a-service offerings’ is a very nice fit.”
Furthermore, he says, many hosting providers simply don’t want to be in the business of managing keys. “We talked to a lot of service providers that said: ‘I don’t want to manage the keys, I don’t want the liability. So even if the customer doesn’t care, I want [the customer] to manage the keys.’”
With encryption becoming more standardized and built on open-source technology, it might be tempting for organizations to build their own solutions. However, the ease of getting key management wrong is a major deterrent and a real risk.
Moving Cloud Providers without Leaving Readable Data Behind
AFORE’s approach to encryption deals with the problem of fragments of data remaining on hard drives in the cloud, which Byrnes says is a top concern for many businesses considering the cloud. By keeping control of the encryption keys, companies can bypass this concern altogether.
“If their data’s been encrypted, and they own the encryption key, they can just delete the encryption key when they’ve moved their data to another cloud,” he says. “Even if there are fragments of data, it’s in ciphertext, which can never be deciphered by Amazon or anybody else on that cloud.”
This ensures that companies can move away from cloud providers they’re unhappy with, without subjecting themselves to risk.
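The key-deletion argument above, as an added illustration that is not AFORE's code and makes no claim about how CloudLink is implemented: a tenant-held AES-256-GCM key seals each object before upload, the provider stores only the sealed blob, and shredding the key on the tenant side leaves every blob still sitting at the old provider as unreadable, authenticated ciphertext. The `Tenant` type and its methods are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Tenant keeps the data key on premises; the provider only ever sees what Upload returns.
// (Hypothetical type for this example, not part of any AFORE product.)
type Tenant struct{ key []byte }

// NewTenant generates a 256-bit key on the tenant side (as of Go 1.24 rand.Read never errors).
func NewTenant() *Tenant { k := make([]byte, 32); rand.Read(k); return &Tenant{key: k} }

// aead builds AES-256-GCM; a shredded (nil) key has length 0 and is refused by aes.NewCipher.
func (t *Tenant) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(t.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload seals data with a fresh nonce prepended. This blob is all the provider stores.
func (t *Tenant) Upload(pt []byte) ([]byte, error) {
	g, err := t.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil), nil
}

// Download reverses Upload; a missing or wrong key fails authentication instead of
// yielding garbage, so leftover ciphertext fragments never "decrypt" by accident.
func (t *Tenant) Download(blob []byte) ([]byte, error) {
	g, err := t.aead()
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.New("object cannot be opened")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Shred is the article's "delete the encryption key" step: zero the key and drop it, and
// every blob still held by the old provider is permanent ciphertext.
func (t *Tenant) Shred() { for i := range t.key { t.key[i] = 0 }; t.key = nil }
```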
Trust Your Cloud Provider? How About Your Government?
A lot of companies considering cloud services are asking themselves if they can trust outside cloud administrators. Furthermore, with the NSA espionage scandal in recent memory, many companies are worried that their service providers may be secretly providing data to government bodies.
Bramble says, “Organizations are coming to the realization that if they don’t want their data seen, they really can’t put the trust completely for the data itself in those organizations even if they are encrypting it, because the simple matter of a subpoena and Amazon has to cough up that data.”
Of course, if data is encrypted within the cloud and the cloud provider holds no keys to hand over to authorities, then a court that grants a warrant or subpoena for the data has to approach the company itself for the encryption keys.
Building Trust to Provide New Services
Proving to users that their data is only decipherable to themselves is a way that cloud and hosting providers can provide trust to clients, and help them meet their security and regulatory requirements. It can even pave the way for new and enhanced services.
And as companies begin to link data with more applications and adopt sophisticated hybrid cloud models, it becomes more important to focus on securing data rather than setting up security perimeters.
“Our focus is really data-centric, and about securing the data itself,” Bramble says. “And we go all the way up to application-level data protection. You don’t care about where that data is going anywhere anymore when it’s encrypted. The focus moves away from perimeter and allows you to focus on the data you’re concerned about.”
This means that as administrators roll out new applications, the data stays visible only to authorized individuals and applications, and the encryption keys are never left with service providers.