Every Cloud Needs a Silver Lining

Gilad Parann-Nissany

Subscribe to Gilad Parann-Nissany: eMailAlertsEmail Alerts
Get Gilad Parann-Nissany: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Cloud Security Cloud Computing cloud budget  cloud security just right How Much Should You Spend on Cloud Security?Cloud adoption rates are growing.  Gartner forecasts that by 2016 this growth will increase to become the bulk of new IT spend.  A lot of money is at play in the cloud computing landscape.  However, cloud security (and its cost) is still considered a significant barrier to cloud adoption. As organizations strategically target the cloud as the future infrastructure, the costs and benefits of cloud security must be taken into account.  The operational overhead and financial expense of cloud security, combined with the effectiveness of the security solution, should be carefully considered.

But how much cloud is there in proposed “cloud security” solutions and how do traditional physical systems affect the overall cost?  How do you find the “just right” balance?

Cloud Security, Cloud Flexibility, and Cost

Today’s cloud security resources pose a juxtaposition between security and flexibility.   Physical security solutions – hardware – are the incumbent, yet less flexible, option. While managing some data security elements outside the cloud might contribute to the overall security of the system, it severely hinders cloud benefits such as:

  • Elasticity
  • Automatic provisioning
  • Pay as you go billings

When adding the operational overhead and cost elements into the equation, physical solutions not only negate the benefits of migrating to the cloud, they also become cost-prohibitive for many companies migrating to the cloud.

Let’s explore the security/flexibility/cost tradeoff as it relates to cloud encryption, a key component in any cloud security protocol. Implementing a hardware-based encryption appliance inside the data center might look like the right choice from a security perspective, but the tradeoff is significant. Such systems are limited to specific applications (i.e. integrates with specific databases and SaaS solutions), and limit the ability to process, analyze or search data while in the cloud, because the data has been encrypted on premise. Financially, such solutions are not cloud friendly either. It is expensive to acquire and time-consuming to manage a hardware-based solution.

Hardware-based encryption solutions do not fit the cloud computing model.

But operating in the cloud, especially if your business must comply with regulations like HIPAA or PCI DSS, comes with an obligation to securely encrypt your data.

An alternative to hardware-based models is trusting your cloud provider to encrypt the data for you.  This method is indeed cloud enabling and cost effective, but compromises the effectiveness of your security as you no longer maintain full control of your data.  For this reason, having the cloud provider control your data encryption in the cloud will not be approved by most regulations. More importantly, this option is not considered a security best practice.  As evidenced by the recent breach at Target, in which debit card pins were under attack, your data is not secure unless you are in full control of your encryption keys.

We find ourselves in a Goldilocks-like conundrum: If hardware-based models are too expensive and cloud-provider encryptions are not secure enough, where is the “just right” solution?  And…how much does it cost?

A “Just Right” Cloud Security Model

Pardon the pun, but if the “too hard”ware model and the “too soft” encryption by cloud providers were to have a “just right” baby bear – it would be this:

A new cloud security technology that balances the best of both worlds:

A 100% cloud based secure and compliant environment offered in a pay as you go economic model.

Split-Key encryption implements a “Swiss bank” approach, in which an encryption key is split in half. One half of the encryption key is provided to the data owner.  The second half is managed by a secure virtual key management system, and only the combination of both keys can “lock” or “unlock” the safe – encrypt or decrypt data in the cloud. The key itself is then homomorphically managed so that it never exists in the cloud in unencrypted form.  Because only one half of the key is managed in the cloud – the entire encryption key is never visible to the cloud provider or to the encryption vendor (you may want to download the white paper to read more about this technology).

Secure encryption is achieved.

Nobody except the data owner controls the data.

Costs are a fraction of traditional hardware-based systems.

Typically, it is the importance of the data (financial or patient information, HR or even “just” sensitive intellectual property) that defines the proper security measures and costs. Security technology is constantly adjusting and adopting to cloud computing.  New technologies significantly lower the financial barrier of entry (see pricing example here), and enable companies of all sizes to adopt the cloud and maintain the highest security standards while doing so.

The post How Much Should You Spend on Cloud Security? appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.