Cloud computing 2014: Moving to a zero-trust security model

Jaikumar Vijayan| Computerworld

The leaking of classified documents detailing the data collection activities of the U.S. National Security Agency earlier this year reignited some long-standing concerns about the vulnerability of enterprise data stored in the cloud.

But instead of scaring businesses away from using hosted services, as some experts predicted, the leaks about the NSA spy programs are driving some long overdue changes in enterprise and service provider security and privacy policies.

When Edward Snowden first began spilling details of the NSA’s surveillance practices to selected reporters in June, industry analysts had expected that the revelations would put a severe crimp on plans for cloud deployment.

For instance, the Information Technology & Innovation Foundation in August said the leaks could cause U.S. cloud providers to lose 10% to 20% of the foreign market to overseas competitors — or up to $35 billion in potential sales through 2016.

Another industry group, the Cloud Security Alliance, predicted a similar backlash due to concerns by Europen companies that thje U.S. government would access to their data.

Six months later, the impact appears to be less severe than expected.

Despite some reports of slowing sales of cloud services by U.S. vendors to overseas companies, experts now expect that the Snowden leaks will have little effect on long-term sales. The business benefits of using cloud-based services continue to supersede enterprise fears of government snooping.

At the same time though, the detailing of classified NSA spy programs has prompted an increased emphasis on cloud data security and protection that’s expected to grow further in 2014.

The leaks hammered home just how little control companies have over data stored in the cloud, said Richard Stiennon, principal at consulting firm IT-Harvest. “There is a fundamental shift to a zero-trust model in the cloud.” The disclosures showed enterprises that “there cannot be any chink in the trust chain from internal resources to the cloud and back.”

Analysys say IT security officials are looking at several key areas, such as data encryption, key management and data ownership, regionalization, and the need for increased government transparency, to improve cloud security.

Data encryption

Encryption has gained a lot of attention since the Snowden leaks. Major service providers like Microsoft, Yahoo and Google set the tone by adding end-to-end encryption of data they host and manage for customers.

For instance, Google Cloud Storage now automatically encrypts all new data before it’s written to disk. Such server-side encryption will soon be available for older data stored in Google clouds.

Since the NSA programs were disclosed, Microsoft has announced that it plans to ramp up encryption support for various services, including Outlook.com, Office 365, SkyDrive and Windows Azure.

By the end of 2014, Microsoft expects to have measures in place for encrypting data in transit between customer locations and its data centers, and while in transit between its own data centers.

Like Google, Microsoft says it plans to encrypt all stored data in the cloud

Several other cloud services providers, like Dropbox, Sonic.net and SpiderOak, have announced support for similar data encryption programs, and for features like 2048-bit key lengths and the “Perfect Forward Secrecy” method for future-proofing encrypted data.

Experts say such measures are vital to protecting data traveling between customer companies and cloud service providers.

Information in the classified documents about NSA attempts to weaken encryption algorithms, and to tap fiber links connecting service provider data centers provided much of the impetus for these efforts.

Key management and data ownership

The U.S. government’s position in its dispute with Lavabit, a secure email services provider, that cloud service firms must hand over their encryption keys when asked, has focused considerable attention on key management and data ownership.

While encryption efforts by service providers are a vital part of improving cloud security, they only go so far, says Eric Chiu, president of HyTrust, a cloud infrastructure management company.

“Encryption is only as secure as its key management system,” Chiu said. “While cloud providers may implement encryption, customers need to be aware that if providers hold encryption keys, it’s still possible that they can access data — or provide the keys to someone who requests them.”

Such concerns have sparked increased interest in approaches that let enterprise users of cloud services to own the encryption and cryptographic key management process while data is at rest, in use and in transit.

A growing number of vendors, including Vaultive, CipherCloud, TrendMicro and HyTrust, offer tools designed to make it easier for businesses to retain more control of their data while taking advantage of cloud hosted infrastructures and services.

CipherCloud, for instance, sells a gateway technology that lets companies encrypt data while in transit to and from the cloud and while stored. The gateway lets enterprises store encryption keys locally, and to interact with the encrypted data in the cloud.

Security experts have long recommended using persistent encryption to secure data in the cloud. To date, adoption has been low due to the cost and complexity of key management. That may be changing.

“For enterprises that require true data privacy for compliance or internal purposes, we will see those companies implement encryption themselves, and maintain their own keys on premise,” predicts Chiu.

Vaultive, CipherCloud and the other vendors say they are seeing a marked increase in enterprise interest in their technologies due to the NSA surveillance disclosures.

Regionalization

The Snowden data leaks could also accelerate regionalization of cloud services.

Data residency requirements and fears of hosting data on U.S.-based servers and infrastructures could prompt non-U.S. customers especially to increasingly look to use cloud providers closer to home.

Enterprises in China and the Asia-Pacific region in particular appear to be more apprehensive about U.S. service providers and technology since the NSA disclosures, Stiennon said. Many are expected to start looking at regional and local options for hosting needs.