

@CloudExpo: Blog Feed Post

Cloud Encryption for Cloud Providers


As part of our cloud strategy, we’ve recently released a VMware version of our cloud security offering. It allows cloud providers using VMware, as well as the cloud users themselves, to create an encrypted environment within minutes, while eliminating the complexity around encryption key management in the cloud without compromising trust and confidentiality.

During this process we engaged in many conversations with the cloud provider community to better understand their requirements and, equally important, their customers' requirements. We identified some interesting patterns with regard to cloud data security, which I thought would be beneficial to share.

Where does it make more sense to integrate the encryption solution?
One recurring issue in our discussions with cloud providers was the ideal location for the virtual encryption integration. In other words: where should the actual encryption and decryption of the data occur? One approach is to integrate encryption as close as possible to the storage layer. This view seems natural at first to people who are used to physical data centers and the separation between compute and SAN storage. It allows encryption of the entire storage area, but it puts control of encryption, and especially of the encryption keys, in the hands of the provider instead of in the hands of their customers.

Integrating encryption at that level takes away the end user's ability to control the encryption of their own environment and keeps encryption at the cloud provider level: whoever holds the provider's keys, whether a provider administrator or an attacker who has compromised the provider, can read the data. In other words, the customers have to compromise on confidentiality.

We've found that bringing cloud encryption "closer" to the customer gives the cloud provider more flexibility in meeting customers' requirements, answers the confidentiality need, and provides the option to bill customers for the data encryption they consume (for example by integrating the Porticor solution into the cloud UI).

Key Management as a Service
Cloud key management is a much discussed issue. While data encryption can be achieved in more than one way (via a virtual appliance, client-side full disk encryption, database field-level encryption, TDE (Transparent Data Encryption), etc.), key management remains a significant challenge. We've found that many of the cloud providers we've talked with were comfortable consuming our split-key technology as a service. Their claim was: "as long as the split-key technology works so customers are the only ones who control the data, and as long as you can prove high availability, scalability, and security, there's no point in us providing key management services".


Automating the encryption process
With regard to automation, cloud providers have several requirements. On the encryption level, the solution should integrate fully into the provider's existing cloud workflow so that customers can easily consume encryption as needed. In addition, the encryption solution must be transparent to the application, to avoid a scenario where upgrading the encryption layer affects the application layer. A further requirement is automated key management, so that users who choose to can create additional encrypted disks automatically without creating a key pair for each and every disk, yet, as before, without compromising the trust and confidentiality of customers' cloud data.
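The split-key model from the key management section and the automated per-disk key requirement above, as an added example. This is my own Go illustration, not Porticor's product code; the combination rule (HKDF-SHA256 over both shares), the 32-byte share size, the disk IDs and the sample block are assumptions. The customer's share and the key service's share are combined into a root key that neither stored half yields alone; each disk key is then derived from the root and the disk ID, so adding a disk stores no new key material; and each block is sealed with AES-256-GCM with the disk ID as associated data. The final step shows that the service's stored share by itself does not open the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const shareLen = 32 // both shares are fixed-length, so concatenating them is unambiguous

// hkdf is HKDF-SHA256 (RFC 5869) written out with the standard library so the
// example needs no module outside the Go distribution.
func hkdf(salt, ikm, info []byte, n int) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil) // PRK = HMAC(salt, IKM)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(prev) // T(i) = HMAC(PRK, T(i-1) || info || i)
		expand.Write(info)
		expand.Write([]byte{i})
		prev = expand.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// RootKey combines the customer-held share with the key service's share.
// The service stores only serviceShare; customerShare is supplied by the
// customer at run time, so neither stored half yields the root on its own.
func RootKey(customerShare, serviceShare []byte) ([]byte, error) {
	if len(customerShare) != shareLen || len(serviceShare) != shareLen {
		return nil, errors.New("shares must be exactly shareLen bytes")
	}
	ikm := make([]byte, 0, 2*shareLen)
	ikm = append(ikm, customerShare...)
	ikm = append(ikm, serviceShare...)
	return hkdf([]byte("split-key-root-v1"), ikm, nil, 32), nil
}

// DiskKey derives the per-disk AES-256 key from the root and the disk ID.
// Creating a new disk therefore stores no new key material, only the ID.
func DiskKey(root []byte, diskID string) []byte {
	return hkdf(nil, root, []byte("disk:"+diskID), 32)
}

// SealBlock encrypts one disk block with AES-256-GCM. The disk ID is bound in
// as associated data so a block cannot be replayed onto a different disk.
// Output layout: nonce || ciphertext || tag.
func SealBlock(key []byte, diskID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(diskID)), nil
}

// OpenBlock reverses SealBlock; a wrong key, wrong disk ID or modified
// ciphertext fails authentication and returns an error.
func OpenBlock(key []byte, diskID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed block too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], []byte(diskID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed shares for the demo. In a deployment the customer share
	// would be handed to the appliance at boot and never written by the provider.
	customer := make([]byte, shareLen)
	service := make([]byte, shareLen)
	rand.Read(customer)
	rand.Read(service)

	root, _ := RootKey(customer, service)
	key := DiskKey(root, "vol-0001")
	sealed, _ := SealBlock(key, "vol-0001", []byte("block 0 of the tenant's disk"))
	pt, err := OpenBlock(key, "vol-0001", sealed)
	fmt.Printf("both shares: %q, err=%v\n", pt, err)

	// The provider holds only its own share: derive with a zero customer
	// half and try to open the same block.
	halfRoot, _ := RootKey(make([]byte, shareLen), service)
	_, err = OpenBlock(DiskKey(halfRoot, "vol-0001"), "vol-0001", sealed)
	fmt.Println("service share alone:", err)
}
```

Combining the shares by concatenation inside HKDF is the simplest rule that makes both halves necessary; it does mean the appliance sees both shares in memory while it runs, which is the trust boundary a provider should state plainly to customers. What the provider persists is only its own share and the disk IDs, and, as the last call shows, that material on its own authenticates nothing.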

To conclude: the need for cloud data encryption is on the rise, requiring cloud providers to offer secure yet innovative solutions. Cloud providers are looking for solutions that mitigate their exposure and secure their customers' data, while being flexible enough to allow encryption at the customer level and enabling the provider to charge for this added-value service. The main data encryption requirements expressed by cloud providers are for a strong and secure solution that does not compromise cloud elasticity and flexibility.

Ariel Dan is co-founder at Porticor Cloud Security.


More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
