Decouple an App From the OS Before You Move to the Cloud

Virtual Application Appliances

Subscribe to Virtual Application Appliances: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get Virtual Application Appliances: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

VAA Authors: Destiny Bertucci, Ray Parker, William Schmarzo, Pat Romanski, Gilad Parann-Nissany

Related Topics: Cloud Computing, VMware Journal, Datacenter Automation, Virtual Application Appliances, Java in the Cloud

Blog Feed Post

Cloud Encryption for Cloud Providers

Where does it make more sense to integrate the encryption solution?

As part of our cloud strategy, we’ve recently released a VMware version of our cloud security offering. It allows cloud providers using VMware, as well as the cloud users themselves, to create an encrypted environment within minutes, while eliminating the complexity around encryption key management in the cloud without compromising trust and confidentiality.

During this process we’ve engaged in many conversations with the cloud providers’ community to better understand their requirements, and equally important – their customers’ requirements. We’ve identified some interesting patterns with regards to cloud data security, which I thought would be beneficial to share.

Where does it make more sense to integrate the encryption solution?
One repetitive issue we’ve discussed with cloud providers’ was the ideal location for virtual encryption integration. In other words – where should the actual encryption and decryption of the data occur? One approach is to integrate encryption as close as possible to the storage layer. This view seems at first natural, to people who are used to physical data centers and the separation between compute and SAN storage. It allows encryption of the entire storage area, but it puts control of encryption – and especially encryption keys – in the hands of the provider instead of in the hands of their customers.

Integrating encryption on that level eliminates the end user’s ability to maintain control of the encryption for his own environment, and keeps encryption at the cloud provider level. In other words, the customers will have to compromise on confidentiality.

We’ve found that bringing cloud encryption “closer” to the customer, enables the cloud provider better flexibility in meeting customers’ requirements, answering the confidentiality needs, and provides the option to bill customers for data encryption they consume (for example by integrating the Porticor solution into the cloud UI).

Key Management as a Service
Cloud Key Management is a much discussed issue. While data encryption can be achieved in more than one way (via a Virtual Appliance, client side full disk encryption, Database field level encryption, TDE – Transparent Data Encryption, etc…), the encryption key-management remains a significant challenge. We’ve found that many of the cloud providers we’ve talked with were comfortable consuming our split-key technology as a service. Their claim was: “as long as the split-key technology works so customers are the only one who control the data, and as long as you can prove high availability, scalability, and security,  there’s no point for us providing key management services”. (For further reading on our key management technology, click here).

VMware Security Cloud Security Cloud Key Management Cloud Encryption  cloud keyboard Cloud Encryption for Cloud Providers

Automating the encryption process
With regards to automation, cloud providers have several requirements; on the encryption level, the solution should allow full integration to the existing cloud-flow provided by the cloud provider so the customers can easily consume encryption as needed. In addition, the encryption solution must be seamless to the application to avoid a scenario where upgrading the encryption layer, affects the application layer. An additional requirement is for automated key management, to enable users, should they choose to do so, to create additional encrypted disks automatically without creating a key-pair for each and every disk, yet as before, without compromising trust and confidentiality of customers’ cloud data.

To conclude: the need for cloud data encryption is on the rise, requiring cloud providers to provide secure yet innovative solutions. Cloud providers are looking for solutions that can mitigate their exposure and secure their customers’ data, but at the same time will be flexible enough to allow encryption on the customer level, and at the same time enable the cloud provider to charge for this added value service. The main data encryption requirements expressed by cloud providers are for a strong and secure solution which at the same time does not compromise cloud elasticity and flexibility.

Ariel Dan is co-founder at Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.