Sean McGrath of InformationWeek recently confirmed that the rise of the public Cloud as a “de-facto standard” has prompted businesses to ask new questions about their respective security procedures.
“The answer to numerous security questions and concerns lies, of course, in encryption,” he explained.
“The earliest forms of cryptography were found in hieroglyphs carved into monuments of the Old Kingdom of Egypt in 1900 BC. Up until the 1970s, secure cryptography was the preserve of government agencies, but the advent of asymmetric cryptography brought highly secure encryption into the public arena.”
McGrath describes bring your own encryption (BYOE) as a security model that offers Cloud customers complete control over the encryption of their data. This is accomplished by deploying a virtualized instance of the customer’s encryption software alongside the application the business hosts in the Cloud.
The BYOE paradigm segues neatly into the “bring your own key” (BYOK) concept, where encryption keys are stored away from the Cloud and controlled solely by the customer. Essentially, this means the Cloud service provider (CSP) cannot access the data without the master key, even if it is legally forced to do so.
“While it’s still early days for BYOE and BYOK, ensuring security has never been a more paramount issue,” added McGrath. “Public Cloud offers efficiencies and scalability, the likes of which have never been seen before; but its extraordinary benefits must be balanced against the increasingly complex security landscape.”
Commenting on the above-mentioned article, Paul Kocher, the President and Chief Scientist of the Rambus Cryptography Research division, says the ultimate objective of BYOE and BYOK is to provide customers with control over their own security.
“However, customer involvement in key management is at most a very small step, as the customer’s total control over security is still very limited, since in most cases the keys get transferred to the servers themselves,” said Kocher. “Likewise, customer-defined (and owned) crypto software running on Cloud servers doesn’t do much if the server itself isn’t secure. As a result, there isn’t much of a reduction in the number of people and systems involved that are critical for security – while customer security needs remain largely unmet.”