"Security" and "Cloud" are often seen as mutually exclusive. Many CIOs live in fear of losing control over their data, despite claims by cloud providers that sensitive information is in fact in safe hands with them. But once data gets replicated, it gets harder and harder to keep it under lock and key.
Many organizations hesitate to enter the era of cloud computing because they want to keep their data on a tight leash. Most products in the realm of cloud security fail to address these worries. And while federated identity management, coding security into new software, and security service level agreements may form the groundwork for application security in the cloud, they do not ensure that the data cannot be read by the provider itself.
For that, data would have to be encrypted. Yes, there are Rights Management products out there that can do this with different degrees of success. In fact, ways of controlling access through Rights Management have been around for years, for instance in order to protect software (from Microsoft, Apple and others) as well as in consumer applications such as Pay TV, Video on Demand, digital music, etc.
But how would cloud applications deal with encrypted data? Typically, such apps are created today using a Web Service architecture, which means that individual components can be classified as trustworthy or untrustworthy. One way would be to keep the data locked up but to allow trustworthy components to open it using a decryption key. This could be done by sending an online request to the company's key management server. This substantially reduces the overall risk, and transactions can be documented for auditing purposes. A typical instance of this approach in action can be found in many health care telemetric infrastructures.
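A minimal sketch of the key-release step described above, added here as an illustration and not taken from any product or from the original article. The `KeyServer` class, the HMAC-signed request with a nonce, and the hash-chained audit log are assumptions chosen for the example; the article only states that trusted components request keys online and that transactions can be audited.

```python
import hashlib, hmac, json, secrets

def sign_request(secret, component, key_id, nonce):
    # A JSON list keeps field boundaries unambiguous in the signed message.
    msg = json.dumps([component, key_id, nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class KeyServer:  # hypothetical in-memory stand-in for the company's key server
    def __init__(self, key_ids):
        self._keys = {k: secrets.token_bytes(32) for k in key_ids}  # data keys
        self._trusted = {}    # trusted component -> request-signing secret
        self._nonces = set()  # nonces already used, to reject replays
        self.audit_log = []   # hash-chained record of every request

    def enroll(self, component):
        return self._trusted.setdefault(component, secrets.token_bytes(32))

    def _audit(self, component, key_id, outcome):
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {"component": component, "key_id": key_id, "outcome": outcome, "prev": prev}
        self.audit_log.append({**entry, "hash": entry_hash(entry)})

    def request_key(self, component, key_id, nonce, tag):
        secret = self._trusted.get(component)
        if secret is None:
            outcome = "denied:untrusted-component"
        elif not hmac.compare_digest(sign_request(secret, component, key_id, nonce), tag):
            outcome = "denied:bad-signature"
        elif nonce in self._nonces:
            outcome = "denied:replay"
        elif key_id not in self._keys:
            outcome = "denied:unknown-key"
        else:
            outcome = "granted"
            self._nonces.add(nonce)
        self._audit(component, key_id, outcome)  # denials are logged too
        return self._keys[key_id] if outcome == "granted" else None

def audit_chain_intact(log):
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

Because every request, granted or denied, lands in the chained log, an auditor can rerun `audit_chain_intact` to detect an entry that was altered or removed after the fact.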
However, business processes today tend not to terminate at the company gate but instead to reach out into the supply chain to allow the exchange of data with partners and affiliates. If that partner is running different Rights Management software, some kind of translation process must be implemented. Unfortunately, that kind of interoperability remains to be developed.
Ideally, of course, it should be possible to process encrypted data directly without first having to unlock it. A number of researchers are working on just that, but their solutions aren't ready for market yet. However, hopes are high, so keep watching this spot!