IT Security in and for the Cloud is one of today’s hottest topics. Unfortunately, it is almost as complicated as the Cloud itself, spanning from Identity Management and logging intelligence to data encryption. This article explores the various scenarios and demonstrates both strengths and weaknesses.
Vendors like both to invent and to employ hype expressions to describe their technologies, and it is clear why: They want to make their products stand out from the rest. It's been that way since the earliest days of modern computing, and it goes especially for the field of IT Security. Remember "Endpoint Security" or "Perimeter Defense"? But now, with Cloud Computing all the rage, the industry is straining to reach new heights of hyperbole.
Sadly, no one seems to be answering the real questions, which are: How do you make the Cloud secure, and is there a substantive difference between IT Security outside and inside the Cloud? The going argument, which will do very well as a starting point for this article, is that by moving to the Cloud, IT loses control of its data. This is the argument you hear from most CIOs and CSOs today in order to justify their reluctance to adopt cloud-based strategies or to outsource parts or all of their computing to external service providers. And yes, it's a pretty strong argument.
Others seem resigned to their fate. That's just the way it is, these people say - you just have to get used to total transparency and the loss of privacy and trust your Cloud provider. Providers on the other hand are trying to gain trust by following some set of "industry best practices".
Cloud Security - where's the light at the end of the tunnel?
Of course, the providers know there really are no arguments to justify their pretensions to trustworthiness, much less a way for them to really guarantee the confidentiality of the data they are entrusted with. So the best thing for them to do is haul out a plethora of top-notch security measures that have been more or less successful in the past, like identification, authentication, fine-grained rights management, SIEM (Security Information and Event Management), compliance tools and encryption.
But what does this old-fashioned brand of IT Security protect the data from? From external threats, of course - the same way companies protect data on their internal systems today. However, this is beside the point. The challenge in the world of Cloud Computing is how to get your data into the Cloud in the first place without running undue risks, since these security mechanisms don't really care who is actually processing the data at any given time.
The only way to solve this problem is through DRM (Digital Rights Management) or, even better, through IRM (Information Rights Management, also known as Enterprise DRM). Documents that are protected by IRM can be blithely sent off to the Cloud, since they can only be decrypted by authorized users according to policies laid down beforehand.
IRM beats classical encryption hands down since it allows you to give permission to use the data retroactively without having to touch the data itself at all. To do the same thing in a traditional encryption scenario would mean revealing the key or the password.
IRM brings many benefits. For instance, you can limit the visibility of the data to certain times or even geographically by using modern location-based systems. And if the application supports this feature, you could make only certain passages editable; the rest of the document cannot be changed.
By separating rights management (which usually involves some kind of identity management) from enforcement through selective, flexible encryption you can develop very sophisticated rules and policies which could even be offered as a Cloud-based service themselves.
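The separation described above (a rights service that holds keys and policies, and an enforcement step that decrypts) can be sketched as follows. This is an added example, not code from any vendor's IRM product: `PolicyServer`, `protect` and `open_document` are hypothetical names, and the SHAKE-256 keystream is a standard-library stand-in for a real authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stdlib stand-in for a real AEAD such as AES-GCM, so the demo runs offline.
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()  # separate MAC subkey
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

class PolicyServer:
    """Rights management: holds content keys and grants, never the documents."""
    def __init__(self):
        self.keys, self.grants = {}, {}

    def grant(self, doc_id, user, not_after, regions):
        self.grants[(doc_id, user)] = (not_after, frozenset(regions))

    def revoke(self, doc_id, user):
        self.grants.pop((doc_id, user), None)

    def release_key(self, doc_id, user, now, region):
        rule = self.grants.get((doc_id, user))
        # Deny by default: no grant, expired grant, or request from another region.
        if rule is None or now > rule[0] or region not in rule[1]:
            raise PermissionError(f"{user} may not open {doc_id}")
        return self.keys[doc_id]

def protect(server, doc_id, plaintext: bytes) -> dict:
    """Encrypt once; the resulting blob is what gets uploaded to the cloud."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    server.keys[doc_id] = key  # the key stays with the rights service
    ct = _xor_stream(key, nonce, plaintext)
    return {"doc_id": doc_id, "nonce": nonce, "ct": ct, "tag": _tag(key, nonce, ct)}

def open_document(server, blob, user, now, region) -> bytes:
    """Enforcement: fetch the key under policy, verify integrity, decrypt."""
    key = server.release_key(blob["doc_id"], user, now, region)
    if not hmac.compare_digest(_tag(key, blob["nonce"], blob["ct"]), blob["tag"]):
        raise ValueError("stored blob was modified")
    return _xor_stream(key, blob["nonce"], blob["ct"])

if __name__ == "__main__":
    srv, now = PolicyServer(), datetime.now(timezone.utc)
    blob = protect(srv, "report-1", b"constructed sample record")
    srv.grant("report-1", "alice", now + timedelta(days=1), {"DE"})  # added after upload
    print(open_document(srv, blob, "alice", now, "DE"))
```

The grant is added after the blob has been uploaded and the blob never changes, which is the retroactive permission described above. Once a client has been handed the key, revoking the grant only blocks later opens.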
A good example of an area that would greatly profit from an IRM approach to Cloud architecture is healthcare. The new German eHealth Card will support telematics systems in which the patient data can be protected by IRM, thus giving the patient full control over who gets to see his records.
Every man for himself
The big drawback of IRM in its present form is the lack of common standards or in fact of any real standards at all. Almost every vendor - first and foremost Microsoft, Adobe and Apple - has chosen to take a different path towards IRM and DRM, thus locking in existing customers and creating huge entrance barriers for others, since one system won't work with any other.
Creating industry-wide standards is an imperative, but it won't happen overnight. A good idea would be to develop some kind of "intermediate IRM" that would enable the exchange of documents between different formats through some kind of "IRM middleware" which would form the basis for the IRM handling of corporate information and thus achieve true Cloud Security.
There are a number of specialist vendors in the IRM market today, some using technology supplied by the big players, others travelling the proprietary route. As a rule, these niche systems do a very good job of handling complex and differentiated policies. This is convincing from a technological viewpoint, and it provides compelling arguments for the security people. However, most solutions in use today get along with rather simple policies which make them easy to scale and administer.
Finding common ground for IRM and DRM
Naturally, the vendors of IRM solutions hesitate to compare their products with "old-fashioned" DRM technology (read: "content protection"). We feel that there is some common ground. After all, DRM is rather prevalent already and has established itself for instance in the realm of video-on-demand (Maxdome, Microsoft), music distribution (iTunes) and apps (virtually every app store for smartphones uses some form of it). Yes, there exists a community of crackers who know how to get around DRM protection, but they are seldom criminally inclined.
It would be interesting to see what the success factors for DRM systems are and how they might play in the Cloud space. And it turns out they do play there: most large-scale DRM systems are engineered to protect information (usually digital content) in mostly uncontrolled environments.
As a rule, these systems already allow distributors to create simple policies governing the type of devices that can be used for access (such as set-top boxes or MP3 players) and exactly when they may be used. Apple, for instance, lets customers of its iTunes store retroactively change the settings for a certain song or clip to "home use" so they can be seen or listened to by other members of the family on different devices. These models all have in common that they allow policies to be both flexible and straightforward.
This raises the question of whether IRM policies really should be forced to take every imaginable scenario into account, or whether the market would profit from the far simpler policy model of DRM to protect data and administer the systems.
Gradually getting there
No matter which course is taken, DRM and IRM are poised to become important building blocks in future Cloud strategies, so the earlier vendors and service providers adopt them the better. This would give users a way to store and at least partially process data in the Cloud without running undue risks.
However, it is still very early days for the processing of encrypted information since this involves removing the protection most IRM systems provide today. This is the Holy Grail of Cloud Security since it would mean that we can all start storing all of our data - HR, CRM and even analysis results - in the cloud without having to worry ourselves sick. Getting there will eventually involve some kind of "homomorphic" encryption, but that is an area in which research is just beginning to get under way.