As we see more and more organizations starting to outsource their data to services such as Amazon and Telco-based cloud environments, there is an increased importance around the security of the actual data that resides in these environments. In some cases, organizations are moving business-critical and privacy sensitive data off-site to take advantage of reduced infrastructure costs, but in some cases, to leverage the security postures of the cloud providers themselves.
However, since most of these providers leverage multi-tenant environments, there is an innate need to protect the databases that reside in these segregated spaces in order to prevent the accidental (or maliciously intended) of breaches due to lack of security policies or the increased sophistication of VM attacks. This brings up the question about whether an encryption or DLP solution implemented will help to reduce the potential of attacks, and who should be responsible for making sure these measures are in place to help protect these assets. To put it simply, encryption is a recommended solution to help secure these environments, but there are key considerations to keep in mind.
It is always recommended to leverage best practices for key management when using any encryption or decryption product. It is imperative to obtain technology and products from credible sources and that you maintain your own keys or use a trusted cryptographic service through a proven hosted provider.
Regardless if you wish to maintain key scoping at the individual or group level, or supplement group access through an off-the-shelf technology such as DRM that runs at the endpoint such as email, hard disk, and folder encryption, it is imperative that the organization maintains control over the algorithms, rather than the cloud provider. I recommend that you also shy away from re-inventing the wheel through the creation of proprietary encryption algorithms, or leveraging standards such as DES as they are can easily be broken. However, layering object security (such as SQL grant and revoke statements) is a great way to help prevent access even to the encrypted resources. Oh, and encrypting a primary key is just asking for trouble, since once you start down that path, every foreign key will need to be encrypted.
If your business utilizes processes that leverage cloud-based data, or require the need to run analytics on it, then consider developing cloud resources on platforms such as Hadoop which facilitate such functionality.
More information on encryption of cloud resources can be found in the Cloud Security Guidelines document located on the Cloud Security Alliance’s website at http://www.cloudsecurityalliance.org.