Encryption practices vary widely in the cloud

Get a provider's encryption details before turning over your data

Fears of data exposure continue to make enterprises hesitate when considering cloud computing services, and encryption is one way to reduce the risk that sensitive data could be compromised via a cloud provider. However, the methods that cloud vendors use for encryption vary considerably and that has an impact on how secure your encrypted data really is, cautions Thomas J. Trappler, director of software licensing at the University of California, Los Angeles.

There are different encryption standards used by different providers, and some providers encrypt data in transit, as well as data at rest. Some use 128-bit encryption and others use 256-bit. The encryption key may be held by any combination of third parties, the vendor and key escrow. The keys can be managed in different ways, and if they are handled poorly it can cancel out the benefit of encryption.

"Even when used and configured appropriately, encryption isn't always a silver bullet," Trappler writes in a post at Computerworld. "As with most risk mitigation strategies, there's a trade-off between costs and benefits. Risk might go down with encryption, but adding encryption typically increases the total cost of using a cloud solution. What's more, adding encryption can result in slowed or diminished performance due to the extra steps introduced into the process."

Some alternative methods for making exposed data useless are being developed by cloud providers. One makes use of distributed file systems, in which files are broken up into many pieces and stored on different computers at different sites. Another uses data masking to obscure the relationship between sensitive data and related information.

For more:
- see Thomas J. Trappler's post at Computerworld

Related Articles:
How to steal cloud computing capacity
How to write security into a cloud contract
Customers on the hook for data security in the cloud