How do you secure data in the cloud? The answer is “it depends”. What type of cloud are you talking about – IaaS, PaaS, or SaaS? Public or Private? What services or applications are you running? What data do you want to protect? Following up on the things I learned at RSA, one statement I heard makes sense now. Specifically, a couple weeks ago Chris Hoff surprised me when, talking about data security in the cloud, he tweeted:
Really people need to be thinking more about app-level encryption.
Statements like that normally make the information-centric security proponent in me smile with glee. But this time I did not get his point. Lots of different models of the cloud, and lots of ways to protect data, so why the emphatic statement?
He answered the question during the Cloudiquantanomidatumcon presentation. Chris asked “How do you secure data in two virtual machines running in the cloud?” The standard answer: PKI and SSL. Data at rest and data in motion are covered. With that model in your head, it does not look too complex. But during the presentation, especially in an IaaS context, you begin to realize that this is a problem as you scale to many virtual machines with many users and dispersed infrastructure bits and pieces. As you start to multiply virtual machines and add users, you not only create a management problem, but also lose the context of which users should be able to access the data. Encryption at the app layer keeps data secure both at rest and in motion, should reduce the key management burden, and helps address data usage security. App layer encryption has just about the same level of complexity at two VMs, but its complexity scales up much more gradually as you expand the application across multiple servers, databases, storage devices, and whatnot. So Chris convinced me that application encryption is the way to scale, and this aligns with the research paper Rich and I produced on Database Encryption, but for slightly different reasons.
I can’t possibly cover all the nuances of this discussion in a short post, and this is big picture stuff. And honestly it’s a model that theoretically makes a lot of sense, but then again so does DRM, and production deployments of that technology are rare as hen’s teeth. Hopefully this will make sense before you find yourself virtually knee deep in servers.
2 Replies to “Random Thoughts on Securing Applications in the Cloud”
You had me until the comparison to DRM.
Did you mean PKI and SSL or PGP and SSL?
Security is about a desired end state, not as much about the means to achieve that state. This post implies they are more strongly coupled than I think they are.
When I think of data at rest encryption, I think “I need to encrypt stored data”, not “I need to use a piece of hardware that will automatically encrypt the bits on it”. If the latter makes sense, fine, if it causes me to manage too many keys, then I’ll look for a choke point to encrypt and store on plain old drives. Either way, I can find multiple solutions to a problem that give me my goal and pick the best one. I don’t just think “PKI and SSL”, and I don’t think everyone else does either.