Cloud providers have always struggled with the perception of data security challenges within their cloud environments, but recent news -- specifically, Edward Snowden's revelations regarding the National Security Agency -- have highlighted the gaping holes that can exist within IT security. Providers must strengthen their defenses to boost their customers' confidence.
Many providers employ various techniques to ensure their cloud environments can meet customers' compliance mandates and industry requirements for data security. Some cloud providers offer dedicated infrastructure to segment customer data and conduct frequent auditing of their environments. Other providers are turning to cloud encryption techniques to bolster their cloud security strategies.
"Encryption is an increasingly significant form of data protection in a post-Snowden world," said Jay Heiser, research vice president at Stamford, Conn.-based Gartner Inc.
Cloud encryption easing security, privacy fears
This year will be the year of cloud encryption, and not just the encryption techniques the industry is used to, said Marc Vael, international vice president of ISACA, an international professional association focused on IT Governance, and chief audit executive for Smals, a Belgian IT organization.
"Customers are starting to challenge not only how safe data is in transit, but also while in residence," Vael said. "You might be able to transfer data under encryption, but you eventually have to decrypt it, so there are always weaknesses."
More on cloud encryption
Encrypted cloud storage options for enterprises
Ensuring data security with cloud encryption
Enterprises want cloud compliance, encryption
Providers consider cloud encryption a powerful security technique, but the highly mathematical approach to security hasn't historically been easy to deploy, he said. "Cloud providers have to first figure out which encryption algorithm to use, and then make sure they are providing the right level of service to their customers -- they can't have the data getting slower because of encryption technology," he said.
"When [encryption] works, it works great, but sometimes it's believed to be impractical, because it can make other features -- like search -- difficult," Gartner's Heiser said.
Some providers are developing their own cloud encryption techniques, but security vendors are also offering "accessory encryption products" for Software as a Service and Infrastructure as Service providers. These third-party products can help providers boost security for their customers, without having to install and use encryption on their own.
IBM recently received a patent for a data encryption technique -- referred to as the "efficient implementation of fully homomorphic encryption." The homomorphic encryption technique scrambles data, and then allows the data to be processed without having to decrypt it first, the company said. Data is never out in the open, which will be an especially strong feature for cloud environments, said J.R. Rao, director of security research and member of IBM's Academy of Technology.
"Security and privacy is important, and a lot of people are relying on third-party services today," Rao said. "Connections like these make it possible to provide privacy guarantees for cloud services."
Cloud security: Be transparent with customers
Cloud providers may be trying to step up their security game in light of recent high-profile data breaches in order to appeal to the concerns of end customers, but business data has always been a target in the cloud, Rao said. "Sensitivity might be at an all-time high, but at the end of the day, there are liabilities that come along with exposing customer data, and many different industry regulations that providers have always had to be prepared for," he said.
In addition to offering technical security controls -- such as cloud encryption and auditing -- providers must be transparent about their security plans and procedures and be able to prove them through their service-level agreements, ISACA's Vael said.
"Providers can't just say 'we are secure and you have to believe us' anymore. They have to provide more information about the methods they have in place -- like cloud encryption -- and they must be ready to talk about their future security strategies and how they plan to move forward," he said.