Encryption has gained a lot of attention since the Snowden leaks. Major service providers like Microsoft, Yahoo and Google set the tone by adding end-to-end encryption of data they host and manage for customers. For instance, Google Cloud Storage now automatically encrypts all new data before it's written to disk. Such server-side encryption will soon be available for older data stored in Google's cloud.
Since the NSA programs were disclosed, Microsoft has announced that it plans to ramp up encryption support for various services, including Outlook.com, Office 365, SkyDrive and Windows Azure. By the end of 2014, Microsoft expects to have measures in place for encrypting data in transit between customer locations and its data centers, and while in transit between its own data centers.
Like Google, Microsoft says it plans to encrypt all stored data in the cloud.
Several other cloud services providers, like Dropbox, Sonic.net and SpiderOak, have announced support for similar data encryption programs, and for features like 2048-bit key lengths and the "Perfect Forward Secrecy" method for future-proofing encrypted data.
Experts say such measures are vital to protecting data traveling between customer companies and cloud service providers. Information in the classified documents about NSA attempts to weaken encryption algorithms and to tap the fiber links connecting service provider data centers provided much of the impetus for these efforts.
Key management and data ownership
The U.S. government's position in its dispute with Lavabit, a secure email services provider, that cloud service firms must hand over their encryption keys when asked, has focused considerable attention on key management and data ownership.
While encryption efforts by service providers are a vital part of improving cloud security, they only go so far, says Eric Chiu, president of HyTrust, a cloud infrastructure management company. "Encryption is only as secure as its key management system," Chiu said. "While cloud providers may implement encryption, customers need to be aware that if providers hold encryption keys, it's still possible that they can access data -- or provide the keys to someone who requests them."
Such concerns have sparked increased interest in approaches that let enterprise users of cloud services own the encryption and cryptographic key management process while data is at rest, in use and in transit. A growing number of vendors, including Vaultive, CipherCloud, TrendMicro and HyTrust, offer tools designed to make it easier for businesses to retain more control of their data while taking advantage of cloud hosted infrastructures and services.
CipherCloud, for instance, sells a gateway technology that lets companies encrypt data in transit to and from the cloud and while stored there. The gateway lets enterprises keep encryption keys locally while still interacting with the encrypted data in the cloud. With such technologies, government agencies would have to seek help from the owners of the data to gain access. The goal is to eliminate the handing over of keys to government agencies by cloud vendors without the knowledge of the data owners.
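The owner-held-key model described above, reduced to its core, as an added example (not CipherCloud's or any other vendor's code): the data owner seals objects with AES-GCM under a key that exists only in its local keystore, the cloud provider stores the key id and the sealed blob, and nothing the provider holds, or could hand over, is enough to open the blob. The `LocalKeystore`, `Seal` and `Open` names are assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// LocalKeystore lives with the data owner (the gateway) and is never uploaded;
// the cloud provider stores only the key id and the sealed blob it is given.
type LocalKeystore map[string][]byte

// aeadFor resolves a key id against the owner's store. Any party without the
// store (the provider, or whoever it hands the blob to) fails here.
func aeadFor(ks LocalKeystore, id string) (cipher.AEAD, error) {
	key, ok := ks[id]
	if !ok {
		return nil, errors.New("key not held locally: " + id)
	}
	block, err := aes.NewCipher(key) // 32-byte key gives AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the owner's side before upload and returns nonce||ciphertext.
// The key id is bound as associated data so a stored blob cannot be re-labelled.
func Seal(ks LocalKeystore, id string, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(ks, id)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Open is the only route back to plaintext and needs the owner's keystore;
// a missing key, a wrong key, a swapped id or a modified blob all fail.
func Open(ks LocalKeystore, id string, blob []byte) ([]byte, error) {
	aead, err := aeadFor(ks, id)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("cannot open blob with the material at hand")
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], []byte(id))
}
```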
Security experts have long recommended using persistent encryption to secure data in the cloud. To date, adoption has been low due to the cost and complexity of key management. That may be changing.