Recent Microsoft research shows that almost two-fifths of companies will start paying for cloud services within three years. Pioneers in privileged identity management, whilst the economic imperative of migrating data to a cloud resource is clear to see, organisations also need to revisit their data encryption resources before making the leap.
Microsoft’s research notes that 39 per cent of SMBs expect to be paying for cloud services by the time 2014 rolls around – and there’s no doubt that many other firms will be using some of the free cloud resources that are now available.
Our observations suggest that organisations of all sizes – and not just SMBs – can overlook aspects of their data encryption needs for cloud data, as they focus on the cost savings that accrue from cloud migration. I would say that security accountability and transparency of how customer data and cloud system security are being handled by cloud vendors is also suspect.
The important thing to realise with cloud resources is that firms are effectively losing direct control over their own data and this makes the task of compliance – under an increasingly complex set of rules, such as PCI DSS – all the more complex.
And it’s also important to understand that, where cloud data storage is involved, businesses need to take a centralised management approach to data encryption, in order to give IT staff maximum control, with minimal impact on operations and productivity.
The challenges to the cloud users and providers will be the management of encryption systems including encryption key management. There are also potential issues with trying to index data that is in encrypted form in the database, so encryption approaches will have to examine not only data in flight (point to point encryption) as well as data at rest (databases and other forms of storage). For SMB and many others, this will be a new experience.
The process of planning for migration of storage and allied systems to a cloud platform should be welcomed and not regarded as a chore by IT staff as it is a clear opportunity to re-appraise their organisation’s data encryption systems. Unfortunately, SMB customers are unable to judge the competence of larger providers of cloud services, and applications for the cloud rarely have data encryption as either a base or optional offering. Consequently, the model of the future of cloud will be ‘trust me.’
This is because research suggests that they are taking the intelligent approach of re-investing some of the cost savings that the cloud brings to their data storage platform by enhancing the encryption of data at all points in their business.
Put simply, this means implementing data encryption across any endpoint – desktops, laptops, handheld devices and removable media – and implementing full disk encryption where appropriate. This ensures that any and all data that flows to and from a cloud resource is fully protected.
Microsoft’s research shows that SMBs are now joining a growing number of enterprises in adopting the financial benefits of the cloud. They should all, however, be cautious of adopting a solution that does not encrypt data on a centralised basis, as they might wind up failing to meet their compliance requirements as a result.