''We need to be cautious that, similar to the promises of PKI several years ago, the market is ready and the technology robust enough to service client demands' <\/p>\n<\/p>\n
In a bid to reassure customers following revelations of government intelligence agency snooping in 2013, cloud service providers including Google and Amazon have rushed out free automatic server-side encryption on their cloud services - and not before time. <\/p>\n
The move has been seen by many as a positive one for companies that are mandated to protect customer data when running a business application on Google, but it could equally be argued that encouraging them to leave encryption in the hands of the cloud provider is a step in the wrong direction. <\/p>\n
While it's obvious that Google and others are covering their own backs and jumping on the marketing opportunity of NSA-related paranoia by having these security processes in place, it's not exactly clear just how adequate their server-side measures are. <\/p>\n
After announcing in August last year that it would be automatically encrypting all data on its cloud storage platform before it is written to disk, Google added that it would still advise data to be encrypted at the user end for those who prefer to manage their own encryption keys, emphasising that the responsibility for risk management still legally lies with the customer. <\/p>\n
Jamal Elmellas, technical director at data security specialist Auriga, strongly advises that organisations should be wary from the outset of cloud providers with proprietary encryption software and mechanisms, especially those that retro-fit encryption to their already established solutions. <\/p>\n
Encryption should be intrinsic to the solution, says Elmellas. It should be considered from the outset by the provider, and this enables them to offer a solution which applies the most appropriate type of encryption to the right parts of the infrastructure. <\/p>\n
Processes, logging, auditing and total involvement by the customer are a few of the ways that risks can be minimised when outsourcing encryption, but for companies handling sensitive data, encrypting everything themselves may seem like the safest bet. <\/p>\n
However, as Elmallas explains, this option opens up a whole new complex set of considerations. <\/p>\n
<\/p>\n