Encryption as an enabler: the top 10 benefits

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

If deployed correctly, encryption does not need to be a headache. Instead, encryption can be an enabler to achieve the flexibility, compliance and data privacy that is required in today's business environments.

In a world that's moving toward virtualization and cloud, the need for encryption is even more important, and the need for organizations to retain control over data, particularly in cloud environments, is paramount. Here are the top 10 benefits for those considering encryption:

1. Encryption helps move to the cloud. Everyone is concerned about moving sensitive data to the cloud, and most organizations believe the cloud is not as safe as their own data center. If your data is in the cloud, it's not only possible that strangers might see it, but your data could be sitting on the same storage as your competitor's. Imagine how much that treasure chest could be worth.

[ DO'S AND DON'TS: Safeguarding cloud-based data with encryption ]

Encryption can make it possible to leverage the benefits of infrastructure as a service while still ensuring the privacy of your data. You should ensure data is encrypted in flight, while in use and at rest in storage. By retaining control of your encryption keys, you're still in control, even when data has left your building. If the service provider makes copies of your VMs, only encrypted data is copied. And at all times, you determine when to deliver, or revoke, the keys.

2. When you own the keys, you can easily decommission/deprovision. Would you put your jewels in a safe and give a stranger the key? Would you have your data encrypted in the cloud and have the cloud service provider own the keys? Probably not the most secure option.

Organizations want to take advantage of the cloud for its cost and flexibility. Part of this value is the ability to spin up or decommission servers, as business needs change. But what happens if you want to leave your service provider? You want to be sure you can get your data back, but you also want to make sure you're not leaving sensitive data behind. How many copies or backups of your VMs has your service provider created so that they can achieve their operational uptime SLAs? It's simply impractical for a CSP to retrieve and delete every copy if you decide to leave.

3. Encryption helps achieve secure multi-tenancy in the cloud. In virtualized cloud environments, multi-tenancy is what drives costs down and increases flexibility. Why dedicate one enterprise-level server to one workload when it can serve many? While virtualization is not new and organizations have taken advantage of its virtues for years, having your VMs and applications running on the same physical servers as other departments or organizations raises some security concerns.

Not only do virtualized servers become richer targets, but if those machines are running in a public cloud infrastructure, you have limited control over who "shares" your hardware. And while strides have been made solving many of the network segmentation issues, another major security challenge still exists: What happens to your data within the storage fabric? If you encrypt data before it enters the cloud, and retain control of the encryption keys, you can ensure your data is safe, regardless of its neighbors.

4. Encryption key services prevent service providers from accessing your data. If the service provider has both your encrypted data and your encryption keys, it is able to access your data. To avoid this problem, encrypting your data in the cloud and holding your own keys just makes sense. However, many organizations simply don't want to manage encryption keys, no matter how easy the key management solution is. They have concerns around backup, availability and disaster recovery. This is where a third party comes into play. Why not have your encrypted data with one service provider and have your keys managed by a different service provider?

"Data security as a service" solves many of these challenges by making sure that key servers are always accessible -- always backed up, replicated and protected from disaster. It's a win-win situation. The service provider holding your data doesn't own your keys. The security service provider holding your keys doesn't have access to your data. Encryption now becomes a simple option.

5. Encryption helps you meet regulations. The Payment Card Industry (PCI) has strict guidelines to ensure protection of cardholder data. We all use credit cards and understandably want assurance that our information is safe. Naturally, encryption is a major piece of the PCI Data Security Standard (PCI DSS). But there's also HIPAA/HITECH, regulations that mandate protection of healthcare information. Once again, encryption is a critical part of the standard.

Although not all standards mandate encryption, it's highly recommended. And given the high cost of breach notification and the fact that DLP technology is always revealing sensitive data in places you wouldn't have thought of, doesn't encryption just make sense? After all, we wouldn't shop online without it.

6. Encryption provides safe harbor from breach notification. Did you know that there are data breach notification laws in 46 of the 50 states? The cost of breaches continues to escalate: The average cost to an organization for a data breach was $5.5 million in 2012.

If a data breach occurs and personally identifiable information is lost, the breached party must notify all individuals who are impacted. Just recently, Global Payments indicated in its quarterly SEC filing that the company expects to pay $94M to address its 2012 security breach of 1.5 million credit and debit card numbers. Some of the states have a safe harbor clause from public notification if the stolen data is encrypted and if the encryption keys are not compromised. Therefore, deploying encryption and robust key management could save you millions of dollars in the event of a breach.

7. Encryption gives services providers a competitive edge. As a cloud service provider, you are a guardian of your customers' applications and data. Thieves are getting smarter and regulations are getting more stringent. The good news is that security technology is also getting better.

Encryption and key management software, designed specifically for virtualized environments, can help you significantly improve your security posture, attract new customers, and expand your business with existing clients. This allows you to:

  • Gain competitive advantage and differentiation
  • Expand revenue potential to customers with sensitive or regulated data
  • Protect customer data against access by unauthorized users
  • Satisfy data residency and privacy requirements
  • Reduce hardware costs through cryptographic multi-tenancy
  • Assure customers that they can de-provision securely without leaving data behind

Newer encryption technologies are easy to deploy and offer robust APIs that allow for transparent integration into the CSP environment.

8. Encryption provides confidence that your backups are safe. In October 2012, a bank reported the loss of two backup tapes that may have exposed personally identifiable information for about 260,000 of the bank's 8 million U.S. customers. In 2011 there was a massive data breach affecting 4.9 million individuals who received services from a provider of healthcare services to active and retired military personnel. Once again, the data breach occurred as a result of lost backup tapes.

These are not isolated cases. A simple Google search will show many more examples of backup tapes that go missing. Now what would happen if the data on these tapes or other backups were encrypted? The answer is quite simple -- nothing! Without access to encryption keys, extremely powerful computation and knowledge that is beyond the ability of most people, there is next to no chance of retrieving any data from these backups.

9. Encryption allows you to secure your remote offices. Many organizations have remote offices, which, by their very nature, are not very secure. The opportunity for physical theft of computers and storage is very real. Many of these organizations have sensitive data sitting on these servers unprotected. Just think about it. Financial planners, tax accountants and other service organizations all have important data sitting in their offices. And these are many of the same organizations that are afraid of data leaving the building and going to the cloud.

Well-trained IT staffs are often scarce at these sites, so remote management from the data center becomes the norm. Encrypting data on these servers helps against theft or accidental loss of data, and today's encryption solutions have even broader capabilities. Imagine only delivering encryption keys to remote data during office hours, ensuring that the data is completely unusable to anyone once the lights go out.

10. Secure outsourcing and licensing. The flexibility of virtual machines has opened up a new world to many organizations. Instead of shipping software packages, why not just ship the virtual machine? After all, it's just a set of files and the ease with which a VM can be spun up reduces the complexity of supporting different operating system versions and platforms. Organizations that are outsourcing often ship virtual machines. Many companies are also shipping their applications as physical or virtual appliances. When companies outsource, the VM may contain company IP such as program source code. For the application developer, shipping software via VMs creates a licensing challenge.

In both cases, the important data could be encrypted, the application stack can be configured to meet the security needs of the company shipping the VM. By holding keys in your data center, you control access to the data. Encryption and strong key management can help you meet these challenges.

Steve Pate is CTO and co-founder of HighCloud Security, bringing 25 years of designing, building, and delivering file system, operating system, and security technologies, with a proven history of converting market-changing ideas into enterprise-ready products.

Read more about wide area network in Network World's Wide Area Network section.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
New Year's resolution: ‘I will eliminate passwords’ in 2017
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.