
Virtualization and Cloud executives share their predictions for 2014. Read them in this VMblog.com series exclusive.
Contributed article by Jeff MacMillan, CEO and Founder of KeyNexus
Keys to the Future: Standardization of cloud-based encryption will drive innovation in key management solutions
In 2013, cloud security was discussed extensively by the
industry, but major implementations of encryption in the cloud are still
relatively immature. While security risks to data continue to increase, cloud
and software-as-a-service (SaaS) providers are realizing end users will demand
more robust security solutions than are available today. Without investment in
a new generation of cloud security, security remains an invisible barrier to
many enterprises considering moving mission-critical applications and data into
the cloud.
For cloud services, encryption is often incorporated, but
best practices for key management are just beginning to emerge. Whether you
call it the "Snowden-effect" (thanks to the infamous government document
leaker) or point to the problems that third-party products have had keeping
private data private, the end result is that many businesses no longer trust
cloud/SaaS providers with their keys.
Three developing, yet powerful, trends will fundamentally transform how people
manage data in the cloud:
- Encryption Required: Not only will businesses
increasingly demand that encryption be offered by most Cloud and SaaS platforms
(or "baked in" to current offerings), they will simply expect encryption as an
obvious requirement to do business in the cloud. This expectation will put
pressure on solution providers to enhance their offerings and raise the bar on
cloud security in general.
Additionally, best practices such
as those published by the Cloud Security Alliance (CSA) recommend a separation
of "lock" and "key" in the cloud. Encryption keys should be stored in a
different location than the data; doing otherwise is likened to locking your
house but leaving the key in the lock.
- Regulatory Auditing: Businesses, especially
those pursuing compliance with various industry and government regulations
(such as privacy laws, SOX, HIPAA, and PCI), increasingly want to own and
manage the encryption keys used on their Cloud/SaaS platforms of choice. Key
management procedures require sufficient uniformity and transparency to verify
compliance; hence the desire for businesses to own their keys.
Businesses want assurances that
cloud providers cannot access their keys or share them with the government
without notification. Cloud/SaaS providers who are now trying to directly embed
encryption into their platforms will not be able to offer this level of
assurance. Likewise, cloud vendors and
SaaS providers won't want the liability of key storage and will outsource key
management to a third-party vendor or simply hand over the encryption keys to
customers directly.
- Trusted Key Management Administrators: Although
businesses want to own and manage their keys, many would prefer a secure
cloud-based approach to avoid bringing security infrastructure in-house while
moving data and applications to the cloud.
Businesses want the security and
assurances of Hardware Security Modules (HSMs) without the high capital cost or
requirement of hosting them in-house. Keys stored in-house must be accessible
to their cloud applications (i.e. Internet-facing), which poses a constant
security risk. Additionally, many enterprises don't want to worry about
ensuring the keys are highly available 24/7 to their cloud operations.
Tomorrow's Cloud: Ubiquitous Encryption - Centralized Key Management
The reality is that true security means encryption keys need
to be stored separately from the cloud data. For cloud providers, this means
creating new pathways for storing keys and designing methods of correlating
those keys with the associated customer data. However, the majority of cloud
providers (both public and private) don't want to be left holding the keys.
Individual cloud/SaaS vendors also can't manage different
types of encryption keys across multiple platforms. Aside from just using cloud
vendors (AWS, Azure, Rackspace), businesses also are regularly using dozens of
SaaS solutions (Salesforce, Dropbox, Evernote). These businesses want a single
service that can easily and efficiently manage their many sets of keys from
dozens of cloud/SaaS platforms in a secure, centralized location.
Summary of Predictions:
In the near future, most cloud and SaaS platforms will offer
encryption as a basic feature and the platform providers will enable customers
to manage their own keys "off-platform" for compliance and as a security
best practice. Customers will then have to manage dozens (or even hundreds) of
sets of keys. The logistical management of these keys will present challenges
and could risk the security of the data as businesses take shortcuts on
important procedures like key rotation.
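The "lock and key" separation described above (keys held off-platform, data held by the cloud provider) and the key-rotation burden mentioned in the summary are usually implemented together as envelope encryption: each record is encrypted under its own data-encryption key (DEK), and only a wrapped copy of that DEK is stored beside the ciphertext, wrapped by a key-encryption key (KEK) that never leaves the customer's key service. The following is an added illustration written for this page, not KeyNexus code or any vendor's API. The `KeyService` class is a hypothetical stand-in for an off-platform key store or HSM, and the cipher is a stand-in built from the Python standard library (HMAC-SHA256 keystream plus an HMAC tag) so the example runs without third-party packages; a real deployment would use an AEAD such as AES-GCM in its place.

```python
"""Envelope encryption with an off-platform key service (added illustration)."""
import hashlib
import hmac
import secrets


def _prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 used as a pseudo-random function."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from the PRF, XORed over data (stand-in for a real cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = _prf(key, nonce + offset.to_bytes(8, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _seal(key: bytes, plaintext: bytes):
    """Encrypt-then-MAC under a single key; returns (nonce, ciphertext, tag)."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce, ct, _prf(mac_key, nonce + ct)


def _open(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("authentication failed: ciphertext or tag was modified")
    return _xor_stream(enc_key, nonce, ct)


class KeyService:
    """Hypothetical customer-controlled key store. KEKs live only here, never on the platform."""

    def __init__(self):
        self._keks = {}          # version -> KEK bytes (constructed in memory for the example)
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new KEK version; older versions stay until explicitly retired."""
        self.current += 1
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version: int) -> None:
        del self._keks[version]

    def wrap(self, dek: bytes) -> dict:
        nonce, ct, tag = _seal(self._keks[self.current], dek)
        return {"kek_version": self.current, "nonce": nonce, "ct": ct, "tag": tag}

    def unwrap(self, wrapped: dict) -> bytes:
        kek = self._keks.get(wrapped["kek_version"])
        if kek is None:
            raise KeyError(f"KEK v{wrapped['kek_version']} retired; record was never re-wrapped")
        return _open(kek, wrapped["nonce"], wrapped["ct"], wrapped["tag"])

    def rewrap(self, wrapped: dict) -> dict:
        """Move a wrapped DEK to the current KEK without the DEK leaving the key service."""
        return self.wrap(self.unwrap(wrapped))


def platform_encrypt(plaintext: bytes, ks: KeyService) -> dict:
    """Cloud-side: fresh DEK per record; only the wrapped DEK is stored, the raw DEK is dropped."""
    dek = secrets.token_bytes(32)
    nonce, ct, tag = _seal(dek, plaintext)
    return {"nonce": nonce, "ct": ct, "tag": tag, "wrapped_dek": ks.wrap(dek)}


def platform_decrypt(record: dict, ks: KeyService) -> bytes:
    """Cloud-side: ask the key service for the DEK, then open the record."""
    dek = ks.unwrap(record["wrapped_dek"])
    return _open(dek, record["nonce"], record["ct"], record["tag"])


def demo() -> dict:
    """Lifecycle walk-through: encrypt, rotate the KEK, re-wrap, retire, catch the stale record."""
    ks = KeyService()
    msg = b"customer record (constructed sample)"
    rec = platform_encrypt(msg, ks)
    stale = platform_encrypt(msg, ks)            # a record that nobody re-wraps after rotation
    old_version = ks.current
    ks.rotate()                                  # rotation touches only the key service
    readable_after_rotation = platform_decrypt(rec, ks) == msg
    rec["wrapped_dek"] = ks.rewrap(rec["wrapped_dek"])  # cheap: the data is not re-encrypted
    ks.retire(old_version)
    readable_after_retire = platform_decrypt(rec, ks) == msg
    try:
        platform_decrypt(stale, ks)
        stale_rejected = False
    except KeyError:
        stale_rejected = True
    return {"readable_after_rotation": readable_after_rotation,
            "readable_after_retire": readable_after_retire,
            "stale_rejected": stale_rejected,
            "kek_version": rec["wrapped_dek"]["kek_version"]}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that rotation and re-wrapping touch only the small wrapped DEKs, so rotating a KEK does not require re-encrypting terabytes of data on the platform, which removes the main reason teams skip rotation; the `stale` record shows the cost of skipping the re-wrap step when old KEK versions are retired.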
Secure, highly-available cloud-based key storage services
will enable the integration of the key management process to provide customers
with a single key management platform. As the key management market continues
to mature, we expect to see extensive growth of encrypted cloud usage across
all sectors.
About the Author
Jeff
is the founder of KeyNexus, a cloud-based key storage service for businesses
and developers. KeyNexus is using an innovative approach to key management to
help businesses achieve true security and compliance. He's also a founding
member of the Canadian Cloud Council. Previously, Jeff was a Combat Systems
Engineering Officer in the Canadian Navy. Connect with him on LinkedIn.