This content is part of the Essential Guide: A CIO's guide to cloud computing investments

Essential Guide

Browse Sections
Get started Bring yourself up to speed with our introductory content.

Cloud compliance, data protection top reasons for encryption

Cloud computing has changed many aspects of enterprise operations in recent years, but one thing it should never alter is a company's commitment to data security. The cloud can be a great business resource, but only when proper steps have been taken to ensure that information remains protected.

The most popular way to ensure this security is by using cloud encryption, according to Rich Mogull, founder of Securosis.

"One of the best tools that we have at our disposal to protect our information as it's moving around in the cloud … is encryption," Mogull said during a recent SearchCompliance webcast titled Pragmatic Cloud Encryption.

But in order to use encryption correctly, companies must understand how it benefits their cloud computing model, Mogull explained. The first step is determining how company data is stored in the cloud. This will depend on the cloud provider and whether the cloud computing model is Infrastructure as a Service (IaaS), Platform as a Service, or Software as a Service.

In IaaS, for example, there is physical storage followed by layers of abstraction and management, and then either volume storage or object storage. Mogull describes volume storage as a virtual hard drive, whereas object storage is like "a file system with an API layered on top."

The architecture may change for each cloud computing model, but the need for encryption does not. In part one of this webcast, Mogull discusses the four main reasons for encryption when it comes to IaaS cloud models. The first is to protect snapshots -- these information back-ups become extremely portable once in the cloud and could leave data exposed if not encrypted.

The second reason he gives is to protect against cloud administrators who may be able to see company data. Mogull describes this as a "low risk," but is still a concern for some companies.

The third reason, on the other hand, is one of the most important and obvious reasons for encryption: to achieve compliance. Often, regulations such as HIPAA/HITECH require cloud encryption for a company to be compliant.

Mogull's list of reasons for encryption ends with the discussion of protecting against what he calls "seizure spillage" in IaaS. Since cloud computing has a "shared tenancy" model, company information in the cloud could be exposed if the cloud is seized. Encryption, however, would help protect that information.

Watch part one of this webcast to learn more about the basics of cloud architecture and how encryption is vital to cloud computing security. Then visit SearchCompliance to view part two, where Mogull continues his discussion on pragmatic cloud encryption for the digital age.

Text by Aislyn Fredsall, editorial assistant. Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

View All Videos