Why encryption doesn't solve the data sovereignty debate
Summary: If encrypted data is random, then sending it to the cloud should be able to sidestep the data sovereignty debate. But the necessary cost of encrypting everything has simply put this solution out of reach.
There is a long-standing argument that encrypting all data sent to the cloud could make the data sovereignty debate irrelevant, enabling Australian companies to make use of cheaper, offshore clouds.
The basis of the argument is that data, once encrypted, is random and cannot be read, so the problem is shifted toward the issue of key management — which can be solved by ensuring that keys remain onshore.
But security vendors Trend Micro and Sophos, and systems integrator CSC, have argued that encrypting everything isn't necessarily the answer for everyone, and that doing so would come at too high a cost.
At a media briefing, Trend Micro vice president for Data Centre and Cloud Security Bill McGee stated that encryption brings about additional challenges that have flow-on effects in terms of scaling a cloud solution, and the financial implications that brings.
"At some point, deduplication does not work on encrypted data, so then you're going to pay a storage cost," he said. He added that this could blow out significantly for larger datasets, and doesn't even take into consideration the additional network costs.
CSC Global Security Solutions CTO Gordon Archibald said that his company's role, as a systems integrator, is to ensure that the level of security meets the risk profile of the businesses. This includes covering a minimum level of risk, but also not over-covering the business, so that they don't pay for what they don't need.
"If they did pay for it, what we would do is help them understand [things like their] risk profile — where is your data, how is it encrypted, where is it used, where is the key — and we'd create them a risk profile that's right for their business. What's right for [the Department of] Defence is slightly different to what's right for a health fund [or] for manufacturing."
Archibald said that it would be rare to see anyone whose business is at such a high risk that they need complete encryption.
"Depending on what your threat profile is, you may want to go down the full-encryption path, but at the moment, what we're selling in our datacentres, we're not fully encrypting the data," he said.
In fact, Sophos managing director for Asia-Pacific, Stuart Fisher, told ZDNet that he has never seen anyone even consider the idea.
"I don't think every piece of information in an enterprise needs to be encrypted under any circumstance. That's not the intent, and I don't think there's any organisation, government or otherwise, that would consider encryption of every piece of data."
To make matters more complicated, McGee said that even if a company were serious enough to undertake such measures, technology changes so quickly that entire datacentres may need to be updated, as processing power could increase to a point where encryption becomes easy to break.
"It's a slightly more esoteric argument, but it is fair that the data can be around for years and years ... when it comes to a disk drive. So there's the 'is it strong today, is it going to be strong 10 years from now'."
All three organisations agreed that while encryption is an important tool in the security industry, its real power comes in the form of protecting data that is not at rest.
"Do you need to encrypt every piece of data in the datacentre? No, I don't think that's the case, but you don't have to have a physical breach of a physical datacentre to have a loss. That's not the risk. The risk is a mobile user that leaves their laptop in a hotel room unsecured, [or] an email that's misinterpreted or caught," Fisher said.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
But It Does
There are products in the market place that do this at object (file/document) level already and are cost effective starting at as little as $20 per month
It will not be long and solutions from these organisations will include options at a data level.
But in general terms, the Cloud is fantastic for many reasons, just not the place to store personal and business critical information...
Security outsourcers huh?
Encryption is a great thing to use...
I have to completely disagree about this statement. Anyone who has seen the news reports each week about the latest companies and governments that have been cyber attacked and hacked, should realize the 'better to be safe' attitude is much wiser than the 'worry about it later' attitude, or 'it's not going to be us' attitude, or the 'we can't afford it attitude' and any other excuse which can be given to not do as much as you can to safeguard your computer data.
This is a very small sample of places that have been hacked:
Automatic Data Processing Inc. (ADP)
BP
Baker Hughes Inc.
Bank of Swiss
Billabong
Booz Allen Hamilton, a frequent contractor for the US military
CIA (Central Intelligence Agency)
Citibank
Citigroup Bank
Commerce Bank
ConocoPhillips
Domino’s Pizza (www.dominos.co.in)
Exxon
Google
HBGary, a technology security company and frequent contractor for the US government.
Hyundai Card/Hyundai Capital Co., an auto finance provider in South Korea
InfraGard and IRC Federal, both are F.B.I. contractors
Lockheed Martin
Marathon Oil Corp.
Mitsubishi Heavy Industries, a Japanese military contractor
Mobil Corp.
Oak Ridge National Laboratories
Public Broadcasting Service (PBS)
RSA
Royal Dutch Shell
Sony
Sovereign Bank
The International Monetary Fund
The United States Senate
Twitter
US Bank
Visa and Mastercard credit card accounts in the US
World Health Organisation (WHO)
Yahoo
Zappos, a division of Amazon
**List copied with permission from the Nuwave Backup Blog: http://nwbackup.net/wordpress/computer-security/
The simple fact is that Everyone is a target, no matter if you are one person, a small business, a business as large as Google and even government agencies around the world. So it is best to encrypt all your data or encrypt as much as possible.
And as Paul Waite states, encrypted backups can cost under $20.00. In fact, Nuwave Backup has a plan for $13.00 a month, for example. So it really is affordable for those who are serious about their computer data security.
Hacking as suggested by sg1efc...
So I think the questions simply are whether is your information important? do you employ some form of data classification? Is it necessary to encrypt then?
I agree...,
The reason why I advise people to try to encrypt everything, if possible, is that if you encrypt only a part of a hard drive, for example, but sometime you accidentally or inadvertantly save something 'important' to a section of your hard drive that is not encrypted, then that saved data is vulnerable (a hacker can read it) if you are hacked. My policy is encrypt everything you can, to be on the safe side, whenever possible. :-)
Re: as processing power could increase to a point where encryption becomes
And you don't have any business data that needs to remain confidential for longer than, say, 5-10 years, anyway.
Yep,
but please