Rick Harvey

CTO, Lockbox

Why Client-Side Encryption Is Critical For Cloud Privacy

The old tale "The Emperor’s New Clothes" can be applied to the current state of cloud security. Like the gullible emperor, people rely on cloud services to live their online lives and are too trusting in what companies try to sell. Big cloud companies often market fancy-sounding security and encryption features -- like the invisible fabric the emperor could not see but was made to believe was there.

These cloud providers tout “the most secure” or “NSA-proof” services, but leave out the most vital detail: encryption is only one thread in the security and privacy fabric. The only way to close the loop on data privacy is to take a look at where keys are stored.

One cloud storage provider touts its server-side encryption as freeing customers from the hassle and risk of managing their own encryption and decryption keys. In reality, this leaves the user’s information vulnerable to snoops. When you aren’t managing your own keys, you don’t have control over your data.

Essentially, letting a company manage your encryption keys is handing over your protection, or clothes, like the emperor wearing the invisible wardrobe. Your data is left vulnerable to outside attacks and elements because the server or company dictates what happens to your data.

Today, many cloud service providers deliberately provide server-side security to maintain control. But server-side security requires trying to defend everywhere user data is stored: every disk, every server, every link, every router, and every database. Security is only as good as the weakest link, so it only takes one tiny mistake, vulnerability or mishandling for there to be a data breach; the Snapchat hack earlier this year is an example of what can happen.

This focus on infrastructure security is fundamentally weak. Pieces of security don’t add up to overall security. Individual “bits” might be strong (e.g., SSL for links, disk encryption for storage), but the space between the bits might be vulnerable (i.e., data coming off links or off disks is unencrypted). Hackers don’t attack individual components; instead, they attack tiny vulnerabilities between components, processes, or human control.

For cloud users to control everything “client-side,” they must make a paradigm shift from infrastructure protection to data-centric protection (where the encryption keys are held client-side rather than server-side). Client-side encryption is just like putting data in a tamper-proof box: The contents will remain protected regardless of who handles it, how the box is transported or where it is stored. The data is protected anywhere, everywhere and remains individually encrypted until the user with the key unlocks it.

[Read about an industry effort to develop a framework that provides secure connectivity from any device to cloud applications in "Cloud Security Alliance Launches Secure Network Effort."]

Client-side cryptography allows users to protect their own data with individual, per-file encryption and protect access to that data with user-controlled keys. Note that the encryption, decryption and key management are all done on the end user’s computer or device, meaning the data in the cloud only exists in its encrypted state. This level of encryption makes the data safe from all the usual cloud risks, including hacking, rogue administrators, accidents, complicit service providers, and snooping governments.

It’s also important to emphasize document-level encryption, because if a person sends a file of multiple documents and there’s only one layer of client-side encryption, someone may still be able to break the cipher. Think of it as locking every room in the house rather than merely the front door. Document-level encryption and client-side key management give users both security and privacy.
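The per-document, client-held-key model described in the last three paragraphs, as a working sketch added here (example code, not Lockbox's or any provider's implementation). It assumes each document's key is derived from a user-held master key with HMAC-SHA256 and that documents are sealed with AES-256-GCM, so the provider stores only an opaque, tamper-evident blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Blob is all the cloud provider ever stores: an opaque ciphertext, no key.
type Blob struct {
	DocID             string // also bound into the ciphertext as associated data
	Nonce, Ciphertext []byte
}

// aead builds AES-256-GCM for one document. Its key is HMAC-SHA256(master, docID),
// a simple per-document derivation assumed for this example; master never leaves the device.
func aead(master []byte, docID string) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("doc-key:" + docID))
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one document client-side under its own key and a fresh nonce.
func Seal(master []byte, docID string, plaintext []byte) (Blob, error) {
	gcm, err := aead(master, docID)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	return Blob{docID, nonce, gcm.Seal(nil, nonce, plaintext, []byte(docID))}, nil
}

// Open decrypts and authenticates: a blob altered in storage or in transit, relabelled
// to another document, or opened with the wrong key is rejected instead of yielding garbage.
func Open(master []byte, b Blob) ([]byte, error) {
	gcm, err := aead(master, b.DocID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.DocID))
}
```

Because every document has its own derived key, learning one document's key exposes nothing about the others, which is the "lock every room" property the paragraph above describes.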

Privacy is user empowerment. Privacy in the file-sharing world is only possible when users can protect their data with client-side encryption and control who accesses that data with user-controlled keys. Data-centric security and privacy is holistic, end-to-end and user-to-user.

The secure file sharing industry must reject the false claims of server-side key management, or the invisible fabric of privacy, and finally provide real clothing for customer data in the form of client-side key encryption.
