Cloud security awaits encryption breakthroughs

Many companies are both collaborators and competitors — a couple of pharmaceutical companies that cooperate on standards, for instance, might otherwise be strong competitors in the marketplace.

So how do you ensure that there is a limited amount of information sharing — and leakage — in such cases when competitive co-tenants coexist within a public cloud infrastructure?

Developments in encryption technology could help strengthen identity and access rights in these instances.

A common and popular approach is claims-based identity management, which gives users access to data for a certain purpose, for a bounded period of time and with only a limited ability to transfer that data to any other party.

“You want to limit data sharing, so that speaks to the notion of claims-based access,” said Dan Reed, corporate vice president of technology, policy and strategy and leader of the eXtreme computing group at Microsoft.
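To make the claims-based model above concrete, here is an added example (not code from the article, from Microsoft, or from any named product) of a signed claims token and the check a data service would run before releasing a record. The token carries the three limits the article describes: a purpose, a validity window, and a transferable flag. The key name, claim names, dataset and party names, and the fixed clock value are all constructed for the demo; a real issuer would sign with an asymmetric key rather than a shared HMAC secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the token issuer and the data service.
# In practice the issuer would hold a private signing key and services would
# verify with the public half; a shared secret keeps this example short.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used for compact tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())


def issue_token(subject, dataset, purpose, ttl_seconds, transferable=False, now=None):
    """Issue a signed claims token: who, which data, for what purpose, until when."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": subject,              # the party the claim was issued to
        "dataset": dataset,          # the data it unlocks
        "purpose": purpose,          # the only purpose it may be used for
        "nbf": now,                  # not valid before
        "exp": now + ttl_seconds,    # bounded lifetime
        "transferable": transferable,
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def authorize(token, presenter, dataset, purpose, now=None):
    """Return (allowed, reason). Every rule is checked; the first failure wins."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    # Verify integrity before trusting any claim; constant-time compare.
    if not hmac.compare_digest(sig, _sign(body)):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now < claims["nbf"]:
        return False, "token not yet valid"
    if now >= claims["exp"]:
        return False, "token expired"
    if claims["dataset"] != dataset:
        return False, "token is for a different dataset"
    if claims["purpose"] != purpose:
        return False, "purpose not permitted"
    # A non-transferable claim only works for the subject it was issued to,
    # so a co-tenant who obtains the token cannot use it.
    if presenter != claims["sub"] and not claims["transferable"]:
        return False, "token is bound to its subject and cannot be transferred"
    return True, "ok"


def demo():
    """Exercise the policy with a constructed token and a fixed clock."""
    t0 = 1_700_000_000  # constructed timestamp so results are reproducible
    tok = issue_token("pharma-a", "shared-standards-data", "standards-review", 3600, now=t0)
    tampered = tok[:-1] + ("A" if tok[-1] != "A" else "B")  # flip one signature char
    ds, ok_purpose = "shared-standards-data", "standards-review"
    return {
        "in_scope": authorize(tok, "pharma-a", ds, ok_purpose, now=t0 + 60),
        "wrong_purpose": authorize(tok, "pharma-a", ds, "marketing-analysis", now=t0 + 60),
        "expired": authorize(tok, "pharma-a", ds, ok_purpose, now=t0 + 3600),
        "transferred": authorize(tok, "pharma-b", ds, ok_purpose, now=t0 + 60),
        "tampered": authorize(tampered, "pharma-a", ds, ok_purpose, now=t0 + 60),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:14} allowed={allowed} ({reason})")
```

The ordering matters: the signature is checked before any claim is read, so a forged or edited token is rejected without its contents influencing the decision, and the expiry check uses the service's clock rather than anything inside the token.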

Other developments in encryption technology, including public key cryptography and key management, will refine data access rights in multitenant cloud computing systems, said Reed, who spoke June 16 on a panel sponsored by the Brookings Institution about evaluating the Cloud Computing Act of 2011.

A hot topic now in cryptology research is fully homomorphic encryption, Reed said, or the ability to do computations on data that is encrypted. Currently, data can be encrypted when it is stored, but it must be decrypted before it can be computed on, and while decrypted it is in the open and vulnerable to intrusion or mischievous behavior.

The holy grail of public key cryptography is to apply those computations while the data is still encrypted so only the owner of the data controls access. “That is an active area of research in cryptography now,” Reed said.

There have been some phenomenal advances during the past few years, but nothing is deployable now, he noted. Continued investment in research in this area is still needed, Reed said, noting that the National Institute of Standards and Technology is playing a role in pushing forward standards.

About the Author

Rutrell Yasin is a freelance technology writer for GCN.

Reader Comments

Tue, Jul 26, 2011

There's no magic bullet here folks. The use of cryptography - be it encryption, signatures, etc. - reduces the problem to a key management issue, which itself can be intractable depending on the trust model and size of the populace. Moving to attribute based access control, or policy based access control, just leads to an attribute or policy management issue. Again, no magic bullet. If you want to *responsibly* share information, you have to work hard to ensure your information, your people, and your non-person entities (e.g., devices, servers, and *services*) are uniquely identified, attributed, and attested. It's hard work and nobody wants to do it the same way, which destroys interoperability and secure information sharing.

Tue, Jul 19, 2011 Janine

This form of technology EXISTS today and has been utilized by our Airlines, Utility Companies, Pharma, Finance and Banking Organizations for 5 years now. So why haven't you been made aware of it? DHS, CBP, DOD etc. are simply hands-tied, limited by beliefs and processes which bind them. Unfortunately blinding them! Due diligence has been thrown out the window. Attention has been focused on bid processes and vendor opportunities rather than a desire to appreciate all of the options. Rather than seeking alternative solutions, decisions are being made within a confined frame of reference. In this case an alternative approach and methodology has yet to be considered. The most disheartening fact: our government agencies have denied themselves the information required to make the best possible informed decisions for themselves and our country.