While the IC’s research organization looks into adding security to cloud environments, in the here and now, intelligence agencies are sharing more data.
The Bureau of Alcohol, Tobacco, Firearms and Explosives will move the majority of its applications out of data centers and into a commercial cloud over the next two years, says Walter Bigelow, chief of the ATF IT Systems Management Division.
To ensure agency data remains secure, ATF will rely on cloud encryption gateways as part of its security posture.
“To maintain security, it will be mandatory that anything we move to the cloud will be encrypted, whether in storage or in transit,” Bigelow says.
Cloud encryption gateways are technologies implemented between users and the cloud that intercept and either encrypt or tokenize data before it reaches the cloud provider.
The user maintains control of the encryption keys or token vaults, securing the data while it’s in transit or in storage in the cloud. Since the cloud provider doesn’t have the encryption keys, the data remains protected even if the provider is hacked.
The technology is deployed as a stand-alone appliance or hosted service.
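The tokenizing variant of the gateway described above, as an added Python sketch that is not from the article or any gateway product: the class names, field names and sample records are constructed for illustration, and a plain dictionary stands in for the cloud provider's storage.

```python
import secrets

class TokenVault:
    """Token <-> value mapping that never leaves the customer's side."""
    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so equality matches still
        # work on the provider's side without exposing the value.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        # Strings the vault never issued pass through unchanged.
        return self._by_token.get(token, token)

class Gateway:
    """Sits between the user and the cloud store and swaps sensitive fields."""
    def __init__(self, vault, cloud, sensitive_fields):
        self.vault, self.cloud = vault, cloud
        self.sensitive = set(sensitive_fields)

    def put(self, key, record):
        # Outbound path: only tokens for sensitive fields reach the provider.
        self.cloud[key] = {f: self.vault.tokenize(v) if f in self.sensitive else v
                           for f, v in record.items()}

    def get(self, key):
        # Inbound path: restore the original values for the user.
        return {f: self.vault.detokenize(v) if f in self.sensitive else v
                for f, v in self.cloud[key].items()}

def demo():
    cloud = {}  # constructed stand-in for the provider's storage
    gw = Gateway(TokenVault(), cloud, {"name", "case_id"})
    record = {"name": "Jane Example", "case_id": "C-1001", "status": "open"}
    gw.put("r1", record)
    gw.put("r2", {"name": "Jane Example", "case_id": "C-1002", "status": "closed"})
    return record, cloud, gw.get("r1")

if __name__ == "__main__":
    original, provider_copy, restored = demo()
    print("provider sees:", provider_copy)
    print("user sees:    ", restored)
```
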
“These gateways open the way for increasingly sensitive applications and data to move to the cloud,” Bigelow says. “They also simplify contractual negotiations with cloud providers by reducing concerns about the number of their staff that have to be cleared for security.”
The Internet is replacing corporate and organizational networks. Cloud encryption gateways provide the new kind of security that this shift requires, says Joe Paiva, CIO of the International Trade Administration.
“Cloud encryption gateways give me a way to trust what I know can’t be trusted,” he says. “Now I know that even if one of my cloud providers gets hacked, my data is safe because the hacker can only steal encrypted information that the cloud provider can’t even decrypt.”
The gateways protect data against cybercriminals but also against intrusions from other government entities that may be legal, but unwanted, Paiva says.
“Using this technology is an imperative in organizations like ours — no one really has a choice,” he says.
Public and private sector organizations are increasingly encrypting data for the cloud services they use, says Ed Ferrara, vice president and principal analyst at Forrester Research.
“The control offered by cloud encryption gateways makes them a very important approach for addressing data security in the cloud,” he says. “The technology is proven at this point.”
Ferrara says the high cost of encryption gateways, along with the need for key management technology, is slowing adoption. He predicts the price will come down as competition grows among manufacturers and service providers that offer the gateways, especially as more organizations turn to them for security.
Cloud providers typically deliver encryption gateways. It will be straightforward for agencies and companies that use cloud services to adopt them, Paiva says. He sees trouble for organizations that have customized services.
“If you use Microsoft Office 365 or Salesforce.com, you choose an encryption gateway that supports them,” he says. “It will be harder for organizations that have added custom-coded applications on top of a services platform.”
At ATF, the impact on legacy systems is the main concern related to implementing cloud encryption gateways.
“We’ll find out if there’s anything we need to do to make it work,” Bigelow says. “There will be a learning curve as there is with any new technology, but we won’t move to the cloud without the gateways. Security is the priority.”