By Hongwen Zhang, Wedge CEO and Chair Security Working Group, CloudEthernet Forum - Monday, April 6, 2015
"The idea of encryption is as old as the concept of written language, but with the spread of literacy, ever more care had to be taken to make sure that only the privileged few can read the hidden message. Today’s encryption typically relies on some sort of “key” to unlock and make sense of the message it contains, and that adds a new level to the problem: now the message is secure, the focus shifts to protecting the key.
In the case of access to cloud services: if we are encrypting data because we are worried about its security in an unknown cloud, why then should we trust the same cloud to hold the encryption keys? Hot on the heels of BYOD – or “Bring Your Own Device” to the workplace – come the acronym for Bring Your Own Key (BYOK).
Microsoft recently announced a new solution using HSMs (Hardware Security Modules) – so that an enterprise customer can use its own internal HSM to produce a master key that is then transmitted to the HSM within the Windows Azure cloud. This provides secure encryption and means that not even Microsoft can read it – because they do not have the master key hidden in the enterprise HSM.
It is not so much that enterprises cannot trust Microsoft, but more to do with legal complexities. In the wake of Snowden revelations, it is becoming known that even the best protected data might be at risk from a government or legal subpoena demanding to reveal its content. Under this BYOK system, however, Microsoft cannot be forced to reveal the enterprise’s secrets because it cannot access them itself, and the responsibility lies only with the owner.
This is increasingly important because of other legal pressures that insist on restricting access to certain types of data. A government can, for example, forbid anyone from allowing data of national importance to leave the country – no simple matter in a globally connected IP network. There are also increasing legal pressures on holders of personal data to guarantee levels of privacy."
For the full article, please see NetworksAsia.net.