Even when used and configured appropriately, encryption isn't always a silver bullet. As with most risk mitigation strategies, there's a trade-off between costs and benefits. Risk might go down with encryption, but adding encryption typically increases the total cost of using a cloud solution. What's more, adding encryption can result in slowed or diminished performance due to the extra steps introduced into the process. And in reducing one risk, an entirely new one is introduced: If the encryption key is lost, the data can no longer be decrypted and essentially becomes useless, even to the customer.
Meanwhile, cloud vendors themselves are developing and deploying alternative techniques for rendering compromised data useless. Examples include these two:
* Distributed file systems -- Individual files are essentially split into multiple pieces and stored on multiple machines in multiple locations. The idea is that if any one data element falls into the wrong hands, it will be of little or no value without access to the remaining parts of the file.
* Data masking/obfuscation -- The relationship of sensitive data to related data elements and/or data subjects is obscured, rendering the data useless should it be inappropriately accessed.
Any company thinking about adopting a cloud-computing service should identify the mechanisms for addressing data risks that the vendor uses or supports, determine which meet the customer's needs and ensure that those are codified in the contract as minimum requirements.
* * *
Interested in learning more about cloud computing risk mitigation via contract negotiation and vendor management? Then please register for my seminar Contracting for Cloud Computing Services March 25-26, 2013 in Los Angeles. I look forward to seeing you there.
Thomas Trappler is director of software licensing at the University of California, Los Angeles, and a nationally recognized expert, consultant and published author in cloud computing risk mitigation via contract negotiation and vendor management. For more information, please visit thomastrappler.com.