I was approached recently by a journalist from The Independent newspaper to comment on the remarks made by Eric Schmidt from Google. Mr Schmidt had asserted that, in the not-too-distant future, the teens of today may find themselves having to change their names in order to escape their online past, mostly as a result of sharing far too much ill-considered material and commentary on social networking sites.
We discussed what form technology could take that could facilitate safer sharing of information and how technology could enable us to establish ownership and control over the content we share online, and I suggested an evolution in encryption. It struck me that there is a similar need in the world of business.
As enterprises edge closer to the use of third-party services, whether for data processing, storage, archival or online workspaces, we are increasingly entrusting our confidential material to the hands, or more accurately the disk space, of external organisations, and we face some uncomfortable questions. How can I maintain control of my data in the cloud? What if I want to change cloud providers? How can I verify my data is really destroyed when terminating a service provider? What happens if my service provider goes out of business? How can I comply with security best practices, internal governance and compliance rules in the cloud? How can I guarantee only I have access to my data?
In most cases cloud providers cannot afford to implement granular security for their customers: not only is it too costly, but it quickly becomes unwieldy too. If security is implemented at a hardware level, then suddenly the provider's infrastructure begins to fall in scope of the audit of each of their customers; if it is implemented at a software level, it becomes a configuration management nightmare as well as an audit one.
We as corporate entities have a responsibility for our data, and we need tools that we can effectively manage and configure to help us deliver on that responsibility. In the cloud, especially the public cloud, the security model has to shift from being perimeter- and network-centric to being data-centric. Enterprises need the ability to segment their data away from other cloud customers and, crucially, away from the service provider. Service providers need that too; otherwise they risk inheriting some serious liability. Of course secure perimeters still need to be established, and networks and machines still need hardening, but we need to build security from the inside out, starting with data.
In the same way that simple, transparent identity-based encryption would be a useful tool for the Facebook generation, helping them assert rights and retain control over their collection of interesting mobile snaps, similar technology will answer these concerns for enterprises.
Properly architected data encryption, encryption that operates transparently and is engineered for the cloud, encryption that is managed by the customer and not the service provider, would be a business enabler. It would accelerate adoption of cloud services, drive down costs, and allow regulatory and legislative compliance, and it means you no longer have to worry about how you're going to delete the cloud.