Flexibility stressed for encryption and key management in the cloud

Virtustream,  an infrastructure-as-a-service (IaaS) provider focused on the enterprise, says the key to meeting demand for encryption in cloud services is to offer lots of options.

Virtustream, a Bethesda, Md., company that launched in 2009, has integrated multiple vendor's products in ways to support encryption of data at rest and in motion between the cloud and the customer's on premises applications or mobile systems. Its focus is on customers that often host large-scale ERP applications, and that include the likes of Goodyear Tires, Domino Foods and Kawasaki. One thing Virtustream has learned over time is that integrating encryption for such companies is best done as the "on-boarding" process begins to shift on-premises IT assets to the cloud.

"People rightly perceive certain risks when they're outsourcing to service providers," says Pete Nicoletti, chief information security officer for the IaaS provider. The challenge is to show that the IaaS virtual-machine-based data center can be at least as secure as the customer's data center and preferably more so, he points out.

[RELATED:VMware, Citrix and Microsoft virtual desktops get encryption security]

One tool that Virustream uses is Vormetric's data encryption and key-management software tailored for cloud environments.

Nicoletti says the process Virtustream typically follows is to install Vormetric in applications the enterprise has on site that might communicate with other customer applications in the cloud. The purpose is to ensure not only that data is encrypted but that only certain designated apps can access those that customers maintain in the Virtustream cloud.

Encryption key management plays a big role here, says Nicoletti, because "if you have the encryption keys, you have the keys to the kingdom."

The Vormetric data security management component is hosted in the Virtustream facilities and Nicoletti says experience has shown that customers are diverse in how they want their encryption keys to be managed. Some prefer the key escrow approach to key rotation, while others want to hold the keys, and some even let Virtustream manage -- or co-manage -- the keys in use. Virtustream has a "two-man rule" in which logging into the system requires two people.

Virtustream makes a point of ensuring all network connections and backups are encrypted, including virtual-machine images. The IaaS provider hopes this kind of effort will result in it becoming accredited under the federal government's FED RAMP.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com

Read more about wide area network in Network World's Wide Area Network section.

Tags cloud computingMicrosoftinternetVMwarebethesdaVirtustreamWide Area Network

Show Comments