The Case for Data Encryption in the Cloud

One of the main concerns people have when they need to store data and run applications in the cloud is security. Although cloud providers usually have very good security schemes, there are some questions you need to ask when moving data from your own data center to the cloud.

Some of the questions are:

– How do you know that some of the cloud provider’s personnel will not attempt to look at your data?

It is well known that most data theft happens from inside a company. Your company may have very good procedures to minimize this risk, but do you know what the procedures are at the cloud provider?

– What happens when a drive with your data fails?

Do you know about this failure? Do you know what happens with this failed drive?

In general, it is quite easy to retrieve data, even from failed drives. This problem becomes even bigger if you take periodic snapshots. Imagine you have a volume with data. This is typically replicated on 2 or 3 drives. You take snapshots once a day. Each snapshot is also replicated to another 2 or 3 drives. After a mere 30 days, your data is spread across about 100 different drives at different locations! After 90 days, you have your data on 300 different drives!

For many companies, the solution is to avoid the cloud. This solution is obviously expensive in terms of flexibility and business economics.

Some cloud providers allow you to encrypt the data. While this is a much more secure option, the encryption keys are still managed by the cloud provider, so people could actually access your data if they wanted to.

We, at Zadara Storage, came up with a new concept called VPSA (Virtual Private Storage Array). Each VPSA is like a SAN/NAS array, but in the cloud. Each user has full control of his/her VPSA; this allows the user to encrypt the data and also manage the encryption keys. The encryption keys are stored encrypted with a password that only the user has. Each user can encrypt the keys in such a way that nobody, including people at the cloud provider, can decrypt them.

Where is the password stored? It is NOT stored anywhere!

Due to the dual controller configuration of each VPSA, both controllers have the password in memory. In the event one virtual controller fails, the volumes are transferred to the other controller. If both controllers fail, the user will need to reenter the password.

This scheme allows each user to encrypt the data with a password that only this user knows.

Finally, what happens with data in flight? Can somebody read the data while it is going from the VPSA to the cloud instance? Zadara Storage also supports IPsec for data in flight.

With Zadara Storage, you don’t need to rely on the procedures of the cloud providers for failed drive disposals or background checks of their people. You are the only person that can read the data!

We believe this allows users to store data and run applications in the cloud with peace of mind.
