One of the major impediments to using the public cloud for enterprise data storage is data security. Most cloud vendors encrypt data at rest, but the encryption keys also reside with the vendor. The organization whose data is in the cloud thereby gives up control of key management, and it stands to lose a great deal if those keys fall into the wrong hands.
Cloud Integrated Storage (CIS), an offering with Open Enterprise Server, provides complete control over how customer data is kept secure in a public cloud.
CIS is a hybrid cloud solution that migrates enterprise data from OES servers to a public or private cloud according to predefined policies. One of its distinguishing features is that data is encrypted before it reaches the cloud while the customer keeps full ownership of the encryption keys. The encrypted data can remain in the public cloud, but the keys reside on-premises within the customer's own network, so an attacker who obtains the cloud-side objects holds only ciphertext and cannot read the data without also breaching the on-premises key store.
This matters because most cloud migration products store the encryption keys in the cloud alongside the data, so a single cloud-side compromise exposes both.
Data Encryption with CIS
An encryption policy must be configured in CIS if a customer wants migrated data to be encrypted in the cloud. CIS then generates a pool of keys whose size is set by the administrator: any integer from 128 to 65536. The policy also lets the administrator choose a key size of 128 or 256 bits. With a key size of 128 bits and a pool size of 65534, for example, 65534 unique 128-bit keys are generated. Multiple such pools can be created. The generated keys are stored in an on-premises database, which therefore becomes the one component on which the confidentiality and availability of the migrated data depend: if that database is exposed, the cloud-side ciphertext can be read, and if it is lost, the data cannot be recalled, so it must be protected and backed up accordingly.
When a file is migrated to the cloud, CIS splits it into 4 MB chunks, each with a unique identifier. The chunk identifier is fed to an algorithm that uses hashing and other techniques to assign one encryption key from the pool to that chunk, and the chunk is encrypted with that key. The encrypted chunk is then uploaded to the cloud as an object, and the object id, together with the identifier of the key that encrypted it, is stored in the on-premises CIS database. Only ciphertext is uploaded; the key material itself never leaves the premises.
The algorithm spreads the chunks evenly across all keys in a pool, so no single key protects more than a small fraction of the migrated data (roughly 1/N of the chunks for a pool of N keys). An attacker who somehow obtained one key would therefore still be far from recovering even a single file, let alone the whole data set.
During the recall of a migrated file, the encrypted chunks are first downloaded from the cloud. Each chunk's key is then looked up in the on-premises database and used to decrypt it. Decryption happens entirely on-premises, so plaintext never exists in the cloud.
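The migrate-and-recall path described in this section, as an added worked example in Go. This is illustrative code written for this page, not CIS's implementation: CIS's actual key-assignment algorithm, cipher, chunk-identifier format and object-naming scheme are not published, so the SHA-256-modulo-pool-size selection, AES-GCM, the `name#index` chunk identifier, the hashed object id and the in-memory `CloudStore` map are all assumptions of this example. The pool-size and key-size bounds and the "ids on-prem, ciphertext in the cloud" split follow the text above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// KeyPool models the on-prem pool of data-encryption keys: 128..65536 keys of
// 128 or 256 bits, the ranges the CIS encryption policy allows.
type KeyPool struct{ Keys [][]byte }

func NewKeyPool(poolSize, keyBits int) (*KeyPool, error) {
	if poolSize < 128 || poolSize > 65536 || (keyBits != 128 && keyBits != 256) {
		return nil, fmt.Errorf("pool size %d / key size %d outside policy", poolSize, keyBits)
	}
	p := &KeyPool{Keys: make([][]byte, poolSize)}
	for i := range p.Keys {
		p.Keys[i] = make([]byte, keyBits/8)
		if _, err := rand.Read(p.Keys[i]); err != nil {
			return nil, err
		}
	}
	return p, nil
}

// SelectKey hashes a chunk identifier and reduces it modulo the pool size, so
// chunks spread evenly over the keys (assumed stand-in for CIS's own algorithm).
func (p *KeyPool) SelectKey(chunkID string) int {
	h := sha256.Sum256([]byte(chunkID))
	return int(binary.BigEndian.Uint64(h[:8]) % uint64(len(p.Keys)))
}

// ChunkRecord is the on-prem database row per object: ids only, no key material.
type ChunkRecord struct{ ObjectID string; KeyID int }

// CloudStore is a hypothetical object store; it only ever holds ciphertext.
type CloudStore map[string][]byte

// newGCM builds an AES-GCM AEAD (assumed cipher; the page does not name one).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one chunk under a fresh random nonce and prepends the nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects a tampered or swapped object.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key, or object missing or truncated (%v)", err)
	}
	ns := gcm.NonceSize()
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// MigrateFile splits data into chunkSize parts (4 MB in CIS), encrypts each
// under the key its identifier selects, uploads the ciphertext and returns the
// (object id, key id) records the on-prem database keeps.
func MigrateFile(pool *KeyPool, cloud CloudStore, name string, data []byte, chunkSize int) ([]ChunkRecord, error) {
	var recs []ChunkRecord
	for i, off := 0, 0; off < len(data); i, off = i+1, off+chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		chunkID := fmt.Sprintf("%s#%d", name, i) // constructed identifier scheme
		keyID := pool.SelectKey(chunkID)
		ct, err := seal(pool.Keys[keyID], data[off:end])
		if err != nil {
			return nil, err
		}
		objectID := fmt.Sprintf("%x", sha256.Sum256([]byte(chunkID))) // hypothetical object id
		cloud[objectID] = ct
		recs = append(recs, ChunkRecord{ObjectID: objectID, KeyID: keyID})
	}
	return recs, nil
}

// RecallFile downloads each object, looks its key up on-prem and decrypts it.
func RecallFile(pool *KeyPool, cloud CloudStore, recs []ChunkRecord) ([]byte, error) {
	var out []byte
	for _, r := range recs {
		pt, err := open(pool.Keys[r.KeyID], cloud[r.ObjectID])
		if err != nil {
			return nil, fmt.Errorf("object %s: %v", r.ObjectID, err)
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	pool, _ := NewKeyPool(128, 256)
	cloud := CloudStore{}
	data := []byte("constructed sample file: figures that must not reach the cloud in clear")
	recs, _ := MigrateFile(pool, cloud, "q3.xlsx", data, 16) // tiny chunks for the demo
	back, err := RecallFile(pool, cloud, recs)
	fmt.Println(len(recs), "chunks uploaded; round trip ok:", err == nil && string(back) == string(data))
}
```

Two points the code makes concrete. First, nothing the cloud holds (`CloudStore`) or that the record carries (`ChunkRecord`) contains key material; the `KeyPool` is the only thing worth protecting and it stays on-prem. Second, because each pool key encrypts many chunks, the nonce must never repeat under the same key, which is why a fresh random nonce is drawn per chunk, and an authenticated mode such as GCM means a chunk altered or swapped in the cloud fails on recall instead of decrypting to garbage.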
Doubts about data security are one of the major inhibitors to migrating data to the cloud, yet the cost savings of keeping data there are too large to overlook. Cloud Integrated Storage, with its unique proposition of storing the encryption keys on-premises while the encrypted data stays in the cloud, lets the customer have the best of both worlds.
Detailed information about how to configure encryption with CIS is available here.
We’d love to hear your thoughts on this blog. Comment below.
The Micro Focus IM&G team
Know your data | empower your people | drive your future