A Trustworthy Cloud Guarantees Data Privacy and Chain of Custody
Trust, applied to the cloud, means that, even though organizations no longer have physical custody of their files, by embedding security into the document itself they have the means to secure sensitive documents so that they can be shared and still remain private.
Thu, September 26, 2013
Network World — This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Employees are increasingly turning to consumer-grade file sharing services such as Dropbox for business activities, and even if that use is sanctioned by IT, custody remains a challenge because, although the enterprise still owns the data, custody moves to the cloud provider. It is difficult, if not impossible, to maintain visibility and control over data in the cloud and prove chain of custody. Complicating the situation, data can be compromised without IT's knowledge, since IT may not even be aware that documents are being stored and shared in the cloud.
What's needed is a trustworthy cloud. Trust in the physical world is achieved through relationships and contracts, and enforced using oversight and punitive action in response to a breach of trust. Building on the concept of trust, trustworthiness is a model that uses carefully designed and implemented technology, policies and reputation networks to achieve data security. Applied to the cloud, it means that even though organizations no longer have physical custody of their files, by embedding security into the document itself they have the means to secure sensitive documents so that they can be shared and still remain private.
Trustworthiness uses low-level cryptographic algorithms to enforce policies, revoke access rights and monitor access activities. It is defined and controlled exclusively by the data owner without any intervention from the cloud service provider. In a trustworthy cloud scenario, authorized users have visibility into groups and documents--limited by their role--but in a manner that doesn't weaken the cryptography or open the system to additional attacks. This approach prevents the misuse of cloud data from going undetected by creating a comprehensive audit trail of who is accessing files.
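One way the audit trail described above can be made tamper-evident, shown as an added example that is not from the original article or any vendor's product: each access record carries an HMAC keyed by the data owner and chained to the previous record, so a storage provider that edits, drops or truncates records is detected. The record fields, function names and key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used as the "previous tag" of the first record


def _tag(owner_key: bytes, prev_tag: str, event: dict) -> str:
    # Canonical JSON so the writer and the verifier MAC identical bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    msg = (prev_tag + "\n" + body).encode("utf-8")
    return hmac.new(owner_key, msg, hashlib.sha256).hexdigest()


def append_event(log: list, owner_key: bytes, event: dict) -> None:
    """Append an access event, binding it to the previous record's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"event": event, "tag": _tag(owner_key, prev, event)})


def verify_log(log: list, owner_key: bytes, expected_len: int, expected_head: str):
    """Return (True, None) if intact, else (False, index of first bad record).

    expected_len and expected_head are retained by the data owner, outside
    the storage provider's reach, so removal of trailing records is caught.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        want = _tag(owner_key, prev, rec["event"])
        if not hmac.compare_digest(want, rec.get("tag", "")):
            return False, i  # record altered, or a predecessor was removed
        prev = rec["tag"]
    if len(log) != expected_len or not hmac.compare_digest(prev, expected_head):
        return False, len(log)  # tail truncated or extended
    return True, None


if __name__ == "__main__":
    key = b"constructed-owner-key"  # constructed sample key, held only by the owner
    log = []
    for user, action in [("alice", "open"), ("bob", "open"), ("bob", "revoke")]:
        append_event(log, key, {"doc": "contract.pdf", "user": user, "action": action})
    head, count = log[-1]["tag"], len(log)
    print(verify_log(log, key, count, head))
    log[1]["event"]["user"] = "mallory"  # simulate an edit made in the cloud copy
    print(verify_log(log, key, count, head))
```

Because the MAC key never leaves the data owner, the party storing the log can read the records but cannot produce a valid replacement chain.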
When content is stored in a trustworthy cloud, policies set up by the data owner are enforced by a solution provider without the solution or cloud provider ever having access to the data itself. This is called zero knowledge and relies on advanced federated key management technology.
Zero knowledge-based document sharing enables collaboration across organizational boundaries using any cloud storage provider, since federated cryptography is attached to the content rather than depending on the cloud container. For IT, it provides the ability to accommodate the growing popularity of BYOC (bring your own cloud) for business document sharing, while maintaining the visibility and control required for Governance, Risk Management, and Compliance. As an added benefit, the Trustworthy Cloud does not force users to adopt new tools or impose changes to an organization's existing security and audit infrastructures.