Forrester Research Community recently posted an interesting blog post on the topic of Data sovereignty and Encryption http://community.forrester.com/message/14682
It questions whether homomorphic encryption can address Cloud Data Sovereignty problem. It correctly identifies that the process of encrypting the data by the clients, retaining the key and moving the data to the public cloud could address the issue whenever homomorphic encryption becomes a reality.
Note that homomorphic encryption is a form of encryption where a specific operation performed on the plaintext is equivalent to operations performed on the encrypted data (ciphertext).
Homomorphic encryption holds some promise, but it’s not yet commercially feasible due to extremely slow performance where a query can take hours to search through a typical dataset i.e. thousands of records.. It does not support some of the key operations such as ordering of data, which is required for most cloud applications as users are used to grouping and viewing data in certain order e.g. alphabetically sorted list of contacts.
The issue is beyond data sovereignty (aka data residency). Enterprise data in the cloud today is exposed to many of CSA’s Top-7 Cloud Threats, such as provider’s malicious insiders, insecure API, account hijacking, etc. Dropbox security breach, for example, was even worse where they simply left all data accessible w/o password checks. I think cloud may be secure enough for small to mid-size clients, but it does not fully meet the needs of enterprises today, since there is not much done to secure the data as cloud providers are still using traditional technology and focusing primarily on network security and access controls. Most databases in the cloud are using plaintext due to their dependency on search and sort operations. Even if they encrypt some of the data, the encryption key is always with the providers so the data remains accessible to their insiders. Hence cloud adoption in enterprises today is seen only in pockets with few applications despite of their strong desire to use much more cloud services.
There’s a saying that every computer problem can be solved by adding a layer of indirection. Let’s add a gateway to the mix with innovative technology for on-the-fly encryption to secure data in the cloud. Such an on-premise cloud gateway performs encryption and tokenization on an item-by-item or word-by-word basis as data is proxied. The data can then be sent and stored in a cloud-based application and platforms. Clients can choose from various encryption and tokenization algorithms to enable required functionality such as search, sort and reporting. Due to application awareness dependency, this technology is limited to more popular cloud services, however, these vendors are gradually adding more cloud integration and toolkits to “do it yourself “ for your cloud service. Such innovative technology provides the needed additional layer of data security while addressing data privacy, sovereignty and compliance requirements.