Don't depend on trust to protect data in cloud: Startup Porticor addresses key management

Linda Musthaler
By | March 09, 2012

Posted in: Network Security Trends

In one survey after another, we see that security concerns are a top inhibitor to cloud adoption. Companies want to get the flexibility and cost advantages of cloud computing, but there’s often trepidation about putting data on servers that are outside a company’s own data center. Cloud security is an issue of trust and control.

Startup company Porticor just released a product that addresses the concern about data at rest in the cloud: a split key encryption solution where the cloud customer is the only one who ever knows the master key.

The basic problem of encrypting data in the cloud is where to store the keys. An enterprise wouldn’t want to store the keys on a disk in the cloud; they could be vulnerable to hackers. Allowing the vendor to store the keys means putting trust in a third party. An organization could bring the keys back into its data center, but that seems to negate some of the advantage of outsourcing data center services to the cloud.

Porticor uses the metaphor of the Swiss banker to explain its offering. Think of a personalized bank vault that has two keys: one is held by the customer, and the other is held by the “banker,” or in this case, the Porticor Virtual Key Management Service.  The customer actually has one key per project, which is usually an application. Porticor has thousands of keys, one for each file or disk belonging to that project.

Here’s the unique part of the solution. The keys, which are split between the customer and Porticor, are themselves encrypted by the customer’s master key, which only the customer holds and knows. Therefore, Porticor holds project keys but it can’t read them because they are encrypted. The only additional requirement on the enterprise end is to secure the master key.

Porticor’s solution works with any cloud implementation, but partnerships with Amazon Web Services (AWS) and RedHat facilitate implementation with those services.

For example, to set up encryption for a project on AWS servers, you would launch the web-based Porticor Virtual Private Data (VPD) and specify a preferred geographic location for data storage and create a master key.

After specifying the master key, the enterprise can create encrypted disks in its environment within AWS. The keys are created and split between the master key and the encrypted “banker’s” key. After that, the disks can be mounted and used.

It takes just minutes to create a trusted system that is completely controlled by the master key held only by the customer. Existing unsecured disks can be attached to the Porticor Virtual Private Data product and automatically detected and encrypted.

Porticor says this is military grade security since only one party – the customer – holds the master key to unlock the data. The master key only needs to be accessed when the entire server cluster is rebooted, which should be a rare occurrence. When new application servers are created, they inherit the encryption automatically through the VPD.

You May Also Be Interested In: