Amazon Web Services (AWS) evangelist and security expert Steve Riley used his presentation at the RSA Conference this week to float the idea of a Simple Encryption Service. Users would issue an application programming interface (API) call that generates a key to access their data, and this key would be stored in a hardware security module (HSM) or key store in AWS.
"Is this something you would use?" Riley asked the audience. A few hands went up out of about two hundred in the room. Had the session been in front of AWS users, the count may have been higher.
Riley said he hears from many customers interested in a service like this. "What would we need to do to make a managed encryption service work well for you?" he asked.
Amazon already offers two-factor authentication for its cloud computing services, along with recently completing a SAS 70 Type II accreditation. That, however, is not enough for paranoid enterprise IT shops, according to Randy Bias, founder and analyst of CloudScaling.
Security pros in the audience huddled after the session and poked holes in Riley's proposed service. This is exactly what the AWS evangelist was hoping for, and a signal that perhaps the company is trying to offer more transparency around its infrastructure and services. The company has been criticized for a lack of transparency in the past.
A security strategist with a well-known online payment service said that HSMs did not solve the problem entirely and might be difficult to scale. He suggested AWS create key servers in memory rather than on disk. A passphrase would then be required to access the HSM and pull out the required key.
"Ideas like this are exactly what we need to keep pushing the industry forward," said Jim Reavis, executive director of the Cloud Security Alliance.
Cloud security summed up
In general, Riley said the industry needs to move to a new security model based not on location and ownership but on encryption and signatures, SLAs and auditable security standards.
"Data likes to move," said Riley, as he asked the audience to hold up their smartphones, BlackBerrys and other mobile devices. He said AWS was paying close attention to CloudAudit.org and is interested in participating in the Cloud Security Alliance, as long as it is doesn't "stifle innovation."
A spokesperson from CompTIA stood up during the middle of Reavis and Riley's session and claimed all the problems of security in the cloud have been solved.
"It's all been done, I wrote it all for CompTIA," this person said. "At least take a look at it."
Reavis was not persuaded: "People that believe it's all been solved are going in the wrong direction," he said.
Jo Maitland is the Executive Editor at SearchCloudComputing.com. Contact her at firstname.lastname@example.org.