Cloud computing has gained significant adoption in enterprises and small-to-medium businesses (SMBs) in recent years. The adoption of cloud computing in enterprises and SMBs ranges from cloud watchers, beginners, and explorers to cloud focused. FIG. 1A is a schematic 100a based on a report by RightScale in 2014 indicating the proportion of organizations using cloud computing. As shown in FIG. 1A, 94% of the organizations sampled use the cloud. However, only 18% of the enterprises sampled and 26% of the SMBs sampled are cloud focused, which means that these organizations have most of their info-communication technology (IT) workloads outsourced to the cloud. The others are cloud watchers, beginners, or explorers. The primary reason why organizations do not fully adopt the cloud in their IT infrastructure is a lack of security. FIG. 1B is a table 100b based on the report by RightScale highlighting the major challenges faced by organizations. As indicated by FIG. 1B, the major challenges for cloud computing are security and compliance.
A case study has been carried out on financial institutions (FIs). The FI industry has been a first mover in looking at cloud services (Top 10 Gartner Client Inquiries in Cloud Computing). According to the IBM Global CIO Study 2009, the FI industry adopted cloud computing faster than any other industry. Chief Information Officers (CIOs) from different industries, including the FI industry, have tremendously increased their focus on cloud computing. According to the IBM Financial Service Survey Whitepaper 2010, 75% of FI respondents agree that the primary barrier to public cloud adoption is security. The Gartner report indicates that the FI industry has been proactive on security.
Key concerns from FIs include:

identity and access management (the existing enterprise auth2× framework may not extend to the cloud);

data protection (making sure data is controlled and secure, and solving the inherent data isolation problems in multi-tenancy environments);

meeting federal regulations and compliance (complying with strict privacy laws against the ability to audit encryption, security controls, and geo-locations); and

trust (cloud service providers (CSPs) are required to deploy data management tools that provide visibility across the cloud to ensure that policies are being enforced, and must be able to provide a secure architecture, e.g. secure application program interfaces (APIs) and an established root of trust).
In summary, one of the security concerns of organizations is the management of the cryptographic keys of encrypted data when uploading to the cloud for either processing or storage. Organizations face a dilemma: either keep the cryptographic keys within the organization's control but be unable to process the data on the compute nodes of the cloud, or trust the cloud service provider to keep the cryptographic keys safe within the service provider's infrastructure.