Several security regulations and regulatory policies currently govern the access to and use of certain types of “sensitive” data associated with individuals, such as payment data, health-related data, and various other types of financial and personal data. These security regulations and regulatory policies include, but are not limited to, the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Sarbanes-Oxley Act. Many of them require specific access protocols, technical controls, regular reporting, and audit trails related to the accessing, transport, use, and processing of various types of data.
The recent emergence of “cloud computing”, including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) computing models, has created several challenges with respect to implementing and establishing compliance with existing regulatory policies. For instance, when using “public clouds”, an “enterprise”, i.e., a business that processes sensitive data subject to regulatory policies and/or regulations, currently has little or no control of the data at the network, compute, and storage level at the provider. As a result, while still being required to comply with the regulatory policies, and to prove that the data is being handled/processed in accordance with those policies and regulations, the enterprise often lacks the control of the data at the network, compute, and storage level that is necessary to deploy technical controls, such as firewalls, vulnerability assessment (VA), configuration checks, and anti-virus (AV), that are widely used in the traditional on-premise data centers historically under the control of the enterprise. Consequently, while many enterprises want to adopt the public cloud as their computing model, they are hesitant because of their concerns about security and compliance with various security regulations and regulatory policies.
Encryption is a compensating control that is currently proposed to satisfy some security standards, such as those enforcing privacy. However, the most efficient data encryption in public cloud computing environments currently takes place at the enterprise level or, at best, at the divisional or large-group level, through deployments at enterprise gateways such as e-mail and web traffic gateways. As a result, a relatively small number of encryption keys is currently shared among many individuals accessing the encrypted data. Consequently, current systems do not typically comply with the principle of least privilege necessary to meet the requirements of several compliance regulations; see, for instance, PCI DSS Requirements 7, 8, and 10.
In order to meet the least privilege requirements, encryption keys must be assigned that are unique to a defined user, or, at most, a defined small group of users, that are legitimately charged with accessing and/or processing the data, i.e., that “own” the data. As a result, to meet the least privilege requirements, numerous encryption keys are required that are uniquely associated with individuals, or very small groups of individuals. This ensures that only a designated user, or small group of users, owning the data can access the data when it is stored in the public cloud as encrypted data. In addition, since the encryption key provides access to only a small portion of the data, if the encryption key is compromised, only a small defined sub-set of the data is potentially compromised.
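The two key-assignment policies contrasted above, a single gateway key shared by everyone versus a key unique to each data owner, can be made concrete by measuring what a single compromised key exposes. The following is an added illustration, not code from the original document, and it assumes a master key from which per-principal keys are derived, a constructed set of four sample records owned by three users, and a stand-in cipher built from HMAC-SHA256 in counter mode with an HMAC tag (so that it runs with the Python standard library only; a deployed system would use an authenticated cipher such as AES-GCM from a vetted library). The function `exposure_under` returns the labels of the records readable by whoever holds the named key under each policy.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed master key for illustration only; a real deployment would keep
# this in an HSM or key-management service, never in source.
MASTER_KEY = b"constructed-master-key-for-illustration-only"

# Constructed sample data: (owner, label, plaintext). The owner is the
# principal legitimately charged with accessing the record.
SAMPLE_ITEMS = [
    ("alice", "card-a1", b"payment record 1 belonging to alice"),
    ("alice", "card-a2", b"payment record 2 belonging to alice"),
    ("bob", "phi-b1", b"health record belonging to bob"),
    ("carol", "ledger-c1", b"financial ledger belonging to carol"),
]


def derive_key(master: bytes, key_id: str) -> bytes:
    """One-step HKDF-style derivation: each key id yields a distinct 256-bit key."""
    return hmac.new(master, b"key:" + key_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode; stand-in for a real stream/block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag. Tag input is domain-separated from the keystream."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag:" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key -> ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag:" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Record:
    owner: str
    label: str
    key_id: str   # which derived key protects this record
    blob: bytes


def key_id_for(owner: str, policy: str) -> str:
    """'gateway': one enterprise-wide key; 'per_owner': a key unique to the owner."""
    if policy == "gateway":
        return "enterprise-gateway"
    if policy == "per_owner":
        return f"user:{owner}"
    raise ValueError(f"unknown policy {policy!r}")


def store_records(items, policy: str) -> list:
    """Encrypt each item with the key the policy assigns to its owner."""
    return [
        Record(owner, label, key_id_for(owner, policy),
               encrypt(derive_key(MASTER_KEY, key_id_for(owner, policy)), plaintext))
        for owner, label, plaintext in items
    ]


def exposure_under(policy: str, compromised_key_id: str, items=SAMPLE_ITEMS) -> list:
    """Blast radius: labels of records that the compromised key actually decrypts."""
    key = derive_key(MASTER_KEY, compromised_key_id)
    exposed = []
    for rec in store_records(items, policy):
        try:
            decrypt(key, rec.blob)
            exposed.append(rec.label)
        except ValueError:
            pass   # tag check fails: this key cannot read the record
    return exposed


if __name__ == "__main__":
    print("gateway key compromised:", exposure_under("gateway", "enterprise-gateway"))
    print("alice's key compromised:", exposure_under("per_owner", "user:alice"))
```

Under the gateway policy one leaked key reads every record; under the per-owner policy it reads only that owner's records, which is the bounded exposure the passage describes. Note that the per-owner keys are derived from one master, so the master itself must remain under the enterprise's control; only the derived keys are handed to the users or to the cloud-side processing.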
Unfortunately, using current security data systems, generating and using numerous encryption keys that are uniquely associated with individuals, or very small groups of individuals, places a significant burden on the enterprise's agents, i.e., the individuals accessing and processing the data, each time the data is accessed and/or saved at the enterprise level, and/or sent to the public cloud.
As a result of the situation described above, many enterprises that could benefit significantly from the use of a public cloud computing model currently do not employ public clouds because of their uncertainty regarding security and security compliance standards, and the inefficiency of involving their employees and/or agents in burdensome security compliance procedures. This is not only inefficient for the enterprises themselves, but is also ultimately inefficient for commerce and the end consumer.