Windows Server Migration
Protecting Public Cloud Data
If you’re considering a migration to cloud services like Microsoft Office 365 and concerns about data leakage are holding you back, consider encrypting the data at rest.
Server virtualization, the practice of running multiple “instances” of a server operating system on one physical host server, has enabled tremendous economies of scale for public cloud service providers who can “guest” many customers on one piece of hardware. In earlier days, the one-to-one relationship between customers and server hardware units rendered a remote solution too expensive as the entire cost of the server had to be passed somehow to the customer. Now each customer pays a small fraction of the cost of the server they share with others.
Multi-Tenancy
Using the analogy of living in an apartment building rather than a private home, this strategy is often referred to as “multi-tenancy.”
Naturally, there are concerns around multi-tenancy. Some are concerned that data mingling will occur between server instances from different tenants, or that there will be “data leakage” between instances. These are the kinds of concerns that cause some customers to hesitate to adopt public cloud services like Microsoft Office 365.
Tacit best practices require constant skepticism. Let's assume the worst case: that today’s virtualization technology cannot fully protect tenants from having their data mingle with that of others. Were that the case, what would be a viable strategy to enable companies to enjoy the significant cost savings available from public cloud software and infrastructure as a service?
Simple. Encrypt the Data.
Any good internet-based solution encrypts data in transit from one host to another, but what about when the data is at rest in cloud storage? The economies available from the cloud are obvious, but many people hesitate only because they’re concerned about the safety of their data when it is stored “outside our four walls.” The solution that will allow you to take advantage of the cloud with confidence is simply to encrypt the data in cloud storage while you keep the key.
Elad Yoran, CEO of Vaultive, whose product encrypts data at rest, explains that the responsibility for data is shared between the customer and its cloud provider along some very specific lines. The customer is responsible for selecting the right cloud provider. The cloud provider is responsible for properly executing the technologies that provide security against hackers, malware, viruses, and other threats. But at the end of the day, the customer alone has responsibility for owning and controlling its data.
Yoran suggests that the only way the customer can control the data in storage at a cloud provider’s data center is to encrypt the data and not share the key with the provider. This way, should any data leak or mingle with another instance in a multi-tenant environment, the other environment will find it to be useless gibberish.
Prevent Unauthorized Disclosure
Another compelling reason Yoran points to for encrypting data at rest is what he refers to as “Unauthorized Disclosure.” Major cloud providers like Microsoft, Google and others make it very clear in their contracts that they will comply immediately with any government subpoena for data served on them. This means that the government can access your data without notifying you.
If your data is encrypted at the cloud provider, the government will also find useless gibberish until it obtains the key... from you. You will still have to comply with any subpoena, but at least now you will know about the access and can react accordingly.