Tech Talk: Security and the Cloud
David Shaw, contributor to the OpenPGP standard and Nasuni Core Engineer, talks about security and encryption as they relate to cloud storage.
What we were trying to do was, before cloud storage, you know, there was this sacrosanct notion that your data was in your own building, in your own four walls. You had policies in place for managing that – and you could understand that. With cloud storage, you’re changing this. You’re moving it outside your four walls. So what we wanted to do with our security system was as much as possible make it as if the data was still within your four walls by putting this virtual wall around it using our security system.
The idea is that to make this barrier wall around your data, we encrypt your data using a customer-supplied key. And we at Nasuni don’t have that key, we don’t want access to your data, we don’t need access to your data to do what we do.
You want to be the person in control of the key. You don’t want the vendor of the controller to have a copy of the key, you don’t want to have the cloud vendor who actually does the physical storage to have a copy of the key, the key is yours, and the key is your protection of your data. You should be the only person who has a copy of it and no one else should need a copy to do their job.
A common mistake made when building any sort of system is that you design your whole system and when you’re finished, or sort of towards the end, you make it secure – you add security – sometimes referred to as you “sprinkle the magic security pixie dust” on it and you’re finished. We didn’t want to do that. We wanted to bake it in from the start so that from day one it was going to be secure. And for a similar reason, we don’t have the ability to turn off the security. It’s built in to the system, it’s always on, and it is always secure.
The encryption is a piece that people tend to pay attention to. It’s the one where you get to have the big numbers and the math. Everyone starts to make the comparisons about the number of atoms in the universe and all the zeros and all that – which is great, but there’s actually a million and one design decisions, like “oh wait, we have to do it this way” – “We have to delete files in such a way.” The security actually touches everything down to why we have different Amazon buckets for every customer.
So in a way it comes back to the walls around the data. You want walls around the data to protect you from everybody. Walls to protect you from another customer of ours, walls to protect you from the random person trying to break in – you want to have protection against us.
It comes down to a case of “the only way in is with the key – we don’t have the key – so therefore we can’t get in.”