Cloud Vendors Won’t Tell You This…
Innocent customers are falling prey to a trap set by cloud vendors these days. Here is how it works: a cloud vendor offers a data-at-rest encryption service at little or no cost to its customers. The customer is enthralled by the initial offer. Who wouldn’t be? What the customer fails to realize is that once they take advantage of the vendor’s generous offer, they are in fact locked into that cloud platform for a very long time. Let’s look at an example.
Let’s assume that a customer is using Amazon’s EC2 platform. The customer also needs to comply with HIPAA or PCI DSS, as they store regulated information on their cloud servers. The customer notices that they can encrypt their data using Amazon’s data-at-rest encryption offering, and takes advantage of it because it doesn’t cost much. Amazon not only encrypts their data but also offers to manage the associated encryption keys. At this juncture the customer is really happy. The happiness doesn’t last long, however, because the customer finds out that Google Compute Engine (GCE) has added a compelling set of features that could cut their development time in half. Now the customer wants to switch to GCE.
Here are the steps the customer has to go through to move from Amazon to GCE:
- Decrypt their data on the Amazon platform first
- Move the now unencrypted data sets over to Google Compute Engine
- Learn how to use Google’s data-at-rest encryption solution
- Re-encrypt their data using Google’s data-at-rest solution
- And hope and pray that nothing goes wrong during the move that could lead to a data leak while the data sets are unencrypted
All of this means extended downtime, stress and wasted money, in proportion to the size of the data set being moved. I would venture to guess that many customers simply stay put instead of going through the hassle. What is the root cause of this problem? The customer made the strategic mistake of letting their cloud provider also become their data encryption and key management provider. Each provider’s data-at-rest encryption solution is limited to its own cloud: keys generated and held in the provider’s key management service cannot be exported and can only be used through that provider’s API, so data encrypted under them cannot be decrypted anywhere else. That is what forces the decrypt, move, re-encrypt cycle. Had the customer instead used a neutral third-party encryption and key management service, similar to what Server General offers, they would have preserved their ability to switch cloud platforms with ease. The Server General service eliminates the need to decrypt and re-encrypt data sets when moving across cloud platforms, and the encryption keys remain the same even though the data has crossed cloud boundaries. Not being able to move encrypted data sets freely across cloud platforms is going to become a significant problem as more and more customers use different clouds to fulfill their compute needs.
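To make the difference concrete, here is an added example (written for this page; it is not Server General’s code, nor any cloud vendor’s) of the key arrangement that keeps encrypted data portable: envelope encryption with a key encryption key (KEK) that the customer, or a neutral key service, holds. Every object is encrypted under its own data encryption key (DEK), and the DEK travels with the object, wrapped under the KEK. The example assumes AES-256-GCM for both layers, a KEK modeled as a 32-byte slice the customer controls, and the labels "dek" and "payload" as associated data; all of these are choices made for the example. It goes one step past the article: Rewrap shows that even changing key custodians later only re-wraps the 32-byte DEK, not the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EncryptedObject is the blob that sits in an object store. Nothing in it is tied
// to a cloud: the DEK travels with the data, wrapped under a KEK the customer controls.
type EncryptedObject struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Payload    []byte // nonce || AES-GCM(DEK, plaintext)
}

// NewKey returns a fresh random 256-bit AES key (used for KEKs and DEKs alike).
func NewKey() []byte {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // crypto/rand failing is unrecoverable; never fall back to a weaker source
	}
	return key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-GCM ciphertext; aad is authenticated only and labels the
// blob's role, so a wrapped key cannot be passed off as a payload or vice versa.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the aad or any byte of the blob is wrong.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt: a fresh per-object DEK encrypts the payload; the customer's KEK wraps only
// the DEK and never touches the payload.
func Encrypt(kek, plaintext []byte) (*EncryptedObject, error) {
	dek := NewKey()
	payload, err := seal(dek, plaintext, []byte("payload"))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte("dek"))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Payload: payload}, nil
}

// Decrypt unwraps the DEK with the KEK and decrypts the payload. It runs wherever the
// blob and the KEK are available, so moving the data to another cloud is a plain copy
// of the blob: no key is unwrapped and no plaintext exists in transit.
func Decrypt(kek []byte, obj *EncryptedObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Payload, []byte("payload"))
}

// Rewrap changes key custodian (oldKEK to newKEK) by re-wrapping only the DEK. The
// payload is untouched: one 32-byte key per object, not the whole data set.
func Rewrap(oldKEK, newKEK []byte, obj *EncryptedObject) (*EncryptedObject, error) {
	dek, err := open(oldKEK, obj.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(newKEK, dek, []byte("dek"))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{WrappedDEK: wrapped, Payload: obj.Payload}, nil
}
```

Moving the data set from one cloud to another is a byte-for-byte copy of EncryptedObject, and Decrypt succeeds on the far side because the KEK came along with the customer rather than staying behind in the first provider’s key service. Had the KEK been generated inside that provider’s KMS, the unwrap of WrappedDEK could only be performed through that provider’s API, which is exactly the lock-in described above. The GCM tag also means that a blob corrupted or tampered with in transit fails to decrypt rather than yielding garbage.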