Q&A with Gilad Parann-Nissany of Porticor - Page 2
VSM: Why is it so difficult to secure data and meet audit and compliance control requirements in a virtual environment?
GPN: Securing data-at-rest is considered less risky when it is located within the four walls of a private data center. But once data is moved to the cloud and virtual environments, the question becomes “who do I trust?” For example, can I trust the cloud provider with my encryption keys? Probably not, and it is definitely not recommended to store the encryption keys with the data itself. How about trusting a third-party vendor? Recent attacks on RSA and VeriSign show that the security vendors themselves are vulnerable to attacks, as well.
VSM: Aren’t there current solutions already available addressing these issues?
GPN: There are some solutions out there, but traditional data security solutions require costly software licenses and operational overhead. Other cloud encryption solutions put enterprises’ encryption keys in the hands of the security vendor or cloud providers. The current solutions are an evolution of security technologies into the cloud virtualization era, and are not necessarily built for the cloud, or with the cloud in mind.
VSM: What is different about your solution? Why is this important?
GPN: Porticor’s patented Virtual Key Management service, with breakthrough split-key encryption technology and built for homomorphic key encryption, keeps the encryption key in the customer’s control, not in the control of the security vendor or cloud provider. This is the first time such techniques have been used in a commercial product. Also, Porticor provides a cost-effective virtual appliance that requires no encryption or key management experience to encrypt customers’ entire data layer with the proven AES 256-bit encryption algorithm within minutes.
With Porticor’s VDP, each data object, such as a disk or file, is encrypted with a unique key which is split in two: a master key and a specific key. The master key is common to all data objects of one application, remains the sole possession of the application owner, and is unknown to Porticor, while the second, specific key is different for each data object and is stored by the Porticor Virtual Key Management Service. As the application accesses the data store, Porticor uses both parts of the key to dynamically encrypt and decrypt the data. When the master key is in the cloud, it will be homomorphically encrypted – even when in use – and can never be seen in the cloud.
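A minimal sketch of the split-key idea described in the answer above, added here as an illustration and not Porticor's own code: the AES-256 key for each object is derived from both halves (an HMAC-SHA256 derivation is an assumption, not Porticor's construction), so neither the owner's master key nor the service's per-object key alone can decrypt anything, and each object gets its own key. The homomorphic protection of the master key while in use is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveObjectKey folds the owner-held master key and the service-held per-object key into one AES-256 key (HMAC-SHA256 here is an assumption, not Porticor's construction).
func deriveObjectKey(masterKey, specificKey []byte, objectID string) []byte {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write(specificKey)
	mac.Write([]byte(objectID)) // bind the derived key to one data object
	return mac.Sum(nil)
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptObject seals a data object with AES-256-GCM, prefixing the random nonce.
func encryptObject(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptObject fails authentication when either key half was wrong or missing.
func decryptObject(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}
```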