Why end-to-end encryption holds the key to trusted clouds

Whether dealing with public cloud providers or on-premise virtual private clouds or with partners and end users, the notion of trust must be at the center of managing many-to-many relationships in the cloud.

For this to happen, businesses must first gain greater clarity on the levels of security offered by different cloud service providers (CSPs).

So, to spur the adoption of cloud computing across industries, a cloud security standard dubbed the Multi-Tier Cloud Security Standard for Singapore (MTCS SS) has been launched in the island republic.

“This standard increases clarity around the security service levels of cloud providers, while also increasing the level of accountability and transparency from these companies,” says Steve Leonard, executive deputy chairman of Singapore’s Infocomm Development Authority.

For example, a low-risk, public-facing website could rely on a tier-1 certified CSP, while more sensitive business and personal data might require a tier-2. While the standard is voluntary, CSPs participating in public cloud service bulk tenders from the government are required to obtain MTCS SS certification.

A certified CSP is expected to apply encryption policies to sensitive information in-transit and in-storage; implement encryption for non-console administrative access; and ensure that the transportation and addressing of information in electronic messaging are protected and accurately transmitted.

Cloud trust concerns

In the cloud-based security market, Gartner has identified encryption to be an area of growth and forecasts that the cloud-based security services market will rise to USD3.1 billion in 2015 from USD2.1 billion in 2013. 

“Specific controls, such as encryption, are becoming vital to the adoption of cloud computing,” says Kelly Kavanagh, principal research analyst at Gartner. “However, trust concerns and regional variations mean that providers will have to assess each market opportunity carefully before deciding which to focus on.”

For CIOs in Singapore, the Personal Data Protection Act coming into force on July 2 and the prospect of a million-dollar fine for breaches of privacy are pressing them to protect confidential data stored in the cloud.

According to a recent survey by specialist recruitment firm Robert Half, 57% of CIOs in Asia Pacific believe security risks are the biggest problem with cloud technology.

Half of the 407 CIOs in Singapore, Australia, Hong Kong and Japan are also concerned about the legal implications of a privacy breach of personal customer data stored in the cloud, while 37% of them are anxious about potential data loss or theft in cross-border data transfers.

Requirements of the trusted cloud

Clearly, trust concerns have made protecting customers’ personal and confidential information one of the top initiatives for service providers such as banks, SaaS application providers and cloud providers.

However, relying on Secure Sockets Layer (SSL) alone to protect customers’ PINs and other sensitive data in transit between the web browser and the web server can leave them open to malicious attack, as evidenced by the Heartbleed bug compromises.

Hence, the Cloud Security Alliance (CSA) is helping organizations address the information security risks of accessing cloud data, transferring data to the cloud, and securing data held there. Among the control domains of its Cloud Controls Matrix 3.0 standard is encryption and key management.

Drawn from a wide range of industry-accepted security standards, regulations, and control frameworks such as the ISO 27001/2, the standard advocates policies and procedures; business processes; and technical measures in using encryption protocols to protect sensitive data in storage and data in transmission as per applicable legal, statutory, and regulatory compliance obligations.

The Hong Kong Monetary Authority also expects financial institutions (FIs) to apply strong end-to-end encryption (E2EE) to the transmission of highly sensitive data, such as customer passwords, so that data is encrypted all the way from customers’ devices to the FI’s trusted internal networks for processing the data.

Similarly, banks and financial institutions adhering to the Technology Risk Management guidelines issued by the Monetary Authority of Singapore are encrypting sensitive or confidential information, including sensitive payment card data, to preserve their confidentiality and integrity in storage and transmission.

End-to-end encryption prevents leakage

Indeed, E2EE preserves both data confidentiality and integrity, a critical element of the trusted cloud, by preventing intermediaries, such as cloud or internet service providers, from reading or tampering with the data.

E2EE secures the channel between the client’s access device and a hardware security module (HSM) located in a physically secure location within the organization. Passwords and other sensitive data are encrypted at the client’s access device and can be decrypted for verification only by the HSM, not even by the organization’s own applications and servers.

One vendor that has delivered proven end-to-end encryption for data and password protection, addressing potential data leakage vulnerabilities in web servers and on the network, is i-Sprint Innovations. A key benefit for application developers is that i-Sprint’s AccessMatrix Universal Authentication Server (UAS) E2EE solution removes the low-level coding otherwise needed to integrate E2EE authentication with the HSM and with the front-end component that encrypts the user password at login.

“Our proven end-to-end encryption for Transaction Data and Password Protection solution has been designed to address the potential data leakage vulnerabilities in web servers and on the network,” i-Sprint’s CEO, Albert Ching, says.

The AccessMatrix UAS and HSM as an integrated solution works like a tamper-resistant vault. In an internet banking application, this secure domain delivers end-to-end password protection from encryption at the customer’s PC all the way through to decryption and verification at the bank’s HSM.

“With the right technology and approach, online security breaches such as the recent Heartbleed bug can be mitigated. i-Sprint provides tested and proven solutions designed to address such potential internal and external data leakage vulnerabilities and identity theft on the Internet,” says Ching.

i-Sprint’s authentication and E2EE security solutions have been deployed by leading financial institutions across the region – including Bank of China, Taiwan’s Cathay United Bank and Malaysia’s AmBank – to bolster application security, data protection and compliance with security guidelines issued by central banks in Asia Pacific. The company’s software also secures the Inland Revenue Authority of Singapore’s e-tax platform.