Enterprises with servers deployed in bare metal cloud environments want to benefit from the ability to accommodate expanding processing needs or spikes in demand for information processing. However, moving sensitive data into the cloud means that it could be compromised in response to lawful requests for information such as those highlighted by news around the US National Security Agency’s “PRISM” program.
Although enterprises may encrypt sensitive information at rest, a security gap remains because the information is unprotected and "in the clear" while in use. A lawful request to the service provider, such as those used in the NSA PRISM program, can compel the provider to hand over data unbeknownst to the enterprise data owner.
Organizations seeking to reduce business delays often want to utilize the public cloud for rapid or cost-effective deployment, yet information security concerns or the prospect of lawful requests for information may remain a significant barrier. Bare-metal cloud offerings provide a way to quickly scale processing power, but security and confidentiality concerns have previously ruled out this option.
Bare-metal cloud computing provides an attractive option for enterprises needing to quickly provision hardware capacity when existing co-location environments lack additional capacity. While bare-metal clouds can provide the necessary elasticity of processing power, enterprises deploying in these environments typically have a shared security responsibility with the cloud service provider. Shared responsibility translates into shared access to servers and data. If a government entity with a lawful request for information approaches the cloud service provider, the cloud service provider can be compelled to comply without informing their enterprise customer.
Even if the information is secured with encryption while in storage, with the encryption keys stored on the enterprise premises, the government entity simply has to request a copy of the server memory along with a copy of the encrypted data. The server memory can be parsed to obtain the encryption keys for data at rest, and the encrypted data at rest can then be deciphered with those keys. All of this can occur even though the encryption key is stored and managed on the enterprise premises. In this scenario, a lawful request for enterprise data would be fulfilled by the cloud service provider without the enterprise knowing that such a request had been received.
PrivateCore vCage protects sensitive information located in bare-metal clouds, enabling enterprises to securely deploy servers in an environment that would otherwise be off-limits due to security concerns. The PrivateCore software-only security solution encrypts all memory contents, mitigating the risk that data in use is compromised even in the face of lawful requests for information. In the event of a lawful request for information such as those used in the NSA PRISM program, the enterprise would be aware of the request, since the government entity would have to approach the enterprise data owner to obtain any cleartext information.