AWS Storage Gateway looks good, but don’t forget security

Just announced today, the AWS Storage Gateway is offered as an on-premises virtual machine image to which the customer attaches its own storage arrays. Data written via iSCSI to the on-prem gateway is then automatically replicated up to the Amazon cloud. There, it acts as a secondary copy in case the on-prem storage fails, and of course the cloud copy is accessible to cloud-based applications as well. It’s a smart model.

What about security? As usual, the devil is in the details. Some of the details are documented here. Commendably, during replication, the data traverses an encrypted tunnel (SSL). As well, when the data is received by Amazon’s storage gateway proxy in the cloud, it’s encrypted before it’s written to permanent storage.

However, since Amazon has access to the encryption keys, that protection buys you checkbox compliance, but not much more. After all, whoever has access to the keys can decrypt the data, and that includes rogue system administrators, or even Amazon itself if under duress (subpoena, national security, etc.).

If the data is subject to regulation that says it must be encrypted, this feature probably meets that bar. But if the data has value or sensitivity above and beyond that, a different approach is required.

One option is to ensure that the data written to the on-prem storage device is already encrypted. That can be accomplished by placing an encrypting proxy between the device and the rest of the on-prem data center. Data read through the proxy will be decrypted, while data propagated up to the cloud will remain encrypted (and then be encrypted again in the cloud, but that’s okay).
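The encrypting-proxy arrangement described above, as an added sketch that is not code from this post, from AWS or from any vendor product: the key lives only in the on-prem proxy, and the volume the gateway replicates holds ciphertext. The class and function names and the sample record are hypothetical, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a vetted cipher mode such as AES-GCM.

```python
import hashlib
import hmac
import os


class EncryptingProxy:
    """Hypothetical shim between on-prem clients and the replicated volume."""

    def __init__(self, key: bytes, volume: dict):
        # The master key never leaves the proxy; derive separate subkeys.
        self._enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(key, b"mac", hashlib.sha256).digest()
        self.volume = volume  # lba -> stored bytes; this is what gets replicated

    def _keystream(self, lba: int, nonce: bytes, n: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < n:
            msg = lba.to_bytes(8, "big") + nonce + ctr.to_bytes(4, "big")
            out += hmac.new(self._enc, msg, hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def _tag(self, lba: int, nonce: bytes, ct: bytes) -> bytes:
        # Binding the block address stops ciphertext being moved between blocks.
        return hmac.new(self._mac, lba.to_bytes(8, "big") + nonce + ct, hashlib.sha256).digest()

    def write(self, lba: int, plaintext: bytes) -> None:
        nonce = os.urandom(16)  # fresh per write, so a rewrite never reuses keystream
        ks = self._keystream(lba, nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, ks))
        self.volume[lba] = nonce + ct + self._tag(lba, nonce, ct)

    def read(self, lba: int) -> bytes:
        blob = self.volume[lba]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(lba, nonce, ct)):
            raise ValueError(f"block {lba} failed integrity check")
        ks = self._keystream(lba, nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


def demo():
    volume = {}                                   # stands in for the on-prem array
    proxy = EncryptingProxy(os.urandom(32), volume)
    record = b"constructed sample: payroll row 42"
    proxy.write(7, record)
    replicated = dict(volume)                     # what replication would carry upstream
    return record, proxy.read(7), replicated[7]
```
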

One example of such a proxy is SecurEntity, a software library available from JW Secure. More information is available here.
