Speaking from a user’s perspective, there is serious buzz in the industry about the responsibility for encryption and to “whom” it should be assigned. Once again, the real concern isn’t the technology to be used; rather, it’s the privacy and legality of the issue, which has been raised again and again.
Simply put, you can’t afford to have your data on the cloud open to anyone and everyone, and you also wouldn’t want your data to be managed by someone you don’t trust. So the privacy and legality of cloud encryption is still a hotly debated topic among professionals and users around the world.
As far as I can imagine, there are two simple ways to tackle the issue (mind that these ways are not always available to all users). First, let’s imagine that you have financial data that you want to store in the cloud. Your available options include having your data encrypted with one of the different encryption solutions (PGP is one good solution). Alternatively, you may be lucky enough to have a cloud provider kind enough to encrypt your data for you without any encryption keys. The latter solution is much faster and more affordable, as you don’t have to buy and use encryption technologies; however, as mentioned, not everyone is lucky enough to have these solutions for their data encryption.
Another serious concern regarding data encryption in the cloud is who bears or owns the encryption keys. The real debate remains whether the cloud provider or the end user should hold the rights to the encryption keys (something on which a legal expert could offer an expert opinion). Though I am in no way a legal advisor who can give an expert opinion on this issue, as a student and user of cloud technology I can still claim that the cloud provider should have nothing to do with the encryption key and that the authoritative encryption key should be possessed by the user (so that he always stays confident about the privacy of his data).
Conversely, if the cloud provider holds the encryption key himself, it means that he has the same control over your data as you possess (in fact, he would have more control over the data than you, because he could change the key any time he wants, leaving you feeling vulnerable all the time). It also means that you are always dependent upon the provider, who can not only access and view your data but also control your access and, in any case, can remove your account. It also means that your data will be available to the provider for sale, misuse or hacking. In the worst case, a hacker breaching the cloud can hack your data and use it for God knows what purposes.
That is not all; things get more interesting when we bring law enforcement agencies into the scenario. Suppose your provider holds your encryption key: if, for any reason, law enforcement agencies want access, they can easily compel the provider to hand over the details, leaving you compromised with unsecured data. Here it is important to remember that this might not be a personal attack by law enforcement agencies and that they might need it for a broader purpose; still, you are left with unsecured and naked data (something that you would definitely hate and regret).
All of the above-mentioned cases are purely scenario-based assumptions, listed to make you realize the vulnerability of cloud technology without a proper and authoritative encryption key. The topic remains open to debate, and one can present different arguments for or against the aforementioned scenarios. However, the only lesson one can take from these scenarios is to ensure the safety and privacy of your data in the cloud and to try to protect it with your own encryption keys.