Encryption in Cloud Computing
This article makes the important argument that encryption — where the user and not the cloud provider holds the keys — is critical to protect cloud data. The problem is, it upsets cloud providers’ business models:
“In part it is because encryption with customer controlled keys is inconsistent with portions of their business model. This architecture limits a cloud provider’s ability to data mine or otherwise exploit the users’ data. If a provider does not have access to the keys, they lose access to the data for their own use. While a cloud provider may agree to keep the data confidential (i.e., they won’t show it to anyone else) that promise does not prevent their own use of the data to improve search results or deliver ads. Of course, this kind of access to the data has huge value to some cloud providers and they believe that data access in exchange for providing below-cost cloud services is a fair trade.
“Also, providing onsite encryption at rest options might require some providers to significantly modify their existing software systems, which could require a substantial capital investment.”
That second reason is actually very important, too. A lot of cloud providers don’t just store client data, they do things with that data. If the user encrypts the data, it’s an opaque blob to the cloud provider — and a lot of cloud services would be impossible.
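To make the "opaque blob" point concrete, here is an added example (not from the article quoted above) in which the customer encrypts a record before upload and a provider-side search then sees only ciphertext. AES-256-GCM is an assumed cipher choice, and the names CustomerAEAD, Seal, Open and ProviderSearch, along with the sample record, are made up for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CustomerAEAD builds AES-GCM from a key that only the customer holds.
func CustomerAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts before upload; the random nonce is prepended to the blob.
func Seal(aead cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts after download; a wrong key or altered blob is an error.
func Open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// ProviderSearch models a server-side feature that sees only stored bytes.
func ProviderSearch(stored []byte, term string) bool {
	return bytes.Contains(stored, []byte(term))
}

func main() {
	key := make([]byte, 32) // constructed demo key; it stays on the client
	rand.Read(key)
	aead, _ := CustomerAEAD(key)                       // cannot fail for a 32-byte key
	blob, _ := Seal(aead, []byte("diagnosis: asthma")) // constructed record
	fmt.Println("provider-side match:", ProviderSearch(blob, "asthma"))
}
```

The same ProviderSearch call succeeds on the plaintext record, which is the trade the post describes: server-side search, indexing and similar features work only if the provider can read the data.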