Cloud computing offers advantages over building and maintaining private data centers, including flexibility, reduced maintenance and operations costs, and the ability to employ lower-powered, lower-priced personal computers.
Unisys is announcing a cloud service protected by a double-encryption scheme that it says has earned high government security ratings.
Unisys Stealth service encrypts data as it moves in and out of the Unisys cloud using a double encryption technique. An encryption key generated for each session is used to encrypt the data using 256K AES encryption, and a separate session key is generated to encrypt header information. Only the header information needed to route the packets is left unencrypted.
Unisys calls this technique bit splitting and says it is compliant with Federal Information Processing Standard (FIPS) 140 and is being reviewed for the international Common Criteria standard Evaluation Assurance Level 4.
By encrypting header information, Stealth hides from eavesdroppers even the protocols being sent, making it more difficult for attackers to sort out data streams that they might want to capture and try to decrypt later, Unisys says.
The Stealth service also encrypts data in storage using the dual encryption. The keys are persistent rather than session-oriented and are stored in a secure appliance at customer sites. The keys are exchanged between the appliance and Stealth software agents running within virtual partitions within the Unisys cloud that are dedicated to individual customers.
The stored data is also split so that half is stored in one physical location and half is stored in a second location, and then a redundant copy of each half is stored in separate locations.
Customers classify their data and restrict access to it based on communities of interest, which are groups of users as defined by customer policies. Administrators of Unisys Stealth service have no administrative rights to access customer data. “It cannot be seen or read by our administrators, period,” Unisys says.
The service goes some way toward addressing some of the security concerns customers have about using cloud services, particularly the security of data at rest and data loss prevention.
Tim Greene is senior editor at Network World.
Comments (1)
Up to a point
By Anonymous on July 3, 2009, 12:01 pm
1. There's no way for the user to verify that the data is indeed stored in an encrypted manner as described. 2. When the data is being processed by the user, it...