In my recent conversation with Dr. Eric Cole of the SANS Institute (“Old remedies don’t work on new threats; SANS panel will discuss alternative medicine”), Cole stressed the importance of data encryption, especially in the cloud. His advice: Encrypt the data and manage the keys in such a way that no one but you has access to the keys.
Encryption vendors have taken that message to heart, and they are now delivering many different options for protecting your data, whether it’s within your own network or in the cloud. In addition, many solutions are geared toward helping companies meet a variety of compliance mandates covering data residency, information privacy, and industry-specific regulations (such as PCI DSS for merchants, HIPAA and HITECH for healthcare providers, or ITAR for defense contractors).
Though cloud adoption is accelerating at a rapid pace, many companies still identify security as their top concern and reason for not moving applications into the cloud. As an issue, security really boils down to a handful of questions that don’t necessarily have easy answers:
- Who can access my data? Best practices (as well as many laws and regulations) dictate that only people who have a legitimate need should have access. When data is stored in the cloud, or used in a SaaS application, it’s quite likely that the cloud provider’s employees would have access when they are performing routine IT operations such as data backups or replication across data centers for disaster recovery. While these operations are necessary to protect the data, they are not a legitimate reason for workers to have access to data in the clear.
- Is my data obfuscated? In the event that an unauthorized person (or computer) is able to breach the data, it should be indecipherable so that it cannot be read, used or monetized. The most common obfuscation technique is encryption, but tokenization is a viable option under many conditions. However, in the cloud, and in particular in SaaS applications, both encryption and tokenization can be problematic if the user organization can’t perform necessary functions (like search or sort) on data that is encrypted or tokenized. It’s a Catch-22: data has to be protected, but it can’t be used easily if it is protected “too well.”
- Where is my data? In certain countries (such as Switzerland) and regions (such as the European Union), organizations are prohibited from allowing private data to leave the physical borders of the country/region. This can create quite a challenge in cloud environments where data is often replicated across multiple geographically diverse data centers to ensure availability. While data may originate in the EU, it could inadvertently end up in the U.S. if the cloud provider distributes data to multiple data centers.
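
The search-and-sort problem raised under "Is my data obfuscated?", shown as an added Python example (not from the original post or from any vendor named in it). The sample records, the class and function names, and the use of truncated HMAC-SHA256 as a deterministic token are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not from the article).
CUSTOMERS = ["Alvarez", "Baker", "Chen", "Baker"]

class RandomTokenVault:
    """Random tokens: the token-to-value mapping exists only in the owner's vault."""
    def __init__(self):
        self._to_value = {}

    def tokenize(self, value):
        token = secrets.token_hex(8)
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        return self._to_value[token]

def deterministic_token(key, value):
    """Keyed deterministic token (assumed scheme): same key and value, same token."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def saas_equality_search(stored, needle):
    """All the provider can do with opaque values: exact string comparison."""
    return [i for i, t in enumerate(stored) if t == needle]

def demo():
    vault = RandomTokenVault()
    key = secrets.token_bytes(32)  # held by the data owner, never by the provider
    random_stored = [vault.tokenize(v) for v in CUSTOMERS]
    det_stored = [deterministic_token(key, v) for v in CUSTOMERS]
    return {
        # A fresh random token for "Baker" matches nothing the provider holds.
        "random_search": saas_equality_search(random_stored, vault.tokenize("Baker")),
        # Deterministic tokens restore exact-match search on the provider side...
        "det_search": saas_equality_search(det_stored, deterministic_token(key, "Baker")),
        # ...but not partial matches: the token of "Ba" is unrelated to "Baker".
        "det_partial": saas_equality_search(det_stored, deterministic_token(key, "Ba")),
        # Sorting by name still requires the owner to detokenize first.
        "owner_sorted": sorted(vault.detokenize(t) for t in random_stored),
        # The price of searchability: the provider sees which rows share a value.
        "duplicates_visible": det_stored[1] == det_stored[3],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
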
Over the course of my next few posts, I’ll present some of the new or interesting options available to you for encryption and tokenization for cloud-based data. Unfortunately, I can’t possibly be totally comprehensive with this list because there are so many solutions now coming to market. In addition, many cloud storage providers offer their own encryption services. In my next few posts, I plan to write about solutions from Gazzang, PerspecSys, Vaultive, Vormetric and Porticor, so stay tuned to learn how you can get good data security in the cloud.