The regulatory pressure being placed on enterprises today is unprecedented. Factors including globalization, the advancement of technology and large scale failure of controls have driven data security and the manner in which data is shared, transported and retained, to become an integral component of governance.
Given the many regulations and standards that enterprises must consider, how can enterprises leverage the economy and efficiency of cloud computing while maintaining the data security, control and compliance advantages of on-premise computing? With regulations imposing a number of limitations, can organizations that are required to uphold these regulations still benefit from the cloud?
Data Security and Protection: The cloud introduces a broad range of security threats, including the possibility of the cloud provider being hacked, the potential for malicious actions by a rogue employee of the cloud provider and intermingling of data in a compromised multi-tenant environment.
Regulatory Compliance: Enterprises are subject to an array of regulatory requirements including federal laws such as SOX, varying state data protection measures, The Patriot (News - Alert) Act, international laws like the EU Data Protection Directive, and industry-specific regulations (HIPAA, GLBA and PCI DSS). There are also a number of good practices and standards (COSO, COBIT, NIST, ISO, CCM (News - Alert)) that enterprises adhere to in order to best protect data.
Data Residency: Businesses that have an international presence are faced with the daunting task of complying with the multitude of growing privacy and data residency regulations. To comply, enterprises often pay cloud providers a premium to add costly infrastructure in each jurisdiction. Furthermore, most providers are unwilling to duplicate infrastructure in all jurisdictions, making it difficult for customers to comply.
Unauthorized Data Disclosure: In the U.S., personal information is protected under the Fourth Amendment; however once it is shared, it is no longer protected. Until legal guidelines are established to address the application of the Fourth Amendment in cloud computing, uploaded data is not considered private. Cloud providers must comply with subpoenas and other requests by the government to turn over customers’ data, including data subject to attorney-client privilege. Often, the cloud providers notify customers that data was turned over to the government after the fact, if at all.
Smart Encryption Technology Addresses the Concerns
Encryption of data-in-transit and data-at-rest has long been recognized as a best practice. However, these two states of encryption are no longer sufficient, as they do not protect data while it is being processed in the cloud. As usage of cloud applications has evolved, so must the standards and best practices that are applied. Adding an additional state of encryption – encryption of data-in-use – enables data to be dynamically processed by providers while remaining in its encrypted form. This empowers the enterprise to retain full control during the entire process, including when the data is out of its network and in the cloud.
Encryption of data occurs before it goes to the cloud provider. Cloud data encryption companies can generate cryptographic data to complement industry standard 256-bit encryption, which preserves certain characteristics of the data so it can be searched, sorted, indexed, and otherwise processed without ever being decrypted while at the provider. If a malicious actor obtains access to the data, they will only see encrypted text. Similarly, in the case of data intermingling in a multi-tenant environment, the other organization will always only see cipher text. The enterprise maintains control of the encryption appliance and the encryption keys to assure that data cannot be decrypted by anyone else.
Smart encryption can also be deployed in geographically distributed environments. Organizations with multiple data residency requirements can deploy and maintain an instance of the encryption appliance in each jurisdiction. Once the data is encrypted with keys that are maintained in that jurisdiction, the encrypted data can lawfully reside in any location. The paradigm shifts from requiring the data to remain locally to requiring the encryption keys to remain locally.
Encryption also protects enterprise data from unauthorized access by a third party or the cloud provider, while enabling disclosure requests to be managed independently by the enterprise –without placing the cloud provider in the position of disclosing customer data. The cloud provider will turn over customer data when presented with a subpoena or other government request. However, with the application of advanced encryption, all data was encrypted before the cloud provider received it and they cannot decrypt that data. Therefore, when complying with an order, the cloud provider can only turn over cipher text. If the government wants to decrypt the data it must go to the organization that owns the data, just as it does today.
Edited by Brooke Neuman