Moving a company’s sensitive data to third party clouds complicates the risk landscape where it operates each day. Because sensitive data is of enormous value to a hacker, cloud defense is a business imperative.
In order to understand what concerns should be included in a cloud security strategy, it must be understood what can’t be afforded to lose and what sensitive data should stay out of the cloud. Businesses migrating to the cloud are being advised to lock down any sensitive data before it leaves their premises, which is why more companies are deploying encryption.
Cloud providers are even upgrading their encryption levels, reinforcing the relevance of encrypting sensitive data in the cloud for security and compliance with privacy regulations worldwide. Once a company has committed to encrypting its data, it must decide how, to what extent and which data to encrypt.
Enterprises needn’t encrypt all of their data in the cloud. After all, that would be an expensive and counterproductive undertaking. Data needn’t be encrypted in the same way either.
What works for names may not work as well for social security numbers. For functionality’s sake, credit card numbers may need their formats preserved in ways that mailing address information does not.
Therefore, they should consider a variety of options as part of their cloud encryption solution.
1) Index tokens and pads
They replace data with cryptographic tokens or encrypt and decrypt them using single-use, randomly generated private keys.
2) Strong cryptography
PCI defines it as encryption based on “industry-tested and accepted algorithms”, for example AES, which is used in conjunction with strong key lengths and proper key management practices.
3) Data storage life cycle management
Encryption in the cloud can only be considered truly secure and effective if it persists throughout the lifecycle of the data stored in the cloud.
How can a company truly know the lifecycle of its data if a third party cloud service provider (CSP) is storing its data? Uncertainties surrounding archive, backup and the timely deletion of data, either on your schedule or upon the organisation’s request, make determining the lifecycle of information stored in the cloud a difficult affair.
To get around this issue, the business needs to make sure that no matter how long its data lives in the cloud, it is the only one that holds the keys to it – and therefore is the only one that can access it.
4) Data access control
As researchers discussed in the International Journal of Engineering and Advanced Technology, storing data in the cloud results in security risks since “the cloud data can be accessed by everyone.” It then notes that “a prevention measure is needed to secure the data from unauthenticated users or intruders”. Encryption in the cloud alone may not fully mitigate these risks.
Making encryption work
A business migrating to the cloud should ensure it fully secures its data by properly encrypting confidential information according to industry recommendations, which include using AES 256 bit encryption, the gold standard, and, as an additional security control, exclusively retain the keys.
It must also ensure that whoever holds the encryption keys in your own organisation is justified in having access. For that reason, granular data access control policy is a must.
With these critical elements in a cloud information protection programme, valuable information is strongly protected even in the event of a breach – and that can only be a good thing.
Sourced from Paige Leidig, SVP at CipherCloud