The move by large US cloud providers to upgrade their encryption levels speaks to the relevance of data encryption in the cloud for securing sensitive data and complying with data privacy regulations worldwide.
Encryption isn't a yes or no, cut and dry matter. Once you've committed to encrypting your data, you must then figure out how, to what extent and which data you must encrypt. Keep these guidelines in mind as you develop your cloud encryption strategy.
Realise you have options for encryption
Not all your data will require encryption in the cloud, nor should it. That would be an expensive and ultimately counter-productive undertaking. Nor should all your data be encrypted in the same way.
What works for names may not work as well for social security numbers; for functionality's sake, credit card numbers may need their formats preserved in ways that mailing address information does not.
Because of these conditions, your cloud encryption solution should provide a variety of options, including:
- Index tokens and pads, which replace data with cryptographic tokens or encrypt and decrypt them using single-use, randomly generated private keys.
- Strong cryptography, which PCI defines as encryption based on "industry-tested and accepted algorithms," for example AES, used in conjunction with strong key lengths and proper key management practices.
- Data storage life cycle management: encryption in the cloud can only be considered truly secure and effective if it persists throughout the life cycle of the data stored in the cloud.
But when it comes to data stored by a third-party cloud service provider (CSP), how can you truly know the life cycle of your data?
Uncertainties surrounding archive, backup and the timely deletion of data, either on your schedule or upon your request, make determining the life cycle of information stored in the cloud a difficult affair. To get around this issue, you need to make sure that no matter how long your data lives in the cloud, your organisation is the only one that holds the keys to it – and therefore is the only one that can access it.
That way, when you've decided that the time has come to destroy your data, all you need to destroy is your key. Deleting that key will "digitally shred" your data, rendering it useless to prying eyes no matter how long it exists in the cloud.
As researchers discussed in the International Journal of Engineering and Advanced Technology, storing data in the cloud results in security risks since "the cloud data can be accessed by everyone."
It then notes that "a prevention measure is needed to secure the data from unauthenticated users or intruders." Encryption in the cloud alone may not fully mitigate these risks, either, since any CSP insider with the encryption key can access the data.
What does this all mean?
To start, fully secure your data by encrypting confidential information in the cloud in the appropriate manner for the designated fields. As an additional security control, exclusively retain the keys.
You must also ensure that whoever holds the encryption keys in your own organization is justified in having access. For that reason, granular data access control policy is a must.
As you look for ways to implement effective encryption in the cloud to secure your data and ensure regulatory compliance, make sure your cloud information protection program includes these critical elements.
Without them, your data's about as safe as a fortune stored in a vault to which too many people have the keys.
- Paige Leidig has 20 years of experience in technology, marketing, and selling enterprise application solutions and managing trusted customer relationships. As SVP of Marketing, he is responsible for all aspects of marketing at CipherCloud.