Going Further Than Encryption for Data Regulation in the Cloud
Moving information from enterprise data centers or in-network servers to a cloud environment is often chosen as a means to offload IT maintenance costs, provide a higher degree of physical safeguards and facilitate easier scaling to accommodate business growth. But, among the main reasons for selecting a cloud strategy is to facilitate easier sharing of information with business partners, customers and others inside and outside the organization. However, when that information includes regulated data, special attention is needed.
Compliance and the Cloud
Leading cloud storage providers offer access controls, permissions and audit trails. And, data may be encrypted while at rest in their system. These safeguards can be employed to provide security for the enterprise’s information.
However, any party handling certain types of sensitive information such as personal medical or financial information must ensure they are compliant with governmental and industry regulations. To comply, it is necessary to track where the regulated data resides, and, when and with whom that data is being accessed, whether it is encrypted or not. A few examples help make this clear:
- The Health Insurance Portability and Accountability Act (HIPAA) requires maintaining a list of everyone who has viewed a file containing Personal Health Information. Hence a methodology must be implemented to determine which files share patient data in a cloud collaboration solution.
- The Payment Card Industry Data Security Standard (PCI DSS) requires that Personal Account Numbers are encrypted everywhere. Even though the cloud storage provider may encrypt this data at rest, a more comprehensive solution might be to restrict the placement of this data to selected cloud files or prevent it from being moved to the cloud in the first place.
- The Gramm–Leach–Bliley Act (GLBA) has strict limits regarding how personal banking and other financial account data can be shared. It requires an organization to know exactly which cloud sharing platform contains account data and to know exactly who is accessing it.
To follow these directives requires visibility showing when and where regulated information has been stored, sent and accessed.
Inappropriate Sharing May Result in Breaches
Data encryption can protect sensitive information from access by those not authorized and without the necessary keys to unlock it. However, studies by the Ponemon Institute and other security analysts have shown that it is actually non-malicious behavior, often by employees, which leads to the majority of regulatory and policy violations putting companies at the highest risk of a data breach.
Because one of the core objectives of cloud implementations is to facilitate data sharing it is often too easy for an organization to get into trouble by sharing regulated or other sensitive data with an unauthorized third party. Generally, in fact, most data breaches are the result of human error. Authorized users are usually the source of these issues, often by improperly sharing files, installing insecure applications that externalize their data, or by having their credentials misused or stolen outright.
Encryption – Necessary but not Sufficient
Encryption is a necessary piece in an overall security strategy, particularly when implementing cloud storage where concerns for protecting information are greatest and where sharing data may be a key strategy. Leading cloud storage providers offer access controls and data encryption. These are necessary features for organizations needing to properly manage sensitive information However, all of these safeguards are not sufficient to ensure compliance with the requirements of regulated data.
An appropriate modern Data Loss Prevention (DLP) solution will address this issue by providing consistent and constant inspection of regulated data as it is moved anywhere throughout the enterprise network or into the cloud. By taking this action, users are provided with warnings and guidance whenever a remediation action is required.
There is considerable value to encrypting selectively, whenever there is risk of potential loss. However the suggestion that this is always a complete solution is a mistake. As Gil Zimmermann, CEO of Cloudlock, stated in a recent article, “Generally, two thirds of most data breaches are the result of internal human error and system misconfiguration.” Unfortunately neither of these issues can be solved by encryption alone.
DLP – A Proven Compliance Solution
Handling regulated data in the cloud requires the same proven data discovery and deep content analysis tools that are being successfully used to help manage regulated data outside the cloud. Data Loss Prevention (DLP) solutions have been developed over the past decade specifically to accurately discover and help manage sensitive data. DLP has been deployed by enterprises to help control sensitive information in the data center, on the network, in use on desktops or laptops, at rest on end-user devices and network servers. Now, next-generation DLP solutions can be used that transparently extend this capability to the cloud. This capability allows uniform governance of information across all the enterprise data stores to successfully secure and organization’s most important assets.