Cyber Security News

Going Further Than Encryption for Data Regulation in the Cloud

Moving information from enterprise data centers or in-network servers to a cloud environment is often chosen as a means to offload IT maintenance costs, provide a higher degree of physical safeguards and facilitate easier scaling to accommodate business growth.  But, among the main reasons for selecting a cloud strategy is to facilitate easier sharing of information with business partners, customers and others inside and outside the organization.  However, when that information includes regulated data, special attention is needed.

Compliance and the Cloud

Leading cloud storage providers offer access controls, permissions and audit trails.  And, data may be encrypted while at rest in their system.   These safeguards can be employed to provide security for the enterprise’s information.  

However, any party handling certain types of sensitive information such as personal medical or financial information must ensure they are compliant with governmental and industry regulations.  To comply, it is necessary to track where the regulated data resides, and, when and with whom that data is being accessed, whether it is encrypted or not.  A few examples help make this clear:

  • The Health Insurance Portability and Accountability Act (HIPAA) requires maintaining a list of everyone who has viewed a file containing Personal Health Information.  Hence a methodology must be implemented to determine which files share patient data in a cloud collaboration solution.
  • The Payment Card Industry Data Security Standard (PCI DSS) requires that Personal Account Numbers are encrypted everywhere. Even though the cloud storage provider may encrypt this data at rest, a more comprehensive solution might be to restrict the placement of this data to selected cloud files or prevent it from being moved to the cloud in the first place. 
  • The Gramm–Leach–Bliley Act (GLBA) has strict limits regarding how personal banking and other financial account data can be shared.  It requires an organization to know exactly which cloud sharing platform contains account data and to know exactly who is accessing it.

To follow these directives requires visibility showing when and where regulated information has been stored, sent and accessed. 

Inappropriate Sharing May Result in Breaches

Data encryption can protect sensitive information from access by those not authorized and without the necessary keys to unlock it.  However, studies by the Ponemon Institute and other security analysts have shown that it is actually non-malicious behavior, often by employees, which leads to the majority of regulatory and policy violations putting companies at the highest risk of a data breach. 

Because one of the core objectives of cloud implementations is to facilitate data sharing it is often too easy for an organization to get into trouble by sharing regulated or other sensitive data with an unauthorized third party.  Generally, in fact, most data breaches are the result of human error.  Authorized users are usually the source of these issues, often by improperly sharing files, installing insecure applications that externalize their data, or by having their credentials misused or stolen outright.  

Encryption – Necessary but not Sufficient

Encryption is a necessary piece in an overall security strategy, particularly when implementing cloud storage where concerns for protecting information are greatest and where sharing data may be a key strategy. Leading cloud storage providers offer access controls and data encryption.   These are necessary features for organizations needing to properly manage sensitive information   However, all of these safeguards are not sufficient to ensure compliance with the requirements of regulated data.  

An appropriate modern Data Loss Prevention (DLP) solution will address this issue by providing consistent and constant inspection of regulated data as it is moved anywhere throughout the enterprise network or into the cloud.  By taking this action, users are provided with warnings and guidance whenever a remediation action is required.

There is considerable value to encrypting selectively, whenever there is risk of potential loss.  However the suggestion that this is always a complete solution is a mistake. As Gil Zimmermann, CEO of Cloudlock, stated in a recent article, “Generally, two thirds of most data breaches are the result of internal human error and system misconfiguration.”  Unfortunately neither of these issues can be solved by encryption alone.

DLP – A Proven Compliance Solution

Handling regulated data in the cloud requires the same proven data discovery and deep content analysis tools that are being successfully used to help manage regulated data outside the cloud.  Data Loss Prevention (DLP) solutions have been developed over the past decade specifically to accurately discover and help manage sensitive data.  DLP has been deployed by enterprises to help control sensitive information in the data center, on the network, in use on desktops or laptops, at rest on end-user devices and network servers.  Now, next-generation DLP solutions can be used that transparently extend this capability to the cloud.  This capability allows uniform governance of information across all the enterprise data stores to successfully secure and organization’s most important assets.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security June 2015 issue cover

2015 June

In this June 2015 issue of SecurityIs the security director business’s new “corporate rock star?” Find out how CSOs can become the new leaders of their enterprises through mentorships, partnerships and creatively adding business value. Also, learn how security professionals are training employees in cyber security through games. And why are deterrence and detection so important when it comes to thwarting metal thieves? Find out in this issue.

Table Of Contents Subscribe

Body Cameras on Security Officers

Body cameras are being used increasingly by police in cities across the U.S. Will you arm your security officers with a body camera?
View Results Poll Archive

THE SECURITY STORE

Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.