Cyber Security News

Going Further Than Encryption for Data Regulation in the Cloud

Moving information from enterprise data centers or in-network servers to a cloud environment is often chosen as a means to offload IT maintenance costs, provide a higher degree of physical safeguards and facilitate easier scaling to accommodate business growth.  But, among the main reasons for selecting a cloud strategy is to facilitate easier sharing of information with business partners, customers and others inside and outside the organization.  However, when that information includes regulated data, special attention is needed.

Compliance and the Cloud

Leading cloud storage providers offer access controls, permissions and audit trails.  And, data may be encrypted while at rest in their system.   These safeguards can be employed to provide security for the enterprise’s information.  

However, any party handling certain types of sensitive information such as personal medical or financial information must ensure they are compliant with governmental and industry regulations.  To comply, it is necessary to track where the regulated data resides, and, when and with whom that data is being accessed, whether it is encrypted or not.  A few examples help make this clear:

  • The Health Insurance Portability and Accountability Act (HIPAA) requires maintaining a list of everyone who has viewed a file containing Personal Health Information.  Hence a methodology must be implemented to determine which files share patient data in a cloud collaboration solution.
  • The Payment Card Industry Data Security Standard (PCI DSS) requires that Personal Account Numbers are encrypted everywhere. Even though the cloud storage provider may encrypt this data at rest, a more comprehensive solution might be to restrict the placement of this data to selected cloud files or prevent it from being moved to the cloud in the first place. 
  • The Gramm–Leach–Bliley Act (GLBA) has strict limits regarding how personal banking and other financial account data can be shared.  It requires an organization to know exactly which cloud sharing platform contains account data and to know exactly who is accessing it.

To follow these directives requires visibility showing when and where regulated information has been stored, sent and accessed. 

Inappropriate Sharing May Result in Breaches

Data encryption can protect sensitive information from access by those not authorized and without the necessary keys to unlock it.  However, studies by the Ponemon Institute and other security analysts have shown that it is actually non-malicious behavior, often by employees, which leads to the majority of regulatory and policy violations putting companies at the highest risk of a data breach. 

Because one of the core objectives of cloud implementations is to facilitate data sharing it is often too easy for an organization to get into trouble by sharing regulated or other sensitive data with an unauthorized third party.  Generally, in fact, most data breaches are the result of human error.  Authorized users are usually the source of these issues, often by improperly sharing files, installing insecure applications that externalize their data, or by having their credentials misused or stolen outright.  

Encryption – Necessary but not Sufficient

Encryption is a necessary piece in an overall security strategy, particularly when implementing cloud storage where concerns for protecting information are greatest and where sharing data may be a key strategy. Leading cloud storage providers offer access controls and data encryption.   These are necessary features for organizations needing to properly manage sensitive information   However, all of these safeguards are not sufficient to ensure compliance with the requirements of regulated data.  

An appropriate modern Data Loss Prevention (DLP) solution will address this issue by providing consistent and constant inspection of regulated data as it is moved anywhere throughout the enterprise network or into the cloud.  By taking this action, users are provided with warnings and guidance whenever a remediation action is required.

There is considerable value to encrypting selectively, whenever there is risk of potential loss.  However the suggestion that this is always a complete solution is a mistake. As Gil Zimmermann, CEO of Cloudlock, stated in a recent article, “Generally, two thirds of most data breaches are the result of internal human error and system misconfiguration.”  Unfortunately neither of these issues can be solved by encryption alone.

DLP – A Proven Compliance Solution

Handling regulated data in the cloud requires the same proven data discovery and deep content analysis tools that are being successfully used to help manage regulated data outside the cloud.  Data Loss Prevention (DLP) solutions have been developed over the past decade specifically to accurately discover and help manage sensitive data.  DLP has been deployed by enterprises to help control sensitive information in the data center, on the network, in use on desktops or laptops, at rest on end-user devices and network servers.  Now, next-generation DLP solutions can be used that transparently extend this capability to the cloud.  This capability allows uniform governance of information across all the enterprise data stores to successfully secure and organization’s most important assets.

Did you enjoy this article? Click here to subscribe to Security Magazine. 

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+