Cyber Surveillance Headlines Put Spotlight on Consumer Cloud, but Implications Loom Larger for the Enterprise

June 21, 2013 By David

Grazed from BusinessWire. Author: PR Announcement.

Coverage of the PRISM surveillance program highlights only the most recent example of personal data ending up in the hands of unintended parties. While most attention has been placed on consumer public cloud services such as Gmail and Facebook, many corporate CISOs and CIOs are now re-evaluating the risks of third-party access to, and surveillance of, corporate cloud services. Regardless of whether these third parties are governments, cyber-activists, or cyber-criminals, the message is becoming clear – when enterprises put their information into shared cloud services, such as SaaS applications, they need to carefully think through the implications of giving away control of their sensitive corporate data assets.

Enterprise cloud adoption has been rapidly growing despite a historic reluctance to place sensitive data into cloud applications. Today, corporate IT security teams face extraordinary pressure from business units such as Sales, Customer Support, Marketing, HR and IT Service Management, to allow information into cloud applications…

"But beyond the buzz over data surveillance, business leaders need to understand that hackers pose a greater threat than governments because theft of information will stop a business in its tracks, while monitoring information won’t," said David Canellos, CEO, PerspecSys. "It’s well documented that hacking corporate information is on the rise, and cloud applications represent a large and attractive target for cyber criminals."

Indeed, governments and industry regulators have been stepping in to provide guidance. Outside the US, for example, concerns over data privacy safeguards and data security levels have caused governments, such as those in Germany and Switzerland, to regulate which data can leave their geographic borders and which cannot. In regulated industries such as Healthcare and Defense, compliance guidelines like HIPAA and ITAR specify which security measures must be taken to protect personally identifiable and other types of data.

The tension between IT security, business leader demands, government regulation and industry guidelines is leaving enterprises seeking ways to retain control and visibility of their sensitive data as they consider further use of the cloud. Many are starting to see that encryption and tokenization can be the answer – when properly vetted and implemented. These data security techniques can be used to alter sensitive data into unreadable forms before it leaves corporate IT environments and travels through the public Internet to external SaaS providers. Once encrypted and/or tokenized, the data is meaningless to anyone outside of the company who accesses it while it is processed or stored in the cloud.

A Big Risk for Corporate Data in the Cloud – Operations Preserving Encryption

Organizations must require solutions that use well-tested, peer-reviewed data encryption and tokenization techniques. If they use encryption, they should try to leverage encryption modules and security techniques that they already have experience using in other areas of their business. They should insist that they retain ownership of all encryption keys, and they should avoid unproven techniques such as "Operations Preserving Encryption," which have come under heavy industry scrutiny. If they use data tokenization from a security solution provider, organizations should make sure it has been audited by an outside, independent agency to validate that it adheres to all industry best practices.

Finally, organizations should look for solutions, such as Cloud Data Protection Gateways, that allow them to deploy data protection safeguards in a way that is transparent to end users of the cloud applications. These gateways allow companies to encrypt and tokenize data without impacting the experience and usability of the cloud application for the business's end users.