Taking on Security and Privacy in the Cloud
Date: Tuesday , October 20, 2015
With the typical enterprise consuming 1,100 cloud applications, cloud is the killer app for security. By enabling the convenience of the \'anywhere, anytime\' revolution, cloud is projected to become a $106 billion market by 2016. Organizations are embracing cloud applications to help innovate and transform their business. Applications that automate sales processes, HR management, collaboration, email and file sharing continue to grow in popularity, enabling organizations to meet their needs in a shorter timeframe than ever before.
As these applications proliferate, so do concerns about the security and privacy of sensitive information going into those clouds. A wide range of regulations and privacy laws make enterprises directly responsible for protecting regulated information. However, a catch-22 emerges because companies have less direct control over data theft, leaks and surveillance in the cloud.
The EU Data Protection Act and the perfect storm
In the EU, regulators assign responsibility for securing information in the cloud to the company that owns the data-not the cloud provider on whose systems it resides. Due to the fundamental belief in the right to privacy, regulators can levy strict financial penalties for companies that breach the Data Protection Directive.
At the same time, leaks and thefts are occurring with increased frequency. As of June 30, the Identity Theft Resource Center reports 400 data incidents to-date in 2015 with 117,576,693 records confirmed to be at risk. In addition, recent research indicates that companies are still vulnerable for breaches. 59 percent of US IT decision makers and 34 percent of those in the UK admit to sharing access credentials with other employees \"at least somewhat often.\" Another 52 percent in the US and 32 percent in the UK share access \"at least somewhat often\" with contractors.
A three-step approach to navigating compliance complexities. Though the risks-from malicious hacks to insider threats-can seem high, a holistic approach to cloud information protection can help companies reduce the risks of adopting the cloud.
First is the discovery stage. Before you can protect information in the cloud, you need to know where it is and who has access to it:
- Who should have access to certain information Pravin Kothari and who should not?
- What content is sensitive, proprietary, or regulated and how can it be identified?
- Where will this data reside in the cloud and what range of regional privacy, disclosure and other laws might apply?
Then, you need to protect the information using the correct tools:
- Encrypt: As a baseline, unbreakable code - like military grade 256-bit AES - can scramble sensitive information into undecipherable gibberish to protect it from unauthorized viewers. Installing a cloud information protection platform at the network\'s edge ensures any data moving to the cloud is fully protected before it leaves the organization.
- Retain keys: Keep the keys that encrypt and decipher information under the control of the user organization. This ensures that all information requests must involve the owner, even if information is stored on a third-party cloud.
- Cloud data loss prevention: Customize policies on this to scan, detect, and take action to protect information according to its level of sensitivity. This provides an additional level of security and control.
- Cloud malware detection: Screen information exchanges, including external and internal user uploaded attachments, in cloud applications in real-time for virus, malware and other embedded threats.
Finally, the breakthrough of operations-preserving Searchable Strong Encryption solves encryption\'s longstanding problem of breaking application functions in the cloud. This advancement enables natural language searching, sorting, and reporting on encrypted data in the cloud while ensuring the highest levels of protection. Additionally, by using encryption from a third party provider versus from a cloud provider, users can ensure they alone hold the keys and protect against unauthorized surveillance requests.
The popularity of the cloud has driven privacy laws and data residency restrictions around the world. Businesses and chief information officers need to collaborate in finding new security models to use the cloud while assuring sensitive information is fully secured. By embracing a new ecosystem of cloud-based security solutions, businesses can safely extend their virtual security perimeter while complying with privacy regulations.