Is compliance 'clouding' your judgment?
Cloud or not, the buck stops with you
By Industry Insight | Published: 11:27, 12 August 2013
Cloud computing is growing, both as an external business tool and as a way to better manage IT in the enterprise. According to the Cloud Industry Forum, over 75 per cent of UK businesses will use at least one cloud service by the end of 2013 as companies jump at the chance to reduce their infrastructure, lower costs and become more agile.
This surge in cloud adoption has created a more stringent regulatory environment. Companies are increasingly concerned about the security of their sensitive information in the cloud and the multitude of risks to which that data may be exposed. Whether it be theft of sensitive information, surveillance in the cloud or penalties for non-compliance, numerous factors fuel concerns for the security of personally identifiable information.
Many organisations assume that working with a cloud provider either satisfies their compliance requirements or shifts security responsibility to the cloud provider. However, a wide range of regulations and privacy laws make organisations directly responsible for protecting their own information.
Data Privacy and Protection - The Letter of the Law
In the UK, the Information Commissioner's Office (ICO) has the ability to levy severe financial penalties of up to £500,000 for companies that breach the Data Protection Act. It recently published guidance that has also put the onus on the companies owning the data. It assigns responsibility for securing information in the cloud unequivocally to the company that owns the data - not the cloud provider on whose systems it resides.
At a regional level, the EU has sanctioned both the Data Protection Directive of 1995 (46/EC) and the Internet Privacy Law of 2002 (58/EC), which cover the electronic processing and storage of personal information. Businesses are required to notify data owners if their personal data is being collected, secure data from potential abuses, and only share data with the subject's consent.
And at the industry level, the PCI DSS (Payment Card Industry Data Security Standard) is a worldwide information security standard requiring all merchants to protect their customers’ account data from unauthorised access and misuse. In the case of cloud computing, PCI guidance echoes the ICO’s and assigns security responsibility to the company using the cloud.
The guidance below can enable organisations to continue their cloud adoption journey while protecting their customer data as directed by the letter and spirit of the compliance regulations.
Failing to address these security issues can result in stiff fines and loss of reputation if data is exposed in a breach. To meet these tighter regulations, businesses need to deploy a cloud information protection strategy that ensures sensitive information is secure and compliant, wherever it resides.
Discover, Protect and Enable
To help protect information in the cloud, users first need to know where it is located, who has access to it, and which data compliance laws apply to it. This then ensures the correct tools are in place to protect the information according to requirements.
Encryption and Data Loss Prevention (DLP) technologies are crucial tools in the fight to defend sensitive information. Use strong encryption to scramble sensitive information into gibberish, which protects that data from cloud breaches and surveillance. Keeping the keys that encrypt and decipher information under the control of the user organisation ensures that only the data owner, not the third-party cloud provider or an uninvited surveillance tool in the cloud, can see information in its clear text form.
Customising DLP policies to scan, detect and take action protects information according to its level of sensitivity. Scanning information exchanged with cloud applications in real time allows viruses, malware and other embedded threats to be detected and blocked.
A new approach to encryption, called operation-preserving encryption, addresses the long-standing problem of encryption breaking cloud application functions. It allows users to encrypt sensitive information while preserving the usability, performance and functionality of the cloud application, including searching, sorting and reporting.
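The key-custody model of the two preceding paragraphs, as an added example that is not part of the original article or of any CipherCloud product: the data owner holds the keys, the cloud provider stores only ciphertext plus a keyed search token, and exact-match search still works without the provider ever seeing plaintext. Assumptions: the key values and sample card numbers are constructed, and an HMAC-SHA256 counter-mode keystream with a separate HMAC integrity tag stands in for AES-GCM so that the example runs on the Python standard library alone.

```python
"""Tenant-held keys: the cloud provider stores only what protect() returns."""
import hashlib
import hmac
import secrets


class TenantKeys:
    """Keys stay with the data owner (assumption: loaded from the owner's own key store)."""

    def __init__(self, enc_key: bytes, mac_key: bytes, index_key: bytes):
        self.enc_key, self.mac_key, self.index_key = enc_key, mac_key, index_key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode stands in for a vetted AEAD such as AES-GCM.
        out = b""
        for counter in range(-(-length // 32)):
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:length]

    def search_tag(self, value: str) -> str:
        """Deterministic keyed token: equal values give equal tags, so the provider
        can answer exact-match queries without any key. Caveat: the provider thereby
        learns which records share a value, even though it never learns the value."""
        return hmac.new(self.index_key, value.encode(), hashlib.sha256).hexdigest()

    def protect(self, value: str) -> dict:
        """Tenant-side, before upload: encrypt-then-MAC with a fresh nonce per record,
        so identical values still produce different ciphertexts."""
        nonce = secrets.token_bytes(16)
        data = value.encode()
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        mac = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return {"nonce": nonce, "ct": ct, "mac": mac, "search_tag": self.search_tag(value)}

    def intact(self, record: dict) -> bool:
        """True only if nonce and ciphertext were not altered while in the cloud."""
        expected = hmac.new(self.mac_key, record["nonce"] + record["ct"], hashlib.sha256).digest()
        return hmac.compare_digest(expected, record["mac"])

    def reveal(self, record: dict) -> str:
        """Tenant-side, after download: verify integrity before decrypting."""
        if not self.intact(record):
            raise ValueError("record was altered in the cloud")
        ks = self._keystream(record["nonce"], len(record["ct"]))
        return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()


def find_by_tag(store: list, tag: str) -> list:
    """Provider-side query: matches on tokens only and never sees plaintext."""
    return [i for i, r in enumerate(store) if r["search_tag"] == tag]
```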
With new PCI and other regulatory mandates in 2013 pinning security and compliance responsibility on cloud users, a proactive cloud strategy such as this can save businesses money and reputational damage even in the event of a breach.
Posted by Paige Leidig, CipherCloud