Obstacles still remain before companies can safeguard assets in the cloud, but software advances are helping, reports David Cotriss.
Despite all the positive buzz about how moving data to the cloud can provide cost and flexibility benefits, many enterprises are still reluctant to make the move – citing concern for the protection of their assets. However, with recent enhancements to software security, the cloud might be a more protected environment for storing enterprise data.
The consensus from experts: Perhaps. Many say it is still necessary to proceed with caution and examine the relative benefits and drawbacks of taking the cloud approach.
Organizations considering a move should first ask whether the cloud is compatible with company and industry requirements and whether the particular cloud provider is a good fit, says Scott Hazdra, principal security consultant at Neohapsis, a Chicago-based security service provider. The company must then define the business case for moving to the cloud by asking whether it seeks to take on more storage, reduce costs or provide processing to a third party. It must then ask what data must be moved and why. For example, will the data be sensitive personal information? And, finally, it is necessary to consider whether third-party data will be combined with internal data.
Along with this review, Hazdra recommends that organizations establish a policy before moving data to the cloud so they can evaluate offerings from potential service providers against it.
Yet, according to the Ponemon Institute study, “2013 State of the Endpoint,” only 40 percent of respondent businesses have a centralized cloud security policy in place. Ultimately, data security and policies are the responsibility of the organization, but the solution provider should also be protecting its own data, which isn't always the case.
When companies are evaluating cloud providers, they should make sure the provider has robust security features of its own, says Chris Camejo, director of assessment services at Integralis, an information security solution provider. He says that both the organization and the cloud provider need to be paying attention to the latest innovations in security.
As far as that goes, encryption and tokenization have become the go-to solutions for data being stored in the cloud. Tokenization may provide stronger security, say experts. That is because encryption uses a cipher algorithm to transform sensitive data's original value into a surrogate value, but that surrogate can be changed back to the original value by anyone holding the key.
Tokenization, on the other hand, entails intercepting data and replacing it with a surrogate token value. Tokens are usually randomly generated and have no mathematical relation to the original data field. Further, tokenization completely removes the original data from the systems in which the tokens reside. De-tokenization is the reverse process of redeeming a token for its associated original value. Tokens cannot be reverted without access to the original "look-up" table that matches them to their original values. These tables are typically kept in a hardened database in a secure location inside a company's firewall.
Both encryption and tokens can work in conjunction with a cloud encryption gateway that serves as a proxy entry point to a cloud application. The gateway intercepts sensitive data while it is still on-premise and replaces it with a random token value or an encrypted value, making it indecipherable should it be intercepted in transit, while being processed or while stored in the cloud. If encryption is used, the enterprise controls the key. If tokenization is used, the enterprise controls the token vault. The data remains under corporate control at all times.
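The tokenization flow and the gateway proxy described in the two preceding paragraphs, as an added illustration that is not code from the article or from any vendor named in it. The vault, the field names and the sample record are constructed for the example; the token format "tok_" plus 32 hex characters is an assumption.

```python
import secrets


class TokenVault:
    """On-premise look-up table mapping random tokens to original values.
    A token carries no information about the value it replaces, so without
    this table it cannot be reverted (constructed example, not a product)."""

    def __init__(self):
        self._token_to_value = {}

    def tokenize(self, value: str) -> str:
        # Draw a fresh, unpredictable token from the OS CSPRNG; the loop
        # guards against the (astronomically unlikely) collision case.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Redeem a token for its original value. An unknown token raises
        # KeyError; in a real gateway that is an event worth alerting on.
        return self._token_to_value[token]


# Fields the gateway policy treats as sensitive (assumed for the example).
SENSITIVE_FIELDS = ("ssn", "email")


def outbound(record: dict, vault: TokenVault) -> dict:
    """Gateway path from on-premise to the cloud app: sensitive fields are
    replaced with tokens before the record leaves the corporate network."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def inbound(record: dict, vault: TokenVault) -> dict:
    """Gateway path from the cloud app back on-premise: tokens are redeemed
    against the vault, which never left the enterprise."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    original = {"name": "A. Customer", "ssn": "123-45-6789", "email": "a@example.com"}
    in_cloud = outbound(original, vault)   # what the cloud provider stores
    print(in_cloud)
    print(inbound(in_cloud, vault) == original)
```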
This facet is appealing to David Canellos, president and CEO of PerspecSys, a gateway provider with U.S. headquarters in McLean, Va., that offers tokenization and encryption solutions. He asks prospective customers: "What if you could have full use of the cloud without putting your sensitive data there?"
Many users are adopting gateway solutions because of compliance concerns in regulated industries. As well, more and more CISOs and CIOs want to protect brands and corporate reputations by applying best practices to cloud security and by meeting data residency requirements, that is, abiding by the data laws of other countries, says Canellos. Tokenization provides "a frictionless ability to access the cloud with the perimeter dissolving."
In addition, cloud access security brokers (CASBs), a phrase coined by research firm Gartner, provide cloud-based security policy enforcement points that are placed between cloud service customers and cloud service providers. They consolidate and impose security policies when cloud-based data is accessed. CASB security tools may encompass authentication, single sign-on, authorization, credential mapping, encryption, tokenization, logging, alerting and malware detection.
Canellos sees the market moving in this direction because of the breadth of tools. Whether the cloud provider makes it available or the customer decides to use its own, CASBs will become part of the fabric of cloud security. The CASB model provides more robust security without trading off application functionality, he says. “Security should not become a barrier to adoption of the cloud.”
However, many countries don't allow data to leave their legal jurisdictions. EU countries are under strict regulations for data access and control. Encryption does not address this issue, but tokens do. Data remains resident in the country – in the organization's data center – while the cloud provider can be located anywhere. Canellos offers as an example Switzerland, which has strict privacy laws and prohibits personal data from leaving a legal jurisdiction. Using tokens, a company within Switzerland could access Salesforce.com, which maintains its servers outside of Switzerland, without violating Swiss privacy regulations.