Obstacles still remain before companies can safeguard assets in the cloud, but software advances are helping, reports David Cotriss.
Despite all the positive buzz about how moving data to the cloud can provide cost and flexibility benefits, many enterprises are still reluctant to make the move – citing concern for the protection of their assets. However, with recent enhancements to software security, the cloud might be a more protected environment for storing enterprise data.
The consensus from experts: Perhaps. Many say it is still necessary to proceed with caution and examine the relative benefits and drawbacks of taking the cloud approach.
Organizations considering a move should first ask whether the cloud is compatible with company and industry requirements and whether the particular cloud provider is a good fit, says Scott Hazdra, principal security consultant at Neohapsis, a Chicago-based security service provider. The company must then define the business case for moving to the cloud by asking whether it seeks to take on more storage, reduce costs or provide processing to a third party. It must then ask what data must be moved and why. For example, will the data be sensitive personal information? And, finally, it is necessary to ponder whether third-party data will be combined with internal data.
Along with a review, Hazdra recommends that organizations establish a policy prior to moving data to the cloud so they can evaluate offerings from potential service providers.
Yet, according to the Ponemon Institute study, “2013 State of the Endpoint,” only 40 percent of respondent businesses have a centralized cloud security policy in place. Ultimately, data security and policies are the responsibility of the organization, but the solution provider should also be protecting its own data, which isn't always the case.
When companies are evaluating cloud providers, they should make sure the provider has robust security features of its own, says Chris Camejo, director of assessment services at Integralis, an information security solution provider. He says that both the organization and the cloud provider need to be paying attention to the latest innovations in security.
As far as that goes, encryption and tokenization have become the “go-to” solutions for data being stored in the cloud. Tokenization may provide stronger security, say experts. That is because encryption uses a cipher algorithm to transform sensitive data's original value into a surrogate value, and that surrogate can be changed back to the original value with a key.
Tokenization, on the other hand, entails intercepting data and replacing it with a surrogate token value. Tokens are usually randomly generated and have no mathematical relation to the original data field. Further, tokenization completely removes the original data from the systems in which the tokens reside. De-tokenization is the reverse process of redeeming a token for its associated original value. Plus, tokens cannot be reverted without access to the original “look-up” table that matches them to their original values. These tables are typically kept in a hardened database in a secure location inside a company's firewall.
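The tokenization flow described above, sketched as an added example that is not from the article or any vendor's product. The names `TokenVault`, `protect_record` and `restore_record` are hypothetical, an in-memory dictionary stands in for the hardened look-up database, and issuing same-length digit tokens is an assumption made so the surrogate fits the original field.

```python
import secrets


class TokenVault:
    """In-memory stand-in for the look-up table kept inside the firewall."""

    def __init__(self):
        self._by_token = {}   # token -> original value
        self._by_value = {}   # original value -> token (repeat values reuse a token)

    def tokenize(self, value, max_tries=100):
        if not value.isdigit():
            raise ValueError("this sketch only tokenizes all-digit fields")
        if value in self._by_value:
            return self._by_value[value]
        for _ in range(max_tries):
            # Random digits of the same length: no key, no relation to the input.
            token = "".join(secrets.choice("0123456789") for _ in value)
            if token != value and token not in self._by_token:
                self._by_token[token] = value
                self._by_value[value] = token
                return token
        raise RuntimeError("token space too crowded for this field length")

    def detokenize(self, token):
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def protect_record(vault, record, sensitive_fields):
    """Return the copy that leaves the company: sensitive fields become tokens."""
    return {k: vault.tokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


def restore_record(vault, record, sensitive_fields):
    """Redeem tokens for original values; only works with the vault at hand."""
    return {k: vault.detokenize(v) if k in sensitive_fields else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; the card number is a well-known test value.
    record = {"customer": "A. Example", "card": "4111111111111111"}
    cloud_copy = protect_record(vault, record, {"card"})
    print("stored in cloud:", cloud_copy)
    print("restored on-prem:", restore_record(vault, cloud_copy, {"card"}))
```

Only `cloud_copy` would be sent to the provider; a party holding it without the vault has nothing to decrypt, because the token was drawn at random rather than computed from the card number.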