Cloud Data Security and Compliance Challenges
Within the financial services industry, cloud data security is paramount. No matter how many benefits the cloud provides, protecting your customers’ confidential, sensitive personal and financial information must come first—not just for the sake of business, but for the sake of regulatory compliance.
A web of regional, federal, and international privacy laws makes compliance a challenge, to say the least. In the United States alone, several major regulations govern how enterprises in the financial services sector handle their data, including the big three:
- The Gramm-Leach-Bliley Act (GLBA), whose Financial Privacy Rule regulates how financial institutions gather, protect, and disclose customers’ financial information;
- The Payment Card Industry Data Security Standard (PCI DSS), which specifically governs data security of payment card information and provides a framework of standards, tools, metrics, and resources to assist organizations in compliance;
- The Sarbanes-Oxley Act (SOX), which deals with auditing and corporate responsibility.
And What About Global Implications?
And that doesn’t even begin to cover the laws enacted at the US state level, or in the other countries where a financial services firm does business (e.g. the UK, Germany, France, Brazil, Japan, Australia). Maintaining the protection of your data and complying with all the required regulations can be—to put it bluntly—a nightmare. But it doesn’t have to be. There’s a secret to safely adopting the cloud while protecting your data: control.
Many would have you believe that adopting the cloud necessitates a loss of control. The Cloud Security Alliance’s first two suggestions for cloud security compliance revolve around a managed ceding of control to the cloud provider: the CSA recommends finding providers whose infrastructures are pre-architected for security compliance and who have a demonstrated history of transparency in their cloud security policies. These are, of course, useful suggestions. Companies would be well advised to choose their cloud application providers carefully.
Multi-tenancy, a key tenet of the cloud, adds another layer of complexity. The PCI Security Standards Council strongly recommends network segmentation to separate cardholder data from the rest of the network. On-premises, you have control over how your network is segmented and can more easily do as the Council recommends. A cloud provider may not.
Improperly segregated data in a multi-tenant cloud environment can also lead to inadvertent disclosures. Take government requests for information. Let’s say your customers’ data resides in a cloud environment alongside the data of another organization altogether. The other organization’s data has been requested, but because yours hasn’t been correctly separated, the cloud provider ends up handing over yours as well. That, and the possibility that a breach of adjacent, poorly segmented data becomes a breach of your own, can add up to catastrophic cloud information protection failures.
Third Party Cloud Data Security – Guess Who’s Accountable?
Unfortunately, even if the cause of such a failure originated in the way your cloud provider handled your data, the fact that it is your data means that, legally, it is your responsibility.
So how can you take control of your data security strategy in a cloud environment? It’s fairly simple: you encrypt, and you retain exclusive control of your encryption key. The PCI Security Standards Council already suggests that clients of cloud application providers take responsibility for data encryption and data access restriction. Not all encryption is created equal, though, and access control is almost as important, since whoever can decrypt your data determines whether it stays safe.
CipherCloud is uniquely positioned to provide companies with the means to take control of their cloud information protection programs through AES 256-bit encryption and tokenization of data. In addition, neither CipherCloud nor your chosen third-party cloud providers retain your encryption keys. The keys always remain under your control. Even in the event of a disclosure, your data will remain encrypted unless you choose to provide the key. Such control makes compliance much easier to achieve and maintain and places your data under safe harbor in many jurisdictions, too.
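To make the two preceding points concrete (encrypt with a key only you hold, and tokenize what the provider never needs to see), here is an added Go example that is not CipherCloud’s or any provider’s code: the customer keeps an AES-256-GCM key and a token vault on-premises, so a disclosure from the provider yields only ciphertext and surrogate tokens that no other tenant’s key or vault can reverse. The Tenant type, the use of a customer ID as additional authenticated data, and the sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Tenant holds what never leaves the customer: the AES-256-GCM key and the token vault.
type Tenant struct {
	aead  cipher.AEAD
	vault map[string]string // token -> original value
}
// mustRandom draws n bytes from the OS CSPRNG (key, nonces, tokens).
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// NewTenant generates a fresh 32-byte key; the provider only ever sees Encrypt/Tokenize output.
func NewTenant() *Tenant {
	block, _ := aes.NewCipher(mustRandom(32)) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)              // cannot fail for an AES block
	return &Tenant{aead: g, vault: map[string]string{}}
}
// Encrypt seals a field under a fresh nonce; customerID is bound in as AAD so the ciphertext cannot be re-filed under another customer.
func (t *Tenant) Encrypt(plaintext, customerID string) string {
	nonce := mustRandom(t.aead.NonceSize())
	return base64.StdEncoding.EncodeToString(t.aead.Seal(nonce, nonce, []byte(plaintext), []byte(customerID)))
}
// Decrypt fails for any other key, any other customerID, or a modified ciphertext.
func (t *Tenant) Decrypt(encoded, customerID string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if ns := t.aead.NonceSize(); err == nil && len(ct) >= ns {
		pt, err := t.aead.Open(nil, ct[:ns], ct[ns:], []byte(customerID)) // GCM tag check
		return string(pt), err
	}
	return "", errors.New("malformed ciphertext")
}
// Tokenize swaps a value (e.g. a card number) for a random surrogate; only the vault can reverse it.
func (t *Tenant) Tokenize(value string) string {
	tok := "tok_" + base64.RawURLEncoding.EncodeToString(mustRandom(16))
	t.vault[tok] = value
	return tok
}
// Detokenize resolves a token; ok is false for tokens this tenant never issued.
func (t *Tenant) Detokenize(tok string) (v string, ok bool) { v, ok = t.vault[tok]; return }
```

Handing the provider only what Encrypt and Tokenize return means a wrongly disclosed or cross-tenant record cannot be read without the key and vault that stayed with you.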
What role does encryption play in your cloud information protection program? Let us know in the comments.
Check out these other relevant resources:
- Blog post: “Top 5 Best Practices to Eliminate Cloud Data Sovereignty Concerns”
- Free white paper: “Managing Data Residency and Compliance in the Cloud Age” – How to enable new cloud applications while maintaining control over your sensitive information