The recent breach of Social Media site LinkedIn, in which over 6 million passwords were compromised, is the most recent example showing the importance of encryption. LinkedIn did not encrypt its users’ passwords (or Cloud Encryption), making them easy for the criminals to discover.
This is hardly the first such incident – and likely won’t be the last – in which a company or public entity did not adequately protect customer data.
Cloud Encryption [OVERVIEW]
“The LinkedIn breach really reinforces the need for encryption as a last line of defense, and we believe it ultimately will be a best practice to encrypt all data in a cloud or SaaS environment. It’s inexpensive, high performance, and there’s too much to lose by not encrypting,” said Geoff Webb, Credant’s director of product marketing.
Webb believes that most companies won’t learn from LinkedIn’s mistake and will continue to store data in an unencrypted form. Yet, encryption could be the selling point that companies with strong compliance regulations can use for their businesses.
Protect Your Data
Encryption transforms sensitive data to a protected format. For compliance, this means data is under the control of the organization wherever the data travel. Only the organization and its authorized users can read the data, not someone who hacks a cloud database or finds a backup tape. And especially important for compliance, encryption and its resulting protection can be audited and confirmed. Either you can decrypt or you can’t.
“For all of these reasons, encryption is now universally recognized as the best method to protect sensitive data: from U.S. state data breach notification laws to data privacy rules in Australia,” explained Pravin Kothari, Founder and CEO with CipherCloud, a cloud security solutions company. “Encryption delivers control back to organizations by taking sensitive data and turning it into unusable data. Only authorized users with access to the right cryptographic keys can read it.”
Kothari said that before you encrypt data in the cloud, there are two important considerations to keep in mind:
1) What data is used in the cloud and what needs to be secured?
2) When data is encrypted, who controls and has access to the data? the cloud service provider or the organization that owns the data?
“First, not all data is created equal. The most sensitive data, like customers social security numbers, patient healthcare records, or plans to your next product, all should (and in some cases must) be encrypted,” he said.
He continued: “Second, and probably most important of all, who will have access to data over its lifetime? Many cloud service providers encrypt data when it is stored in their databases or transferred through a web browser. But, this encryption is under the control of the cloud service provider and encrypted data is likely not segmented by customer. Both are red flags under a slew of regulations.”
Accessing encrypted data shouldn’t be a problem for authorized users while being completely inaccessible to criminals. “The best encryption is encryption that you never know is working but is so strong that all the computing power in the world combined still couldn’t break it,” said Kothari.
He continued: “The cloud of course makes this much easier. Any app that connects – whether a desktop or mobile app – can be connected to cloud encryption gateways that work in the background to secure data before it’s stored in the cloud provider. Gartner expects 25 percent of all enterprises to be using these services by 2016. Not just helping to secure data but also reducing costs by 30 percent.”
Protect Vital Information
So how do you determine what data should be encrypted in the cloud? This comes down to the risk tolerance of the business and the type of data it handles.
Data that is likely to be covered by a compliance mandate should be protected, but also anything that could prove costly, embarrassing or provide a business advantage to a competitor, according to David Tishgart, director of product marketing with security solution company Gazzang, Inc. “Compliance mandates are generally fairly loose on how encryption should take place,” he said.
By applying good security practices to encryption it is very likely that you will meet compliance requirements “for free.” Per Tishgart, such best practices will include:
1) Keeping encryption keys securely stored
2) Granting access to the keys only on a need basis
3) Using accepted encryption algorithms
4) Managing the key lifecycle and maintaining access privileges as personnel change
5) Auditing and reporting on the status of encryption and key management
Applying such practices will provide greater security and simpler compliance for data both within your network but also anywhere in the cloud – regardless of who owns the infrastructure or where it is located. It should be no surprise that encryption really is the key to cloud security.