Organisations are increasingly experiencing pressure, from industry peers and internally from their executive boards, to adopt cloud-based software as a service (SaaS) and storage.
The attraction of using public or private clouds to simplify operational overheads and reduce costs is important for competitive advantage — but data will be exposed to higher levels of risk that need to be identified and mitigated.
Sensitive corporate material, such as financial or credit card data and personal information, requires immediate attention to provide adequate protection and compliance with regulations.
Data residency is an important concept: it affects the storage footprint of data in cloud environments, where requirements for availability and redundancy mean cloud services providers (CSPs) use several datacentres around the world.
It is important to consider that:
- The geographic locations used by CSPs must be clearly understood to comply with multiple national privacy requirements;
- Some nations place restrictions on the use or export of encryption technology;
- Many countries have national laws that enable authorities or agencies to access data stored there, which can conflict with data privacy requirements from the originating country.
Data security risks are also compounded by the use of SaaS solutions where suppliers and/or CSPs have access to enterprise data, encryption keys or tokens. It is critically important to assess the risks and apply mitigations (where reasonable) to satisfy acceptable security requirements while not losing the desired functionality.
Cryptographic techniques, such as encryption and tokenisation, have been developed to help with compliance and data residency issues. But many of these solutions are immature and some have unproven security architectures.
The main options and several pitfalls are:
- On-premises file/database cryptography — these solutions protect data on site before it is stored in the cloud, and are used for backup and file-sharing. They are low-risk solutions because the keys/tokens are applied and stored on-premises;
- Cloud gateways — typically these solutions use physical or virtual appliances on-premises and provide proxy integration with SaaS applications such as salesforce.com. Sensitive fields can be encrypted or tokenised. Check that any trade-offs between security and SaaS functionality are acceptable;
- Cloud-based cryptography systems require the availability and management of encryption keys or tokens in a public or private cloud environment. Different solutions are emerging that operate in the public cloud (VMware and hypervisors), while other solutions are emerging in private clouds as managed security services.
Suppliers continue to demonstrate highly innovative solutions with many new product launches and venture-based startups. This high level of investment demonstrates the growth in and potential need for data security services.
Brian Lowans is a principal research director at research firm Gartner
This was first published in September 2013