A guide to cloud encryption and tokenization

Cloud adoption shows every sign of continuing to grow. The sharing of resources helps businesses achieve savings and agility based on economies of scale but there’s a problem: cloud computing can also be an attractive target for cyber thieves.

Businesses using the cloud are now increasingly looking to security experts for help on how to protect their data against unwanted intrusion. With Edward Snowden’s continuing revelations on government spying, and a string of headline-grabbing incidents like the recent Heartbleed security vulnerability, many are calling 2014 the year of encryption.

In order to achieve the best cloud information protection strategy, enterprises must understand what information they use to run their enterprise and what sensitive data should needs protection in the cloud. Businesses migrating to the cloud are being advised to lock down any sensitive data before it leaves their premises, which is why more companies are deploying encryption.

To encrypt or not to encrypt
U.S. cloud providers like Google and Microsoft have been upgrading their server encryption levels. This reinforces the relevance of encrypting sensitive data in the cloud for security and privacy compliance worldwide.

Another factor to consider is only a small percent of a company’s data needs to leverage this technology. A pragmatic approach is to encrypt the sensitive data, such as personally identifiable information or research and development materials that could damage the company and or its customers’ reputation in the event of a breach. All data does not need be encrypted in the same way either. Additionally, for functionality’s sake, information such as credit card numbers may need their formats preserved in ways that address information does not.

But is encryption enough to protect private data? To answer that question, it’s vital to understand the encryption methods and know how they work together to keep data protected against unwanted intrusion.

Symmetric and asymmetric encryption
Most secure online transactions rely on asymmetric encryption to encrypt the tunnels as data moves across servers. This is used by online banking or shopping sites to secure the credit card details entered onto transactions page. It relies on a pair of keys – a public one, used to encrypt the data, and a private one, used to decrypt the data.

Yahoo! joined Google and Microsoft in upgrading HTTPS, the encryption standard used to protect these tunnels, from RSA 1024-bit to 2048-bit. This upgrade fortifies the transport layers to protect network environment.

As a complement, symmetric encryption, which relies on one key, provides data-centric protection and typically encrypts the information before it goes to the cloud. Using the industry standard of AES 256-bit, symmetric encryption scrambles the data and gives the keys to the enterprise. This enables enterprises to tighten control over access to the encrypted information.

One of the factors that influences a company’s decision on how to encrypt their data are the privacy regulations they must follow and desired levels of control to meet internal security and privacy policies. Faced with a valid legal order to decrypt and surrender internal data by a government, enterprises must comply with this request. However, this process is still transparent and does not cede decision-making to a third party.

Cloud encryption best practices
Like with any technology, there are common concerns and best practices to follow when securing data with encryption. The first pitfall is whether a business is using strong enough encryption – especially in light of recent security issues.

Encryption comes in different strengths, and choosing the right kind for each data field’s needs is vital to a successful cloud information protection strategy. As mentioned earlier, due to their higher level of sensitivity, customers’ credit card numbers require a higher strength of encryption than customer post codes for example. Failing to use a strong enough encryption method for protected data can result in compliance violations or data breaches – two costly consequences every enterprise wants to avoid.

Collaboration is generally a good thing but any kind of encryption method that gives a third party access to the encryption keys leaves the enterprise more vulnerable to a breach. A third party, for example, could have a security breach or fall victim to an insider threat and, should they ever receive a government request for data, customer information could be turned over without their knowledge or consent.

To ensure that only the business alone has the power to unlock data, keep exclusive control of the encryption keys. This way, even if data is leaked or stolen, it will remain illegible to unauthorised viewers. In the event of cloud surveillance, the intruder can’t decrypt the content without the key.

The beauty of encryption is that it can lock down data so that only authorised parties can read or use it. When implementing an encryption strategy, ensure the software retains data formats and uses methods that preserve the data’s searchability, sortability, reportability, and general functionality in the cloud.

Tokenization best practices
Instead of encrypting data, tokenization replaces the data itself with a placeholder. The data itself is securely stored within an enterprise’s perimeter, and only the token is transmitted. Like encryption, it plays a vital role in a company’s compliance strategy and reduces cloud-related PCI DSS and HIPAA scope by limiting the amount of data that is to be sent outside of the data centre.

However, tokenization has its pitfalls and enterprises should consider the solutions that can address them. The first issue is similar to the uses of a cloud service provider to encrypt their data for the enterprise. By allowing a third party to handle tokenization off-premises, it means handing over sensitive data to a third party and trusting them to secure that data in their own data centres. If tokenization is part of an enterprise’s cloud information protection strategy, do it on premises to retain more control over the data.

Is there such a thing as tokenizing too much or not enough? Tokenization requires enterprises to store their data separately in a data centre, so overuse can result in excessive consumption of that storage resource. With this in mind, only tokenise what is needed.

A word on compliance
Before committing to the cloud, businesses need to understand exactly what cloud information protection measures must be taken to remain in regulatory compliance. Here are a few:

In the UK, the Information Commissioner’s Office (ICO) can impose financial penalties of up to £500,000 for companies that breach the Data Protection Act. Its guidance clearly puts the onus on the companies owning the data.

The EU has sanctioned both the Data Protection Directive of 1995 (46/ EC) and Internet Privacy Law of 2002 (58/EC), where businesses are required to notify data owners if their personal data is being collected, secure data from potential abuses, and only share data with the subject’s consent.

The PCI DSS is a global information security standard every company must consider if they are to protect their credit card and customer account data from unauthorised access and misuse.

What now?
Adopting a well-thought out cloud information protection strategy will give the enterprise full control when it comes to securing its enterprise’s sensitive data. Encryption and tokenization are vital to enabling regulatory compliance and the security and privacy of sensitive data. Used correctly, they can help enterprises stay safe in the cloud and conduct business without interruptions.