A guide to cloud encryption and tokenization
by Bob West - Chief Trust Officer, CipherCloud - Tuesday, 22 April 2014.
Encryption comes in different strengths, and choosing the right kind for each data field’s needs is vital to a successful cloud information protection strategy. As mentioned earlier, due to their higher level of sensitivity, customers’ credit card numbers require a higher strength of encryption than customer post codes for example. Failing to use a strong enough encryption method for protected data can result in compliance violations or data breaches – two costly consequences every enterprise wants to avoid.

Collaboration is generally a good thing but any kind of encryption method that gives a third party access to the encryption keys leaves the enterprise more vulnerable to a breach. A third party, for example, could have a security breach or fall victim to an insider threat and, should they ever receive a government request for data, customer information could be turned over without their knowledge or consent.

To ensure that only the business alone has the power to unlock data, keep exclusive control of the encryption keys. This way, even if data is leaked or stolen, it will remain illegible to unauthorised viewers. In the event of cloud surveillance, the intruder can’t decrypt the content without the key.

The beauty of encryption is that it can lock down data so that only authorised parties can read or use it. When implementing an encryption strategy, ensure the software retains data formats and uses methods that preserve the data’s searchability, sortability, reportability, and general functionality in the cloud.

Tokenization best practices

Instead of encrypting data, tokenization replaces the data itself with a placeholder. The data itself is securely stored within an enterprise’s perimeter, and only the token is transmitted. Like encryption, it plays a vital role in a company’s compliance strategy and reduces cloud-related PCI DSS and HIPAA scope by limiting the amount of data that is to be sent outside of the data centre.

However, tokenization has its pitfalls and enterprises should consider the solutions that can address them. The first issue is similar to the uses of a cloud service provider to encrypt their data for the enterprise. By allowing a third party to handle tokenization off-premises, it means handing over sensitive data to a third party and trusting them to secure that data in their own data centres. If tokenization is part of an enterprise’s cloud information protection strategy, do it on premises to retain more control over the data.

Is there such a thing as tokenizing too much or not enough? Tokenization requires enterprises to store their data separately in a data centre, so overuse can result in excessive consumption of that storage resource. With this in mind, only tokenise what is needed.

A word on compliance

Before committing to the cloud, businesses need to understand exactly what cloud information protection measures must be taken to remain in regulatory compliance. Here are a few:

In the UK, the Information Commissioner's Office (ICO) can impose financial penalties of up to £500,000 for companies that breach the Data Protection Act. Its guidance clearly puts the onus on the companies owning the data.

The EU has sanctioned both the Data Protection Directive of 1995 (46/ EC) and Internet Privacy Law of 2002 (58/EC), where businesses are required to notify data owners if their personal data is being collected, secure data from potential abuses, and only share data with the subject’s consent.

The PCI DSS is a global information security standard every company must consider if they are to protect their credit card and customer account data from unauthorised access and misuse.


What's the real cost of a security breach?

The majority of business decision makers admit that their organisation will suffer an information security breach and that the cost of recovery could start from around $1 million.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 11th