When it comes to protecting your sensitive customer and corporate data in the cloud, encryption and tokenization will no doubt be two of the most important weapons in your arsenal. But before you can begin applying them (along with your other cloud data protection tools) to your data, you’ll need to know where to encrypt and where to tokenize, and why.
No matter which cloud you’re adopting, your cloud data protection best practices will remain the same: the first step will always be to identify and classify which data must be protected. Encrypting or tokenizing everything going to the cloud would be far too resource-intensive and unwieldy an endeavor, ultimately causing more problems than it solves: there’s no reason to invest in the protection of data that is of no value to competitors or cybercriminals. Instead, determine which data must be protected, and how strongly.
The first step in doing so is to clarify exactly which data privacy regulations or industry standards you must follow. For healthcare enterprises, for example, HIPAA and HITECH will be of paramount importance; financial services firms will need to focus on the Gramm-Leach-Bliley Act (GLBA), among others. And within each of those regulatory frameworks, different types of data will need different levels of protection.
As a general rule, Personally Identifiable Information (PII) will be protected by all data privacy regulations, with different data types at different levels of sensitivity. Consumer financial information, such as Social Security numbers, bank account numbers, and credit card numbers, is among the most sensitive data an enterprise can handle and should be encrypted accordingly. In fact, some types of financial information, such as consumer PIN blocks, must be kept on-premises per PCI DSS. Other consumer information, particularly contact information such as email and physical addresses and phone numbers, is less sensitive but typically must still be protected.
Moving into industry-specific regulations, healthcare is one of the most tightly regulated industries. Healthcare providers handle confidential consumer health information that demands high levels of data protection: all instances of patient names, dates of birth, case procedures, and other Protected Health Information (PHI) and electronic Protected Health Information (ePHI) should be identified and either encrypted client-side or tokenized.
Data classification may prove a challenge when it comes to modern cloud-based collaboration and information sharing applications, since a significant amount of sensitive data may enter those applications in unstructured formats such as messages and documents. As you work towards a thorough cataloguing of all sensitive data in your cloud computing environment, make sure to take into account those unstructured data types and adopt a cloud data protection platform that can work for all such data types.
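As an added illustration (this is not code from the original post or from any vendor product), the following Python script sketches the classification step the preceding paragraphs describe: it inspects a structured record by field name, scans free text such as a support message or document by pattern, tags each hit with a data category, and maps it to a protection level (tokenize, encrypt client-side, or keep on-premises). The field names, the sample record and message, and the category-to-control mapping are constructed assumptions that follow the post's guidance rather than any regulation's literal text; the Luhn check is included only to reduce false positives on arbitrary digit runs.

```python
"""Constructed example: classify structured fields and unstructured text by
regulated data type, then derive the strongest protection control required."""
import re
from dataclasses import dataclass
from enum import IntEnum


class Control(IntEnum):
    """Protection levels, ordered from weakest to strongest."""
    NONE = 0       # no special handling required
    TOKENIZE = 1   # replace with a token; contact data in this example
    ENCRYPT = 2    # encrypt client-side before the data leaves the enterprise
    ON_PREM = 3    # must not leave the premises (e.g. PIN blocks under PCI DSS)


@dataclass(frozen=True)
class Finding:
    category: str   # data type detected, e.g. "ssn" or "email"
    location: str   # field name, or "text" for free-text scans
    sample: str     # matched value (would be redacted in production logs)
    control: Control


def luhn_valid(number: str) -> bool:
    """Luhn checksum used to weed out digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Pattern detectors for unstructured content (messages, documents). Assumed
# patterns: US-style SSN, 13-16 digit card numbers, email, US phone numbers.
TEXT_DETECTORS = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Control.ENCRYPT),
    ("credit_card", re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), Control.ENCRYPT),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), Control.TOKENIZE),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), Control.TOKENIZE),
]

# Field-name rules for structured records; the names are hypothetical.
FIELD_RULES = {
    "pin_block": ("pin_block", Control.ON_PREM),
    "ssn": ("ssn", Control.ENCRYPT),
    "card_number": ("credit_card", Control.ENCRYPT),
    "bank_account": ("bank_account", Control.ENCRYPT),
    "patient_name": ("phi", Control.ENCRYPT),
    "date_of_birth": ("phi", Control.ENCRYPT),
    "diagnosis": ("phi", Control.ENCRYPT),
    "email": ("email", Control.TOKENIZE),
    "phone": ("phone", Control.TOKENIZE),
}


def classify_text(text: str, location: str = "text") -> list:
    """Run every detector over free text and return the findings."""
    findings = []
    for category, pattern, control in TEXT_DETECTORS:
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "credit_card" and not luhn_valid(value):
                continue  # digit run that fails Luhn is not treated as a card
            findings.append(Finding(category, location, value, control))
    return findings


def classify_record(record: dict) -> list:
    """Classify known fields by name; scan unknown fields as free text."""
    findings = []
    for field, value in record.items():
        rule = FIELD_RULES.get(field.lower())
        if rule:
            category, control = rule
            findings.append(Finding(category, field, str(value), control))
        else:
            findings.extend(classify_text(str(value), location=field))
    return findings


def required_control(findings) -> Control:
    """The strongest control among the findings governs the whole item."""
    return max((f.control for f in findings), default=Control.NONE)


# Constructed sample inputs.
SAMPLE_MESSAGE = ("Hi, my card 4111 1111 1111 1111 was charged twice. "
                  "Reach me at jane.doe@example.com or 555-123-4567.")
SAMPLE_RECORD = {"patient_name": "Jane Doe", "date_of_birth": "1980-02-14",
                 "notes": "SSN on file: 123-45-6789", "ticket_id": "TCK-42"}

if __name__ == "__main__":
    for item in (classify_text(SAMPLE_MESSAGE), classify_record(SAMPLE_RECORD)):
        for f in item:
            print(f"{f.location:>14}: {f.category:<12} -> {f.control.name}")
        print("required control:", required_control(item).name)
```

The "strongest control wins" rule in `required_control` is the practical consequence of the point made above: once a message or document contains even one high-sensitivity element, the whole object has to be handled at that level, which is why unstructured content must be in scope of the classification catalogue. Regex detectors alone produce false positives and misses on real data; a production classifier would add context checks, validation such as the Luhn test shown here, and review of the categories before the mapping to encrypt-or-tokenize is trusted.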
A cloud data protection strategy is only as effective as its foundation is solid, and the foundation of any cloud data protection strategy is data classification. Take the time to do it right so that your sensitive data doesn’t get exposed.
Ready to learn more about cloud security data classification and other best practices that enterprises are using to protect their data in the cloud? Download our research report, Global Cloud Data Security Report: The Authority on How to Protect Data in the Cloud Q1 2015, today.