For enterprises in regulated industries considering cloud adoption, information protection for compliance is a key concern. Data privacy and breach notification laws abound, creating potential concerns with cloud applications. Cloud encryption solves many of those problems, but then again, so does tokenization, and both options have their place in an effective cloud information protection program.
Quick Primer on Encryption
Encryption has long been recognized as a powerful tool for securing data (see the cool “A Brief History of Encryption” infographic below!). It uses algorithms to transform specified pieces of information so that they become unreadable until decrypted using cryptographic keys. CipherCloud offers a variety of encryption schemes for different purposes, among them 256-bit AES encryption. Customers always host the keys locally, never in the cloud or with a cloud provider, which makes it a powerful tool for cloud data protection.
Encryption addresses many regulatory concerns. More and more data privacy laws recognize that when data is encrypted and the encryption keys remain in the owners’ hands, a loss of data is actually not a data breach. Even when encrypted data is disclosed, it is unintelligible and useless. In such cases, safe harbor laws stipulate that the enterprises that own the disclosed data are not required to notify the public of the breach. It is only when both the encrypted data and the encryption keys are disclosed that problems arise. Encryption is so secure, in fact, that end-to-end encryption with enterprise control over the encryption key is the most secure and confidential method of protecting corporate data in the cloud.
Overview of Tokenization
Tokenization, on the other hand, secures information in a different fashion than encryption. Rather than using an algorithm to transform data, tokenization replaces the actual data with structurally similar but mathematically unrelated “tokens” before the data leaves the enterprise. The original data and a token mapping table are stored on-premise in a secure database. Tokenization lets enterprises meet the strictest data residency laws while still taking advantage of cloud computing. Much like cloud encryption, tokenization can reduce the regulatory burden on an enterprise. The PCI Security Standards Council has declared that tokenization can reduce an organization’s PCI-DSS scope, provided that the tokenization implementation meets several recommendations. Among those recommendations are:
- Minimal storage of non-tokenized personal account numbers (PAN)
- Minimal amount of system components for storage, processing, or transmission of non-tokenized PAN
- Removal of all PAN from source systems after tokenization
- Tokenization that allows all processing to take place without any further need for access to the PAN
- Combination of tokenization with end-to-end or point-to-point encryption
You May Need Both!
Both encryption and tokenization, therefore, serve critical roles in an overall cloud encryption strategy. CipherCloud provides a number of different encryption and tokenization methods of varying strengths, to suit varying purposes and needs.
Where do encryption and tokenization fit into your overall cloud data protection strategy? Let us know in the comments.