For businesses operating under strict regulatory compliance requirements, having a well-planned cloud information protection strategy is critical to successful cloud adoption. PCI DSS, GLBA, SOX, HIPAA, and HITECH all have something to say about the storage, use, and sharing of sensitive personal information. We spoke with CipherCloud Chief Trust Officer Bob West about the steps every organization should take to ensure cloud information protection for data privacy and regulatory compliance.
1. Perform a risk assessment
Bob West: First of all, you need to perform a risk assessment so you can understand where your assets are and what their value is. What do I have? Where is it located? What is its value? What will be the cost or the consequences to my organization if these assets are leaked? Additionally, you need to understand what your regulatory requirements are and what you have to do to comply with them.
2. Determine what tools to use for cloud information protection
Bob West: Given what you’ve discovered during your risk assessment, you’ll next need to determine what controls and what tools to use to protect your assets. We have encryption, tokenization and DLP tools among others, and a lot of your decision-making at this step will depend on what cloud you’re using. What happens is, you set up some tools to restrict what information can go into that cloud environment. I may have particular data that I don’t want in a specific cloud service, given the type of information that it is and the limitations of the CSP. And some of it I wouldn’t want in there if I weren’t encrypting it. DLP helps provide the controls to enforce those policies.
Salesforce is a different situation. It’s very straightforward, with a database structure, so encrypting information in Salesforce makes a lot of sense.
3. Minimize risk exposure
Bob West: Based on your risk assessment and evaluation of your cloud information protection tools, you can now put particular controls around your data. Sometimes that may not be enough. You have to make the decision about whether you’re minimizing the risk enough for your company; you may have to keep some data out of the cloud. Particularly in financial institutions, there may be systems that are simply too latency-sensitive or too protected to put in the cloud: deposit systems, trading systems, and money-moving systems in general, for example. Other systems, like trade settlement and high-frequency trading, may be too sensitive to latency to move into the cloud.
4. Monitor on an ongoing basis
Bob West: Ongoing monitoring is the last step for cloud information protection. As information changes and regulations change, you must continue to understand the environment, what types of information are acceptable to put in the cloud while remaining compliant with regulatory requirements, and what type of information you are actually putting in the cloud.
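The four steps above can be read as one pipeline: classify what a record contains, look up the control the policy assigns to that class for the destination cloud, refuse the upload when the policy says the data should not go there at all, and log every decision so the picture can be re-checked as regulations and data change. The following is an added, stdlib-only illustration of that pipeline; it is not CipherCloud code and does not describe any CipherCloud product. The field patterns, the `POLICY` table, the cloud names `crm` and `fileshare`, and the sample record are all constructed for the example. The encryption routine is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, used here only so the example needs no third-party package; a production gateway would use an AEAD such as AES-GCM and a managed key.

```python
"""Cloud information protection policy engine (added example, stdlib only).
Step 1 classifies fields, step 2 picks a control per (label, cloud), step 3
keeps data out of a cloud the policy denies, step 4 records every decision.
Record contents, POLICY table and cloud names are constructed for illustration."""
from __future__ import annotations
import hashlib, hmac, re, secrets

# ---- Step 1: find out what you have and how sensitive it is ----
PAN_RE = re.compile(r"^\d{13,16}$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, to avoid labelling every long digit string as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value: str) -> str:
    """Label a field: PAN (PCI DSS scope), SSN (regulated PII), or PUBLIC."""
    compact = value.replace(" ", "").replace("-", "")
    if PAN_RE.match(compact) and luhn_ok(compact):
        return "PAN"
    if SSN_RE.match(value):
        return "SSN"
    return "PUBLIC"

# ---- Steps 2 and 3: choose the control per label and destination ----
# Hypothetical policy: the CRM is a structured store, so encrypt in place;
# card numbers are kept out of the file-share cloud entirely.
POLICY = {
    ("PAN", "crm"): "encrypt",
    ("PAN", "fileshare"): "deny",
    ("SSN", "crm"): "tokenize",
    ("SSN", "fileshare"): "tokenize",
}

# Tokenization: random surrogate with the last four characters kept for
# lookup usability; the vault (on-premises in practice) holds the real value.
VAULT: dict[str, str] = {}

def tokenize(value: str) -> str:
    token = "tok_" + secrets.token_hex(6) + "_" + value[-4:]
    VAULT[token] = value
    return token

def detokenize(token: str) -> str:
    return VAULT[token]

# Encryption: HMAC-SHA256 keystream in counter mode, encrypt-then-MAC, with
# separate subkeys for the two roles. Stand-in for an AEAD such as AES-GCM.
def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(k: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: str) -> str:
    k_enc, k_mac = _subkeys(key)
    nonce, pt = secrets.token_bytes(16), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, nonce, len(pt))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()

def decrypt(key: bytes, blob_hex: str) -> str:
    k_enc, k_mac = _subkeys(key)
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("ciphertext integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct)))).decode()

# ---- Step 4: every decision is logged so the picture can be re-checked later ----
AUDIT: list[dict] = []

def protect_record(record: dict, cloud: str, key: bytes) -> dict | None:
    """Apply POLICY to each field; return the record safe to send, or None if denied."""
    out = {}
    for name, value in record.items():
        label = classify(value)
        action = POLICY.get((label, cloud), "allow")
        AUDIT.append({"field": name, "label": label, "cloud": cloud, "action": action})
        if action == "deny":
            return None                      # step 3: keep this data out of that cloud
        out[name] = (encrypt(key, value) if action == "encrypt"
                     else tokenize(value) if action == "tokenize" else value)
    return out

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    # Constructed sample record; the card number is a well-known test PAN.
    rec = {"name": "A. Customer", "card": "4111 1111 1111 1111", "ssn": "123-45-6789"}
    print(protect_record(rec, "crm", key))
    print(protect_record(rec, "fileshare", key))
    print(AUDIT)
```

Running the block shows the same record treated differently per destination: in the `crm` cloud the card number leaves as ciphertext and the SSN as a vault token, while the `fileshare` upload is refused outright and the refusal appears in `AUDIT`. Reviewing that audit trail against the current regulatory picture is the ongoing-monitoring step; changing a `POLICY` entry is how the engine follows a change in what is acceptable to place in a given cloud.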
Cloud information protection and compliance demand a continued effort, but discovery, protection, and monitoring tools like CipherCloud’s can make it easier.
What best practices do you follow to protect your data and remain compliant in the cloud? Let us know in the comments.