In the first part of our Encryption and Tokenization blog post, we focused primarily on encryption, the process by which data can be encoded such that it becomes unreadable to anyone without the corresponding encryption key. Today, let’s talk more about tokenization.
Check out the 10-Minute video excerpt above from one of our most popular webinars – “Demystifying Cloud Encryption (and Tokenization) and read on for all the info you need.
Should I use encryption or tokenization?
Can I set security at the field level?
Will my database accept encrypted data?
Can I search encrypted data?
What’s the most secure?
What’s the easiest to implement?
What do I need for compliance?
Compared to encryption, tokenization is a newer technology. The process is different: instead of encoding data, tokenization actually replaces the data itself with a “token” value. The data itself is securely stored within the enterprise’s perimeter, and only the token is transmitted. In several ways, tokenization is helpful to organizations dealing with compliance requirements. One of the most important ways is that it reduces your cloud-related PCI DSS and HIPAA scope by drastically limiting the amount of protected data that is to be sent outside of your own data center.
Encryption and tokenization both play vital roles in a compliance strategy. As with encryption, however, tokenization has its pitfalls. Let’s examine a couple, as well as the best practices that address them.
Pitfall: Allowing a third party to handle tokenization off-premises
Vendors exist who offer tokenization as a service. Using such vendors means handing over your sensitive data to a third party and trusting them to secure that data in their own data centers. Think about it for a moment. Does that sound like a good way to reduce your risk of a data breach? Or does it sound like a loss of control over precisely the data that you most need protected?
Best Practice: Tokenize, but on your own premises
If control is what you’re looking for—and since you’re working towards a solid encryption and tokenization strategy, I assume it is—then tokenize, yes, but tokenize in-house, so that you retain full control over your sensitive data. CipherCloud ensures your data sovereignty and security by enabling you to store your data locally in a JBDC-compliant data base. Never letting your kids leave the house might be overprotective, but the same isn’t always true of your data.
Pitfall: Tokenizing too much, or not enough
Convinced of the value of tokenization? That’s great, but remember that both encryption and tokenization have a place in your overall cloud information protection and regulatory compliance strategies. Tokenization requires the separate storage of data within your data center, and overuse means excessive consumption of that storage resource.
Best Practice: Only tokenize what you need
Encryption and tokenization are both great. To take full advantage of these powerful technologies, you must apply each of them where they are most appropriate, at a granular level. That’s why CipherCloud offers a wide range of both encryption and tokenization options and gives you the ability to mix and match those options on a per-field basis. This approach gives you full control and the best of both worlds when it comes to securing your enterprise’s sensitive data.
- On-Demand webinar – “Cloud Encryption 101: Understanding the Basics“. Listen in and learn about: How cloud encryption technologies work; Case studies on how and why organizations are using these technologies, plus a demo of cloud encryption technologies in action!
- Free eBook/evaluation guide: “What You Need to Know About Cloud Information Protection Solutions” – Let’s face it – many of us are skeptical about the security of our information in the Cloud.
This evaluation guide includes a handy “report card” and 5 critically important business and technical considerations you will want to understand.
- Blog post – “Cloud Information Protection: Asymmetric vs. Symmetric Encryption”
How does your business use encryption and tokenization? Tell us about your experiences in the comments.