The phrase alone is often enough to make a financial services company CISO’s knees tremble. When you’re already dealing with the demands of the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), the Federal Information Security Management Act (FISMA), the Gramm-Leach-Bliley Act, or any of a number of other data privacy and residency laws, adding the cloud to the mix can be terrifying. And robust cloud data protection is absolutely necessary to remaining in compliance.
different regulations require is due to the way regulations lag behind technological innovations, as J. Nicholas Hoover pointed out in the Journal of Business & Technology Law. “Few of the many regulations that govern broad aspects of American corporate life have been updated to address the unique concerns about data privacy and security implicated by cloud computing,” he wrote, adding that “this leaves businesses with little choice but to resort to guesswork in their understanding of how regulations apply to their use of cloud computing services.”
It’s that guesswork that seems most daunting. There is some good news, though: cloud data protection doesn’t have to be as hard as it may appear. Here are three reasons why.
1. Ultimately, cloud data protection is up to you.
Yes, you read that right. Ultimately, “it’s your data and…you are responsible for it; you have to remain in control at any given stage,” as a ComputerWeekly.com podcast observed. And that’s a good thing.
But why is it a good thing? Well, it’s quite simple. When you recognize the fact that you are the ultimate arbiter and hold ultimate responsibility for the security of your data in the cloud, then the complexities of individual SLAs and various cloud service providers’ claims of compliance start to matter much less than they seem to at first glance. Taking control of your own data and keeping access to that data in the clear strictly within your own organization means you won’t have to worry about whether your cloud service provider is actually following through on their promises of cloud data protection. Responsibility is, in this case, liberating.
2. Readily available encryption schemes and key control simplify compliance
So you’ve accepted the responsibility of protecting your enterprise’s data in the cloud. What next?
Encryption is next. Encryption comes in various flavors, including strong AES 256-bit encryption and CipherCloud’s Searchable Strong Encryption, and encryption, when applied appropriately, can not only put you in compliance with many regulatory requirements, but can also protect your enterprise against data breach notification requirements should your data get out.
“Encryption renders sensitive data meaningless to attackers and exempts organizations from data breach notification to customers,” according to IBM Data Magazine: if data isn’t readable, then its disclosure isn’t considered a breach. This is known as safe harbor, and many regulations, such as PCI-DSS and the EU’s Privacy Directive, acknowledge that. Is your data encrypted? Does your enterprise retain exclusive control of the encryption keys? If you can answer yes to both, then you can consider yourself well on your way to a cloud data protection strategy that satisfies your particular regulatory environment.
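The two questions above (is the data encrypted, and does the enterprise alone hold the key?) come down to encrypting before the data ever leaves your control. The Go program below is an added illustration written for this post, not CipherCloud’s code or its Searchable Strong Encryption: it uses AES-256-GCM from the Go standard library, keeps the key in an `EnterpriseKey` value that never leaves the enterprise, and uploads only the output of `Seal`. The account string and the in-memory key are constructed sample values; a real deployment would hold the key in an HSM or an on-premises key manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EnterpriseKey is a 256-bit AES key that stays inside the enterprise.
// The cloud provider only ever receives the records produced by Seal.
type EnterpriseKey [32]byte

// NewEnterpriseKey generates a random 256-bit key. (Constructed for this
// example; production keys belong in an HSM or on-premises key manager.)
func NewEnterpriseKey() (EnterpriseKey, error) {
	var k EnterpriseKey
	_, err := io.ReadFull(rand.Reader, k[:])
	return k, err
}

func newGCM(key EnterpriseKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// This record is what gets uploaded; without the key it is meaningless bytes.
func Seal(key EnterpriseKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; never reuse a nonce under the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// GCM appends the authentication tag; prepending the nonce makes the
	// stored record self-describing.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It returns an error if the key is wrong or if the
// stored record was modified, so a tampered or mis-keyed record is rejected
// rather than decrypted into garbage.
func Open(key EnterpriseKey, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short to contain a nonce")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	key, err := NewEnterpriseKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; in practice this is a field of a cloud app.
	record, err := Seal(key, []byte("account=1234-5678 balance=42.00"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in cloud: %x\n", record)

	plain, err := Open(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("read back with enterprise key: %s\n", plain)

	// A provider (or an attacker who copies the provider's storage) holding a
	// different key gets an authentication failure, not a partial plaintext.
	otherKey, _ := NewEnterpriseKey()
	if _, err := Open(otherKey, record); err != nil {
		fmt.Println("without the enterprise key:", err)
	}
}
```

The important design point for the safe-harbor argument is where `Open` runs: inside the enterprise, with a key the provider never sees. If the provider could call `Open`, the data would not be "unreadable" in the sense the breach-notification exemptions require.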
CipherCloud’s platform offers enterprises a unified solution for securing data in the cloud in a manner that complies with a broad range of data privacy and residency regulations. Encryption and key control are key tenets of our philosophy; used effectively, they can greatly simplify secure cloud deployments and keep your organization safe.
What issues complicate your cloud security strategy? Let us know in the comments.
- Free white paper – “Best Practices for Cloud Information Protection in Financial Services” – How 5 banks complied with 10 laws in 20 countries with 1 solution
- On-demand webinar – “Financial Services and the Cloud – Solving the Security Dilemma”