When you’re looking for security and cloud information protection solutions, it’s easy to get overwhelmed. It all comes down to one question:
“How do you manage data in an environment you don’t control?”
One way to get a handle on the landscape is to pay attention to experts who don’t have a stake in any particular vendor or product. That’s why we’re so pleased by Global Identity Foundation chief Paul Simmonds’ recent Raconteur article, “It’s All About the Data, Dummy.” Drawing on his information and identity security expertise, Simmonds’ observations fully validate what we’ve been saying all along.
In the past ten years, the security needs of the enterprise have changed dramatically, Simmonds wrote. De-perimeterization—the need for “corporate data to flow freely outside the corporation’s security perimeter to partners, joint ventures, and a plethora of other bodies with which we did business”—led to a loss of control over sensitive data. The cloud accelerated this trend.
And then Edward Snowden started dropping his bombs.
Revelations about PRISM, the NSA, and government surveillance on both sides of the Atlantic have forced a reevaluation of information security in the cloud era. Thanks to the gag clauses included in surveillance laws, cloud vendors had been promising data security to customers while secretly handing over information at the request of governments. And housing data offshore might not mean a whole lot as long as the cloud provider is headquartered in the country requesting the data.
It’s an alarming situation, but as Simmonds pointed out, there is an answer to the conundrum:
There are solutions out there which allow you to [manage data in an environment you don’t control]. They encrypt your data before it leaves your control and enable you to retain the key, while still letting the cloud provider operate—search and index—that data.
Sound familiar? It should, because that is exactly the approach we’ve taken all along.
When it comes to securing corporate data in third party environments, it’s all about control, and the best way to take control is by encrypting data before it leaves your perimeter and, critically, retaining exclusive control of your encryption keys. That way, no matter who gets a hold of you data—or how—you are the only one who can make it readable. No government agency or other outside party will be able to extract any information from your data unless you give them authorization and access to the encryption keys. Add tight cloud service integration that preserves the functionality of the data while it’s in the cloud, and you’ve got a cloud information protection strategy that allows you to make full use of the cloud without ever losing control of your data.
“Critical to any encryption solution is key ownership,” Simmonds writes. We’ve believed that for some time now, and it’s a great feeling to see other experts agree.
What’s your organization doing to secure your data in the cloud? Tell us your experiences in the comments.