The number one concern that organisations have about putting their sensitive data into the cloud is security. There are four core principles that provide confidence in cloud data ownership and security.
Risk-conscious organisations should be able to take advantage of all the benefits the cloud has to offer while still maintaining full service functionality and independently securing their cloud data.
Cloud solutions have to be secure, and have to offer organisations control over their own data security. While cloud providers should offer assurances and SLA’s, it is also important for their clients to be able to have control over and confidence about any security measures that are in place.
Here are five core principles that should shape any organisation’s approach to data ownership in the cloud.
1. Persistently protect your information
Just like matter, data exists in three states: in transit, at rest and in use. In order for enterprise data to be secure, it has to be protected persistently in all three states. If the data is not encrypted in use (that is, while being processed by a cloud service provider), it is exposed and therefore, vulnerable. Current end-user best practices, as defined by the Cloud Security Alliance, now also mandates encryption in use for data hosted and processed at a cloud service provider.
2. Control the keys, control the data
It is a simple fact that the person or entity that controls and manages the encryption keys has effective control over the data. The customer by definition is no longer in control of their data if it is the cloud service provider that holds the encryption keys.
With direct control of the encryption keys, businesses can:
- Maintain their responsibility for compliance requirements for adequate data protection safeguards,
- Address data residency and privacy regulations for data stored and processed in the cloud,
- Respond directly to government and law enforcement subpoenas for cloud data, and
- Implement and enforce best practices for securing and governing cloud data.
3. Encryption must be transparent to employees and simple to manage
Encryption must operate automatically in the background and not require individual employees to do anything different. In other words, encryption should NOT require people to determine whether a specific email should be encrypted or to take additional steps to send or receive messages.
For IT and Security:
The encryption solution should integrate into your existing IT environment as well as into the target service such as Office 365 and interoperate with existing security, management and IT solutions such as anti-virus, email hygiene, archiving and identity federation. One-hundred percent of emails must automatically be encrypted with a validated encryption scheme – not deterministic word-level encryption.
4. Preserve application functionality
Encryption in use should not compromise the application’s functionality and critical server-side processes such as search, sort and index must continue to work, including the ability to support full Outlook client and server features such as tasks, calendaring and delegation through complete MAPI session proxying.
5. It must be affordable and cost effective
Enterprises move to the cloud to gain cost efficiencies and flexibility. Encryption pricing must be affordable and preserve the value proposition of migrating to the cloud.
By thinking through these principles and challenging your cloud provider to deliver the necessary solutions, while not hampering functionality, your organisation can take the next steps into the cloud with the confidence that your security is not being left to chance.