Data ownership principles in the cloud

By Staff Writer, ITWeb
Johannesburg, 09 Apr 2014
Cloud solutions have to be secure, says MD of Global Micro, JJ Milner.

Risk-conscious organisations should be able to take advantage of all the benefits the cloud has to offer, while still maintaining full service functionality and independently securing their cloud data, says MD of Global Micro, JJ Milner.

"Cloud solutions have to be secure, and have to offer organisations control over their own data security," he says. "While cloud providers should offer assurances and service level agreements, it is also important for their clients to be able to have control over and confidence about any security measures that are in place."

Milner states that a number of principles apply in shaping any organisation's approach to data ownership in the cloud.

"Firstly, persistently protect your information. Just like matter, data exists in three states: in transit, at rest and in use. In order for enterprise data to be secure, it has to be protected persistently in all three states," he says. "If the data is not encrypted in use (that is, while being processed by a cloud service provider), it is exposed and, therefore, vulnerable. Current end-user best practice, as defined by the Cloud Security Alliance, now also mandates encryption in use for data hosted and processed at a cloud service provider."

Milner also points to the principle of "control the keys, control the data", saying it is a simple fact that the person or entity that controls and manages the encryption keys has effective control over the data.

The customer by definition is no longer in control of their data if it is the cloud service provider that holds the encryption keys.

"Also, with direct control of the encryption keys, businesses can maintain their responsibility for compliance requirements for adequate data protection safeguards, address data residency and privacy regulations for data stored and processed in the cloud," he adds. "They can also respond directly to government and law enforcement subpoenas for cloud data, and implement and enforce best practices for securing and governing cloud data."

According to Milner, encryption must be transparent to employees and simple to manage. Encryption must operate automatically in the background and not require individual employees to do anything different. In other words, he says, encryption should NOT require people to determine whether a specific e-mail should be encrypted or to take additional steps to send or receive messages.

"The encryption solution should integrate into your existing IT environment as well as into the target service such as Office 365 and interoperate with existing security, management and IT solutions such as anti-virus, e-mail hygiene, archiving and identity federation," notes Milner. "100% of e-mails must automatically be encrypted with a validated encryption scheme - not deterministic word-level encryption."

Lastly, Milner believes encryption must be affordable and cost-effective, remarking that enterprises move to the cloud to gain cost efficiencies and flexibility. Encryption pricing must be affordable and preserve the value proposition of migrating to the cloud.

"By thinking through these principles and challenging your cloud provider to deliver the necessary solutions, while not hampering functionality, your organisation can take the next steps into the cloud with the confidence that your security is not being left to chance," concludes Milner.