Prime Factors Blog

Why Your Current Cloud Protection Methods Likely Aren't Enough

Posted by Pete Flagella on Oct 4, 2016 10:00:00 AM


The cloud has exploded in popularity, and companies of all kinds are realizing how much time and money they can save by letting someone else take the reins with regard to maintaining servers and storing information. However, talk to those in the computer industry and they may not exhibit universal support. When even Apple's cloud can be hacked to release private photos and messages, it is obvious that no company is immune from these types of threats. It's the main reason businesses choose not to utilize the cloud — the leaders do not feel comfortable relinquishing control over the security of their information to anyone else. There is such a thing as effective cloud management though, and there are ways to protect information that a decision maker wouldn't want to release under any circumstances. It all starts with understanding the basics of encryption and key management. Learn more about the major problems with storing data in the cloud and the most effective solutions to mitigate the dangers.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

Defining the Problem

Like virtually any technology, the cloud is not guaranteed to protect information. However, just because the cloud isn't 100% secure, it doesn't mean there is no value in the service. Companies that perform their own data management often waste money and resources running servers of their own that only perform a few key functions. The cloud is popular because it allows companies to store a variety of digital information without having to figure out the logistics of keeping it organized — a process that gets more complicated every year. Companies like Amazon have already proven that they have the resources and staff to run huge networks of servers, storing everything from credit card numbers and top-secret company news to your aunt's blog.

But such a trove of valuable information is that much more attractive to a sophisticated hacker. It also means you're vulnerable to the mistakes of the separate entities who might happen to share your server. When you share server space with other companies, you can be affected by their fraudulent or poor business practices. If a hacker infiltrates the website of a company that shares your server, they may gain access to your information, which means they can infiltrate your network as well. Because the cloud is all about who's gaining access to what, it's worth knowing that this method is not fail-safe (and likely won't be anytime soon).

To add to these concerns, companies that work with sensitive data like PHI or PII and need to comply with HIPAA or PCI DSS rules will be penalized with fines should that information be stolen. While cloud providers may bear part of the responsibility under extreme circumstances, it's the responsibility of the businesses to employ approved methods to stay within bounds of federal regulations. Companies in the cloud must also combat human error. Employees won't necessarily treat company data with as much respect as they should, either because of an isolated mistake or because their training has not been sufficient. Breaches are most commonly caused by mistakes like these, and these mistakes are often a symptom of a larger problem. Additionally, as information grows more valuable, employees have more reasons to take advantage of their status and privacy permissions, which means companies need to be extra careful.

Striving for the Solution

Fortunately, there are ways to ensure that the data from your company will be protected — even though the cloud is public. Encryption is hailed by practically everyone as the way to keep cloud information safe from dangerous hacks. It complies with all federal regulations laid out for data security and it is recommended for businesses of all shapes and sizes. Because hackers are after not just financial information but medical and demographic information as well, no one is really safe. Should there be a successful breach on the public cloud where your information is stored, encryption ensures there is no way for a hacker to decrypt it without the keys, meaning they'll move on to the other companies who happen to have data on that same server.

It all starts with having key management that is flexible enough to work with your company. When businesses cannot keep track of which employees are keeping the keys safe, they need to rethink how they are structuring employee responsibilities and roles. Whether a company has several employees or just a few, there needs to be a clear division of roles within the company and a set standard for how the information is handled. The keys unlock the information that is valuable enough for you to hide, so the keys need to stay out of the hands of the cloud service provider in case that cloud is compromised.

There is great responsibility and accountability for those managing the keys and it can feel like a no-win situation that very few people would want. However, key management can be streamlined and simplified with the right encryption solution. For example, Prime Factors’ EncryptRIGHT allows you to manage all of your keys for different development environments and gives you the choice to implement encryption, tokenization, or both. Depending on your needs, you can safely embed both the encryption and key management services into the application, so that you can keep the keys within the cloud without the threat of them being stolen. You can also leverage your hardware security module (HSM) should you wish to keep the keys on-premises while still utilizing encryption within the cloud. Prime Factors’ HSM Surveyor offers real-time monitoring regardless of your HSM vendor.

If you're comfortable keeping certain data within the cloud but still need a method to store information deemed too sensitive to move into a public domain, you may want to consider tokenization. Tokenization will replace the sensitive data with random characters, making the real data impossible to obtain. Tokenization lets you keep the information in-house, in a manner of speaking, so you're no longer subjected to the possibility of another company or cloud service provider potentially compromising it.
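The tokenization model described above, sketched as an added example (not code from this post or from any Prime Factors product). The `TokenVault` class, `prepare_for_cloud` function and the sample card number are hypothetical and constructed for illustration; the vault is assumed to run on-premises, so only tokens ever reach the cloud.

```python
import secrets
import string


class TokenVault:
    """Hypothetical in-house vault: the only place a token maps back to real data."""

    def __init__(self):
        self._by_token = {}  # token -> real value (stays on-premises)
        self._by_value = {}  # real value -> token (repeat values reuse one token)

    @staticmethod
    def _random_like(ch):
        # Keep the shape of the data (digits stay digits, separators stay put)
        # so downstream systems that expect the format still work.
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isalpha():
            return secrets.choice(string.ascii_letters)
        return ch

    def tokenize(self, value):
        if not any(ch.isalnum() for ch in value):
            raise ValueError("nothing to tokenize in value")
        if value in self._by_value:
            return self._by_value[value]
        for _ in range(1000):  # bounded retries: collisions are rare but possible
            token = "".join(self._random_like(ch) for ch in value)
            if token != value and token not in self._by_token:
                self._by_token[token] = value
                self._by_value[value] = token
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        # The token is random, not derived from the value: without this
        # lookup table there is nothing to decrypt or reverse.
        return self._by_token[token]


def prepare_for_cloud(records, vault, sensitive_fields):
    """Return copies of records with sensitive fields replaced by tokens."""
    return [
        {k: vault.tokenize(v) if k in sensitive_fields else v for k, v in r.items()}
        for r in records
    ]


# Constructed sample record; the card number is a made-up test value.
SAMPLE = [{"customer": "A. Example", "card": "4111-1111-1111-1111"}]
```

Because tokens are drawn at random rather than computed from the data, protecting the vault's mapping table takes the place of protecting an encryption key.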

It's important to remember that best security practices involve more than just encryption software when working in the cloud. To truly round out your plan, your company should be monitoring all those who come into contact with the keys and the cloud. There should be a systematic procedure to identify and handle threats, and a process to select those individuals who will maintain the day-to-day tasks. For example, when updates are available for the encryption software, it should be clear who should be ensuring all updates are performed correctly and on time. That hierarchy of who is in charge of what should be disseminated widely so there is no question about the rules.

Between encryption, tokenization, and raised awareness, you can address practically every fear about having information moved off site. By empowering your team and company with more security standards like automated key management, encryption, easy-to-use software, and training, you can rest easier when it comes to having your information in the cloud.




Topics: Enterprise Data Protection, encryption