Seven Critical Criteria for Cloud Data Encryption

Uploaded on 2015-06-16 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

cloud-lock_futundbeidl.jpeg?quality=80&strip=all&w=640

Encrypting the huge number of data files stored in a public cloud today is like bubble-wrapping an entire house. Better to focus on the fragile items that matter.
The unprecedented level of access points into corporate domains leaves information security professionals turning to a number of data protection methods. Encryption has been a primary instrument in the information security toolkit for decades, but requires reevaluation in the face of the digital transformation we are witnessing today.
Encryption, in its traditional form, is a resource-intensive endeavor that often creates nearly as many challenges as it solves. Forward-thinking enterprises looking to leverage modern technologies have an opportunity to redefine their data protection strategy and, in the process, evolve security from a necessary safeguard to a business enabler. To accomplish this, seven critical encryption criteria must be considered.
 

Criterion 1: Exercise discretion?It’s time to think of our old friend, the 80/20 Rule. Ask yourself what percentage of data within your organization is truly sensitive? More likely than not, the vast majority of your company’s information could appear on a billboard in Times Square with minimal impact; the planning document for Todd’s birthday party does not need to be encrypted.
Ubiquitous encryption can interrupt application function, particularly reporting and search functionality and this is an issue that compounds in today’s highly integrated cloud model. A discretionary and selective approach to encryption secures sensitive data without interfering with the benefits of emerging technologies.
 

Criterion 2: Align with corporate security policy?There’s no need to start from scratch when you develop guidelines to determine when encryption makes sense. Consult existing security policy within the organization to assess what sensitive information may exist within your environment and use this knowledge to build a foundation for your encryption strategy. Don’t forget to consider internal and external compliance regulations relevant to your business.

Criterion 3: Automation-ready encryption?Once a consensus is reached as to which circumstances warrant encryption, it’s time to take action. Leverage security technologies to identify sensitive content within the enterprise, and use encryption as a remediation tool for especially risky incidents. By automating this process, security teams stand to rapidly mitigate the potential of inappropriate data exposure in an intelligent and content-aware manner – and make a tangible impact on organizational security posture.

Criterion 4: Factor in the human element?Now more than ever before, security initiatives must factor in the needs of end users. If a corporate security program interferes with typical user workflows or is too invasive (agents are out of the question), employees will circumvent corporate systems and leverage the endless alternatives made available to them via readily accessible SaaS applications and, if need be, the opportunity to bypass the corporate network entirely thanks to BYOD.
 

Criterion 5: The cloud is everywhere.?The question is no longer when organizations are adopting cloud technologies, it’s how. When was the last time you went to an office supply store and bought software in a physical box? It’s okay, I can’t remember, either.
The challenges associated with encryption in the cloud are owed to three phenomena: the explosion of data in the cloud, the expectations of the modern user, and the criticality of preserving native cloud functionality. From 2014 to 2015, we have witnessed 10x growth in the number of files stored in public cloud applications. Encrypting such a high volume of data is analogous to bubble wrapping an entire house rather than focusing on the fragile items that matter.
Meanwhile, security leaders are beginning to understand individuals are leveraging cloud technologies in their business and personal lives, leading to a more efficient, collaborative, and mobile way of life. Users are accessing SaaS applications both inside and outside of traditional corporate networks. And finally, as we have already discussed, non-discretionary encryption can introduce complications in the cloud in the form of broken search and reporting functionality.
 

Criterion 6: Adaptive architecture?It follows, therefore, that contemporary encryption strategies must be compatible with the cloud-first mentality many organizations are adopting to enable their workforce with the best tools available. To that end, hardware-dependent encryption gateways or solutions requiring traffic rerouting and network reconfigurations have been rendered ineffective and non-preferential. (Disclosure: Cloudlock is one of many vendors in the market that offer a cloud-focused encryption solution.)
Network devices associated with the traditional on-premises encryption model introduce a single point of failure and lack the scalability, ease of deployment, and mobile / cloud compatibility that has become the new standard. Additionally, they miss the growing volume of cloud-to-cloud traffic that never traverses the corporate network, i.e., a file sync and share application integrating with a CRM.

Criterion 7: Encryption is just the beginning?While the security value of encryption is substantial, security professionals must avoid the seductive appeal of relying solely on encryption. Complement encryption strategy with additional best practices for a holistic security program.

Rather than treating users as an adversary, convert them to security ambassadors and allies. Engage in an ongoing dialogue with users to ensure their needs are understood while creating an opportunity to communicate the objectives and value of your organizational security strategy. You might even get them to remove Todd’s Social Security number from that birthday party planning document.
Adeptis:  http://bit.ly/1MEAaIf

« Dark Web Drug Dealers Specialised in ‘party packs’
‘Don’t Risk IT – Cyber Secure IT’ »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BigID

BigID

BigID is redefining personal data protection and privacy. BigID software helps companies secure their customer data & satisfy privacy regulations like GDPR.

Subgraph

Subgraph

Subgraph is an open source security company, committed to making secure and usable open source computing available to everyone.

CSIRT-CY

CSIRT-CY

CSIRT-CY is the National Computer Security Incident Response Team for Cyprus.

Alsid

Alsid

Alsid helps corporates to anticipate attacks by detecting breaches before hackers can exploit them.

OcuCloud

OcuCloud

OcuCloud protects businesses' valuable information in the cloud, preventing security breaches caused by employees and remote vendors.

MrLooquer

MrLooquer

MrLooquer provide a solution to automatically discover the assets of organizations on the internet, determine the level of exposure to attacks and help to manage risk accurately.

Lightship Security

Lightship Security

Lightship Security is an accredited Common Criteria and FIPS 140-2 IT security testing laboratory that specializes in test conformance automation solutions and IT product security certifications.

Macquarie Telecom Group

Macquarie Telecom Group

Macquarie Telecom is Australia's datacentre, cloud, cyber security and telecom company for mid-large business and government customers.

Cybots

Cybots

Cybots is a multinational cyber defence brand founded in Singapore in 2018 to help organizations stay ahead of increasingly sophisticated threats from cyber criminals.

Protecto

Protecto

Make privacy and governance effortless. Brakes allow you to drive faster. Stronger data privacy and security enable companies to unlock the full potential of the data.

Prescott

Prescott

Prescott acts as your guiding light in the preparation for your CMMC assessment and long after by governing your cybersecurity practice.

BLOCX

BLOCX

BLOCX is designed to address the ever-growing challenges of managing and securing digital devices, from personal computers to corporate networks.

Teal Technology Consulting

Teal Technology Consulting

TEAL Technology Consulting is your trusted advisor for all your information security needs.

Gcore

Gcore

Gcore is an international leader in public cloud and edge computing, content delivery, hosting, and security solutions.

SUCCESS Computer Consulting

SUCCESS Computer Consulting

SUCCESS Computer Consulting is a leader in managed IT and security services for small and medium-sized businesses in Minneapolis, St. Paul, and the surrounding Twin Cities Metro area.

enQase

enQase

enQase offers security beyond PQC; the only comprehensive, scalable solution that utilizes enhanced quantum technologies to protect data against current and future quantum threats.