Encryption Protects Sensitive Data
More and more organizations are using the public cloud to store data despite lingering concerns about security. Yet a study by U.K. security firm Thales found that these organizations are not taking basic steps to protect that information. Specifically, more than half of survey respondents admitted that they are not encrypting data in the cloud.
That’s unfortunate because data encryption is a nearly foolproof way to prevent a data breach. Encryption effectively “scrambles” data, which cannot be read without access to the correct encryption key. As a result, encryption can dramatically reduce, if not eliminate, the risk of a costly and embarrassing security breach.
The increasing use of cloud storage is just one of many reasons why organizations need to encrypt data. Encryption is designed to protect so-called “data at rest,” whether it’s stored on in-house systems, portable media such as thumb drives, or mobile devices. Encryption is also used to protect “data in motion” as it is transmitted across networks, sent via email and moved to the cloud.
Organizations in regulated industries have additional incentives to encrypt data. The HIPAA Final Omnibus Rule requires covered entities to notify affected individuals, the Department of Health and Human Services and in some cases the media if there is a breach of unencrypted data. There is also the potential for fines and other penalties under the rule.
But the healthcare sector isn’t the only industry that promotes encryption. Under California’s Security Breach Information Act and similar regulations enacted by more than 20 other states, companies must disclose even suspected security breaches to the media and all customers potentially affected. Encrypted data is exempt, however.
The Payment Card Industry (PCI) Data Security Standard mandates the encryption of stored account information — a rule that potentially impacts any merchant that accepts credit cards. It also requires that merchants follow best practices with regard to encryption key management. PCI DSS 3.0, the latest version of the standard, requires “secure cryptographic key storage,” which generally means that encryption keys must be encrypted themselves.
Easier than You Think
By all accounts, organizations are becoming more likely to encrypt sensitive data. The Thales study found that 39 percent of Software-as-a-Service users encrypted their data in 2013, up from 32 percent in 2011, while 29 percent of Infrastructure-as-a-Service and Platform-as-a-Service users did so, up from 17 percent in 2011.
Still, many organizations continue to operate under the theory that encryption is complicated and makes finding and retrieving information more difficult. There’s also a measure of risk — if the encryption key is lost or corrupted, the encrypted data is lost along with it.
Now, however, there are a number of cloud-based encryption solutions that simplify and streamline the encryption process. Some of these solutions also provide better key management than traditional storage encryption solutions for reduced risk and regulatory compliance.
Recent security breaches serve as a stark reminder of the importance of protecting sensitive data. Encryption can help organizations meet regulatory requirements and prevent a costly and embarrassing security breach. Contact ICG if you need help selecting and implementing an encryption solution.