Encryption Key to Compliance Requirements as Companies Move to Cloud
January 25, 2017
The expansion of compliance requirements to data that sits outside a customer’s on-premises environment is inevitable. Is your company ready?
As we start the New Year, security remains a top enterprise concern. And why not? Data breaches are becoming bigger, bolder and more widespread than ever. Thanks to high-profile breaches at Yahoo, AdultFriendFinder, Anthem and Target, to name just a few, more records have been reported compromised in the past 12 months than in the last seven years combined. Moreover, data breaches now go well beyond stealing money – they are being used to influence elections, derail M&A transactions, embarrass corporate and civic leaders and compromise national security.
As civilized, law-abiding citizens, we deserve a level of security that guarantees our data is secure and our privacy is protected. For their part, governments are beefing up regulations that protect their constituents’ private information, and encryption will play a key role in meeting these compliance requirements.
It all started with the State of California and Senate Bill 1386 (SB 1386), which was signed into law in September 2002 and enforced from July 1, 2003. In October 2007, Assembly Bill 1298 (AB 1298) expanded the definition of private information to include healthcare insurance and medical information. Massachusetts passed a similar regulation. These laws require any entity that does business with residents of those states to disclose publicly any breach of unencrypted data, or of encrypted data together with its keys, and to track and investigate each breach incident. The European Union’s General Data Protection Regulation (GDPR), which goes into effect in May 2018, gives this issue a lot of teeth by imposing fines of €20 million or 4 percent of the company’s turnover, whichever is higher, for violations that result in its residents’ data records being compromised. These regulations are forcing every enterprise to re-evaluate where its cloud provider’s data centers are physically located.
But wait, isn’t this counter to the promise of the cloud where one does not worry about where the data is as long as it is accessible when needed?
Control Your Data
There is a very simple way to address this. Encryption, a technique that has been around since the Middle Ages, can help solve it. If the data is encrypted, it really does not matter where it is stored, as it is of no use to a hacker. Interestingly, a consequence of the breach-disclosure laws mentioned above is that a business is under no obligation to disclose a breach if it loses only encrypted data and not the keys along with it. According to the Consumer Loss Barometer from Forbes Insights and KPMG surveys, loss of reputation is the dominant concern for businesses in the event of a breach, even more than the financial losses involved.
Encryption Adoption Challenges
Ah, but here’s the rub. Few companies encrypt their data. The site breachlevelindex.com reports that less than 4 percent of the 5.8 billion records lost since 2013 were encrypted and, therefore, useless to the hacker. Broader adoption of encryption has been stymied because the technology has proven hard to implement, complex to manage and costly in performance. Now, thanks to the power of innovation, newer SaaS or service-model-based encryption solutions are addressing the complexity and performance issues that have plagued traditional encryption solutions. These new and emerging encryption solutions are easier to use and adopt, with minimal DevOps impact. They also improve privacy by ensuring that the keys used to encrypt the data are always controlled by the owner of the data, guaranteeing the security and privacy of the customer’s data. Every relevant messaging application will be end-to-end encrypted, ensuring that only the two parties involved in the communication can decode each other’s messages. Isn’t it time for enterprise applications to embrace this paradigm?
These next-generation encryption solutions are available for early access, and I would urge companies and organizations across the board to consider encrypting records as soon as they are created.