This is our second installment of a three-part series on encryption in the cloud. If you didn’t catch our first blog (Encryption, Meet Cloud. Cloud, Meet Encryption.), read it here.
Corporate data is moving from on-premises infrastructure to the cloud, and security strategy needs to keep up. Conventional security tools, including encryption, need re-examination. Let’s debunk four encryption myths in the age of the cloud.
Myth 1: The Platform is Secure, So Encryption is Unnecessary
Many SaaS application providers secure data at the platform level, often leveraging encryption. However, a secure platform in and of itself isn’t sufficient.
While the majority of SaaS applications employ comprehensive security measures, user behavior introduces a variable. How the platform is used may introduce risk outside of the provider’s control – and security protocols must accommodate that. This is increasingly imperative in the cloud model, where users possess a high degree of control over sensitive corporate information assets – their content, storage location, and accessibility.
File-level encryption offers additional value, including:
- Increasing granularity and control over what needs to be encrypted – and under what conditions.
- Adding another layer of security to your most sensitive data in the event of a breach.
- Introducing the possibility of additional security features, including time-limited access, auditing capabilities, and key
- Tailoring encryption practice based on your own security policy.
- Establishing centralized, policy-driven control across platforms when leveraging a third-party encryption tool.
Myth 2: Ubiquitous Encryption Solves Everything
As mentioned in our earlier encryption blog, encrypting everything is akin to bubble wrapping an entire house, rather than focusing on the fragile items that deserve protection. This tactic is expensive, resource-intensive, and, most notably, unnecessary, as the vast majority of an organization’s data is not sensitive. Painting with such a broad encryption brush has undeniable downsides.
By locking everything down, organizations risk driving user activity underground and losing visibility, as well as control. Additionally, encryption can interrupt native cloud platform functionality, making it undesirable at a global level.
Practice a realistic and selective approach to encryption that secures sensitive data without interfering with the benefits that brought us to the cloud in the first place.
Myth 3: Encryption = Compliance
Some believe encryption to be a shortcut to regulatory compliance. Though encryption is a valuable data governance mechanism to help secure sensitive data and satisfy compliance, it is not a silver bullet solution.
To be compliant, organizations must demonstrate more than just the encryption of sensitive data. For instance, HIPAA regulations require three types of safeguards: technical, physical, and administrative. Encryption with auditing is a great start, but full compliance reaches much further.
Conduct a discovery to take inventory of sensitive data within your domain that is subject to compliance regulations. Then, classify the data to initiate a more comprehensive security plan.
Myth 4: Securing Information is the Sole Responsibility of IT
Traditionally, data security has been the exclusive responsibility of IT, but that is changing. There are two primary reasons for this shift in responsibility: 1) the explosion of data in the cloud makes centralized control difficult and 2) users, more than administrators, are the most informed as to what data is sensitive and warrants encryption.
As users possess an increasing degree of control over this data, make sure to incorporate them in security efforts. Gone are the days of the IT Security versus Users tug of war – we are all on the same team and security has become a shared responsibility. By including users in security efforts, organizations take advantage of an opportunity to educate users and encourage positive corporate citizenship. Inform users with notifications in the event of a policy violation and empower them with the opportunity to self-remediate and take ownership of their own data security.
Don’t touch that dial! Our series finale on encryption in the cloud is right around the corner. In the meantime, get a head start on securing your data in the cloud with our complimentary eBook, Data Encryption in the Cloud: A Handy Guide, featuring encryption best practices, tips and tricks to get started, and more.