
Compliance Challenge for Cloud Computing

The single biggest concern for large organizations looking at cloud adoption is still compliance, according to a new report by cloud security experts CipherCloud. The survey found that among over 100 respondents, 64% saw compliance as the biggest obstacle to full adoption of the cloud. Of the most concerned, a huge 58% said that cloud services violated data protection laws in their country. Another 31% found that internal security policies were broken, while 11% had issues with moving sensitive data outside of their home country.

Writing in CIO, Maria Korolov found that, as a result of data residency laws, there are significant differences in the use of encryption or tokenization by geographical location. Laws applicable in some countries prevent even encrypted data from leaving their borders. Tokenization is a possibility in this situation: data is replaced by random information and mapped back to the original values via a look-up table. However, this approach means less functionality.

Further complicating matters is the fact that not all companies encrypt the same amounts of their data. Often, a customer will start by encrypting everything so they don't have to worry about compliance issues. However, unless the cloud is used only for backup or storage, this approach is often unsustainable.

This makes it important for companies to decide exactly what data needs encrypting and what can be allowed to remain unencrypted. Companies with a good understanding of the applicable regulations often narrow their encryption focus down to just 30 or 40 data fields. However, exactly which fields these are varies depending on the industry in question.

For example, in the healthcare industry, 100% of companies encrypt or tokenize electronic health information while only 65% protect “business sensitive” information, and only 30% protect user-generated content like web comments or community discussions.
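The field-level tokenization described above, and the loss of functionality that comes with it, can be seen in a small sketch. This is an added example, not code from the report or from CipherCloud; the field names, the `tok_` prefix, the sample records and the choice of which fields are sensitive are all assumptions made for illustration.

```python
import secrets

# Assumption: the fields a regulation-aware review decided must be protected.
SENSITIVE_FIELDS = {"patient_name", "diagnosis"}

class TokenVault:
    """Look-up table that never leaves the home jurisdiction."""

    def __init__(self):
        self._by_value = {}  # (field, value) -> token
        self._by_token = {}  # token -> original value

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            # The token is random, not derived from the value, so nothing
            # about the original can be computed from it outside the vault.
            token = "tok_" + secrets.token_hex(8)
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]  # same value -> same token (equality survives)

    def detokenize(self, token):
        return self._by_token[token]

def protect(record, vault):
    """Copy of a record that is allowed to be sent to the cloud service."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def restore(record, vault):
    """Reverse the mapping; only possible where the vault is reachable."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def cloud_prefix_search(rows, field, prefix):
    """What the cloud side can do alone: match on the values it stores."""
    return [r for r in rows if str(r[field]).startswith(prefix)]

def demo():
    vault = TokenVault()
    records = [  # constructed sample data
        {"patient_name": "Alice Moreau", "diagnosis": "asthma", "comment": "great clinic"},
        {"patient_name": "Bob Tan", "diagnosis": "asthma", "comment": "long wait"},
    ]
    cloud_rows = [protect(r, vault) for r in records]
    return vault, records, cloud_rows
```

Equality matches on a tokenized field still work in the cloud because identical values share a token, but prefix search and sorting on that field do not, while the unprotected `comment` field keeps full functionality.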