Low-cost data storage, combined with elastic computation and data analytics services, shifts big data deployments from on-premises to the cloud.
By Charl Behrens, Principal technical consultant (security), iOCO Application Management.
Gartner defines data security as comprising the processes and associated tools that protect sensitive information assets, either in transit or at rest. Data security methods include:
- Encryption (applying a keyed cryptographic algorithm so that data is not easily read and/or altered by unauthorised parties).
- Masking (substituting all or part of a high-value data item with a low-value representative token).
- Erasure (ensuring data that is no longer active or used is reliably deleted from a repository).
- Resilience (creating backup copies of data so that organisations can recover data should it be erased or corrupted accidentally or stolen during a data breach).
I agree with this definition, but I would like to add a use case example for businesses that require protection for payment card data on-premises or in the cloud. What they should be seeking is a method that removes the need for storage of cardholder or other sensitive data.
Tokenisation can use a set of static, pre-generated tables to consistently produce a unique, random token for each data value, such as a primary account number; this optimises the speed, scalability, security and manageability of the tokenisation process.
In specific use cases, such as enabling secure and compliant test data management, the ability to recover data may present an unnecessary risk. First prize is a solution that offers full data anonymisation plus a non-disruptive and more flexible one-way, irreversible transformation that enables high performance and data usability.
Simplicity and scalability are also very important, which brings key management (the management of cryptographic keys in a cryptosystem) to the fore. With this approach, keys are derived dynamically as required, with no key database to store, protect, back up or integrate with traditional key management solutions.
Enterprises do not need to manage keys, certificates or databases. This eliminates the hardware, software, IT and personnel processes (all of which come with costs) that are a natural outcome of having to continuously protect key databases on-premises, in off-site backups or in the cloud.
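As an added illustration (not the vendor's product or the author's code) of how table-driven tokenisation can be combined with on-demand key derivation so that neither a token vault nor a key database exists, the Python below derives its digit-substitution tables from a master secret with HMAC and uses them to tokenise the middle digits of a card number. The master secret, the table layout, the chaining scheme and the `pan-v1` label are constructed assumptions for this example.

```python
import hashlib
import hmac

# Constructed demo secret; a real deployment would keep this in an HSM or KMS.
MASTER_SECRET = b"demo-master-secret-not-for-production"


def _digit_perm(master: bytes, context: bytes) -> list:
    """Pseudo-random permutation of the digits 0-9 bound to (master, context).
    Sorting the ten digits by an HMAC tag always yields a bijection, so the
    table can be re-derived on demand instead of being stored."""
    return sorted(range(10), key=lambda d: hmac.new(
        master, context + bytes([d]), hashlib.sha256).digest())

def build_tables(master: bytes, positions: int, table_id: bytes = b"pan-v1") -> list:
    """tables[i][s] is the digit permutation for middle position i in chaining state s."""
    return [[_digit_perm(master, table_id + bytes([i, s])) for s in range(10)]
            for i in range(positions)]

def tokenize(pan: str, tables, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Replace the middle digits of a PAN with a consistent, format-preserving token."""
    if not pan.isdigit():
        raise ValueError("PAN must be all digits")
    middle = pan[keep_head:len(pan) - keep_tail]
    if len(middle) != len(tables):
        raise ValueError("table count does not match the number of digits to tokenise")
    state, out = 0, []
    for i, ch in enumerate(middle):
        d = tables[i][state][int(ch)]  # pure table lookup: no randomness at tokenise time
        out.append(str(d))
        state = d                     # chaining: each output depends on the previous token digit
    return pan[:keep_head] + "".join(out) + pan[len(pan) - keep_tail:]

def detokenize(token: str, tables, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Invert tokenize(); only a holder of the tables (or the master secret) can do this."""
    middle = token[keep_head:len(token) - keep_tail]
    state, out = 0, []
    for i, ch in enumerate(middle):
        d = int(ch)
        out.append(str(tables[i][state].index(d)))  # reverse lookup in the same permutation
        state = d
    return token[:keep_head] + "".join(out) + token[len(token) - keep_tail:]

if __name__ == "__main__":
    tables = build_tables(MASTER_SECRET, positions=6)
    pan = "4111111111111111"  # well-known test card number, not a real account
    tok = tokenize(pan, tables)
    print(pan, "->", tok, "->", detokenize(tok, tables))
```

Because every table is a bijection on the digits and the chaining state is the previous token digit, two PANs that differ anywhere in the tokenised span always receive different tokens, and rebuilding the tables from the same master secret on another host yields identical tokens with nothing to replicate or back up.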
Organisations need complete control over their encryption keys while enabling low-cost, high-performance, highly available data protection that scales to protect the sensitive data of the world's largest financial services companies, telcos, payment processors and other global enterprises and government agencies.
Protecting data and enabling analytics in the cloud
Low-cost data storage, combined with elastic computation and an ever-increasing range of data analytics services, is succeeding in shifting the balance of big data deployments from on-premises to the cloud.
But the external hosting of sensitive data carries additional security responsibilities and serious risks. Under the shared responsibility model, cloud providers will ensure the hardware and software services they offer are secure, but customers are ultimately responsible for the security of their own assets.
While data is being moved to the cloud, it needs to be persistently protected across its life cycle, at ingestion, at rest and while in use. You need to deploy a solution that protects data while ensuring its usability by cloud applications.
With migration to hybrid IT and an increasing reliance on SaaS applications, organisations may not have access to, or the development resources for, API-level integration of their in-house-developed applications. It is therefore important to deploy technology that accelerates the protection of these in-house applications, providing an alternative to API integration and avoiding the need for programming.
Simplifying hybrid IT migration, accelerating time to value by enabling privacy compliance and providing consistency for end-to-end data protection are all crucial issues to consider when selecting protection products and methods.
It is also necessary that the system communicates with Internet Content Adaptation Protocol (ICAP)-capable network infrastructure, such as HTTP proxies, in order to apply security policies to data travelling to and from the cloud. Wherever the protection deployment is located, on-premises or in the cloud, the enterprise needs to retain complete control over the infrastructure without having to share encryption keys with other parties.
High scalability and agility with enterprise data protection and privacy can be achieved by applying a data-centric security approach that aims to protect the data itself, while at the same time addressing the main security challenges in the cloud. In this way, the risks attached to cloud adoption across the spectrum of cloud services that enterprises operate can be mitigated, providing consistent data security for hybrid IT models.
This approach can enable organisations to:
- Accelerate cloud migration with proven data-centric security for safe deployment of applications, data and workloads.
- Enable data privacy compliance in cloud-based analytics, applications and business processes.
- Conduct high-scale secure analytics and data science in cloud data warehouse systems.
- Manage data protection consistently across hybrid IT and IaaS, SaaS or PaaS cloud services, using platform-agnostic solutions for greater flexibility to scale with multi-cloud ecosystems.
- Reduce the risk of cloud-based data breaches and insider attacks in a shared environment.
- Neutralise data breach impacts by rendering data unusable by attackers.
- Remove the requirement for breach notification of affected consumers under regulations such as the GDPR or POPIA.
- Consistently protect data regardless of where it is stored or processed, across the data lifecycle.
The key to safe enterprise migration to the cloud is to embed data security consistently, persistently and seamlessly to span hybrid IT, allowing data to flow securely across environments.