Recent cloud computing surveys share a similar tone regarding user perceptions of the technology. While enterprise managers look to cloud as a cost-savings measure, IT professionals are squeamish when it comes to moving sensitive data offsite. Indeed, privacy concerns are leading users to think twice about migrating their applications to cloud services.
Eosensa, a governance, risk and compliance advisory service provider, addresses these issues in a recent report: “Protecting Sensitive Data in the Cloud.”
The authors discuss how various methods of encryption and tokenization can better secure information stored in public clouds. For example, the FIPS 140-2 spec, described by NIST as a strong encryption type, is required for products that use government encryption and is suggested for use on data stored in SaaS applications.
Tokenization is another form of data security that is aimed at answering residency issues, which arise when servers store only a portion of the data. The technique is used to reduce the scope of compliance management and auditing for SaaS applications.
Will these solutions convince potential users of cloud services that their data is safe? What about the prying eye of government?
Earlier this year, HPC in the Cloud wrote about a report published by international law firm Hogan Lovells. The study compared the laws of 10 countries with respect to government access to cloud-based data. While the US was typically considered the worst offender against data privacy, other countries had implemented similar and, in some cases, harsher tactics. These nations included the United Kingdom, Germany, France, Spain, Australia, Canada and Japan, among others.
In every case, the state could require cloud service providers to disclose customer data during the course of a government investigation. Governments also had access to monitor electronic communications sent through a cloud provider’s systems. France stood out for its power to compel encryption service providers to hand keys over to government officials.
While services like Eosensa may assist users with data encryption and compliance requirements, they cannot guarantee a risk-free environment. Their service may even lead users to experience a false sense of security, at least as far as government interception is concerned.
Encryption and tokenization are important methods to increase data privacy, but governments hold the highest authority on the matter. Without new legislation reducing the power of government access to cloud-based data, no vendor can guarantee the security of their clients’ information.