Storing And Securing Data Across Borders

Though the cloud brings with it fantastic advantages in terms of agility and cost savings, the issue of accountability for data security and data governance remains entrenched in the business agenda. As data multiplies and becomes increasingly dispersed across cloud-based applications, many firms are finding it difficult to pin-point where their data is held or whether their business documents or records have been transferred or duplicated by their own personnel or third parties.

Today’s businesses must take decisive action to secure and control access to data in order to not only avoid falling hapless victim to a data breach, but to also maintain regulatory compliance. Moreover, with the increased demand for transparency following security breaches and tougher monetary penalties for data protection negligence, the pressure to avoid any sort of privacy infringement has never been greater.

Cloud computing does not change the fundamental principles of information security. As guidelines from the ICO attest, even if data resides on a shared infrastructure or has been outsourced for processing, the cloud does not absolve organisations of their data protection responsibilities. Unfortunately, more and more organisations find themselves at odds trying to implement a security solution that effectively protects their data in the cloud while still serving to satisfy a plethora of data protection regulations across the countries they operate in.

Navigating the stipulations of intricate legislation such as the USA PATRIOT Act and EU Data Protection Directive is further exasperating concerns for international businesses that wish to take advantage of the business benefits of cloud computing, but cannot afford to take the risks associated with non-compliance.

Unfortunately, as recent high-profile data breach incidents reveal, a lack of understanding of the nature of the data held and awareness around what constitutes effective data security is still a large problem among today’s businesses. Organisations must first work through the laborious task of data discovery and classification in order to understand the resources that are being deployed to the cloud. From here a business can identify which data reserves are of value to the business and thus attractive targets for cybercriminals.

Most importantly, this can reveal whether some of this information being processed is subject to regulatory compliance. As data volumes swell in the cloud model and management complexity ensues, this intelligence gathering process will provide key insight into how the businesses’ privacy policies need to be crafted.

Optimal governance and security of data can be achieved through the implementation of a layered, ‘defence-in-depth’ approach, within which encryption and key management is crucial. This combination can serve to ‘lock down’ data and maintain control in multi-tenant environments and, by proxy, curb the undesired migration of data across jurisdictions. By extending encryption to the cloud, and by holding keys on premise, the host organisation can be assured that they, and no one else, controls access to that data.

Of course, no one company can foresee the multifarious threats that threaten their organisation, but establishing a separation of duties based on employee-function or user-risk analysis can create a secure confine within which interaction with data can take place, therefore reducing the risk of internal data compromise. By introducing encryption to this mix, the business builds a barrier as close to the data as possible, ensuring that both ‘structured’ or ‘unstructured’ data is protected.

Such a process limits data movement and data interaction as two sides of the same coin. By rendering the data useless in the hands of anyone unauthorised to access it further reduces the risk of fraud. Ultimately, by approaching cloud security in this way businesses can capitalise on the benefits of cloud computing without running a compliance gauntlet.

Paul Ayers, VP EMEA, leads Vormetric's channel programme in EMEA. He was previously sales director for PGP Europe and senior sales director for Northern Europe for PGP Corporation until its acquisition by Symantec.