There has always been a battle between business efficiency and security since the invention of shared compute and data resources. Enterprise risk managers continue to swing the pendulum between business risk and security risk, depending on new demands versus new threats. Today’s enterprises have experienced this pendulum shift as cloud has become more relevant. It is obvious that most enterprises large and small have made the decision to move some — if not all — of their applications and data to the cloud. In lots of cases, enterprise risk teams have determined that the business risk of not leveraging the cloud far outweighs the inherent security risks of the cloud.
With wide adoption of the cloud, it makes sense there has been a dramatic increase in attacks and theft of critical enterprise and personal data. With the increase of malicious behaviors, governments across the globe have strengthened their policies as to enterprise and cloud provider responsibilities to add stronger data security controls, especially for data in the cloud.
As a response to the compliance and security focus, enterprises are looking at various ways to maintain control of their risk while allowing businesses to take full advantage of the flexibility of cloud. There are many ways to protect data including authentication, authorization, monitoring, data loss protection (DLP) and web filtering. These methods are effective but do come with a cost. There is expense in implementing and deploying robust security environments. There is impact on user experience as new ways of consuming applications and data are enforced, including things like delayed or complicated login processes, limited device access and latency in applications. On top of this, most of these solutions can be bypassed through standard phishing and other attack methods.
The biggest factor that increases risk is that data is transient. A single piece of data can reside in multiple cloud repositories, on personal devices, on enterprise devices or in enterprise storage. The challenge becomes overwhelming when a risk team tries to add external controls to the plethora of conduits users’ access application and data.
To address this, many regulations and enterprise policies turn to encryption as a safe and efficient way to protect data. Encryption adds security at the root of the risk, which is not at the client, server, or device layer but rather at the data itself. If data is properly encrypted, it really doesn’t matter where or how the data is accessed.
You probably have questions. In my next blog, I’ll discuss the factors that should be considered in order to determine the right encryption methodology. In the meantime, leave a comment below, check out Thales cloud security page, and/or tweet me @rjkcasl.