Credit card details, sensitive medical records, salary information – these are just some of the personal details customers are handing over to businesses every day, with an expectation that they’ll take good care of it. Yet one of the biggest challenges that organisations face when securing data is simply knowing where to find it.
Research shows this is getting harder rather than easier. A growing number of businesses highlight keeping track of where sensitive data resides as their biggest data encryption challenge – rising from 50 per cent to 62 per cent during the past three years, according to the latest Global Encryption Trends Study Australia by the Ponemon Institute, commissioned by Thales.
The rise of multi-cloud is a major contributing factor. The study found more than half of respondents (53 per cent) transfer sensitive or confidential data to the cloud and a further 25 per cent plan to do so within the next two years.
IDC’s FutureScape Worldwide Cloud 2017 predictions suggest more than 85 per cent of enterprise IT organisations will employ a multi-cloud strategy by the end of this year. Chasing improved performance, reduced costs and a way to avoid the downsides of vendor lock-in, multi-cloud is becoming the new norm.
This shift and the associated data sprawl coincides with rising customer awareness and expectations about the protection of personal data. Regulatory requirements – like the notifiable data breach scheme and Europe’s GDPR – are only making it more important that businesses do right by their customers.
Securing data is good business sense for more reasons than just regulation. According to an Accenture study covering 25,000 consumers in 33 countries, 87 per cent of people believe it’s important for companies to safeguard their data, 73 per cent are frustrated that they can’t trust companies to look after their personal data and 58 per cent would switch their spending to businesses that do a good job of balancing trust and personalisation.
Security is a major selling point of moving to the cloud. It’s no lie that giants like Amazon Web Services, Google and Microsoft have far more resources to throw at the challenge than the companies using their services. However, whoever owns the encryption key has the key to the kingdom.
Control is fundamental. Yet those who decide to encrypt without a unified, enterprise-wide encryption strategy end up with a multitude of keys. Per the Australian Global Encryption Trends Study, almost two-thirds (63 per cent) say the management of keys is painful. Almost half (49 per cent) are using manual processes like spreadsheets or paper-based systems to keep track of encryption keys. All of which complicates the initial reasons for moving to the cloud – the ability to gain agility and efficiency while outsourcing IT management complexity.
Plan for the worst
There’s good news and bad. The bad news is that it’s advisable to expect the worst. Your data is vulnerable. We encourage businesses to take the view that at some point data will fall into the wrong hands – whether through hacking or misuse of power by someone with privileged access. Encrypting this data avoids exploitation.
The good news is that ensuring data is unreadable when this happens doesn’t have to be difficult. By implementing enterprise-wide encryption strategies rather than siloed deployments, and by using dedicated external key management systems, you’ll have the best of both worlds. These systems include:
- A robust, centralised key management solution to protect data at rest across your entire organisation
- Bring Your Own Key (BYOK) services that enable retention and control of encryption keys, distinguished from provider-controlled encryption
- Options for advanced Bring Your Own Encryption (BYOE) as a potential alternative to cloud provider encryption
- Tamper-resistant, FIPS-certified Hardware Security Modules (HSMs) that provide the highest level of security, strengthening key management practices
Your business has a social and commercial responsibility to take care of customer data. But this need not hurt your cloud flexibility or create a massive management headache. It’s best to start planning now because data, clouds, threats and regulations are only set to grow.