4 Encryption Best Practices for a Cloud Environment

Written by Joe Kozlowicz on Wednesday, April 24th 2013 — Categories: Cloud Hosting, HIPAA Compliance, Security

Encryption is an important safeguard to protect sensitive data that’s stored and processed through the cloud. Encryption protects outgoing data so it’s not vulnerable to being read once it’s outside your network. It also satisfies compliance and regulatory standards like HIPAA and PCI DSS and is an essential tool for protecting information used with popular SaaS applications like Salesforce.com. 

Even with a highly secure data center, the protection of important information is a shared responsibility between your service provider and your IT team. Get started by implementing these four encryption best practices for a cloud environment:

1. Clearly Outline Your Business and Security Goals.

Before you choose any encryption products or design a strategy, understand your organization’s business and security objectives. This includes internal and external data governance policies, such as data privacy and residency, and compliance mandates relevant to your business such as HIPAA, PCI, or Gramm-Leach-Bliley (GLB).

You should also have a plan for how to manage your data encryption keys – a critical linchpin for ensuring data stays protected. In almost all cases, experts recommend you centrally manage encryption keys outside the cloud and ensure no one but you has access to them.

2. Encrypt data before it goes to the cloud.

Since your IT team doesn’t have direct control over data that’s sent through the cloud, it is important to encrypt important information before it leaves your servers. There are many applications that allow you to do this and give you control over the encryption keys.

Also define exactly which types of data need encryption. There are very few organizations that need to encrypt all cloud-based data. Carefully evaluate what information is high-risk and truly requires it.
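The pattern behind this practice, shown as an added example that is not code from the original post: the data is sealed on your own systems with a key you generate and hold (here generated in memory so it runs offline; a real deployment would pull it from an on-premises KMS or HSM), and only the ciphertext blob is handed to the provider. The key id is bound as associated data so a blob cannot be quietly decrypted under a different key; the function and parameter names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewKey makes a 256-bit AES key in memory (so the example runs offline);
// in production it comes from an on-premises KMS/HSM, never from the provider.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM before upload; keyID (the locally held key's
// name) is bound as associated data. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, keyID string, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(keyID)), nil
}

// Open authenticates and decrypts; wrong key, wrong keyID or any edit fails.
func Open(key []byte, keyID string, blob []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(keyID))
}
```

Only the blob returned by Seal is stored with the provider; the key and key id stay on your side, which is what keeps the provider (or anyone who obtains the stored blob) from reading the data.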

3. Ensure your provider supports the FIPS standard relevant to your organization.

If you’re a government agency or supporting contractor, you likely need a data center service provider that’s Federal Information Processing Standard (FIPS) compliant. 

FIPS is a set of standards that approves cryptographic ciphers for hashing, signature, key exchange, and encryption purposes. There are four levels of FIPS security; each level specifies a tighter degree of protection. Ask your data center service provider which level of FIPS they provide and review their documentation to be sure it meets your needs.

4. Don’t neglect mobile device encryption.

With the proliferation of data on mobile devices, and Bring Your Own Device (BYOD) being adopted by many organizations, it’s tough to know exactly where your data is and what’s happening to it. It only takes one lost or stolen laptop with unencrypted data, and cyber-thieves have easy access to sensitive information. A recent example occurred at MD Anderson Cancer Center when a laptop was stolen from a doctor’s home with 30,000 highly sensitive patient records.

By encrypting data on mobile devices, you prevent these types of embarrassing issues from occurring. Require all employees to use full disk encryption for desktop and notebook computers and especially removable USB drives – even if sensitive information isn’t normally stored on them. Since all mobile devices let users enter data and receive emails, it’s important to encrypt those devices even if your corporate policy specifically prohibits employees from putting sensitive information on them. It is much better to be safe than sorry in these cases.

Encryption is an important safeguard for your valuable business data. You also need a reliable data center service provider that understands these complex security issues. Learn more about secure cloud hosting.