Is the Cloud Ready to Store Sensitive Data?

Compliance / Privacy
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

There are no absolutes, particularly when it comes to security, but the cloud can be a safe place to store sensitive personal and financial data if managed properly, according to a prominent data security firm.


Securing the cloud is not a slam dunk, but as an increasing number of companies look to the cloud as a means to reduce cost and increase agility, the need to secure the cloud is upon us. Unfortunately, the skills necessary for most IT professionals to assume responsibility for ensuring reliable cloud security are lacking, according to a new survey.


The 2011 RSA conference concluded this week in San Francisco with a sense that security is more important than ever given threats from hostile nations and organizations including al-Qaeda. Nevertheless, business is determined to move applications and data to the cloud because of the dramatic cost and flexibility advantages that the cloud promises. However, securing the cloud takes special skillsâskills that most IT security practitioners today don't possess.


A survey of more than 10,000 security professionals from 100 different countries conducted by Frost & Sullivan, the "2011 Global Information Security Workforce Study," indicated that nearly three-fourths of the respondents say they need new skills to deal with the cloud, and 90 percent say they require a more detailed understanding of how to secure cloud technology. Half of the respondents also say they need to improve their contract negotiation skills with cloud providers.


Regardless, the move to the cloud is quietly, but emphatically, taking place with more than half of survey respondents saying their organizations already use some type of cloud computingâwith about 16 percent using public cloud services and 42 percent using SaaS.


While cloud security may have been the predominant theme of the RSA conference, other sessions focused on mobile security, emerging threats from social media, cyberwarefare, and privacy. One company familiar to IBM midrange professionals, nuBridges, took the opportunity to announce its new cloud-based tokenization service, nuBridges Protect Tokenization as a Service (TaaS). The online service is designed for companies who want to protect personally identifiable information (PII) and electronic health records (EHR), as well as credit (payment) card data.


Intended to protect structured data at rest, such as social security numbers, national insurance numbers, drivers licenses, passports, salaries, addresses, and account numbers etc., nuBridges TaaS service enables users to connect via web services with the company's data vault, hosted by Verizon Business. It keeps all sensitive data in a single location while substituting tokens throughout the client company's various computer systems. nuBridges in turn manages the sensitive data, creates tokens, ensures the data is backed up, that service level agreements are met, and that encryption keys are rotated and managed properly. As with on-premise tokenization, TaaS reduces exposure of a company's sensitive data as well as the scope of its audits. Since computers that don't store sensitive data ordinarily aren't subject to audit, companies may find their audit expenses are reduced dramatically with a tokenization solution, according to nuBridges.


As a cloud-based solution, TaaS eliminates most up-front costs associated with implementing tokenization, including buying software and additional hardware. Solution costs are spread out over time while the burden on IT is also reduced over an on-premise solution. Implementation, operations and monitoring functions are all handled by the vendor, in this case, nuBridges.


MC Press Online spoke with Gary Palgon, nuBridges vice president of product management, about TaaS, and he explained why he thinks it will be a success as companies become ever more vigilant in protecting electronic health records and other personal information. While smaller companies use tokenization solutions provided by payment processors and gateway service providers, larger companies face challenges to adopting tokenization due to vendor lock-in and loss of control over their data. If a large company implements a tokenization solution, populates its data with tokens, then wants to change providers, traditionally it has created problems. Some solution providers only promise to store a company's data for two years, though most companies need to retain it for seven years for audit purposes.


nuBridges has recognized these impediments and believes it has addressed them, Palgon says. In the case of sensitive data, the company maps tokens to credit card or sensitive numbers, not to transactions, Palgon says. Because nuBridges maintains referential integrity between the data and the tokens, marketing analyses, fraud analytics, and other mission-critical business functions can still be performed on the data. The client retains the relationship between data and the token, even if the company wishes to change providers. nuBridges also is promising to keep customer data as long as necessary with its "limitless data retention" policy.


The TaaS service, available initially to North American businesses, will eventually be available in the U.K., where laws prevent sensitive data from being stored outside the country. The Verizon Business Cloud Computing Program is one of the few cloud providers today that is PCI compliant (and then, only for North America) and a leading reason why nuBridges uses it, according to Palgon (the Amazon cloud also is PCI compliant). The Verizon data vault in Atlanta, Ga., stores nuBridges' primary data, which is backed up in a second Verizon data vault in California. Despite Verizon's massive elastic cloud capabilities and capacity to scale up and provision at will, clients can determine whether they wish to be in nuBridges' multi-tenant environment or have their own token manager and data vault for complete segmentation. Transparent to the user, what is running under the covers on the cloud is nuBridges Protect Token Manager, nuBridges Protect Key Manager, and nuBridges data vault leased from Verizon.


When asked whether he believes the cloud today is a safe place to store sensitive data, Palgon replied: "Yes. There is a lot that goes into it, but yesâproviding that you are using reputable organizations to do it." He admits that many shops today appear to be less than fastidious when it comes to managing sensitive data, even on-premise data.


"They don't necessarily have the level of expertise that I wish were there," says Palgon. "Some organizations are much better than othersâbut their main priority is trying to run a business. That's where we want to play a key role over the next couple of years--offering the best security at a reasonable cost, because that's what we do."


nuBridges Protect Tokenization as a Service represents a milestone in cloud security and security in general. While aimed today toward medium and large businesses, the affordable cloud service suggests that, in future, a tokenization solution will be widely available to businesses of all sizes. Any neighborhood video rental shop, that wishes to protect sensitive consumer dataâincluding the ubiquitous socia