Privacy legislation and corporate data protection policies are compelling increasing numbers of companies to consider encryption for their cloud data. But what if the preferred cloud application securely encrypts but is unable to fulfill specific compliance requirements? Then it’s high time to start looking for a practical alternative! This post looks at suitable candidates – and also explains why a proxy solution is a sound option.
In this era of EU GDPR and other rules and regulations, users of Salesforce, Office 365, and other SaaS cloud applications increasingly face two particular kinds of questions:
“How can I ensure that my data is encrypted without this impacting usability for my cloud application?”
“How can I be certain that my sensitive data does not end up in the wrong hands – because the cloud provider has access to my data, for example?”
The gold standard: mandatory encryption that is data protection-compliant
Regulatory frameworks such as EU GDPR demand an increasingly more stringent approach to handling sensitive and personal data. Such regulations are intended to guarantee the minimization of risks affecting the privacy of natural persons. In many cases, this also now applies to cloud-based data storage and their applications, such as Salesforce or Office 365. Here too, companies must prioritize the protection offered to personal and business-critical data within their sphere of responsibility – and provide proof they have done so. This requires an encryption system that takes steps to ensure that all keys remain under the exclusive control of the cloud user – and so not even the cloud providers themselves are granted access to these keys.
To achieve this level of protection, data encryption is the method of choice for businesses, yet without taking any risks in terms of data sovereignty. In addition, a seamless user experience with the associated cloud application is also of particular importance. In other words: the data encryption techniques must not affect the working practice of users as they interact with the cloud application. In many cases, however, this proves to be the insurmountable barrier for both companies AND cloud providers.
A special challenge: multi-cloud environments
Alongside ‘data sovereignty’ and the ‘user experience’, another recent trend is also making its presence felt, and presenting SAP, Salesforce, Microsoft and other cloud service providers with a major challenge, namely: the centralization of IT security solutions within hybrid and multi-cloud environments. Specifically, this means that increasing numbers of companies are looking at ways to decommission their silo-style IT security and create a centralized platform where cyber risks can be reliably prevented, identified, and countered across the entire corporate IT landscape.
Encrypting sensitive data is certainly one of the most effective preventive actions to take – not least because if the worst comes to the worst, a data breach does not automatically mean a data protection violation. Although: if every cloud provider offers their own encryption technology, how then can centralized cloud data protection based on encryption and pseudonymization – such as is required by EU GDPR, for example – actually be organized for all of the cloud services used within the company?
This is where the eperi Gateway platform comes in, since it has been built for this exact purpose: data encryption and pseudonymization in multiple cloud applications based on a centralized platform.
“But Salesforce & Co. already offer built-in encryption for their platforms,” I hear you say.
Well, that’s all well and good at first glance, but the devil is in the details… From the perspective of a Data Protection Officer at least, the encryption systems used by these cloud providers often have one highly significant weakness: both the encryption solution and the keys required for this solution are not held exclusively within the sovereignty of the cloud user. And that, for certain companies who are required to fulfill strict compliance requirements, is an absolute no-go criterion. Always assuming that these businesses are truly serious about ensuring the security of personal and other sensitive data.
Proprietary encryption versus the eperi encryption solution
Accordingly, it’s fair to say that the encryption solutions available on the market from cloud providers such as Salesforce or Microsoft not only offer a high level of data protection but also work seamlessly with their associated cloud applications – and this, in many cases, is perfectly adequate. Things look very different, however, if the cloud provider’s encryption solution cannot meet internal and external compliance requirements.
This is the case, for example, if a multinational corporation needs to ensure sole control over data protection processes while simultaneously avoiding any situation where the cloud provider themselves could potentially gain access to unencrypted data. Another problematic scenario is data residency, where businesses may wish to – or must – ensure that sensitive data does not leave a specified sovereign territory (and not even for the purposes of backup or load balancing).
Another potential data protection requirement could arise as a result of establishing a centralized IT security architecture, where all processes for data protection and the fulfillment of internal and external compliance requirements are managed from a centralized point of control. In these scenarios, companies should always consider using an effective encryption solution such as the eperi Gateway platform, which enables data to be encrypted automatically via proxy – and across virtually any cloud platform.
Templates offer easy integration of cloud applications with the Gateway
As those familiar with the post eperi Gateway: The Right Approach To Effective Cloud Data Protection will know, eperi’s cloud encryption solutions are based on a template model that enables integration between the eperi Gateway and any cloud application. Among other things, the templates can be used to specify the encryption method to be used, whether certain data types are expected for data entry (such as email addresses), and so on. Since the templates are themselves XML files, they can also contain executable Java code. Pre-built templates are already supplied out of the box by eperi for the most popular cloud and SaaS applications such as Salesforce, Office 365, etc. These preconfigured templates can also be easily customized or new templates can be created by eperi partners or customers for other applications.
Summary: The eperi Gateway platform represents a useful encryption alternative
Whether for regulatory reasons or simply due to setting up a centralized IT security infrastructure for multi-cloud environments, there are many reasons for using encryption systems that fully comply with data protection criteria. The eperi Gateway platform ensures effortless fulfillment of strict regulatory requirements and internal or external compliance policies, and requires no changes to be made to the underlying cloud application. The proxy model used by the eperi Gateway therefore offers a highly practical solution in a great many cases.