Through this series, we have explored how encryption protects the data itself and helps organizations reduce the scope of the upcoming GDPR compliance requirements. That should not be read to mean that every encryption solution does the job or meets the same standard. Here is what organizations need to consider when choosing among encryption options.
Not all encryption solutions are created equal
An eperi survey of 250 security professionals found that over half leave encryption to the SaaS provider, fewer than a third control the encryption process themselves, and one in five does not encrypt sensitive data in SaaS applications such as Salesforce or Office 365 at all. These figures are cause for alarm when you consider that almost 60% would find themselves exposed under GDPR.
For organizations to confidently meet requirements that data be protected in use, at rest and in motion, they need to be in full control of that data, and in practice that means controlling the encryption keys. As the data controller, the organization has to be able to show that it took reasonable steps to protect PII. Offloading the encryption process, and with it the keys, to an outside third party such as a SaaS provider may not be judged reasonable enough.
Say, for instance, that the third-party SaaS provider is breached, putting all of its customers’ data at risk. If the customer organization can show that its data was encrypted and that it, not the breached provider, held the keys, the breach exposed no intelligible personal data: GDPR’s Article 34 waives notification of the affected individuals where the data was rendered unintelligible by measures such as encryption (notification to the supervisory authority under Article 33 may still be required), and the organization’s exposure to fines is correspondingly smaller. If, however, the breached SaaS provider held the keys to its customers’ data, it cannot be ruled out that the attackers read that data, and the organization is back in the full breach-notification regime. This is what we call security by separation, a well-known and time-tested security model: whoever stores the data must not also hold the key.
Is it Open Source?
Encryption that relies on proprietary code cannot be independently audited, so a customer has no way to rule out weak algorithms, implementation mistakes or deliberate back doors. With an open source solution, such as the eperi Gateway, the code can be read, reviewed and built by the customer and by outside experts, which makes it transparent and less exposed to nation-state espionage or data exploitation. Open source is only a benefit if someone actually does that review, though, so check that the build you deploy matches the published source.
The Data Lifecycle
It has been said many times, but organizations cannot forget that sensitive data must be protected at every stage: at rest, in use and in transit. Many encryption solutions, including those offered by third parties, protect the data only once it is stored; the provider still handles it in clear while it is processed, and usually holds the keys. That is insufficient for meeting GDPR standards.
All too often, the older compliance tools, Data Leakage Prevention (DLP) and, more recently, Cloud Access Security Brokers (CASB), act as gatekeepers that block information before it enters the cloud, which defeats the purpose of adopting the cloud application in the first place. Organizations should instead look at Cloud Data Protection (CDP) solutions that encrypt or tokenize the PII itself, at every lifecycle stage, and keep it usable by preserving the cloud application’s important functionality. Bear in mind that preserving functions such as search or sorting on protected data requires schemes that deliberately retain some structure (for example, deterministic tokens so that equal values still match), so ask a vendor exactly which functions are preserved and what each one reveals.
eperi believes that data security does not have to disrupt corporate processes and procedures. Its gateway-based approach therefore supports authorized users as they work with the data without restricting important functions such as searching it.
Authorized users work through the gateway, which carries functionality emulators that perform operations such as search over the protected data, so work on the business applications continues as if no encryption were in place.
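To make the two points above concrete, security by separation (the key stays with the data controller, the provider stores only protected values) and a gateway that tokenizes PII while keeping exact-match search working, here is an added example. It is illustrative code written for this article, not eperi’s code or an eperi API. It assumes a keyed, deterministic HMAC tokenization as the protection scheme, a hypothetical field list `PII_FIELDS`, and a `FakeSaaS` class standing in for the cloud application; the sample records are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Fields the gateway must never let leave the perimeter in clear (assumption).
PII_FIELDS = ("email", "phone")


class TokenVault:
    """Secret key plus token->plaintext map. Lives with the data controller;
    the SaaS provider never receives the key or the map."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._vault: Dict[str, str] = {}

    def token_for(self, field: str, value: str) -> str:
        # Keyed, deterministic: the same (field, value) always yields the same
        # token, which is what keeps exact-match search working on the SaaS
        # side. Binding the field name stops an email token being replayed as
        # a phone token. Without the key nobody can compute or invert tokens.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        return f"tok_{field}_{mac.hexdigest()[:24]}"

    def tokenize(self, field: str, value: str) -> str:
        token = self.token_for(field, value)
        self._vault[token] = value      # plaintext stays here, on-premises
        return token

    def detokenize(self, value: str) -> str:
        return self._vault.get(value, value)   # non-tokens pass through unchanged


class FakeSaaS:
    """Stand-in for the cloud application: it stores whatever it is sent and
    offers exact-match lookup. It holds no key, so it only ever sees tokens."""

    def __init__(self) -> None:
        self.records: List[Dict[str, str]] = []

    def store(self, record: Dict[str, str]) -> None:
        self.records.append(dict(record))

    def find(self, field: str, value: str) -> List[Dict[str, str]]:
        return [dict(r) for r in self.records if r.get(field) == value]


class Gateway:
    """Sits between users and the SaaS: tokenizes outbound PII, detokenizes
    inbound records, and rewrites search terms so search keeps working."""

    def __init__(self, vault: TokenVault, saas: FakeSaaS) -> None:
        self.vault, self.saas = vault, saas

    def save(self, record: Dict[str, str]) -> Dict[str, str]:
        protected = {k: (self.vault.tokenize(k, v) if k in PII_FIELDS else v)
                     for k, v in record.items()}
        self.saas.store(protected)
        return protected            # what the provider actually holds

    def search(self, field: str, value: str) -> List[Dict[str, str]]:
        needle = self.vault.token_for(field, value) if field in PII_FIELDS else value
        return [{k: self.vault.detokenize(v) for k, v in r.items()}
                for r in self.saas.find(field, needle)]


def demo() -> dict:
    """Runs the gateway over constructed sample records and returns the facts
    a practitioner should check about what the provider can and cannot see."""
    vault, saas = TokenVault(), FakeSaaS()
    gw = Gateway(vault, saas)
    stored = gw.save({"name": "Alice", "email": "alice@example.com", "phone": "+49 30 111"})
    gw.save({"name": "Bob", "email": "bob@example.com", "phone": "+49 30 222"})
    gw.save({"name": "Bob (dup)", "email": "bob@example.com", "phone": "+49 30 333"})
    provider_view = " ".join(v for r in saas.records for v in r.values())
    return {
        "provider_holds_plaintext": "alice@example.com" in provider_view,
        "stored_email": stored["email"],
        "exact_match": [r["name"] for r in gw.search("email", "bob@example.com")],
        # Trade-off: deterministic tokens reveal equality, so the provider can
        # tell that two records share an email without learning which one.
        "equal_tokens_visible": saas.records[1]["email"] == saas.records[2]["email"],
        # Substring search over tokens finds nothing: the gateway would have to
        # implement it itself (a functionality emulator) or use a scheme that
        # leaks more structure than equality.
        "substring_hits": [r for r in saas.records if "bob" in r["email"]],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The provider’s copy contains tokens only, so a breach on its side yields nothing intelligible and the vault and key never leave the controller. The same determinism that keeps exact-match search working is also the leak a vendor should be asked about: the provider can see which records share a value, and anything beyond equality (substring, range, sort) has to be emulated by the gateway or bought with a scheme that reveals more.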
Remember: protecting the sensitive data itself does far more for security and compliance than any attempt to make every piece of infrastructure and every system impregnable.
And with this we complete our GDPR series. We hope it has made the upcoming regulation a little less daunting.
EU GDPR: The Essential Facts at a Glance - Series:
Part 5: Not all encryption solutions are created equal