With GDPR around the corner, organisations need to be fully prepared to secure any sensitive data held within the enterprise. Failure to do so could incur serious penalties for organisations. Thankfully, encryption is an option.
Our latest survey from Infosecurity Europe found over half (53%) of security professionals will stop putting sensitive data in the cloud due to GDPR. There is an air of uncertainty that surrounds cloud security and that has been echoed by the cyber security industry. The general consensus showed a lack of confidence and trust in the protection of sensitive data should it be placed in the cloud. Many (72%) felt they would need to re-evaluate their data security requirements in the cloud because of the regulation that comes into force on 25 May 2018.
The microscope, the limelight and the debate are firmly back on how adequately secure the cloud is. Companies today must comply with the regulation, if only because the consequences of failing to protect the data could be catastrophic. In order to avoid a killer fine, organisations should first and foremost secure the data that goes into the cloud through encryption or tokenisation and remain in control of the encryption keys. This can significantly reduce the scope of GDPR.
The issue we uncovered from the survey is that just over half (54%) of organisations are relying on their cloud or Software as a Service (SaaS) provider to encrypt data, and 51% think that it is acceptable for the solution provider to control all or part of the encryption keys. This is a problem because, should the cloud or SaaS provider control the keys and be breached, there is no way to be certain whether the organisation’s data is safe. The result is notifications and fines, some of which could potentially push an organisation to bankruptcy.
However, if an organisation makes sure that its encryption keys are controlled only by the organisation itself, compromised data becomes unreadable to all unauthorised users, even in case of theft. This can help organisations avoid a fine altogether, as the encrypted or tokenised data is worthless without the keys. This is why encrypting or tokenising data is vital as a security measure.
With the right technology, organisations shouldn’t fear the cloud or putting data there because of GDPR. Instead, they should embrace both, look at the best options to achieve compliance and reap the business benefits of the cloud.