Security Experts:

Financial Firms Embrace Cloud With Encryption, Tokenization: Report

As more organizations become more comfortable with putting data in the cloud, they are aggressively applying varying levels of data protection to different types of information, according to data protection firm CipherCloud.

Among financial services organizations, 40 percent said they use tokenization along with strong encryption to protect the most sensitive information before putting them in the cloud, CipherCloud found in its Q2 Global Cloud Security Report (PDF). Regulatory compliance is a driver for cloud data protection, but so is the increased number of data breaches.

CipherCloud classified data in four categories: highly sensitive PII, regular PII, personal financial data, and business sensitive data. The report found that some pieces of data, such as the customer's name, could be classified as highly sensitive in one company and regular at another. All the respondents said they use encryption to protect business sensitive data. About 15 percent said they use tokenization for personal finance data and 13 percent for regular PII, the report found.

Cloud Encryption and TokenizationOnly 33 percent store highly sensitive data in the cloud, while 47 percent process personal finance data, and 53 percent store confidential business data on cloud servers, the report found.

“It’s not surprising to see that encryption is the predominant choice for those seeking to protect business-sensitive data,” the report notes. “As this category of data is typically non-critical, few are utilizing heavyweight tokenization to protect business sensitive data.”

Organizations are raising expectations for the kind of protection they need to have on their data, Chenxi Wang, vice-president of cloud strategy at CipherCloud, told SecurityWeek. This means the class of data important enough to be protected is getting bigger.

Not all encryption methods are created equal. IT managers and business managers have to work together to make the choice of more security or ease of use, or for better performance. Most firms favor encryption over tokenization for less sensitive data. However, there are data elements with specific formats, such as Social Security numbers, email addresses, and phone numbers, which need to be protected in such a way their structure is preserved, the report found. About 91 percent used format-preserving encryption for email addresses and 82 percent for phone numbers. Just 9 percent favored using tokenization to protect email addresses.

The report focused on 50 organizations in the financial services industry, including banking, wealth management, investing and financial services companies from North America, Europe, Asia-Pacific and Latin America. Some organizations store more personally identifiable data in the cloud than others, but practically every organization has at least one Software-as-a-service application which contains personal data, Wang said. Salesforce.com is a good example of such an application.

Tokenization uses randomly-generated codebooks to encode data and is typically impervious to crypto analysis. Tokenized data is common in highly regulated environments and is recommended for the most critical information. As organizations look at their highly sensitive data, many of them are realizing they are storing information they don't actually need. Once they realize that, they may make the decision to change their processes to stop collecting the information instead of trying to tokenize that data element, Wang said. This puts organizations in a better place because they don't have the burden of protecting data they aren't using.

The financial services industry as a whole is faster than most sectors in embracing cloud computing as well as taking appropriate security steps to protect the data. CipherCloud has plans to see how the figures line up for the healthcare sector next, Wang said.

Organizations are beginning to trust the cloud because there are ways to secure the data. This has the added benefit of organizations looking at the data stored on-premise, within the perimeter, and making sure their defenses are strong locally as well, Wang said. Data stored on the cloud is secure because of encryption and tokenization, as well as the fact that service providers such as Salesforce.com spend a lot of time and attention on security. Organizations are realizing their assumption that data they have on-premise is safe is not necessarily correct, and are taking steps to fix that problem, Wang said.

Related: Benefits and Challenges for Securing Transaction Data Using Tokenization

Related: PCI Security Standards Council Releases Tokenization Product Guidelines

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.