Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Financial Firms Embrace Cloud With Encryption, Tokenization: Report

As more organizations become more comfortable with putting data in the cloud, they are aggressively applying varying levels of data protection to different types of information, according to data protection firm CipherCloud.

As more organizations become more comfortable with putting data in the cloud, they are aggressively applying varying levels of data protection to different types of information, according to data protection firm CipherCloud.

Among financial services organizations, 40 percent said they use tokenization along with strong encryption to protect the most sensitive information before putting them in the cloud, CipherCloud found in its Q2 Global Cloud Security Report (PDF). Regulatory compliance is a driver for cloud data protection, but so is the increased number of data breaches.

CipherCloud classified data in four categories: highly sensitive PII, regular PII, personal financial data, and business sensitive data. The report found that some pieces of data, such as the customer’s name, could be classified as highly sensitive in one company and regular at another. All the respondents said they use encryption to protect business sensitive data. About 15 percent said they use tokenization for personal finance data and 13 percent for regular PII, the report found.

Cloud Encryption and TokenizationOnly 33 percent store highly sensitive data in the cloud, while 47 percent process personal finance data, and 53 percent store confidential business data on cloud servers, the report found.

“It’s not surprising to see that encryption is the predominant choice for those seeking to protect business-sensitive data,” the report notes. “As this category of data is typically non-critical, few are utilizing heavyweight tokenization to protect business sensitive data.”

Organizations are raising expectations for the kind of protection they need to have on their data, Chenxi Wang, vice-president of cloud strategy at CipherCloud, told SecurityWeek. This means the class of data important enough to be protected is getting bigger.

Not all encryption methods are created equal. IT managers and business managers have to work together to make the choice of more security or ease of use, or for better performance. Most firms favor encryption over tokenization for less sensitive data. However, there are data elements with specific formats, such as Social Security numbers, email addresses, and phone numbers, which need to be protected in such a way their structure is preserved, the report found. About 91 percent used format-preserving encryption for email addresses and 82 percent for phone numbers. Just 9 percent favored using tokenization to protect email addresses.

The report focused on 50 organizations in the financial services industry, including banking, wealth management, investing and financial services companies from North America, Europe, Asia-Pacific and Latin America. Some organizations store more personally identifiable data in the cloud than others, but practically every organization has at least one Software-as-a-service application which contains personal data, Wang said. Salesforce.com is a good example of such an application.

Tokenization uses randomly-generated codebooks to encode data and is typically impervious to crypto analysis. Tokenized data is common in highly regulated environments and is recommended for the most critical information. As organizations look at their highly sensitive data, many of them are realizing they are storing information they don’t actually need. Once they realize that, they may make the decision to change their processes to stop collecting the information instead of trying to tokenize that data element, Wang said. This puts organizations in a better place because they don’t have the burden of protecting data they aren’t using.

Advertisement. Scroll to continue reading.

The financial services industry as a whole is faster than most sectors in embracing cloud computing as well as taking appropriate security steps to protect the data. CipherCloud has plans to see how the figures line up for the healthcare sector next, Wang said.

Organizations are beginning to trust the cloud because there are ways to secure the data. This has the added benefit of organizations looking at the data stored on-premise, within the perimeter, and making sure their defenses are strong locally as well, Wang said. Data stored on the cloud is secure because of encryption and tokenization, as well as the fact that service providers such as Salesforce.com spend a lot of time and attention on security. Organizations are realizing their assumption that data they have on-premise is safe is not necessarily correct, and are taking steps to fix that problem, Wang said.

Related: Benefits and Challenges for Securing Transaction Data Using Tokenization

Related: PCI Security Standards Council Releases Tokenization Product Guidelines

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...