Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Financial Firms Embrace Cloud With Encryption, Tokenization: Report

As more organizations become more comfortable with putting data in the cloud, they are aggressively applying varying levels of data protection to different types of information, according to data protection firm CipherCloud.

As more organizations become more comfortable with putting data in the cloud, they are aggressively applying varying levels of data protection to different types of information, according to data protection firm CipherCloud.

Among financial services organizations, 40 percent said they use tokenization along with strong encryption to protect the most sensitive information before putting them in the cloud, CipherCloud found in its Q2 Global Cloud Security Report (PDF). Regulatory compliance is a driver for cloud data protection, but so is the increased number of data breaches.

CipherCloud classified data in four categories: highly sensitive PII, regular PII, personal financial data, and business sensitive data. The report found that some pieces of data, such as the customer’s name, could be classified as highly sensitive in one company and regular at another. All the respondents said they use encryption to protect business sensitive data. About 15 percent said they use tokenization for personal finance data and 13 percent for regular PII, the report found.

Cloud Encryption and TokenizationOnly 33 percent store highly sensitive data in the cloud, while 47 percent process personal finance data, and 53 percent store confidential business data on cloud servers, the report found.

“It’s not surprising to see that encryption is the predominant choice for those seeking to protect business-sensitive data,” the report notes. “As this category of data is typically non-critical, few are utilizing heavyweight tokenization to protect business sensitive data.”

Organizations are raising expectations for the kind of protection they need to have on their data, Chenxi Wang, vice-president of cloud strategy at CipherCloud, told SecurityWeek. This means the class of data important enough to be protected is getting bigger.

Not all encryption methods are created equal. IT managers and business managers have to work together to make the choice of more security or ease of use, or for better performance. Most firms favor encryption over tokenization for less sensitive data. However, there are data elements with specific formats, such as Social Security numbers, email addresses, and phone numbers, which need to be protected in such a way their structure is preserved, the report found. About 91 percent used format-preserving encryption for email addresses and 82 percent for phone numbers. Just 9 percent favored using tokenization to protect email addresses.

The report focused on 50 organizations in the financial services industry, including banking, wealth management, investing and financial services companies from North America, Europe, Asia-Pacific and Latin America. Some organizations store more personally identifiable data in the cloud than others, but practically every organization has at least one Software-as-a-service application which contains personal data, Wang said. is a good example of such an application.

Tokenization uses randomly-generated codebooks to encode data and is typically impervious to crypto analysis. Tokenized data is common in highly regulated environments and is recommended for the most critical information. As organizations look at their highly sensitive data, many of them are realizing they are storing information they don’t actually need. Once they realize that, they may make the decision to change their processes to stop collecting the information instead of trying to tokenize that data element, Wang said. This puts organizations in a better place because they don’t have the burden of protecting data they aren’t using.

The financial services industry as a whole is faster than most sectors in embracing cloud computing as well as taking appropriate security steps to protect the data. CipherCloud has plans to see how the figures line up for the healthcare sector next, Wang said.

Organizations are beginning to trust the cloud because there are ways to secure the data. This has the added benefit of organizations looking at the data stored on-premise, within the perimeter, and making sure their defenses are strong locally as well, Wang said. Data stored on the cloud is secure because of encryption and tokenization, as well as the fact that service providers such as spend a lot of time and attention on security. Organizations are realizing their assumption that data they have on-premise is safe is not necessarily correct, and are taking steps to fix that problem, Wang said.

Related: Benefits and Challenges for Securing Transaction Data Using Tokenization

Related: PCI Security Standards Council Releases Tokenization Product Guidelines

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Orca Security published details on four server-side request forgery (SSRF) vulnerabilities impacting different Azure services.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

Cloud Disaster Recovery - Ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility