People in charge of ensuring data privacy policies have an increasingly hard task. Your employees want to use mobile devices to access data. Data storage in the cloud is inexpensive and convenient. At the same time you want to keep customer and employee data secure and you face tough privacy laws.
The conflicting issues directly affect your business. If competitors have lower costs and offer convenient data access by using the cloud, your business may suffer. On the other hand, data breaches can be expensive and can ruin a company’s reputation. Effective data privacy policies are an excellent tool to define your data protection needs and implement appropriate procedures.
When you design such policies from the ground up, identifying sensitive data and deciding how it must be protected, the policies become a guide to the technology you should be using. Data privacy policies need to be backed by procedures and by technology that protects the data itself well enough to satisfy the privacy laws that apply to you.
Identifying Sensitive Data
The first step in creating data privacy policies is to identify the data that you have to keep secure. According to the Federal Trade Commission (FTC), sensitive data includes financial data, health data, information about children and social security numbers. Depending on the state in which you are doing business, additional laws and regulations may apply.
Some jurisdictions consider email addresses and non-public data such as library records private. To be on the safe side, you may want to consider any non-public personally identifiable information as sensitive. California has some of the most detailed privacy legislation and has published a guide for companies to develop and publish their privacy policies. The guide suggests that you should develop simple, easy to understand policies and publish them. Such policies can represent a competitive advantage if they give customers confidence that they can trust you with their data.
As part of a review of sensitive data, you can also ask whether you need to store all the data you are keeping. Often data is no longer needed after a transaction with a customer is completed. Data that changes frequently probably should not be kept for an extended period. It may be outdated quickly and lead to incorrect results.
Protecting Sensitive Data
Once you have identified private data you can start thinking about how best to protect it. Traditional perimeter protections, both on your own servers and in the cloud, are effective at preventing general access to your systems, but they have a substantial weakness. Credential-based access control, in which you enter a user name and password to gain access to data, is based on what you know. Anyone else who knows your login credentials gains the same access you have, often from any computer anywhere in the world.
Since a large number of credentials are issued to a wide variety of people, including your systems administrators, the cloud provider's technicians, contractors and database administrators, the possibility of someone fraudulently obtaining credentials is not negligible. You need an additional layer of protection that secures the sensitive data itself, not just the systems around it.
Such protection is called data-centric security and it usually involves encrypting some or all of your data. To implement effective data privacy policies, you need solutions that can protect your data without reducing access for authorized people and without introducing delays or additional complexity in everyday use. You want your customers and employees to be able to access your data as before but with ironclad security.
Many encryption technologies are clumsy and hard to use. They make your employees keep track of keys and require extra processing power to maintain speedy access. Often whole files have to be decrypted before you can read the data and even then, a lot of people have to be given the decryption keys to do maintenance, backup and troubleshooting. You need a technology that works unobtrusively in the background to secure only the data you have defined as sensitive.
Tokenization is a data-centric technique that delivers this kind of flexible, granular protection. Instead of turning a value into ciphertext the way standard encryption does, tokenization replaces each sensitive value, such as a social security number or a name, with a surrogate token of the same shape. The token is meaningless on its own: the only link between it and the real value is a mapping kept in a separate, tightly controlled token vault (or, in format-preserving schemes, a key). A tokenized field no longer identifies a person by itself. In the event of a breach of the database, unauthorized people may be able to see the tokens, but without the vault they are useless.
In typical tokenization implementations, not all the data has to be tokenized. You can tokenize a few fields of a database or all of it. For example, if your database contains names and social insurance numbers, tokenizing either field breaks the link between a person and their number in that table. Tokenize the field the business process does not need: if it requires a name, tokenize the social insurance number; if it needs the social insurance number, for example for billing, tokenize the name. Keep in mind that the fields you leave in the clear, such as a name together with an address, may still identify someone, so review the remaining columns rather than treating one tokenized field as full anonymization.
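To make the two paragraphs above concrete, here is a small vault-based tokenizer written for this article as an added example; it is not CloudMask's code nor any product's implementation. It assumes a single in-memory vault (a real deployment would put the vault in a separately secured, audited store), shape-preserving tokens so existing column formats and validators keep working, and a constructed three-row customer table. It shows tokenizing only the field a process does not need, the same customer receiving the same token so joins still work, and that a copy of the tokenized table without the vault cannot be reversed.

```python
import secrets
import string


class TokenVault:
    """Holds the only mapping between real values and surrogate tokens.

    The tokenized table can be stored, replicated and backed up freely; without
    this vault a token cannot be reversed, so the vault is the one component
    that must be locked down and audited. (Hypothetical helper, not a product API.)
    """

    def __init__(self) -> None:
        self._value_to_token: dict[str, str] = {}
        self._token_to_value: dict[str, str] = {}

    @staticmethod
    def _random_surrogate(value: str) -> str:
        # Preserve the shape of the value: digits become random digits, letters
        # become random letters of the same case, and separators such as spaces
        # and hyphens are kept, so the token still passes format checks.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting a fresh random one on first sight."""
        if not value:
            return value  # nothing to protect in an empty field
        # Same input -> same token, so lookups and joins on the tokenized
        # column keep working without exposing the real value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        for _ in range(1000):
            token = self._random_surrogate(value)
            if token != value and token not in self._token_to_value:
                self._value_to_token[value] = token
                self._token_to_value[token] = value
                return token
        raise RuntimeError("could not mint a unique token for this value")

    def detokenize(self, token: str) -> str:
        """Reverse a token. Only a caller holding this vault can do this."""
        return self._token_to_value[token]


def tokenize_field(rows: list[dict], field: str, vault: TokenVault) -> list[dict]:
    """Return a copy of rows with one column replaced by tokens; other columns untouched."""
    return [{**row, field: vault.tokenize(row[field])} for row in rows]


def detokenize_field(rows: list[dict], field: str, vault: TokenVault) -> list[dict]:
    """Restore the real values of one column for an authorized consumer."""
    return [{**row, field: vault.detokenize(row[field])} for row in rows]


# Constructed sample rows for the example; not real people.
CUSTOMERS = [
    {"name": "Ann Lee", "sin": "123-456-789", "balance": 42.50},
    {"name": "Bob Roy", "sin": "987-654-321", "balance": 17.00},
    {"name": "Ann Lee", "sin": "123-456-789", "balance": 9.99},  # repeat customer
]


def support_view(vault: TokenVault) -> list[dict]:
    """Support staff need the name but not the number: tokenize the SIN."""
    return tokenize_field(CUSTOMERS, "sin", vault)


def billing_view(vault: TokenVault) -> list[dict]:
    """Billing needs the number but not the name: tokenize the name instead."""
    return tokenize_field(CUSTOMERS, "name", vault)


if __name__ == "__main__":
    vault = TokenVault()
    for row in support_view(vault):
        print(row)  # names in the clear, SINs replaced by same-shaped tokens
    for row in billing_view(vault):
        print(row)  # SINs in the clear, names replaced by same-shaped tokens
```

Note what the vault is not: it is not a hash. A hash of a nine-digit number is trivially reversed by trying all one billion candidates, whereas a random token carries no information about the value at all. The price is that the vault becomes the crown jewel, which is why it lives apart from the data and its access is tightly controlled.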
Tokenization can deliver a last line of defence that allows you to implement your privacy policies with confidence. In addition to your traditional protection against unauthorized access to your IT systems, the sensitive fields stay protected even when that traditional security is breached, which supports your compliance with data privacy laws. The caveat is that this holds only as long as the token vault or keys are kept separate from the data and are not compromised along with it.
With CloudMask, only your authorized parties can decrypt and see your data: not hackers with your valid password, not cloud providers, not government agencies, and not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask