Organizations are entitled to strong cloud data security measures from their vendors
By GERRY GREALISH
NIST released a new publication entitled Cloud Computing Synopsis & Recommendations (Special Publication 800-146) that describes in detail the current cloud computing environment, explains the economic opportunities and risks associated with cloud adoption, and openly addresses the security and data privacy challenges. NIST makes numerous recommendations for companies or agencies considering the move to the cloud (including delivering a strong case for uniform management practices in the data security and governance arenas).
The report highlights several reasons why cloud-based SaaS applications present heightened security risks. As a means to offset the threats, NIST's recommendation on cloud encryption is clear-cut: organizations should require FIPS 140-2 compliant encryption to protect their sensitive data assets. This should apply to stored data as well as application data, and for Federal agencies, it's a firm requirement, not simply a best practice or recommended guideline.
Regrettably, some vendors are misleading the market with claims that sensitive data in the cloud does not require FIPS 140-2 validation and that lesser validation is sufficient. Customers should challenge these sorts of claims and insist on FIPS 140-2 validation if encryption is selected as the preferred technique to secure sensitive data in the cloud. And they should ensure that the functionality of their SaaS applications, such as Searching and Sorting, is preserved, even when this level of strong FIPS 140-2 encryption is in place.
Regarding data governance and regulatory cloud compliance, NIST also recommends that consumers require cloud providers to meet all international, Federal, and state statutes regarding data protection, privacy, and residency. This is a broad, complex area in which the laws continue to evolve, and consumers are ultimately liable if legal issues arise. Many enterprises believe tokenization technology is best suited to address these "data residency" concerns, since tokens can be used to replace personally identifiable information in the cloud, ensuring the original data never leaves their local jurisdiction. Again, preservation of the cloud application's functionality is critical, so enterprises need to ensure they are not being asked by their vendor to sacrifice SaaS usability in order to get the strong level of protection required to adequately secure their sensitive business information.
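The tokenization approach described above, as an added sketch that is not code from the article or from any vendor: a local vault swaps PII fields for random tokens before a record reaches the SaaS application, and exact-match search still works because the same value always yields the same token. The class and function names, the field names and the sample records are all assumptions constructed for illustration.

```python
import secrets

PII_FIELDS = {"name", "email"}  # assumed field names, not from the article

class TokenVault:
    """Constructed example: the vault lives on-premises, in the local jurisdiction."""
    def __init__(self):
        self._by_value = {}  # original value -> token
        self._by_token = {}  # token -> original value

    def tokenize(self, value):
        # Same value always maps to the same token, so exact-match search survives.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def lookup(self, value):
        return self._by_value.get(value)  # None if never tokenized

    def detokenize(self, token):
        return self._by_token.get(token, token)  # non-token values pass through

class FakeSaaS:
    """Stand-in for the cloud application: stores and searches only what it is sent."""
    def __init__(self):
        self.rows = []
    def insert(self, row):
        self.rows.append(row)
    def search(self, field, value):
        return [r for r in self.rows if r.get(field) == value]

def outbound(vault, record):
    return {k: vault.tokenize(v) if k in PII_FIELDS else v for k, v in record.items()}

def inbound(vault, record):
    return {k: vault.detokenize(v) if k in PII_FIELDS else v for k, v in record.items()}

def search(vault, saas, field, value):
    term = vault.lookup(value) if field in PII_FIELDS else value
    if term is None:
        return []  # value was never sent to the cloud, so nothing can match
    return [inbound(vault, r) for r in saas.search(field, term)]

def demo():
    vault, saas = TokenVault(), FakeSaaS()
    for rec in ({"name": "Ana Ruiz", "email": "ana@example.test", "dept": "HR"},
                {"name": "Bo Chen", "email": "bo@example.test", "dept": "IT"}):  # constructed
        saas.insert(outbound(vault, rec))
    return vault, saas
```

Random tokens carry no ordering, so in this sketch any sort on a tokenized field has to happen locally after detokenization; only exact-match search is preserved on the cloud side.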