Following recent reports of European Commission (EC) vice-president Neelie Kroes saying US cloud service providers could suffer loss of business, in light of revelations about the US National Security Agency’s Prism surveillance system, Dave Anderson, senior director at Voltage Security, writes:
“In general, the issue at hand is the ability to protect sensitive information from exposure, regardless of whether the exposure is caused by a malicious act, an inadvertent slip, a surveillance operation or a failure of protective controls or processes. Any sensitive information including financials, customer and employee data, or intellectual property should be protected across the entire lifecycle of that data, and loss or exposure of this data can result in compliance or regulatory fines, loss of brand and reputation and, as the recent events further validate, a loss of privacy around how we communicate and the content of those communications.
This will become even more critical as organisations move to the cloud, and increase their awareness of how to best protect themselves from the impact of these types of surveillance and breach activities. The benefits of moving to the cloud are dynamic. Companies are not going to move away from this and will continue to look for ways to leverage the cloud to support current business processes, as well as identifying new customer initiatives through the cloud that will make them more competitive. The ability to properly protect their data from exposure and surveillance, while simultaneously leveraging the cloud, is the true key to competitiveness moving forward.
In order to do so, a data protection program should be developed that ensures privacy and security can be effectively balanced, while still allowing the organisation to leverage the business benefits of moving to the cloud. The ability to “de-identify” information, either through encryption, tokenisation or even data masking capabilities, provides very effective mechanisms to secure sensitive data, how that data is communicated, used and managed at the personal and professional level. This inherently provides an underlying foundation for data privacy as well, ensuring not just that the data level itself is secure, but also that the information can only be accessed and used by authorised users and the specific intended recipients. In this case, privacy and security become very aligned and, as users and organisations, we now have the ability to secure any sensitive data while ensuring communications and use of that data can remain private. Additionally, the ability to “re-identify” data is an important capability within a data protection program, as often there are legitimate purposes as to why protected data needs to be re-identified, including anti-fraud analysis when a fraudulent activity is discovered and the business needs to identify the underlying user, and health care analysis when an adverse finding has been identified and the names of patients need to be identified.
Enterprise and consumer customers care deeply about securing their sensitive information and protecting the data that helps govern their business, and effectively deliver and communicate their goods and services to employees, partners, and other stakeholders. This focus is becoming even stronger, as people are growing stronger in their beliefs that security, privacy and compliance are not just a tactical, “check the box” activity that they have to do, but rather are a strategic process that adds tremendous value in their ability to securely communicate at the personal level, and develop and deliver new online business initiatives to customers.”