Weighing in on the encryption vs tokenization debate, Andy Heather, EMEA VP at Voltage Security, a global leader in data-centric security, says:
"When all you hold in your hand is a hammer, then everything looks like a nail. Or perhaps a better cliché is one size does certainly not fit all. Putting it clearly, it isn’t a case of tokenization vs. encryption, but using tokenization and encryption to solve specific parts of the cloud security challenge.
First-generation tokenization, with bloated tokenization vaults, offered an elegant theoretical solution, but it became apparent over time, and real-world usage, that the baggage they brought with them in terms of complexity and the need for over-engineering were never going to meet the demands that the flexibility and agility of the cloud world required. Thankfully the second generation of stateless/vaultless tokenization solutions are now with us and allow organisations to harness the benefits of tokenization for PCI scope reduction as an example in a cloud-based environment.
Encryption provides another incredibly valuable but subtly different tool. Companies comfortable with the benefits of encryption within their own environments (where they trade off the control vs. complexity overhead of managing the keys that are required) are not so keen simply to hand over the keys to that data to a third-party cloud services provider. Many are looking for, and finding, solutions that eliminate traditional complex key management, and are implementing systems that only dynamically generate keys as and when they are required. Encryption itself provides an excellent level of security. Taking some meaningful information and turning it into unintelligible data certainly fulfils that promise, but it also strips that information of its true value, and certainly one reason for any organisation moving to the cloud is to enable greater business value from that information. Finding a way to securely encrypt the information while maintaining the integrity of the format of that data so it can be accessed and used by applications would seem the logical and desirable goal for any organization moving information into the cloud.
So it’s not a case of either/or, but more of selecting the right tool for the right job, and working with providers that don’t try to force a choice between tokenization and encryption but integrate the two together in a single platform. When building systems that take advantage of all that the cloud has to offer it would be reassuring to know that you have the tools that you need in your hand and not just a hammer."