Governance of company data has never been trickier for organisations than it is today. Not so long ago the bulk of company data resided either on-premises or in a company datacentre, and supervising it was a relatively manageable task for IT teams. The widespread adoption of cloud infrastructure has reversed that picture, with many enterprises keen to embrace the cloud to help digitally transform their businesses.
However, the distribution of corporate data across private and public stores presents a conundrum. Many companies want the flexibility and cost advantages of the cloud while also protecting themselves from the impact of a cyber-attack. An obvious way of meeting both needs is data encryption, so that even if a breach or hack exposes customer data, the information itself cannot be exploited by cyber-criminals, provided the keys were not exposed along with it.
The GDPR perspective
The enforcement of GDPR has provided an additional incentive for encryption. One of the key tenets of the regulation is that businesses must implement appropriate technical and organisational measures to protect the personal data they hold, and encryption of personal or sensitive data is one of the measures the regulation names explicitly. Failure to do so could result in a fine of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
Breaches occur ever more frequently, and relying solely on a third-party provider's encryption is unlikely to be a robust defence if a breach occurs: where the provider also holds the keys, anyone who compromises the provider, or abuses a misconfigured access control, obtains readable data.
As standard practice a company should therefore also encrypt its own data, particularly data that will reside with a third-party cloud provider. Doing so must not add a cumbersome step to the organisation's data processes, because if it does, users will bypass it whenever they can. The aim is to make encryption easy and transparent for the whole company.
Hybrid, multi-cloud solutions can provide exactly this kind of transparent encryption, but it is important to choose the right one. The solution should use FIPS 140-validated cryptography and be configured to encrypt all data in every mapped on-premises or cloud location, rather than leaving the choice to individual users.
Encryption transparency is pivotal to this process. Data is encrypted on upload and decrypted on download by the same solution, with users unaware that this is taking place. The keys stay under the company's control rather than the provider's, so in the event of a breach at a third-party provider that gives access to the data stored there, cybercriminals will be unable to read or decrypt it.
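To make the upload/download model concrete, here is an added example (not code from the original article or from any product it describes) of client-side authenticated encryption in Go, using only the standard library. The object store is a hypothetical in-memory map standing in for a cloud provider; the key lives only with the client, the object name is bound as associated data so stored objects cannot be silently swapped, and a breach of the store or tampering with a stored object yields nothing readable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store stands in for a third-party object store (assumption for this example).
// It only ever receives ciphertext; the key never leaves the client.
type Store map[string][]byte

// newAEAD builds AES-256-GCM from a 32-byte customer-held key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload encrypts plaintext transparently before it reaches the store and
// saves nonce || ciphertext || tag under name. The object name is used as
// associated data so a ciphertext moved to another name fails to decrypt.
func Upload(store Store, key []byte, name string, plaintext []byte) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := aead.Seal(nil, nonce, plaintext, []byte(name))
	store[name] = append(nonce, sealed...)
	return nil
}

// Download fetches the blob and decrypts it; a wrong key, a swapped name or
// a single flipped byte makes aead.Open return an error rather than garbage.
func Download(store Store, key []byte, name string) ([]byte, error) {
	blob, ok := store[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("stored object too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// StoreExposes reports whether a "breached" store reveals the given plaintext,
// which is what an attacker who dumps the provider's storage would look for.
func StoreExposes(store Store, plaintext []byte) bool {
	for _, blob := range store {
		if bytes.Contains(blob, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // customer-held data key; in practice from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store := Store{}
	// Constructed sample record for the demonstration.
	record := []byte("customer record: Jane Doe, DOB 1980-01-01")
	if err := Upload(store, key, "crm/jane.txt", record); err != nil {
		panic(err)
	}
	fmt.Println("store exposes plaintext:", StoreExposes(store, []byte("Jane Doe")))
	got, err := Download(store, key, "crm/jane.txt")
	fmt.Printf("download with right key: %q err=%v\n", got, err)
	_, err = Download(store, make([]byte, 32), "crm/jane.txt")
	fmt.Println("download with wrong key err:", err)
	store["crm/jane.txt"][len(store["crm/jane.txt"])-1] ^= 1
	_, err = Download(store, key, "crm/jane.txt")
	fmt.Println("download of tampered object err:", err)
}
```

A random 96-bit GCM nonce is fine for a demonstration, but a product encrypting large volumes under one key should use a per-object data key wrapped by a master key (envelope encryption), which also keeps the master key out of the data path entirely.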
Additionally, an encryption solution should integrate with a company's existing corporate identity management solution, such as Active Directory, LDAP or SAML, allowing users to sign in with their existing domain credentials (single sign-on).
Additional security should be layered on top of identity management in the form of two-factor authentication: users enter their single sign-on credentials and must then answer a second-factor challenge before they can log in. Each layer makes it harder for an attacker who has obtained a password to reach the data.
With the right solution, deploying transparent file encryption to enforce data security and satisfy compliance regimes such as GDPR can be simple, scalable and fast. With high-profile security breaches seemingly occurring weekly, and with companies facing huge fines for non-compliance once the GDPR deadline passes, measures that help encrypt data should be explored by organisations of every size. In doing so, IT teams gain a final layer of protection against attackers intent on damaging the business, and can return to benefitting from the advantages of the cloud.