As businesses seek to innovate quickly, they also face tough data protection regulations, growing threats, and ongoing compliance needs. Can they move at cloud speed, or are they slowed down by security considerations? Isn’t it possible to have both speed and security? The question is neither abstract nor theoretical: in our experience, you can have both. To achieve both, you need an approach to regulation and governance that allows enterprise security and compliance teams to work alongside development teams, and you need to ensure that these teams have a structured way of interacting, working together, and respecting each other’s priorities. Your developers want to work quickly and at scale; your security team wants to protect your business and your data.
Many in business think of regulatory requirements as difficult and onerous. They do take time and effort; look at the regulatory requirements of HIPAA, GDPR, the FDIC, the FCA or the EBA, industry standards (e.g., NIST) or global standards (e.g., PCI or ISO). But these requirements were not created in a vacuum; they’re there to protect you and the public, and full, top-down compliance across an organization pays real benefits to your data security. Your security team can turn these imposed policies into standardized controls (e.g., based on the NIST 800-53 standard). They will then need to specify the approved implementations that meet these standardized controls (e.g., which technologies are approved for cloud key management). Staying informed and up to date with complex and evolving requirements across the globe, your industry and its regulators pays dividends in maintaining data security.
With data breaches on the rise and stringent data security regulations in force, data protection should be at the heart of your security program. With that said, recognize that not all data is created equal and that one size does not fit all: the measures you take to protect your data depend on its sensitivity. Confidential and sensitive data poses a high risk to the business if it is breached. Operational controls may be sufficient for publicly available information (e.g., press releases or annual reports) and internal data (e.g., internal emails and training materials). However, technical controls, which give you full control over and assurance about the data, are important for protecting confidential and sensitive data. Confidential data may include employee pay stubs and consumer information, while more sensitive data may include financial transactions or personally identifiable information (PII). Securing your data means protecting it at rest, in transit, and in use.
One obvious difference is that with an operational assurance, your cloud provider promises that it won’t access your data and encryption keys; but with a technical assurance, your cloud provider cannot access your data and keys. The solution for obtaining that technical assurance is called “keep your own key” (KYOK). KYOK offers single-tenant key management with a fully dedicated Hardware Security Module (HSM) that you control exclusively, built on certified technology that meets FIPS 140-2 Level 4, the highest level in the industry. This solution can be used to encrypt data in databases and storage systems, and to secure the private keys that protect data in transit. You also need to take a holistic approach to protecting your sensitive data while it is in use, across servers, containers, and databases. Confidential computing is a security technology that protects data in use by processing it inside isolated, protected areas of the IT environment. You must design your solutions so that virtualized workloads run on confidential virtual servers, containerized applications are deployed in confidential containers, and data is stored in confidential databases. As a result, leveraging technologies like KYOK and confidential computing gives businesses greater assurance that their data in the cloud is protected at rest, in transit, and in use.