Adopting the Cloud While Adhering to Domestic & Foreign Government Regulations

by David Canellos, PerspecSys
Wednesday, October 2, 2013

As cloud adoption continues to grow, it is becoming apparent that government regulations and cloud usage don’t always work in harmony. While the cloud is sometimes viewed as a type of panacea for data storage, improved operational efficiencies, and application access, taking advantage of it in the public sector can present some major challenges – especially considering the sensitive nature of the data and the various government regulations put in place to protect it.

The situation is more complex when also considering international regulations, which frequently include data sovereignty provisions that seem to indicate the public cloud and some private clouds cannot meet their standards. There are often stark differences between country-specific policies that can, at times, conflict with one another. And with recent headlines of government surveillance by the US and UK, the call for even stricter privacy regulations by the EU and others is likely only to grow.

This leaves government IT decision makers with many important issues to consider, with the most important question being:

Should the public sector move to the public cloud, hoping that the safeguards the cloud providers have put in place will adequately secure their sensitive data, or must they forgo the benefits of the cloud for the sake of security and keep all applications and data in-house?

We believe there are viable solutions available that, interestingly enough, make the answer neither.

A Strategy for Secure Cloud Adoption

The solution for government organizations is to adopt a cloud strategy already used by many innovative commercial enterprises and public sector entities, which offers powerful data privacy, residency and security capabilities and puts full data control in the hands of the cloud user. With the right data protection policies and technology in place, all sensitive information can be kept in-house, leaving the security of the data in the hands of the organization.

Even with more cloud providers obtaining Federal Risk and Authorization Management Program (FedRAMP) approval and adhering to National Institute of Standards and Technology (NIST) recommendations, the risk of hacking and unauthorized third-party access to cloud environments still exists. Keeping the inherent risks of the cloud in mind, many organizations have now adopted a policy of keeping all sensitive data in house, all while utilizing both public and private Software as a Service (SaaS) and Platform as a Service (PaaS) applications.

These organizations are utilizing tokenization and/or encryption technologies to obfuscate data that is processed or stored in the cloud, leaving the information undecipherable, and hence fully protected, if it were to be viewed by an outside party. The cloud data protection gateway that provides these security techniques is typically deployed in the organization’s own datacenter, and anyone with authorized access can still readily utilize the protected data with the same user experience and full cloud application functionality – such as searching and sorting on encrypted or tokenized data – while complying with strict government regulations.

Important Data Protection Strategy Decisions

Encryption and tokenization are proven solutions already operating in heavily regulated corporate settings. An important part of adopting this strategy, though, is to consider which data needs the most security, which must remain on site, and how to protect it. The decision between encryption and tokenization is an important internal step within this strategy.

Encryption enables organizations to store their encryption keys within the geographical area of origin, keeping sensitive data, such as personally identifiable information (PII), protected in the cloud. When encrypted, the information in the cloud is unreadable and can only be translated back into its original form when it is paired with the encryption key held by the government organization. It is important to realize that not all forms of encryption are equal, though, and NIST guidelines in the U.S. require that all Sensitive But Unclassified (SBU) data be protected with encryption that is currently certified to the FIPS 140-2 standard.

Tokenization assigns randomly generated values, or tokens, to sensitive data. The tokens are then sent to the cloud for processing and storage, remaining completely undecipherable to anyone accessing the information outside of the government agency. Unlike encryption, where only the encryption keys stay resident within an organization, tokenization provides the additional benefit of full data residency, which means the sensitive data never moves beyond the government agency’s firewall. As in the case of encryption, not all forms of tokenization are the same. There are various methods of creating a token, some highly random and others, based on algorithms, less so. The former techniques, which produce random token values, are inherently stronger, so organizations should insist on these approaches and should look for solutions that have been audited to adhere to the PCI DSS guidelines.

In addition to determining the appropriate data protection approach to use, agencies need to address the critical issue of how much of their data requires protection. There’s a significant difference between encrypting a few dozen fields of sensitive information and encrypting all fields, which, for a federal agency, could reach well beyond terabytes of information. In the interest of flexibility, cost savings and time savings, an agency needs to determine just how much data, and which data, needs to be tokenized or encrypted before going to the cloud.
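The random-token approach and the per-field selection described in the two paragraphs above, shown as an added example that is not PerspecSys code or any product's API. `TokenVault`, `SENSITIVE_FIELDS`, the helper functions and the sample records are hypothetical names and constructed data; the sketch covers equality search only.

```python
import secrets

SENSITIVE_FIELDS = {"name", "ssn"}  # hypothetical policy: fields that must stay on site

class TokenVault:
    """In-house vault; both lookup tables stay behind the organization's firewall."""

    def __init__(self):
        self._by_value = {}  # clear text -> token
        self._by_token = {}  # token -> clear text

    def tokenize(self, value):
        # Reuse an existing token so equal values still match in the cloud.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)  # random, not derived from value
        while token in self._by_token:  # collision is improbable; check anyway
            token = "tok_" + secrets.token_hex(16)
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def find_token(self, value):
        return self._by_value.get(value)  # None if the value was never tokenized

    def detokenize(self, token):
        return self._by_token[token]  # KeyError for an unknown token

def to_cloud(vault, record):
    """Replace sensitive fields with tokens before the record leaves the site."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def from_cloud(vault, row):
    """Restore clear text for an authorized user inside the organization."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in row.items()}

def search(vault, cloud_rows, field, clear_value):
    """Equality search: the term is swapped for its token, the cloud compares tokens."""
    term = vault.find_token(clear_value) if field in SENSITIVE_FIELDS else clear_value
    return [from_cloud(vault, r) for r in cloud_rows if term is not None and r[field] == term]

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "ssn": "000-00-0001", "state": "VA"},
    {"name": "John Doe", "ssn": "000-00-0002", "state": "MD"},
]
```

Because the tokens are random, the vault is the only way back to the clear text, so it needs the same backup and access control as the data it replaces.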

Which Data Needs to Stay On Site

Most federal, state and local government agencies have data-privacy compliance requirements that keep sensitive data, and applications that interact with that data, within the organization and out of the cloud. Only non-sensitive information can be stored or processed in the cloud in its clear-text form. An example can be seen in the Criminal Justice Information System (CJIS) security guidelines, which specify where clear-text information from the applicable FBI databases can and cannot go. There are also regulations that kick in when government organizations work internationally. Not only must they honor U.S. laws, but they must consider international privacy mandates as well.

In some international markets, such as Germany, Australia and New Zealand, there are regulations that make it extremely difficult to move sensitive information to cloud providers that store data outside of their national borders. Regulations such as these make cloud adoption a challenge when cloud providers host information in data centers across geographic borders, which is a typical practice.

Here is where tokenization technology can be used to render sensitive data undecipherable, keeping critical information safe and on-premise within a particular geographical area. Many organizations, including some in the public sector in Europe, use this strategy as they utilize the cloud in order to comply with specific jurisdictional data sovereignty requirements dictating where sensitive data can physically reside.

Importance of Flexibility and Vigilance

Global data privacy laws and cloud regulations will continue to evolve and change over time. It will be important to stay vigilant to proposed changes in laws and regulations and to take proactive steps to ensure you are deploying the right data protection strategies to comply with the guidelines to which you must adhere.

Some organizations change from encryption strategies to tokenization approaches, and vice versa, as privacy and data residency requirements change. Make sure you have the same flexibility to adapt to changes that impact your organization.

As the cloud continues to evolve, it is proving to be a transformational technology for accessibility to software applications, processing power and storage. Federal organizations that want to stay current, take full advantage and remain compliant will have to meet mandates and laws that often seem to contradict one another – familiar ground for anyone who has worked in government.

Many private-sector organizations, including those in finance, health, manufacturing and others have been reaping the many benefits of the cloud with the tremendous security advantages offered by cloud data protection gateways – and now government agencies are doing the same as well.
