To state that organisations are worried about data security in the cloud is to invite a sarcastic retort featuring bears and woods or the Pope and the Catholic church. Such fears are unquestionably the main barrier to wider use of cloud-based applications.
Despite the protestations of cloud vendors that their platforms are at least as secure as on-premise systems, breaches do happen, and when they do the compensation their customers can expect is minimal.
“Every time you’re tempted to use the word ‘cloud’ replace it with ‘someone else’s computer’,” advised security expert Graham Cluley, by way of reminding people what cloud really is. Just as you wouldn’t deliberately leave a wallet full of cash and credit cards in a stranger’s house so you shouldn’t put plaintext data on someone else’s server.
If you choose to use cloud services (i.e. someone else’s computers), you need to make sure that sensitive data is obfuscated before it is sent off on a journey to who knows where. Bears and woods, but of course it’s not as simple as that. Feed encrypted data into a cloud-based application designed to handle plaintext and you will break that application.
Now you see it...
The two main technologies for obscuring sensitive data are encryption and tokenisation, of which the former has the lion’s share. “Among our customers we’re seeing about 80 per cent encryption and 20 per cent tokenisation,” said Pravin Kothari, CEO of cloud information security firm CipherCloud.
Tokenisation, which dates back to 2005, differs from encryption in a number of ways. First, data never leaves the owner’s premises. Instead sensitive data such as a credit card number is replaced by a random string of characters – the token. It is this token that is passed to the application, be it in the cloud or anywhere else, for processing. Unlike encryption, there is no way that the token can be reverse engineered.
“In the payment card industry tokenisation has been the de facto standard for years,” said David Canellos, CEO of cloud security firm PerspecSys. “But now we’re seeing new use cases for it in the cloud paradigm.”
[click to enlarge]
The wider interest in tokenisation was initially driven by customers in Europe concerned about the US Patriot Act, Canellos said. “Encrypted data leaving your location is still data leaving your premises. Our customers across the globe who are contracting with US cloud suppliers are increasingly opting for tokenisation.”
The fact that sensitive data remains completely under the control of the organisation that owns it and the relative simplicity of handling tokens in the cloud compared with encrypted data leads Canellos to believe that tokenisation will become an increasingly important way of securely processing data in the cloud.
[click to enlarge]
However, it is not as simple as encryption vs tokenisation. For example, the token vault, which generates unique tokens to take the place of sensitive data, must be strongly encrypted as it represents the beating heart of the system and is sure to be a target for hackers. Both encryption and tokenisation have their strengths and weaknesses as we will see below.
The ideal combination of encryption and tokenisation for a particular organisation will be largely governed by the regulatory landscape in which it operates. For companies taking card payments and handling sensitive data such as card numbers and personal data, tokenisation makes compliance with PCI DSS (Payment Card Industry Data Security Standard) an easier proposition by taking aspects of the payment system “out of scope” of the regulations.
[Turn to next page]