Data Encryption: a seat belt on the regulated cloud highway
Many approaches to multitenant cloud-based security involve securely routing and segregating one tenant’s data from another’s. This is one element of a complete data protection plan, but it is dangerous to rely solely on a “fortress mentality” when it comes to data security. A complete solution needs to incorporate encryption of data in motion and at rest in addition to perimeter techniques, especially when it comes to regulatory compliance.
Encryption and regulatory compliance
As evidence of this, consider that the Health Insurance Portability and Accountability Act (HIPAA) mandates the use of encryption for patient health information (PHI). In addition, of the four mechanisms the Payment Card Industry Data Security Standard (PCI-DSS) lists for secure storage of cardholder personal account numbers (PANs), encryption is the only mechanism that preserves the integrity of the information and allows it to be retrieved later. HIPAA and PCI also both have requirements for the secure disposal of media used to store sensitive information. An added benefit of encrypting data at rest is that it addresses data remanence issues, meaning that the data remain protected even if the media are not adequately wiped before disposal.
A recent survey of health care providers on HIPAA and data protection (“Data Privacy and security: How hospitals and providers view HIPAA mandates and data protection technologies,” SearchHealthIT.com Data Privacy and Security Report) reveals a general understanding of the benefits data encryption brings. Of the health care respondents surveyed, 40% plan to purchase encryption technologies within the next year to help achieve HIPAA compliance, and nearly half of respondents said that they are planning to spend more on clinical data encryption within the next two years. The report goes on to state that “HIPAA officials have said that when encrypted patient data is lost, it doesn’t count as a data breach and therefore is not a violation.”
Deploying data encryption easily and cost-effectively
Given the need for data encryption, the question becomes “how can cloud service providers deploy it without disrupting existing systems and at minimal cost?” In addition, “how can service providers ensure that only their customers have access to sensitive cardholder data, personal health information, etc.?”
AFORE CloudLink delivers secure multitenancy by providing customer-controlled encrypted storage and an SLA-monitored secure VPN, allowing cloud service providers to host regulatory-compliant multitenant infrastructures without the need to dedicate hardware to each tenant. Deployment of virtual machines using encrypted storage is seamless, and customers own and control the encryption keys, allowing them to retain complete control of their data, in motion and at rest. Cloud service providers benefit by being able to offer HIPAA- and PCI-compliant infrastructure services, and customers benefit by being able to stay compliant while realizing the benefits of cloud computing.


