Over half of security professionals will stop putting sensitive data in the cloud due to GDPR: survey
- Published: Wednesday, 28 June 2017 08:26
A new survey by eperi gives insights into what the new EU General Data Protection Regulation (GDPR) will mean for organizational cloud practices. The study indicates uncertainty when it comes to cloud security, as 53 percent of respondents said that GDPR data security requirements would keep them from putting sensitive data in the cloud. For the majority (85 percent) this was due to their lack of confidence in the protection of sensitive data. In addition, 72 percent noted that they would have to re-evaluate their data security requirements in the cloud because of the regulation, which comes into force in May 2018.
“GDPR has meant that the age-old debate about the adequacy of security in the cloud has reared its head again,” said Ravi Pather, senior vice president of eperi. “Fines under the regulation seem to be the main driver for meeting compliance, as it’s likely to be an organization killer for the worst offences. But with all of this hype, organizations must not forget that if they first and foremost secure the data that goes into the cloud through encryption or tokenisation and remain in control of the encryption keys, the scope of GDPR can be significantly reduced.”
Encrypting or tokenising data means that it is scrambled by an algorithm to such an extent that it is rendered unusable to any unauthorised party attempting to access it. The only way to decrypt the data is to use a key, which ideally should be under the control of the organization that owns the data. Currently, Pather points out, this is where many companies fall down in relation to GDPR, as 54 percent admitted that they rely on their cloud or software as a service (SaaS) provider to encrypt data and just over half (51 percent) think that it is acceptable for the solution provider to control all or part of the encryption keys.
“Where 54 percent rely on the SaaS vendor for encryption, this is usually for 'data at rest', which under GDPR is only a subset of the 'comprehensive security' guidelines and recommendations, which specify the protection of PII and sensitive PII 'data in motion', 'at rest' and 'in use',” Pather explained. “In the event of data compromise or loss, if the organization is in full control of its own encryption keys, it can avoid the notification step altogether if the data is unreadable to the world outside the organization,” he continued. “In contrast, if the cloud or SaaS provider controls the keys and they are breached, then there is no way to be certain the organization’s data is safe and notifications and fines will ensue.”
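As an added illustration of the point Pather makes (example code written for this page, not eperi's product or anything from the article): the organisation tokenises PII with a key and a token vault that it alone holds, so a breach of the provider's store yields only opaque tokens, while the provider can still match records on those tokens. The class names, the key and the sample records are assumptions.

```python
import hashlib
import hmac

class TokenVault:
    """Inside the organisation's perimeter: holds the key and the
    token-to-value map; neither ever reaches the provider."""
    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # token -> original sensitive value

    def tokenize(self, value: str) -> str:
        # Keyed, deterministic token: equal inputs give equal tokens, so the
        # provider can still match or de-duplicate records ("data in use")
        # without ever seeing the value; without the key, tokens are opaque.
        tag = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + tag[:32]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # only the organisation can do this

class SaaSProvider:
    """Cloud side: stores what it is given; holds no key and no vault."""
    def __init__(self):
        self.records = []

    def store(self, record: dict) -> None:
        self.records.append(record)

    def breach_dump(self) -> list:
        return list(self.records)  # what an attacker gets from a provider breach

def run_scenario():
    # Constructed sample PII (not real people).
    customers = [
        {"id": 1, "email": "alice@example.com", "plan": "pro"},
        {"id": 2, "email": "bob@example.com", "plan": "free"},
        {"id": 3, "email": "alice@example.com", "plan": "pro"},  # repeat customer
    ]
    vault = TokenVault(key=b"key-generated-and-rotated-by-the-org")  # assumed key
    provider = SaaSProvider()
    for c in customers:
        provider.store({**c, "email": vault.tokenize(c["email"])})
    dump = provider.breach_dump()
    leaked = any("@" in r["email"] for r in dump)   # plaintext PII in the dump?
    distinct = len({r["email"] for r in dump})      # provider can still de-duplicate
    restored = vault.detokenize(dump[0]["email"])   # reversal needs the org's vault
    return leaked, distinct, restored
```

The provider keeps full use of the non-sensitive fields and can still count or join on the tokenised column, which is why tokenisation before upload narrows the data the regulation treats as exposed in a breach.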