When a jacket I’d originally purchased from a major outdoor sportswear retailer began to delaminate, I returned it to the store. The sales assistant immediately accessed my entire purchase history—all eight years’ worth—and identified the original sales transaction, then promptly replaced the jacket. Well-managed identifying data, also known as personally identifiable information (PII), made this transaction effortless. I remain a satisfied customer.
Stored and accessible PII, which is broadly defined as any information that could be used to identify an individual, facilitates these transactions for all consumers. However, near-weekly reports of significant data breaches have raised concerns about the ability of retailers and other organizations to keep consumer records secure. For the sake of convenience and enhanced service, consumers are willing to provide personal information to companies—but they expect those companies to protect that PII, to use the best possible practices to keep that information confidential, and certainly to keep it out of the hands of the bad guys.
Personally Identifiable Information: an expanding definition
As technology permeates every aspect of our lives, an ever-increasing stream of information about individuals is generated, gathered and tracked. Retailer-maintained data are only a small part of it: PII can be gathered from almost everywhere, including medical and financial records, employer histories, social media accounts and most online transactions and interactions. As a result, the definition of personally identifiable information is constantly expanding. Previously, an individual’s name, address, phone number and social security number were considered standard identifiers, along with private information such as credit card numbers and associated credit details, financial institutions, bank account numbers and so on. Now, PII can also include workplace addresses, email addresses, IP addresses, GPS locations, biometric data, blood type, health vital signs and any other information that could be used, whether on its own or in combination with other PII, to identify a specific individual or an individual’s private information. Organizations are charged with keeping the PII they collect and maintain secure—a difficult task, especially considering the ever-expanding definition of that information. Government regulations such as GDPR further add to an organization’s PII security responsibilities concerning safe and appropriate methods of data acquisition and usage.
The rapid adoption of cloud computing presents additional PII security challenges for enterprises, particularly for those using multiple cloud providers to support their application and data storage needs. Between the expanding definition of PII and the proliferation of data managed in the cloud, what are the best practices for effectively managing PII security? In particular, how are encryption keys—a crucial component of any strategy for protecting data—securely managed in multicloud environments?
Know your data
When was the last time you conducted a complete inventory of data in your organization? While daunting, this is an essential task, and PII security compliance regulations provide added motivation for conducting it in a timely manner. To help you gain a better understanding of the current state of data security, we suggest beginning your inventory by asking these basics:
- What applications do you have under management? Start by inventorying these.
- Who owns each application?
- For each application, what data does it collect and/or store? Who owns the data?
- For each application, what are the data used for? Do the data still have business value?
- Where are the data stored, both physically and logically?
- Which data are subject to data sovereignty regulations regarding PII?
- Which data qualify as company I.P.?
- Overall, are all the data securely protected—not just the PII? Consider access controls, least privilege access and encryption of data at rest and in motion.
- What are the risks—financial and reputational—if the data are compromised?
- What data security and encryption methods are currently in effect?
In addition to numerous legacy on-premises software applications, the adoption of cloud-based business applications such as Salesforce, Box, Workday, Zenefits, Slack and Marketo, as well as cloud-based database-as-a-service offerings, each operating in a different cloud environment, brings additional challenges when conducting a data inventory. The results of your inventory should underscore the need for a data security strategy that can consistently and effectively protect data, both on-premises and across multicloud environments.
Determine the appropriate level of security
After conducting the data inventory, the next essential step is the development of a scheme to assign security levels appropriate to those data. If your industry is retail, banking, finance, insurance, payments or healthcare, your PII customer data security scheme will be driven by government and industry regulations—not to mention the desire to avoid being tomorrow’s data breach headline. If your enterprise is primarily B2B, you’ll probably be mostly concerned with protecting employee information and company intellectual property. The necessary level of security to protect that data will vary by industry and types of data managed.
Encryption and key management: the bedrock of data security
After completing your inventory and determining the appropriate level of data security, shift your focus to applying the appropriate security controls to customer and company PII. Encryption plays a vital role in protecting company and customer PII; it should be applied judiciously, both to secure data and to minimize the overhead of encryption/decryption processing. Bear in mind that encryption for some data may be unwarranted. While encrypting an entire database, for example, might sometimes prove unnecessary and/or impractical, specific tables—or rows or columns within tables—contained within that database may need to be encrypted to provide the required level of security.
The Online Trust Alliance 2017 Cyber Incident and Breach Response Guide is very clear in emphasizing the importance of encryption and key management:
Encryption of data at rest / in storage and in transit is a fundamental security requirement and the respective failure is frequently cited as the cause for regulatory action and lawsuits. If an organization properly encrypts its data with strong, industry-standard cryptography […] and properly manages cryptographic keys used, it can effectively contain the effects of an incident. It is essential that companies carefully consider not only the strength of encryption, but also the proper management of cryptographic keys. (p. 14)
While you have several choices regarding implementation and management of encryption keys, your current cloud strategy plays a deciding factor in determining which method you choose. Organizations that have transitioned from on-premises data and application management to a private or hybrid cloud environment may want to continue their strategy of purchasing and provisioning hardware security modules (HSMs) located in their own data center. Familiarity with HSM operations and on-premises experience would support that decision. Meanwhile, organizations that have contracted with a single cloud vendor are likely to use the vendor’s key management service (KMS).
However, if you are like the growing majority of enterprises, you are already contracting with multiple cloud and SaaS providers. RightScale’s 2018 State of the Cloud Report indicates that the average enterprise is already using five or more cloud environments. Not all cloud platforms offer equal functionality: Some offer better features than others, while some cloud applications only run on certain platforms. These constraints force enterprises into multicloud arrangements. Unfortunately, multicloud environments present problems with respect to data security and the consistency of encryption key management methods.
Each cloud provider has a different approach to key management services. In addition, storage of both encryption keys and encrypted data by the same entity—i.e. the same cloud provider that is storing the data—increases the chance of data breach. A hacker gaining access to encryption keys can then access encrypted data stored by the same entity. Best practice is to keep encryption keys separate from the encrypted data, both physically and logically, under two different domains of management control, so that a compromise of the data store alone does not expose customer and company PII.
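The separation recommended here, and the column-level rather than whole-database encryption recommended under "Encryption and key management" above, can be shown together with envelope encryption: each PII field is encrypted under its own data-encryption key (DEK), and only a wrapped copy of that DEK is stored beside the ciphertext, while the key-encryption key (KEK) stays with a key service in a separate management domain. The Go program below is an added example written for this page, not code from the article, Equinix or SmartKey. It assumes an in-process KeyService as a stand-in for an external HSM or KMS (KeyService, NewWrappedDEK, UnwrapDEK, CustomerRow, EncryptRow and DecryptSSN are all names constructed for illustration, as is the sample customer row) and uses only the standard library's AES-256-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyService stands in for an external key manager (HSM/KMS) in its own management domain: it holds the KEK and never releases it.
type KeyService struct {
	kek []byte // assumption: generated in-process for illustration; a real HSM never exposes it
}

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and returns nonce||ciphertext||tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a tampered blob or a mismatched aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// NewWrappedDEK mints a fresh per-row DEK, returned in the clear for immediate use and wrapped under the KEK for storage; UnwrapDEK is the only path back.
func (k *KeyService) NewWrappedDEK() (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.kek, dek, []byte("dek-wrap"))
	return dek, wrapped, err
}

func (k *KeyService) UnwrapDEK(wrapped []byte) ([]byte, error) {
	return open(k.kek, wrapped, []byte("dek-wrap"))
}

// CustomerRow models one database row in which only the PII column is encrypted; Region stays queryable in the clear.
type CustomerRow struct {
	ID         string
	Region     string
	SSNCipher  []byte // AES-GCM ciphertext of the SSN, bound to ID through the AAD
	WrappedDEK []byte // opaque without the KEK, which lives only in the key service
}

// EncryptRow encrypts the SSN column under a per-row DEK and stores only the wrapped DEK beside it.
func EncryptRow(ks *KeyService, id, region, ssn string) (row CustomerRow, err error) {
	var dek []byte
	if dek, row.WrappedDEK, err = ks.NewWrappedDEK(); err != nil {
		return CustomerRow{}, err
	}
	row.ID, row.Region = id, region
	row.SSNCipher, err = seal(dek, []byte(ssn), []byte(id))
	return row, err
}

// DecryptSSN needs both halves: the row from the data store and the key service's KEK.
func DecryptSSN(ks *KeyService, row CustomerRow) (string, error) {
	dek, err := ks.UnwrapDEK(row.WrappedDEK)
	if err != nil {
		return "", err
	}
	pt, err := open(dek, row.SSNCipher, []byte(row.ID))
	return string(pt), err
}

func main() {
	ks, _ := NewKeyService()
	row, _ := EncryptRow(ks, "cust-1001", "EU", "123-45-6789") // constructed sample PII
	fmt.Println(DecryptSSN(ks, row))
}
```

In production the UnwrapDEK call is a network request to the key service in the other management domain, so a copy of the data store (ciphertext plus wrapped DEKs) yields nothing without that service, and a second key service with a different KEK cannot read the rows either. Using the row ID as GCM associated data also means a ciphertext copied into another row fails authentication rather than decrypting to someone else's record.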
Keeping PII secure in multicloud environments
Given the inefficiency of adhering to different encryption key management methods for each cloud environment, how can enterprises reduce complexity while still maintaining a proper level of PII security? Taking a cloud-agile approach reduces the number of encryption key management methods to a single method, while also allowing encryption keys to be maintained separately from encrypted data to provide the highest level of security for customer and company PII. Such a cloud-agile solution—SmartKey—is available today as Hardware Security Module as a Service (HSMaaS). It’s specifically designed and deployed to provide secure key generation, management and cryptography services for multicloud environments.
SmartKey is offered by Equinix, a leader in global connectivity—physically and virtually—for digital business around the world. SmartKey on Platform Equinix® provides cloud scalability, secure key/secret generation, storage, life-cycle management, encryption and tokenization services that address risk and compliance requirements associated with secure management of company and customer PII.
Explore the benefits of using SmartKey for encryption key management. SmartKey’s HSM as a Service delivery model simplifies the provisioning and control of secure secret/key storage. Get started by registering for a free trial to see how SmartKey can help you efficiently manage encryption keys in multicloud environments.