Maneuvering the Data Privacy Maze

As enterprises increasingly shift larger workloads and data sets into multiple cloud and/or SaaS platforms, concerns around meeting data privacy, residency and compliance regulations have risen exponentially. The recent EU General Data Protection Regulation (GDPR) has been billed as the most important development in data privacy regulations in 20 years, mainly due to its stiff penalties and global implications. However, practically every industry has been dealing with industry and government compliance regulations for decades. From the global Payment Card Industry (PCI) security standards to the U.S. Health Insurance Portability and Accountability Act (HIPAA) and Personally Identifiable Information (PII) regulations, how companies are handling business and personal data has long been an ongoing concern.

Given the number of high-profile breaches in 2018, there is a heightened awareness around data privacy and protection regulations among the general public, and increasing scrutiny of how companies are managing user data. And with data moving from the data center into the cloud, out of a company’s direct control, more effective security strategies at local, national and global levels are required to protect corporate-owned data and intellectual property, as well as the data customers entrust with those companies. To ensure more comprehensive data protection and compliance throughout the enterprise, IT organizations need to deploy proactive security processes via distributed data management architectures, including private interconnection to hybrid and multicloud infrastructures and data repositories.

Protecting data in transit, at rest and in memory

Encryption has been the primary mechanism to protect data since public key encryption was invented in 1976. Encryption does not allow data to be “seen,” and generally applies to three data states: “in transit” data moving between different places, “at rest” data on disk and “in memory” data currently being processed on a system. However, according to the 2018 Ponemon Institute findings on global encryption trends, less than half (43%) of organizations have a consistent, enterprise-wide encryption strategy. It is even more surprising to know that 61% of respondents said their organizations transfer sensitive or confidential data to the cloud, whether or not it is encrypted or made unreadable via some other mechanism such as tokenization or data masking.[i]

This inconsistent approach to data encryption management increases the likelihood of many common data breaches, especially if the data is being transferred between on-premises locations and the cloud over the public internet. And if data is being backhauled over the public internet from the edge, where most data is created and consumed, to be processed at centralized enterprise data centers, that also increases the attack surface creating more opportunities for data loss. What’s needed is encryption key management methods that consistently extend key management from on-premises data infrastructures to the cloud or out to edge locations via private interconnection, to ensure end-to-end data management protection.

How private interconnection plays its part

Private interconnection plays a critical role in ensuring data is safe in transit by eliminating the need for data to be sent over the public internet. Data can be transferred from the edge, to the cloud, or other SaaS services, privately, without the need to expose the data to the internet greatly reducing the attack surface. Private interconnection enables low-latency, high-speed communications at the physical layer (Layer 1) and does not place anything between you and the people or things you are trying to interconnect with, an important safeguard for protecting sensitive data from being intercepted by others.

How we see companies addressing data protection and compliance

Moving forward, we see enterprises being able to prevent data breaches and retain control over their data in the following ways:

  • Leveraging new data encryption techniques, such as fully homomorphic encryption (FHE) that allows computations to be performed on encrypted data, without requiring access to the raw information. This allows for the information to remain private and secure, but still gain the insights needed. FHE has current limitations in performance, but there are many researchers and companies working to overcome these challenges.
  • Utilizing techniques such as tokenization, which is the principle of substituting an actual piece of data for pseudo data with a token. This prevents the actual data from being shared with a third-party while still being able to process and conduct digital business.
  • Leveraging technologies, such as confidential computing, which process data in secure hardware enclaves even in a multi-tenant environment. This technology creates a secure, trusted execution environment on the server, which prevents malicious code, malware or event root authority on the same server from having access to the contents of the secure enclave. This technology protects data at rest, in transit and in memory, and is available today from companies such as Intel or AMD and with open source projects such as Keystone.

The latter is the same technology that is being used in the Equinix SmartKey™ HSM-as-a-service solution. Equinix SmartKey is a global SaaS-based, secure key management and cryptography service offered on cloud-neutral Platform Equinix®. It provides key storage, encryption and tokenization, and addresses performance and governance, risk management, and compliance requirements at the digital edge, close to clouds, carriers and counterparties, restricting key access to authorized users. Equinix SmartKey simplifies data protection across any digital architecture by securely storing encryption keys at Equinix, separate from but in proximity to the Edge, Clouds and SaaS.

Leveraging security operations control as a service using private interconnection

At Equinix, we have a growing security ecosystem, with a number of partners that have developed security services across hybrid and multicloud platforms leveraging the Equinix Cloud Exchange Fabric™ (ECX Fabric™).

You can see the power of the flexible, cost-effective security operation center service available on Platform Equinix reflected in our work with our customer Motiv. The Motiv SOC solution collects, analyzes and correlates all activities on the application and associated data in a centralized manner for its customers as a service, so deviations can be recognized and reported quickly. Motiv also provides real-time alerting to deliver faster insights to customers so they can immediately analyze and solve potential security breaches. Platform Equinix enables Motiv to gain secure, private access to multiple public cloud providers via global, software-defined interconnection that is enabled by ECX Fabric. “Our security monitoring solution’s real-time alerting gets quicker insights to our customers so they can immediately analyze and solve problems,” said Maarten Lutterman, senior technology specialist, Motiv. “Equinix Cloud Exchange Fabric, with its fast and secure multicloud access, is the underlying interconnection platform that’s making it all happen.”
Learn more about Equinix SmartKey and how to deploy best practices in managing data security throughout your enterprise via our Interconnection Oriented Architecture® (IOA®) Security Blueprint.

Be sure to check out our other Predictions 2019 blog posts:

[i] Ponemon Institute, “Global Encryption Trends Study,” 2018.