Residing on disks, in computer memory or transferred by wire or wireless, data increasingly drives global economies. Try going a day without internet access. How isolated do you feel when you’re out of cell-tower range? Your day is driven by data, and the value of data is defined by its context and usage. A more formal way to describe this concept is data currency: value assigned to data to identify its financial significance to an individual or an organization. Let’s consider some examples to help you gauge the value of data currency:
- Your credit card number and PIN give you the ability to easily transact business in person or remotely worldwide. Your credit card number has value to you, to thousands of companies that you could potentially do business with, to the banks that handle credit transactions and to the credit card company. Although your credit card number consists of just a few digits, its data currency is significant.
- Medical records have value to the patient, to medical professionals and to insurance companies. Inability to access complete and accurate medical records could mean the difference between life and death. In addition, HIPAA compliance regulations must be met.
- Operational data generated by automated manufacturing processes have value to the employees monitoring the manufacturing line, to maintenance personnel and to the manufacturer of the automated equipment. Analyses of these data indicate whether operations are running smoothly and can also provide advanced warning of impending failure.
- Research notes, descriptions of proprietary processes and trial results have value to pharmaceutical companies, to medical researchers and potentially to patients. Decisions that impact lives as well as the financial health of organizations are based on this confidential information.
While assigning specific monetary values to each example is a complicated matter, note that the value of data currency hinges upon secure access to and control of the data. Loss or misappropriation of the data would have an economic impact.
Data drives the information economy
In order for data currency to retain its value, it needs to be protected, just as you would protect any other critical corporate asset. As data takes on greater value, greater protection efforts are required. Data security has become a priority for any data-intensive organization. Gartner, for instance, predicts 2018 worldwide security spending will reach $96 billion. The latest IBM-sponsored Cost of a Data Breach Study by Ponemon calculates the global average cost of a data breach to be $3.86 million. A few examples illustrate the potential impact on data currency as the result of cyber attacks:
- We’re all too familiar with news items concerning successful cyber attacks on financial institutions or the revelation of unauthorized sharing of personal information. The economic impact on companies is significant.
- A hospital in central Washington recently confirmed a data breach of patient records, specifically patient names and treatments. Unauthorized persons gained access via an employee email account. Companies are often hesitant to admit to the public that their cybersecurity strategy has holes; in this case, the breach was discovered two months prior to the public announcement. While the economic impact in this example may, on the wide spectrum of data breaches, ultimately be negligible, the public acknowledgment of error diminishes trust in the institution.
- Operational data generated by manufacturing, utilities, transportation or civic infrastructure are prime targets for disruptive cyber attacks. In these instances, data currency equals safe and efficient operations. Successful penetration of the digital systems and manipulation of data that keep these systems running smoothly would have a disastrous impact—economically, socially and politically.
- Cyber theft of intellectual property may not have the widespread impact of a financial or personal data breach, but economic damage can be considerable, as any patent or copyright lawyer will confirm.
To maintain data currency, data must be securely managed and made accessible only to authorized users. In the current technology climate, that’s easier said than done. While this challenge is the utmost concern of organizations that own and/or manage the data, governments are also increasingly focused on the problem.
Government incentives to bolster data security
Although institutions should be sufficiently motivated to attain the proper level of data security, efforts across industries and countries have been inconsistent. Governments are attempting to remedy this shortcoming with prescriptive regulations and significant sanctions. These fines can make the necessary data security expenditures seem like small change in comparison.
The General Data Protection Regulation (GDPR), recently implemented throughout the EU, is one of the most coordinated and focused efforts to date. Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), while in the US, the Health Insurance Portability and Accountability Act (HIPAA) governs medical information. Brazil’s Civil Rights Framework for the Internet, passed into law in 2014, covers the collection, maintenance and use of personal data. These laws are both a boon and a burden: They strengthen data security, but simultaneously present challenges to enterprises operating in multiple countries that must comply with the varying regulations.
Best practices to protect your data currency
As the data currency of the information you manage increases, how do you protect these assets while making them accessible only to authorized individuals, systems, and applications? The Gartner report lists a wide range of data security categories: identity access, infrastructure protection, network security, security services and consumer security. It’s clear multiple components are required to build proper defenses against cyber attacks. One foundational component of security services is data encryption—specifically, encryption key management.
When managed correctly, data encryption is a best practice for protecting data currency. In the event of an attack, encrypted data remains valueless ciphertext without access to the encryption keys. However, with widespread adoption of the cloud, the vast majority of organizations use multiple cloud providers, making encryption key management complex.
The limitations of HSM and KMS
Every cloud service provider offers a different approach to encryption key management. Some offer hardware security modules (HSMs) to manage encryption keys. Others have developed key management services (KMS) as an alternative to HSMs. If you’re an enterprise working with multiple cloud service providers, you’ll need to learn and master the encryption key tools supplied by each of your providers.
Data security organizations are already understaffed as a result of the widespread shortage of cybersecurity skills. Standardization and simplicity are needed for encryption key management in multicloud environments.
HSM as a Service: an ideal alternative for multicloud environments
The ideal alternative to HSM and KMS is the concept of HSM as a Service, which provides HSM-grade security with on-demand cloud availability. HSM as a Service is cloud-neutral and supports encryption key management on leading cloud platforms such as AWS, Azure, IBM, Google, and Oracle, in private, public or hybrid environments. HSM as a Service simplifies encryption key management without sacrificing security by:
- Providing a single, centralized control point for managing the entire encryption key lifecycle: creation, distribution, rotation, refreshment and retirement
- Enabling users to easily assimilate encryption keys from corporate resources or existing services
- Supporting Federal Information Processing Standards (FIPS) to ensure computer security and interoperability among systems and networks.
- Ensuring keys are never available in plaintext to any software component.
- Storing keys in an encrypted database when not in use. When in use, the keys are only available inside a secure enclave.
Keys stored separately for added data currency protection
HSM as a Service brings an additional level of security to protect data currency. Encryption keys managed by HSM as a Service are stored separately from encrypted data. Because of this separation, a cyber attack on the data store yields only ciphertext, and an attack on the key store alone provides no access to the encrypted data.
In this way, HSM as a Service complements the data management services of leading cloud providers with a “shared responsibility” model between cloud providers and customers. The cloud provider is responsible for the security of the cloud, and the customer is responsible for the security in the cloud. Only the customer, not the cloud provider, has management responsibilities and secure access to the encryption keys.
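The key lifecycle and key separation described above are usually implemented as envelope encryption: each record is encrypted under its own data key, and the data keys are wrapped by a key-encryption key (KEK) that never leaves the key service. The Go program below is an added illustration of that pattern; it is not code from this article or from any HSM as a Service product. The KeyService type is a hypothetical in-process stand-in for the HSM-backed control point, the record contents are a constructed sample, and AES-256-GCM from Go's standard library stands in for whatever wrapping mechanism a real service uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM under key, prepending a random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects a wrong key or a tampered blob.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// KeyService is a hypothetical stand-in for the centralized key control point.
// The KEK never leaves it: callers only get generate/unwrap/rotate operations,
// which is the "keys never in plaintext to any software component" property.
type KeyService struct {
	kek []byte
}

func NewKeyService() (*KeyService, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{kek: kek}, nil
}

// GenerateDataKey returns a fresh per-record data key and its KEK-wrapped form.
// The caller uses the plaintext copy once and persists only the wrapped copy.
func (k *KeyService) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.kek, plain)
	return plain, wrapped, err
}

// Unwrap recovers a data key; it fails unless this service holds the right KEK.
func (k *KeyService) Unwrap(wrapped []byte) ([]byte, error) {
	return open(k.kek, wrapped)
}

// Record is what the data store holds: ciphertext plus the wrapped data key.
// Stolen on its own it is only ciphertext, because the KEK lives elsewhere.
type Record struct {
	Ciphertext []byte
	WrappedKey []byte
}

func EncryptRecord(ks *KeyService, plaintext []byte) (*Record, error) {
	dk, wrapped, err := ks.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, plaintext)
	if err != nil {
		return nil, err
	}
	return &Record{Ciphertext: ct, WrappedKey: wrapped}, nil
}

func DecryptRecord(ks *KeyService, r *Record) ([]byte, error) {
	dk, err := ks.Unwrap(r.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dk, r.Ciphertext)
}

// RotateKEK installs a new KEK and re-wraps each record's data key under it.
// The ciphertext is untouched, so rotation does not require re-encrypting data.
func (k *KeyService) RotateKEK(records []*Record) error {
	newKEK := make([]byte, 32)
	if _, err := rand.Read(newKEK); err != nil {
		return err
	}
	for _, r := range records {
		dk, err := open(k.kek, r.WrappedKey)
		if err != nil {
			return err
		}
		if r.WrappedKey, err = seal(newKEK, dk); err != nil {
			return err
		}
	}
	k.kek = newKEK
	return nil
}
```

Two things the program shows that the prose only states: a copy of the records handed to a KeyService with a different KEK fails to decrypt (the unwrap step errors out), and rotating the KEK re-wraps only the small data keys while the stored ciphertext stays as it was. In a real deployment the re-wrapped keys would be written back to the data store transactionally, and the KEK would be held inside the HSM rather than in process memory as in this stand-in.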
As data currency continually increases in value and importance, enterprises will be challenged to search for new ways to keep that data secure. To meet the challenges of protecting data currency against cyber attacks, complying with numerous country-specific data regulations, and coping with a shortage of cybersecurity skills, adopting an HSM as a Service approach for encryption key management in multicloud environments can ensure greater security and simplicity.