Cloud Security Alliance Guidance for Data Ownership and Control Best Practices Emphasizes Importance of Encryption of Data-in-Use
October 2012 by Cloud Security Alliance
In recently released implementation guidance issued by the Security as a Service Working Group, the Cloud Security Alliance has incorporated a set of recommendations for cloud end users to adopt encryption of data-in-use as a best practice. The guidance notes that it is critical that the customer, and not the cloud service provider, is responsible for the security and encryption protection controls necessary to meet their requirements.
In its guidance focused on email security and encryption (SecaaS Implementation Guidance - Category 4: Email Security), the CSA specifies as a best practice that organizations should adopt technologies that allow sorting and searching of encrypted text, while reducing the amount of data needing to be decrypted. Specifically, the independent organization recommends encrypting data before it goes to the cloud and maintaining segregation of duties by keeping the encryption keys in the direct control of the customer, not the cloud provider. Implementation guidance for encryption as a service (SecaaS Implementation Guidance - Category 8: Encryption) also notes that once data is safely transmitted to a cloud service provider, it should be stored, transmitted and processed in a secure way.
This CSA guidance aligns with Vaultive’s capabilities for pre-cloud encryption and its approach of implementing three states of cloud data encryption (encryption of data-at-rest, data-in-transit and data-in-use), as well as limiting access to the encryption keys exclusively to authorized users within the organization where the data originates, and trusted parties. Vaultive is a provider of cloud data encryption solutions designed to maintain the control, security and compliance of data processed by cloud-based services.
In line with the CSA guidance related both to cloud encryption and email security, Vaultive’s advanced encryption capabilities are designed to enable cloud end users to maintain control and ownership of organizational data processed by third-party services in order to address concerns including data security, compliance, unauthorized disclosure and data residency or privacy regulations. As a result, the cloud provider never has access to customer data in its unencrypted form, and enterprise cloud data remains unreadable if an unauthorized third party attempts access, or even if the data is disclosed in response to a government request.
At CSA Congress 2012 held in Orlando, FL, Vaultive will be conducting a session on best practices for maintaining control and ownership of data in the cloud and the delineation of roles and responsibilities between cloud service providers and end users.
“Cloud Security Alliance Implementation Guides help organizations effectively decipher what best practices should be and set the global standard for companies seeking to utilize the cloud in a secure manner. We are very pleased that the recommendations made in the latest version of the CSA guidance mirror Vaultive’s own approach to cloud data encryption,” said Maayan Tal, Co-Founder and CTO of Vaultive. “Vaultive allows organizations to implement the three complete states of data encryption to ensure sensitive data is secure in the cloud at all times, just as the CSA advises.”
CSA Implementation Guidance research seeks to establish a stable, secure baseline for cloud operations in order to provide a practical, actionable road map for managers wanting to adopt the cloud paradigm safely and securely. In keeping with its mission, the CSA recently released the third edition of its guidance to provide greater clarity around the area of Security as a Service. The complete CSA Implementation Guidance is available now for free download.