Financial Data Cloud Security: Using Encryption & Tokenization

Cloud computing is generating an incredible amount of excitement and interest from companies across the financial services industry, and for good reason. In response to concerns about information access and usage by both public and private corporations, cloud computing has spawned an entirely new body of law, generated new policies, created new standards, and raised new concerns.

For the Financial Services industry, specific legislation such as the Gramm-Leach-Bliley Act (GLBA) and regulations surrounding Personally Identifiable Information (PII) require organizations to adhere to an ever-changing set of standards, laws, and guidelines in order to safeguard their company’s private and business-sensitive data while complying with the law. GLBA’s Financial Privacy Rule requires institutions to provide an annual notice to customers explaining how their data is maintained and shared, as well as the steps taken to protect it. Similarly, the Safeguards Rule requires institutions to implement an information security program, and the adoption of public cloud services can significantly complicate that task.

In the past, data security and regulatory concerns kept Financial Services companies away from the cloud, but those concerns have dissipated. While care and governance are still required to assess and address security risks and compliance, Financial Services organizations are realizing that online vulnerabilities do not necessitate slowing their adoption of the cloud.

Two ways Cloud Data Protection Gateways protect information in the cloud:

  1. Encryption
    Encryption is a strategy cloud service providers use to protect enterprise cloud data from any unauthorized access. Cloud Data Encryption mathematically transforms data so that it is indecipherable without the “key” that can be used to change the data back to its original form.

    Enterprises intent on deploying cloud data encryption need to engage their IT and Security teams to ensure that the strength of the encryption being used is well understood. They need to look for peer-reviewed security proofs and understand the implications for end users of cloud applications when strong encryption techniques, such as FIPS 140-2 validated modules deployed in FIPS mode, are used.
  2. Tokenization
    Tokenization is a process by which a sensitive data field, such as an account number or a national ID number, is replaced with a surrogate value called a token. Tokenization helps solve the issue of storing data in a US-based cloud because what is stored there is not the data itself, but a meaningless string of numbers or letters. Strong tokens cannot be reversed back to their original values without access to the “look-up” table that matches them to their original values. These tables are typically kept in a “hardened” database in a secure location inside a company’s firewall.

    Tokenization differs significantly from encryption: there is no cipher algorithm that mathematically transforms the surrogate value back to the sensitive data’s original value. So while encryption can clearly be used to conceal a value, a mathematical link back to its true form still exists.

    Tokenization is unique in that it completely removes the original data from the systems in which the tokens reside. And when tokenization is deployed within a cloud data protection gateway, the end-user’s experience with the cloud application is kept intact — they can still complete important functions like searching or running reports on data, even if it has been tokenized.
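The tokenization section and the gateway behaviour above describe three properties: the surrogate carries no mathematical link to the original, the only way back is the look-up table kept inside the firewall, and the cloud application still works on the tokenized data (searching, reporting). The following is an added illustration written for this page, not Perspecsys or Bluewolf code. It assumes an in-memory dictionary standing in for the hardened look-up database, the field names `account_number` and `national_id` as the fields the gateway protects, and two design choices a real gateway would make explicitly: tokens are deterministic per value (so an equality search in the cloud still finds every record for the same customer) and format-preserving (same length, digits stay digits) so cloud-side field validation still passes. All records are constructed sample data.

```python
import secrets
import string
from typing import Dict, Iterable, List


class TokenVault:
    """In-memory stand-in (assumption) for the hardened look-up table inside the firewall.

    Tokens come from a CSPRNG, so there is no cipher and no key: the only path
    from a token back to its value is this table.
    """

    def __init__(self) -> None:
        self._token_for: Dict[str, str] = {}  # original value -> token
        self._value_for: Dict[str, str] = {}  # token -> original value

    @staticmethod
    def _surrogate_like(value: str) -> str:
        # Format-preserving surrogate: same length, digits stay digits, letters stay
        # letters, separators stay where they are, so cloud-side validation still passes.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isalpha():
                out.append(secrets.choice(string.ascii_uppercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        # Deterministic per value: the same account number always maps to the same
        # token, which is what keeps equality search and reporting working in the cloud.
        existing = self._token_for.get(value)
        if existing is not None:
            return existing
        while True:
            token = self._surrogate_like(value)
            # Reject the (vanishingly rare) identity token or a token already issued.
            if token != value and token not in self._value_for:
                break
        self._token_for[value] = token
        self._value_for[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # KeyError for a token this vault never issued: without the table there is no way back.
        return self._value_for[token]


SENSITIVE_FIELDS = ("account_number", "national_id")  # assumed field names


def outbound(record: dict, vault: TokenVault) -> dict:
    """Gateway path, enterprise -> cloud: sensitive fields leave as tokens only."""
    return {k: (vault.tokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def inbound(record: dict, vault: TokenVault) -> dict:
    """Gateway path, cloud -> enterprise: tokens are swapped back for the end user."""
    return {k: (vault.detokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def cloud_search(cloud_rows: Iterable[dict], field: str, token: str) -> List[dict]:
    """What the cloud application can do: match on the token without ever seeing the value."""
    return [row for row in cloud_rows if row.get(field) == token]


def demo() -> dict:
    # Constructed sample records; the duplicate row shows that determinism groups them.
    vault = TokenVault()
    customers = [
        {"name": "Ada", "account_number": "4111222233334444", "national_id": "AB123456C"},
        {"name": "Bob", "account_number": "5555666677778888", "national_id": "ZY987654Q"},
        {"name": "Ada", "account_number": "4111222233334444", "national_id": "AB123456C"},
    ]
    cloud_rows = [outbound(c, vault) for c in customers]
    # The search term is tokenized by the gateway before it is sent to the cloud.
    hits = cloud_search(cloud_rows, "account_number", vault.tokenize("4111222233334444"))
    restored = [inbound(r, vault) for r in cloud_rows]
    return {"cloud_rows": cloud_rows, "hits": hits, "restored": restored, "vault": vault}


if __name__ == "__main__":
    result = demo()
    for row in result["cloud_rows"]:
        print("cloud sees:", row)
    print("search hits for Ada's account:", len(result["hits"]))
```

Two points worth keeping in view when reading this. First, the only thing that makes a token "strong" here is that the mapping exists nowhere but in the vault; a second `TokenVault` given the same token cannot recover anything, which is the contrast with encryption drawn above, where the ciphertext and key are mathematically linked. Second, determinism is a trade-off: it preserves search, but it also means identical values produce identical tokens, so the vault, not the cloud, must be the only place where token and value ever sit side by side.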

The Enterprise Can Maintain Control

Sensitive, regulated financial data should never be processed or stored in the clear when outside of an organization’s control. By rendering data undecipherable, and therefore unusable, when it’s outside an enterprise firewall, financial institutions can protect information in the cloud, comply with regulations, and, ultimately, reap the business benefits of cloud adoption while keeping sensitive data secure.

Gerry Grealish is Chief Marketing Officer of Perspecsys, a cloud data control software provider.

Interested in learning more about cloud security for financial services organizations? Connect with Perspecsys at Bluewolf's Engagement Squared Summit in New York, June 18th. Registration is free, but space is limited. Reserve your seat now.

Bluewolf, an IBM Company, is a global consulting agency and proven Salesforce strategic partner that builds digital solutions designed to create results. Now.