Gerry Grealish

Subscribe to Gerry Grealish: eMailAlertsEmail Alerts
Get Gerry Grealish: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: Cloud Computing, Government Cloud Computing, SOA & WOA Magazine, Cloud Security Journal , Secure Cloud Computing

Blog Post

NIST Weighs In on the Cloud

Organizations are entitled to strong cloud data security measures from their vendors

NIST released a new publication entitled Cloud Computing Synopsis & Recommendations (Special Publication 800-146) that describes in detail the current cloud computing environment, explains the economic opportunities and risks associated with cloud adoption, and openly addresses the security and data privacy challenges. NIST makes numerous recommendations for companies or agencies considering the move to the cloud (including delivering a strong case for uniform management practices in the data security and governance arenas).

The report highlights several reasons why cloud-based SaaS applications present heightened security risks. As a means to offset the threats, NIST's recommendation on cloud encryption is clear-cut: organizations should require FIPS 140-2 compliant encryption to protect their sensitive data assets. This should apply to stored data as well as application data, and for Federal agencies, it's a firm requirement, not simply a best practice or recommended guideline.

Regrettably, some vendors are misleading the market with claims that sensitive data in the cloud does not require FIPS 140-2 validation, and instead lesser validation is sufficient. Customers should challenge these sorts of claims and insist on FIPS 140-2 validation if encryption is selected as the preferred technique to secure sensitive data to the cloud. And they should ensure that the functionality of their SaaS applications, such as Searching and Sorting, is preserved, even when this level of strong FIPS 140-2 encryption is in place.

Regarding data governance and regulatory cloud compliance, NIST also recommends that consumers require cloud providers to meet all international, Federal, and state statutes regarding data protection, privacy, and residency. This is a broad, complex area in which the laws continue to evolve, and consumers are ultimately liable if legal issues arise. Many enterprises believe tokenization technology is best suited to address these "data residency" concerns, since tokens can be used to replace personally identifiable information in the cloud, ensuring the original data never leaves their local jurisdiction. Again, preservation of the cloud application's functionality is critical - so enterprises need to ensure they are not being asked by their vendor to sacrifice on SaaS usability in order to get the strong level of protection required to adequately secure their sensitive business information.

•   •   •

PerspecSys Inc. is a leading provider of cloud data security and saas security solutions that remove the technical, legal and financial risks of placing sensitive company data in the cloud. PerspecSys accomplishes this for many large, heavily regulated companies who rely on cloud compliance by never allowing sensitive data to leave a customer's network, while maintaining the functionality of cloud applications. Based in Toronto, PerspecSys Inc. is a privately held company backed by investors that include Intel Capital and GrowthWorks.

More Stories By Gerry Grealish

Gerry Grealish is Vice President, Marketing & Products, at PerspecSys. He is responsible for defining and executing PerspecSys’ marketing vision and driving revenue growth through strategic market expansion and new product development. Previously, he ran Product Marketing for the TNS Payments Division, helping create the marketing and product strategy for its cloud-based payment gateway and tokenization/encryption security solutions. He has held senior marketing and leadership roles for venture-backed startups as well as F500 companies, and his industry experience includes enterprise analytical software, payment processing and security services, and marketing and credit risk decisioning platforms.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.