When Good Is Not Good Enough: NIST Raises the Bar for Cloud Data Protection Vendors
Blog Article Published: 02/21/2013
Earlier this year, the National Institute of Standards and Technology (NIST) released a publication titled Cloud Computing Synopsis & Recommendations (Special Publication 800-146) describing in detail the current cloud computing environment, explaining the economic opportunities and risks associated with cloud adoption, and openly addressing the security and data privacy challenges. NIST makes numerous recommendations for companies or agencies considering the move to the cloud (including delivering a strong case for uniform management practices in the data security and governance arenas).

The report highlights several reasons why cloud-based SaaS applications present heightened security risks. As a means to offset the threats, NIST’s recommendation on cloud encryption is clear-cut: organizations should require FIPS 140-2 compliant encryption to protect their sensitive data assets. This should apply to stored data as well as application data, and for Federal agencies, it’s a firm requirement, not simply a best practice or recommended guideline.

What does FIPS 140-2 validation mean? An encryption vendor whose cryptographic module attains this validation attests that its solution:
- Uses an approved algorithm,
- Handles the encryption keys appropriately, and
- Always handles the data to be encrypted in a certain way, in a certain block size, with a certain amount of padding, and with some amount of randomness so the ciphertext can’t be searched.
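
The last point can be seen directly in code. The following is an added example, not part of the original article: it encrypts the same constructed record twice, once with raw AES and no randomness and once with AES-GCM under a fresh random nonce, to show that only the deterministic ciphertexts can be matched against each other. It uses Go's standard library for illustration and says nothing about that library's validation status; the key, the record and the function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptDeterministic applies raw AES to one 16-byte block with no
// randomness, so equal plaintext always gives equal ciphertext.
func encryptDeterministic(key, block []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil || len(block) != aes.BlockSize {
		return nil, fmt.Errorf("need a valid AES key and one %d-byte block", aes.BlockSize)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out, nil
}

// encryptRandomized uses AES-GCM with a fresh random nonce per message and
// returns nonce || ciphertext || tag.
func encryptRandomized(key, plaintext []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(c)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not for real use
	field := []byte("ACCT:0000-EXAMPL")   // constructed 16-byte record
	d1, _ := encryptDeterministic(key, field)
	d2, _ := encryptDeterministic(key, field)
	r1, _ := encryptRandomized(key, field)
	r2, _ := encryptRandomized(key, field)
	fmt.Println("deterministic match:", bytes.Equal(d1, d2), "randomized match:", bytes.Equal(r1, r2))
}
```
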
- Privacy & Security Professionals: Can use industry-acknowledged strong encryption techniques, such as FIPS 140-2, or tokenization
- Business End-Users: Can get all of the SaaS or PaaS application functionality they need – security does not “break” the application’s usability
- IT Professionals: Can deploy a standards-based, scalable platform that meets security and business needs and scales to support multiple clouds