As we enter a new normal period of accelerated digital transformation post-COVID, the vast number of organizations are now relying heavily on public and hybrid cloud services. And companies in highly regulated industries, now more than ever, find themselves needing cloud services that offer a greater level of protection and privacy.
As a result, data privacy and protection outside of the traditional perimeter and in the cloud have become a chief information security officer’s (CISO’s) imperative. The global average cost of a data breach in 2020 was USD 3.86 million and 52% of those breaches were caused by malicious attacks.¹ With these increases in data breaches, an enterprise’s data protection and privacy in the cloud is at stake as it needs one single point of control that provides a holistic view of threats and mitigates complexity.
The data protection needs of organizations are driven by the concerns about protecting sensitive information, intellectual property, and meeting compliance and regulatory requirements. In today’s digital global economy, data is one of the most valuable assets so data must be protected end to end – when it’s at rest, in motion and in use.
Data is often encrypted at rest in storage and in transit across the network, but applications and the sensitive data they process — data in use — are vulnerable to unauthorized access and tampering while they are running. Even when encrypted at rest, depending on where it’s encrypted, either the data or the encryption keys could be vulnerable to unauthorized access. According to Gartner, by 2025, 50% of large organizations will adopt privacy-enhancing computation for processing data in untrusted environments to protect data in use.²
The dilemma for organizations is how do they independently retain ownership and control of their data while still driving innovation? Protecting sensitive data is vital to an enterprise’s cloud data security, privacy and digital trust.
As enterprises contemplate moving sensitive data and workloads to the public cloud, they’re looking for ways to address the following concerns:
- Is my data and my customers’ data safe in the cloud?
- How do I meet regulatory and privacy requirements?
- How can I ensure that my cloud provider has no access to my data?
- How do I protect personal identifiable information (PII)?
- How do I preserve privacy of user and business data?
- How do I preserve privacy of data while performing analytics and AI modeling or sharing data with other third parties?
When hosting their data with cloud providers, companies want to have complete authority over their valuable data and associated workloads, including no access to sensitive data for even their cloud providers.
So how can you protect your sensitive data in the public cloud?
Encryption is a key technical measure to safeguard data in the cloud. The loss of data often leads to loss of customer trust with serious financial consequences. Regulatory compliance often mandates encryption of data at rest and in transit or strongly encourages it as a technical measure to protect data. And regulatory compliance requirements can be complex and the penalties significant. Extensive use of encryption, data loss prevention, threat intelligence sharing, and integrating security into the development, security and operations process (DevSecOps) were all associated with lower-than-average data breach costs.
Among these safeguards, encryption had the greatest impact. Deploying extensive encryption can be a substantial cost-mitigating factor in the event of a data breach — as the average total reduction in the cost of a breach due to extensive encryption was USD 237 thousand in 2020.¹
Yet, data protection through encryption is only as strong as your ability to protect the keys used to encrypt the data. With constant threats of external cyberattacks and insider threats, now, more than ever, there’s a need for workload isolation, data encryption, trusted execution environments, and other security practices and tools to protect your most sensitive workloads.
How can you mitigate these concerns and risks?
The current approaches to securing data is through data at rest and data in transit encryption. However, the challenging problem resides in gaining technical assurance that only you have access to your data or keys and protecting sensitive data in use to provide protection at all stages of data usage. Due to the growing understanding of the need for data in use protection, the adoption of confidential computing is increasing.
The term confidential computing refers to cloud computing technology that protects data while in use. The technology helps reduce security concerns as companies adopt more cloud services. The primary goal of confidential computing is to provide greater privacy assurance to companies that their data in the cloud is protected and confidential and instill confidence in moving more of their sensitive data and computing workloads to any location, including public cloud services.
Protect data across the compute lifecycle. To achieve the highest level of commercial privacy assurance, IBM goes beyond confidential computing to help protect your sensitive data across the entirety of the compute lifecycle — providing you with complete authority over your data at rest, in transit and in use.
What should you know about protecting your data across the lifecycle? Explore the following chapters to learn more about confidential computing and how it can help with data privacy and protection in your hybrid cloud environments.