Not Just Another Token Solution to Data Residency Issues

Tight regulations that protect the personal data of a country’s citizens are nothing new. Switzerland, for example, has long been known for its steadfast laws guarding against the storage beyond its physical borders of personally identifiable information pertaining to Swiss citizens. So why has there been so much concern of late regarding the expansion of data residency laws across the globe? Because if the new rules restricting cross-border data flows can’t be met, these increasingly tough guidelines have the ability to interfere with global commerce across a number of critical industries such as banking, finance, utilities and retail.

The latest country to step into the data residency spotlight is Russia. While making international headlines is nothing new for Russia, it’s the country’s new focus on stricter data protection and privacy that has the global business community scrambling. The provisions, currently slated to go into effect in 2016, are representative of a new reality facing corporations interested in conducting business across multiple countries. Whether you have operations in Germany, Australia, Canada, China, France, the UK, Switzerland, or now Russia, you will be forced to deal with some level of data sovereignty issues. And while the standards may vary from country to country, the message to cloud providers in particular remains very much the same: either find a way to abide by our standards or see your business decline within our borders.

The enterprises most often affected by these regulations tend to be banks, healthcare providers, public sector organizations or government agencies – essentially businesses where you would expect to find large amounts of personally identifiable consumer data. On the surface, the inability to move essential data around would appear potentially crippling to many organizations that rely on this information to conduct operations. However, as Gartner Research Director Andrew Walls recently said, “There is no need to panic. Work with your business stakeholders to build a flexible approach to infrastructure deployment and business process design. Anticipate regular changes in the regulatory climate in all jurisdictions and plan accordingly.”

One way to plan accordingly and meet the challenges of a changing data residency landscape is by adopting Cloud Data Protection Gateway (CDPG) technology. These gateways allow enterprises and government agencies to replace regulated or sensitive data with a token before it goes to the cloud. It’s the same concept that has been used for years to secure payment card details in the credit card industry, but is now designed to protect all sorts of sensitive data in cloud-based applications. And when using tokenization, sensitive data never leaves the organization’s control or works its way into cloud environments – making it particularly useful for enterprises operating in countries with strict data residency and sovereignty laws.

Tokenization is a process by which a sensitive data field, such as a patient’s first and last name or scanned x-ray images from a medical record, is replaced with surrogate values called tokens. Tokenization helps solve the data residency issue of storing and processing data in a US-based cloud (or any cloud outside an enterprise’s home country borders), because it is not the data itself, but a meaningless string of characters (tokens), that is processed and stored in the foreign country-based cloud. Strong tokens cannot be reversed back to their original values without access to the ‘look-up’ table that matches them up to their original values. These tables themselves are kept in a ‘hardened’ database in a secure location inside a company’s firewall (or a secure, managed service provider’s data center located in the company’s home country) which is monitored 24/7, keeping all clear data within its country of origin.

Security practitioners and regulators are seeing that tokenization, when properly deployed, differs significantly from encryption, as there is no cipher algorithm used to mathematically transform sensitive data to its surrogate value and back again. While encryption clearly can be used to conceal a value, a mathematical link back to its true form, via encryption keys, still exists. Forms of tokenization that do not rely on this notion of a mathematical approach to generate token values are unique in that they completely remove the original data from the systems in which the tokens reside. And when tokenization is deployed as the underlying security method within a cloud data protection gateway, the end-user’s experience with the cloud application is kept intact – they can still complete important functions like searching or running reports on data, even if it has been tokenized.
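The look-up-table tokenization and token-side searching described above can be sketched as follows. This is an added example, not code from the article or from any gateway product; the class, function and field names are hypothetical, the in-memory dictionaries stand in for the hardened in-country database, and reusing one token per value is an assumption made here so that exact-match search works.

```python
import secrets

SENSITIVE_FIELDS = {"first_name", "last_name"}  # assumed policy for this sketch


class TokenVault:
    """Look-up table that stays inside the organization (in-memory stand-in)."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so exact-match search still works.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_urlsafe(16)  # random: no key, no cipher
        while token in self._by_token:  # regenerate on the unlikely collision
            token = "tok_" + secrets.token_urlsafe(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        # Values that are not known tokens pass through unchanged.
        return self._by_token.get(token, token)


def to_cloud(record, vault):
    """Outbound path: swap sensitive fields for tokens before upload."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def from_cloud(record, vault):
    """Inbound path: restore clear values for the in-country user."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def search(cloud_rows, field, value, vault):
    """Tokenize the search term, match on tokens in the cloud, then restore."""
    term = vault.tokenize(value) if field in SENSITIVE_FIELDS else value
    return [from_cloud(r, vault) for r in cloud_rows if r.get(field) == term]


# Constructed sample data: cloud_rows is all the foreign cloud ever stores.
vault = TokenVault()
patients = [{"first_name": "Anna", "last_name": "Keller", "ward": "B2"},
            {"first_name": "Marc", "last_name": "Keller", "ward": "C1"}]
cloud_rows = [to_cloud(p, vault) for p in patients]
```

Because the same value always maps to the same token in this sketch, the cloud side can see which records share a value even though it cannot recover the value; that equality leak is the price of searchable tokens and should be weighed per field.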

Simply put, cyber-criminals can’t steal data that isn’t there. Tokenization allows for the use of critical information in public cloud environments while mitigating the privacy and regulatory risks associated with putting it there. In the years to come, most experts agree that we are likely to see even stricter residency laws emerge as attacks and surveillance efforts become even more sophisticated and better funded. In order to ensure privacy and stay compliant with regulations, technologies such as tokenization will become more widely adopted as a way of securing borders without inhibiting commerce.

David Canellos is president and CEO of Perspecsys, a provider of cloud data protection solutions.
