At a panel at the 2016 RSA Conference, the CSO of Sallie Mae talked about encrypting data going to the cloud for compliance. Sallie Mae encrypts all data going to the cloud so regulators can't get to it because it doesn't want any outside regulators -- or anybody -- to access its data. Is this a sound strategy? Does this make it more challenging for regulators? Does this cause friction between enterprises and compliance bodies?
In my opinion, encrypting data is the most critical security control used to protect information stored in cloud services or transmitted over public networks. Regulators should never be uncomfortable with the use of encryption and, in fact, should advocate the increased use of encryption to protect sensitive information.
At the panel that took place at RSA Conference 2016, Sallie Mae's Jerry Archer said: "We can encrypt all the data as it leaves our environment and goes into a cloud provider, and only we have the key. The cloud provider can never disclose the information in any way, shape or form, because it's fully encrypted."
I don't believe that Archer's statement about encrypting data is meant as an attempt to hide information from regulators specifically. Rather, he is merely reiterating the gold standard security practice that many of us have embraced for years: if you have sensitive information, encrypt it and carefully manage the keys. Organizations around the world use this strategy to protect financial, healthcare and other sensitive information.
I can't imagine that any government regulators would disagree with this approach to encrypting data. There are few situations where regulators need to actually access sensitive information and, even in those cases, they normally would not access that information directly themselves but would instead ask the company to provide information in response to a regulatory query.