Does encrypting data make access harder for regulators?

Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? Expert Mike Chapple discusses.

At a panel at the 2016 RSA Conference, the CSO of Sallie Mae talked about encrypting data going to the cloud for compliance. Sallie Mae encrypts all data going to the cloud so regulators can't get to it because it doesn't want any outside regulators -- or anybody -- to access its data. Is this a sound strategy? Does this make it more challenging for regulators? Does this cause friction between enterprises and compliance bodies?

In my opinion, encrypting data is the most critical security control used to protect information stored in cloud services or transmitted over public networks. Regulators should never be uncomfortable with the use of encryption and, in fact, should advocate the increased use of encryption to protect sensitive information.

At the panel at RSA Conference 2016, Sallie Mae's Jerry Archer said, "We can encrypt all the data as it leaves our environment and goes into a cloud provider, and only we have the key. The cloud provider can never disclose the information in any way, shape or form, because it's fully encrypted."

I don't believe that Archer's statement about encrypting data is meant as an attempt to hide information from regulators specifically. Rather, he is merely reiterating the gold standard security practice that many of us have embraced for years: if you have sensitive information, encrypt it and carefully manage the keys. Organizations around the world use this strategy to protect financial, healthcare and other sensitive information.
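As an added illustration of the practice Archer describes (example code written for this page, not code from Sallie Mae or the article), this Go program encrypts an object client-side with AES-256-GCM under a key that stays on-premises: the cloud provider receives only the sealed blob, and only the key holder can decrypt it, for instance to answer a regulatory query. The function names, the object path and the sample record are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SealedObject is all the provider ever receives: nonce plus AES-GCM ciphertext and tag.
type SealedObject struct{ Nonce, Ciphertext []byte }
// newKey generates a random 256-bit AES key that is held only in our own environment.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealObject encrypts before upload; the object name is bound as associated data so a stored blob cannot be swapped between paths.
func sealObject(key []byte, objectName string, plaintext []byte) (SealedObject, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SealedObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return SealedObject{}, err
	}
	return SealedObject{nonce, gcm.Seal(nil, nonce, plaintext, []byte(objectName))}, nil
}
// openObject decrypts on our side (e.g. for a regulatory query); it fails on a wrong key, a modified blob or a mismatched name.
func openObject(key []byte, objectName string, obj SealedObject) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectName))
}
func main() {
	key, _ := newKey() // the sample record below is constructed, not real data
	obj, _ := sealObject(key, "reports/2016-q2.csv", []byte("account,balance\nA-1001,1200"))
	pt, err := openObject(key, "reports/2016-q2.csv", obj)
	fmt.Printf("provider holds %d opaque bytes; we recover %q (err=%v)\n", len(obj.Ciphertext), pt, err)
}
```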

I can't imagine that any government regulators would disagree with this approach to encrypting data. There are few situations where regulators need to actually access sensitive information and, even in those cases, they normally would not access that information directly themselves but would instead ask the company to provide information in response to a regulatory query.

This was last published in August 2016