When analysing cloud adoption across industry verticals, the banking and financial industry is as good a yardstick as any for assessing progress, given its stringent data security requirements. A new report from CipherCloud shows financial firms have increased confidence in cloud technologies; 100% of respondents said they put certain personally identifiable information (PII) in the cloud.
This does not extend to all PII, however: only one in three respondents said they use the cloud to store particularly sensitive data, such as social security numbers, birth dates and tax IDs. Yet there is a clear trend among financial firms to improve security as the sensitivity of data increases: 40% of organisations polled say that, for the most sensitive information, they use tokenisation and strong encryption.
One of the more interesting facets of the report relates to how companies classify their data. CipherCloud asked respondents to put their data in four categories: highly sensitive PII, regular PII, personal finance data, and business sensitive data. Intriguingly, a piece of ‘highly sensitive’ data at one company can be relegated to standard ‘regular PII’ at another. The most extreme example is ‘Name’: some banking firms, perhaps more associated with private banking or high net worth customers, see this as highly sensitive information.
The report also examined whether businesses use encryption or tokenisation to protect data. For business sensitive data, the response was a clear 100% for encryption. 15% of finance organisations use tokenisation for personal finance data and 13% for regular PII.
“It’s not surprising to see that encryption is the predominant choice for those seeking to protect business-sensitive data,” the report notes. “As this category of data is typically non-critical, few are utilising heavyweight tokenisation to protect business sensitive data.”
The report also examined the protection techniques companies utilised for structured PII fields. For email addresses, 91% of those polled used format-preserving encryption, while that number dropped to 82% for phone numbers. The other respondents favoured tokenisation (9% email) or length-restricting encryption (18% phone).