
Customers and the Cloud Service Provider (CSP) share the responsibility for security and compliance. The organization therefore has the freedom to architect its security and compliance controls according to the services it uses from the CSP and the outcomes it intends to achieve. The CSP is responsible for providing its services securely and for the physical security of the cloud. If a customer opts for Software-as-a-Service, the CSP provides standard compliance; still, the organization has to check whether that meets the regulations and compliance levels it must achieve. Not all cloud services (such as the different forms of databases) are created equal. Policies and procedures should be agreed upon between the CSP and the client for all security requirements and operational responsibilities.

Let’s dive into particular compliance and regulations maintained within the industry.

PCI DSS on Cloud

Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 to secure credit and debit card transactions against data theft and fraud. PCI DSS compliance is a requirement for any business.

Let’s suppose payment card data is stored, processed, or transmitted in a cloud environment. In that case, PCI DSS applies to that environment, and compliance involves validation of both the CSP’s infrastructure and the client’s usage of that environment.

Responsibility assignment for management of controls, by service model:

| PCI DSS Requirement | IaaS | PaaS | SaaS |
|---|---|---|---|
| Install and maintain a firewall configuration to protect cardholder data | Client and CSP | Client and CSP | CSP |
| Do not use vendor-supplied defaults for system passwords and other security parameters | Client and CSP | Client and CSP | CSP |
| Protect stored cardholder data | Client and CSP | Client and CSP | CSP |
| Encrypt transmission of cardholder data across open, public networks | Client | Client and CSP | CSP |
| Use and regularly update anti-virus software or programs | Client | Client and CSP | CSP |
| Develop and maintain secure systems and applications | Client and CSP | Client and CSP | Client and CSP |
| Restrict access to cardholder data by business need to know | Client and CSP | Client and CSP | Client and CSP |
| Assign a unique ID to each person with computer access | Client and CSP | Client and CSP | Client and CSP |
| Restrict physical access to cardholder data | CSP | CSP | CSP |
| Track and monitor all access to network resources and cardholder data | Client and CSP | Client and CSP | CSP |
| Regularly test security systems and processes | Client and CSP | Client and CSP | CSP |
| Maintain a policy that addresses information security for all personnel | Client and CSP | Client and CSP | Client and CSP |

GDPR

General Data Protection Regulation (GDPR) is the core of Europe’s digital privacy legislation. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information,” said Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015. GDPR applies to all companies that collect and process EU residents’ data. Non-EU companies need to appoint a GDPR representative and are held liable for all fines and sanctions. The critical requirements of GDPR are:

  1. Lawful, fair, and transparent processing

  2. Limitation of purpose, data, and storage

    Collect only necessary information and discard any personal information after processing is complete.

  3. Data subject rights

    A customer can ask what data an organization has on them and the intended use of the data.

  4. Consent

    Organizations must ask for the consent of the customer if personal data is processed beyond legitimate purposes. The customer can also remove consent anytime they wish.

  5. Personal data breaches

    Based on the severity and regulatory requirements, the customer must be informed within 72 hours of identifying the breach.

  6. Privacy by Design

    Organizations should incorporate organizational and technical mechanisms to protect personal data in the design of new systems and processes.

  7. Data Protection Impact Assessment

    Data Protection Impact Assessment should be conducted when initiating a new project, change, or product.

  8. Data transfers

    Organizations have to ensure personal data is protected and GDPR requirements are respected, even when a third party does the processing.

  9. Data Protection Officer

    When there is significant personal data processing in an organization, the organization should assign a Data Protection Officer.

  10. Awareness and training

    Organizations must create awareness among employees about the crucial GDPR requirements.

To achieve GDPR compliance on the cloud, organizations need to take these additional steps:

  • Organizations should know the locations where their data is stored and processed by the CSP.
  • Organizations should know which CSPs and cloud apps meet their security standards, and should take adequate security measures to protect personal data from loss, alteration, and unauthorized processing.
  • Organizations should have a data processing agreement with the CSP and with the cloud apps they will be using.
  • Organizations should collect only the data they need and should limit any further processing of personal data.
  • Organizations should ensure that the data processing agreement is respected and that personal data is not used for other purposes by the CSP or cloud apps.
  • Organizations should be able to erase data at will from all data sources held by the CSP.

Conclusion

Regulations and compliance requirements depend on the country an organization operates in. It is essential to research the CSP and the regulations and compliance frameworks it follows. You can find more information about the CSPs on their respective websites.

If an organization fails to abide by the regulations applicable in the country or region, it may face fines and may lose the ability to operate in that country.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.


About the Author

Anish Bhattacharya is a Consultant at Encryption Consulting, working with PKIs, HSMs, creating Google Cloud applications, and working as a consultant with high-profile clients.


PII Data Encryption – Best Practices

What is Personally Identifiable Information (PII)?

The digital age of today is powered by customer and consumer data: data is the new currency. Provided it is collected through consent and transparency, consumer data is the key for enterprises to create value for their consumers, for example through personalization and transformed experiences. Among the various attributes of consumer data are those which can be used to uniquely identify the consumer; the set of such data is called Personally Identifiable Information (PII). Examples of PII include name, email address, telephone number, address, and other attributes related to the individual’s demographic, financial, health, and other personal details.

The need for enterprises to protect PII

With regulations such as the California Consumer Protection Act (CCPA) in the USA, the General Data Protection Regulation (GDPR) in Europe, and similar ones in other parts of the world, enterprises are under increasing legal obligations to protect PII data. As consumer awareness increases, each data breach causes a significant dent in consumer trust and, consequently, in the organization’s brand and reputation. However, it’s not just about brand and reputation: recent research indicates that each data breach has a financial impact of $4 million. With threats and vulnerabilities constantly on the rise, the need for enterprises to protect PII data is greater today than ever before.

Encryption of PII Data

Encryption is one of the proven ways to protect PII data. Once consumer data is encrypted, the risk of a data breach can be mitigated to a large extent and the impact of a breach can be contained, since the stolen data is of no use to the attacker in encrypted form. Apart from risk mitigation, PII data encryption is also necessary from a compliance perspective, with regulations such as the CCPA and GDPR mentioned earlier mandating such encryption.

What to encrypt?

The first step in PII data encryption is to decide what data to encrypt, and data privacy regulations offer a good starting point. For example, the HIPAA (Health Insurance Portability and Accountability Act) regulations in the US define the patient information that needs to be encrypted, including treatment information. One point to note is that while regulations indicate what data is to be encrypted, they leave the choice of encryption technology to the enterprise.

Locating the data

Once the data to be encrypted is identified, the next step is locating that data across the enterprise as part of a data discovery exercise. This is essential because PII data could be stored in multiple applications, databases, and file systems across the enterprise, or in the cloud. The data discovery exercise typically involves an application and system portfolio study or assessment, along with the use of data discovery tools.

Encryption Technologies & Standards

The next step is the actual encryption of the data. There are multiple encryption technologies and standards available; let’s take a look at the most popular ones.

Advanced Encryption Standard (AES):
AES is one of the best encryption options, primarily due to its strength and widespread acceptability. As one of the strongest encryption technologies available, AES enjoys widespread acceptability across regulations, enterprises, credit card issuers, and government agencies. AES is also used in the Pretty Good Privacy (PGP) standard, which is used by a large number of banking and financial services institutions. The National Institute of Standards and Technology (NIST) recommends AES as the highest standard for encryption, with three different key sizes: 128, 192, and 256 bits.

RSA:
This is an encryption standard named after its three inventors: Rivest, Shamir, and Adleman. The strength of RSA derives from the fact that prime factorization of very large numbers is computationally extremely difficult with existing hardware and compute resources. RSA has become popular since it can help assure the confidentiality, integrity, authenticity, and non-repudiation of data. Key lengths in RSA are very long, at 1024 or 2048 bits, and this is another reason for RSA’s strength. With these key lengths, however, the algorithm is relatively slow, and therefore one common application of RSA is key encryption rather than direct data encryption. Another limitation of RSA is that as computers get more powerful, key lengths need to get longer and longer in order to stay ahead of brute-force attempts at prime factorization.

Elliptic Curve Cryptography (ECC):
This is emerging as a popular alternative to RSA due to its advantages of speed, smaller key sizes, and cryptographic efficiency. ECC is also a good option for mobile devices due to its lower requirements on compute power and battery use. The algorithm is based on algebraic equations that represent elliptic curves. Keys generated through this approach are mathematically several orders of magnitude stronger than those of the prime factorization approach of RSA. For example, a 256-bit ECC key has the same strength as a 3072-bit RSA key.

SSL/TLS:
The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), have now become mainstream, with web servers and browsers being a familiar example of their usage. With PII data often being sent over the network from client to server, from one application to another, and from one server to another, communication channel encryption using SSL/TLS is critical to avoid “man in the middle” attacks. At the heart of SSL/TLS is a handshake protocol between the two endpoints, secured using asymmetric cryptography, which is used to generate a session key that is valid only for that communication session. The rest of the communication over the channel is encrypted using symmetric cryptography, with this session key used by both endpoints. The SSL/TLS protocol ensures both security and performance and has become the de facto encryption standard for data in motion, not just between a web browser and server, but across any two endpoints.

Key Management:
The ultimate success of any data encryption technology does not depend only on the algorithms, hardware, and software used: it depends on how well the private keys used for encryption are managed. The fundamental requirement for key management is to separate the encrypted data and the encryption keys into distinct physical locations. Options for key management include Hardware Security Modules (HSMs), virtual appliances, and cloud key management services.
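As an added example (not code from the original article), the Go program below ties the AES, RSA, and key management sections together with envelope encryption: each PII record is encrypted with AES-256-GCM under its own data key, RSA-OAEP wraps only that data key (RSA encrypting the key rather than the data, as described above), and the RSA private key stays in the HSM or KMS, physically separate from the stored ciphertext. The EnvelopedRecord format, the function names, and the use of the record ID as authenticated associated data are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EnvelopedRecord is the constructed storage format for one PII row: the AES-GCM
// ciphertext plus the data key wrapped under an RSA KEK whose private half stays in the HSM/KMS.
type EnvelopedRecord struct{ Nonce, Ciphertext, WrappedDEK []byte }

// newGCM builds an AES-GCM AEAD over a raw data-encryption key (DEK).
func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPII: fresh AES-256 data key per record, recordID bound as associated data,
// and only the key wrapped with RSA-OAEP (RSA never encrypts the PII itself).
func EncryptPII(kek *rsa.PublicKey, recordID string, pii []byte) (*EnvelopedRecord, error) {
	buf := make([]byte, 32+12) // AES-256 key || 96-bit GCM nonce, both random
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, pii, []byte(recordID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kek, dek, nil)
	return &EnvelopedRecord{Nonce: nonce, Ciphertext: ct, WrappedDEK: wrapped}, err
}

// DecryptPII unwraps the DEK with the private KEK (normally an HSM/KMS call) and opens
// the record; a tampered ciphertext or a mismatched recordID fails GCM authentication.
func DecryptPII(kek *rsa.PrivateKey, recordID string, rec *EnvelopedRecord) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, kek, rec.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
}
```

Because each record has its own data key, rotating or destroying the KEK in the HSM renders every wrapped key (and so every record) unreadable without touching the data store, which is what the GDPR erasure and key separation points above rely on.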

Key Takeaways

Any enterprise that handles personally identifiable information (PII) of consumers is also responsible for protecting that data. Data breaches pose three significant business risks to any organization: loss of consumer trust, direct financial impact, and legal / regulatory implications and penalties. Encryption technologies offer a proven means for enterprises to protect PII data and address all three risks.


About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.


Data Privacy Laws for Encryption

Data privacy regulations and compliance are becoming a driving force behind the need for encryption, tokenization, and masking. In 2018, organizations are dealing with threats from cyber-attacks at an all-time high, yet now organizations must also adhere to the latest laws and regulations set nationally and globally. Further regulations and compliance requirements are on their way, but the guidelines already in place affect all industries, which will face major fines if they are not met. Many of these guidelines concern the protection of private data at rest, data in use, and data in motion. As of 2018, all 50 U.S. states, as well as the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands, have passed data privacy laws. Organizations operating within the U.S. must now also comply with European regulations: the EU has implemented the General Data Protection Regulation, enforced since May 2018. By using encryption procedures and technologies, organizations will be able to adhere to the many complex data privacy and security regulations while bolstering their overall security against cyber-attacks.

The table below exemplifies how these technologies can help you meet the requirements:


About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.
