Is Cloud Tokenization an Attractive Alternative to Cloud Encryption?

As security threats grow in complexity, IT leaders need to consider encryption and tokenization technologies to prevent hackers from accessing or stealing highly sensitive data. While encryption has been around for a while, tokenization is one method that’s grown in popularity.

Cloud security is an evolving and fast-maturing concept. Every year or month there’s a new threat, provoking a response with improved or new defenses, even as existing products broaden their interoperability or load up with new features. At the base of all this is data traveling between services and a growing movement to tokenization over encryption to ensure data remains secure.

Don't let cloud security threats go unnoticed

Equip your team with the right tools to improve visibility, reduce risk & respond to threats faster.

VISIT THE HUB

As more firms share data with partners or among teams in the cloud, little attention is paid to how far that data can travel, the many hops along its route and the devices it’s eventually stored on. All of these create risks for firms that are looking to protect critical business information, have legal obligation to protect customer data or work in an industry where there are many compliance rules to follow.

But how can you know if those rules are being followed on a remote cloud server or within a partner business? To address this, IT teams, CISOs and CIOs seek new ways to control and protect their data to reduce the risk of reputational or operational damage to the business.

Encryption has long been used by businesses when it comes to protecting data. Many think that once data is encrypted, it’s totally safe, just as people thought making sure the firewall light was on would protect an entire business from all threats. In reality, things are more nuanced than that and any encryption can be broken with enough computing power, or if someone in the business is careless with the encryption keys.

Tokenization is fast becoming a popular additional method of securing data, partly as it’s mandated for protecting credit card information as part of the Payment Card Industry Data Security Standard (PCI DSS) compliance. That gives it legitimacy among trade bodies, governments and industry, who are looking at wider use cases for tokenization, notably in areas where personally-identifying information (PII) is used.

Tokenization can protect government-issued or health ID numbers, account numbers and the typical ancillary security information like pet names and other useful reminders that billions of people use daily to access a growing range of services.

What is tokenization and what are the benefits?

Any business operating in the cloud can benefit from tokenization solutions. Tokenization replaces specific original information, such as a credit card number, with a token of the same length. The original data is stored in a token vault, so even if a customer’s internet connection isn’t secure or their files are being monitored, there’s no accessible information that the hackers can access. When the information comes back from a third-party the token is matched with the real number, stored in a token vault or local secure database, and a transaction can be completed.

That encapsulates the benefits of tokenization: increased security and improved compliance. Business data never leaves the company, and the process provides a straightforward way to perform huge numbers of transactions.

On the downside, tokenization can’t be applied to everything a company shares. The process doesn’t scale well and would struggle with unstructured data. So, just as with encryption, there are pros and cons of using tokenization.

Tokenization versus encryption

Given the differences between encryption and tokenization, there are some clear use cases for each technology. A firm can easily encrypt all of its data, but it’s only as secure as the encryption key, and while it’s less likely the token vault could be hacked, the possibility still exists.

Both tokenization and encryption can also cause trouble across the growing number of cloud services that businesses adopt. Either may lack support, or the cloud service uses a particular standard, creating compatibility risks, and the encryption/detokenization process adds an element of lag or latency, especially in complex or time-sensitive requests.

The rise of tokenization

Naturally, cloud service providers are always looking to push technology to new use cases, so there’s a growth in tokenization-as-a-service (TaaS) supported by the bank card industries and their key providers. This technology improves support for payments, reducing the need for merchants to store card data. That’s just one example, but other industries and providers will be looking to see how they can use tokenization.

In most cases, a hybrid strategy covers all the bases for businesses to protect their data, but tokenization is growing in adoption and broadening in use. Estimates put the tokenization market size to grow from $1.9 billion in 2020 to $4.8 billion by 2025, at a CAGR of 19.5% during 2020-2025.

That’s mainly driven by large finance organizations looking to combat fraud, but in America, firms are faced with a 180 day deadline to comply with the White House executive order on improving the nation’s cybersecurity, creating a rush of interest in fresh security ideas.

Vendors aren’t standing still, with some providing vaultless tokenization through dynamic data masking to improve control and compliance when moving data to the cloud or across big data environments.

Whatever the innovations, the threats won’t go away, so firms will remain in a constant battle to better protect data. And as more industries mandate tokenization to secure key forms of data, more businesses will end up using it.