Cloud Migration Challenges

Cloud Migration Challenges: How to Keep Sensitive Data Secure

Written by:
Cloud Migration Challenges: How to Keep Sensitive Data Secure

Watch the Webinar

Consolidating your business data in cloud data warehouses is a smart move that unlocks innovation and value. All your data in one place makes it easier to connect the dots in ways that were impossible or unimaginable before. For instance, a retail chain can optimize sales projections by analyzing weather patterns, or a logistics company can more accurately predict costs by accounting for the salaries of all the people involved in a shipment.  The key to making a project like this successful is to overcome the cloud migration challenges that can pop up along the way.

Sensitive PII: Cloud Migration Challenge and Opportunity

Getting those new data-fed insights is a process that starts with moving the data to a consolidated cloud data warehouse like Snowflake. An extract, transform, and load (ETL) migration technology partner simplifies moving or loading the data from each of your company’s locations into a cloud data warehouse to make it analytics-ready in no time. Migrating data is what these companies do best. Data governance and sensitive data security are not their priority, however, which is a tremendous concern when the most valuable data is often the most valuable – both to the business and to bad actors. That makes sensitive data migration one of the biggest cloud migration challenges. Confidential information like customer PII, which includes email, home addresses, or social security numbers, can be extremely useful to analytics. For example, it can help marketing teams know where, when and to whom they should target a specific offer if they can determine what age, sex, location are mostly likely to buy. However if breached, customer PII can cause create significant risk of legal exposure and to your reputation.  

The need for high levels of data protection and secure access can cause significant tradeoffs in data usability and sharing, which adds risk and complicates matters for analytics teams. Even the built-in security and governance capabilities of data warehouses require a level of database coding expertise that is costly to implement and time-consuming to manage at scale. Distributed enterprises need a thoughtful yet simpler approach to protecting data in the cloud that keeps information airtight and doesn’t slow down access and progress. 

Overcoming Cloud Migration Challenges with Integrated Data Security

Before you migrate data to the cloud, let’s understand how cloud migration data security can help overcome your cloud migration challenges - and why some solutions fit better than others for your specific business needs. We all know that we must protect sensitive data in order to comply with appropriate regulations and maintain the trust of our customers. What is not always clear is if the same standards for storing and protecting data on-premises also apply to data in the cloud. 

These requirements include using NIST-approved security or standards for at-rest data protection. At a minimum, we must ensure there’s not a single door for hackers to get through, known as a single-party threat. If data can be de-obfuscated by just by one person, the protection method doesn’t count. For example, simply reversing a medical record is not enough. Encryption meets this requirement because you need both the encrypted data and the key to unlock it in order to access the original data.  

For data in the cloud, however, you need to rethink tooling and management decisions. Let’s look at methods for data obfuscation including encryption, but through a cloud lens. You’ll quickly run into several issues:  

  • You can’t expect to connect your on-prem key management solution to a cloud data warehouse like Snowflake and have it work at scale
  • Someone who gets the key can decrypt all the data stored in your centralized data warehouse
  • You also need fail-safes to prevent users with privileged access, like the Snowflake administrator, from being able to view the data if they’re not supposed to

To avoid these access and encryption issues, some security methods rely on transforming data through “one-way” techniques like hashing before storing the hash in the cloud. Hash codes ensure privacy and allow users to still know the dataset comprises, for example, social security numbers. However, an authorized user who needs the real social security number won’t be able to retrieve it, because once hashed, the data cannot be recovered in the cloud database.  

Even anonymization techniques, such as storing the data as a range, limit the application of data. You might not need an individual anonymized data point today, but you may very need it later. Your business may depend on allowing some authorized users to have access to the original data, while ensuring it is meaningless and opaque to everyone else.  

If analytics is the goal of your sensitive data migration, then the preferred security solution is tokenization for its ability to balance data protection and sharing.

4 Major Benefits of Tokenization for Cloud Migration

When it comes to solving security-related cloud migration challenges, tokenization has all the obfuscation benefits of encryption, hashing, and anonymization, while providing a much greater analytics usability. Let’s look at the advantages in more detail. 

  1. Tokenization replaces plain-text data with a completely unrelated token that has no value if breached. There’s no mathematical formula or key; the real data remains secure in a token vault.    
  1. You can perform high-level analysis just like you could on real data, without having access to the real thing. In contrast, you have limited analytics capability on anonymized data and none on hashed and encrypted data. With the right tokenization solution, you can feed tokenized data directly from the warehouse into any application, without requiring data to be unencrypted and inadvertently exposing it to privileged users.   
  1. Retaining the connection to the original data enables more granular analytics than anonymization. Anonymized data is hamstrung by the original parameters, such as age ranges, which might not provide enough granularity or flexibility for future applications. With tokenized data, analysts can create fresh slices of cloud data as needed, down to the original, individual PII. 
  1. Tokenization combines the analytics opportunity of anonymization with the strong at-rest protection of encryption. Look for approaches that limit the amount of previously masked data that can revert to its original form (de-tokenization) and also issue notifications and alerts for de-tokenized data so you can ensure only approved users get the data. 

Embedding Tokenization in Your Cloud Migration Data Pipeline

One of the best approaches to solve your sensitive data cloud migration challenge is to embed data security and governance right into your migration pipeline. ALTR has partnered with ETL leader Matillion to do just that. ALTR's open-source integration for Matillion ETL lets you tokenize data through Matillion so that it's protected in the flow of your cloud migration. The ALTR shared job is used to automatically tokenize, as well as apply policy on sensitive columns that have been loaded into Snowflake.

See how it works: 

Wrapping Up

Given the volume of data being generated and collected, enterprises are looking for ways to scale data storage. Migrating their data to the cloud is a popular solution, as it not only solves data volume problems, but also offers numerous advantages. While it would be nice to flip a switch and be in the cloud, it’s not that simple! Moving to the cloud requires a strategy and a big part of that is data security. Tokenization solves one of the biggest cloud migration challenges: sensitive data migration. It delivers tough protection for sensitive data while allowing flexibility to utilize the data down to the individual, allowing companies to unlock the value of their cloud data quickly and securely.  

Related Resources