Financial – GLBA
Gramm-Leach-Bliley Act (GLBA) Overview
The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to establish standards for protecting the security and confidentiality of their customers’ non-public personal information. Section 501(b) of the act specifies that the objectives of these standards are to:
- Secure the privacy of customer information and records.
- Provide ongoing protection against threats to the security and integrity of customer information and records.
- Prevent unauthorized access and use of customer information.
GLBA guidelines direct financial organizations to evaluate the use of encryption to secure electronic customer information while in transit or in storage. Offering a view on the topic, the Federal Financial Institutions Examination Council stated that (a) financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and in transit, and (b) they should use effective key management practices.
The Council can also investigate why an institution elected not to use encryption for these sorts of communications.
GLBA and the Cloud – Considerations
GLBA’s Financial Privacy Rule requires institutions to provide an annual notice to customers explaining how their data is maintained and shared as well as the steps that are taken to protect it. Clearly, the use of the services of an outside cloud provider complicates matters greatly. Loss of full control of the data makes compliance with this rule quite challenging.
Also, the GLBA Safeguards Rule requires institutions to implement an information security program and the adoption of public cloud services can significantly complicate this task. Many financial institutions are wrestling with the loss of data control that comes with the business benefits of cloud adoption – which is why they are turning to Blue Coat for the data security they need as they make the move to the cloud.
Only Blue Coat Can Deliver
Strongest Available Cloud Data Control – No data is shared in “the clear” outside of your network; data is secured at the field-level control based on user defined tokenization or encryption options. Enterprise retains full control of the token vault and/or the encryption keys securing the data.
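As an added illustration (not Blue Coat's code), the field-level tokenization model described above: only selected fields are replaced, the clear values stay in a vault that never leaves the institution's network, and the same value maps to the same token so the cloud application can still match records. The field names and sample record are assumptions for this example.

```python
import secrets
import string

# Fields a GLBA-covered institution would treat as non-public personal
# information. These names are assumptions for this example.
SENSITIVE_FIELDS = ("account_number", "ssn")


class TokenVault:
    """Enterprise-held mapping between tokens and clear values.

    The vault stays inside the institution's network; the cloud application
    only ever sees the tokens, so it cannot recover the clear values.
    """

    def __init__(self):
        self._token_to_value = {}   # token -> (field, clear value)
        self._value_to_token = {}   # (field, clear value) -> token

    def tokenize(self, field, value):
        key = (field, value)
        if key in self._value_to_token:
            # Consistent tokens let the cloud app search/match on the field.
            return self._value_to_token[key]
        while True:
            # Random digits, not derived from the value, so the token
            # carries no information about what it stands for.
            token = "TOK" + "".join(secrets.choice(string.digits) for _ in value)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = key
        self._value_to_token[key] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token][1]


def protect_record(record, vault):
    """Return the copy of a record that may be sent to the cloud application."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(field, out[field])
    return out


def restore_record(record, vault):
    """Reverse protect_record; only works with access to the vault."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out
```

Because tokens are consistent per value, the cloud side can still filter or join on the tokenized field; the trade-off is that equality of two records' values is visible to the provider even though the values themselves are not.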
Only Solution That Supports FIPS 140-2 Encryption While Preserving Cloud Functionality – To preserve application functionality, all other vendors require the use of their own proprietary weakened encryption within their platform solution. Close analysis of their modules and associated certifications reveals that non-compliant algorithms unavailable in FIPS-mode are required to encrypt sensitive data when an enterprise needs to preserve critical cloud functionality.
Only Solution with 3rd Party Audited Tokenization Solution – Blue Coat enables organizations to use well documented and proven tokenization techniques to protect information as an alternative to encryption. The tokenization technique deployed within the platform – which is especially useful for data residency and data sovereignty requirements – has been audited and validated against relevant industry standards by CoalFire Inc, a PCI DSS QSA and a FedRAMP 3PAO.
Doesn’t Tie Support of Cloud Application Functionality to the use of Specific Encryption Techniques – Enterprises value flexibility because nothing is as certain as change. Only Blue Coat lets enterprises change the underlying data protection techniques used within the platform over time – at their own discretion – as they see fit. All other alternatives in the marketplace require the use of specific, unproven techniques in order to preserve cloud application functionality.
The specific types of information that Blue Coat can safeguard vary across sub-sectors of Financial Services. The table below covers some typical use cases of sensitive data that needs to be secured in cloud environments: