by Kim Borg
Enterprise-sized companies, especially those that deal in highly sensitive data, such as medical, financial and health care organizations, understandably remain more than a little hesitant about moving to the cloud. Concerns relating to data privacy, residency, security and compliance undoubtedly remain top of mind when they entertain the dream of seamlessly transitioning to a cloud-based infrastructure.
CipherCloud is helping to transform that dream into more than just an altered state with its cloud data protection gateways for public and private clouds. The cloud encryption heavyweight is able to not only encrypt sensitive data in real time before its journey to the cloud but also maintain functionality, usability and performance in the process.
I recently spoke with Pravin Kothari, CipherCloud's founder and CEO, about feeling truly secure, the importance of allowing customers to designate their own data protection schemes and why CipherCloud is feeling fairly validated.
Kim Borg: Would you please illuminate for our readers just how CipherCloud's Gateway technology encrypts data in real time before it's sent to the cloud?
Pravin Kothari: Rather than relying on cloud providers to protect customer data, CipherCloud applies encryption before sensitive data leaves the enterprise. CipherCloud is deployed as an in-line security gateway within the enterprise network that sits between the users and cloud applications. It offers multiple National Institute of Standards and Technology-approved, Advanced Encryption Standard-compatible encryption and tokenization options, including format-and-operations-preserving encryption algorithms.
Enterprises can identify which data they consider sensitive (such as proprietary information, personally identifiable information or other regulated data). When that data is posted or updated into the cloud, we apply the selected encryption or tokenization method, on the fly, to protect that data before it leaves the enterprise network. We reverse the process when employees access the cloud application through the gateway, decrypting data in real time so the users see the actual data rather than the encrypted version that resides within the cloud. CipherCloud's highly secure encryption and tokenization preserve both the format and operations of the data, so that the cloud application remains operational but its real content remains locked within the enterprise.
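The answer above hinges on one point: a gateway that protects a field before upload has to produce a value the cloud application will still accept and operate on. The following Go program is an added illustration of that trade-off, not CipherCloud's code or design. It contrasts a standard AES-GCM encryption of a field (strong, but the ciphertext is longer and not digits, so a format check fails) with a constructed format-preserving, deterministic tokenization that keeps the field's length and shape and keeps equality search working. The tokenization here is an HMAC-derived stand-in for illustration, not NIST's FF1 mode; the `Gateway` type, its vault and the SSN-style sample value are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// ssnPattern stands in for a format check a cloud application might enforce
// on a field: a value that fails it is rejected by the application.
var ssnPattern = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)

// Gateway holds the keys and the token vault, which stay inside the enterprise
// network; the cloud only ever receives the protected values.
// (Constructed type for this example, not CipherCloud's design.)
type Gateway struct {
	aead  cipher.AEAD       // AES-256-GCM: a standard, non-format-preserving scheme
	hkey  []byte            // key for deterministic token derivation
	vault map[string]string // token -> plaintext, so tokens can be reversed at the gateway
}

// NewGateway takes a 32-byte AES key and a separate HMAC key.
func NewGateway(aesKey, hmacKey []byte) (*Gateway, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, hkey: hmacKey, vault: map[string]string{}}, nil
}

// EncryptStandard protects a value with AES-GCM under a random nonce. Strong,
// but the output is longer than the input and base64 rather than digits, so a
// field validated by ssnPattern would be rejected by the cloud application.
func (g *Gateway) EncryptStandard(plain string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.aead.Seal(nonce, nonce, []byte(plain), nil)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Tokenize replaces each digit with a digit derived from HMAC-SHA256(hkey, plain)
// and leaves separators alone, so the token has the input's length and shape.
// It is deterministic: the same input always yields the same token, which keeps
// equality search working in the cloud (and therefore also reveals which
// records share a value; that is the price of operations-preserving schemes).
func (g *Gateway) Tokenize(plain string) (string, error) {
	mac := hmac.New(sha256.New, g.hkey)
	mac.Write([]byte(plain))
	digest := mac.Sum(nil)
	out := []byte(plain)
	di := 0
	for i, c := range out {
		if c >= '0' && c <= '9' {
			// byte % 10 is slightly biased; acceptable for a demonstration only.
			out[i] = '0' + digest[di%len(digest)]%10
			di++
		}
	}
	token := string(out)
	if prev, seen := g.vault[token]; seen && prev != plain {
		return "", errors.New("token collision: a real system would re-derive with a counter")
	}
	g.vault[token] = plain
	return token, nil
}

// Detokenize reverses a token using the vault, which never leaves the gateway.
func (g *Gateway) Detokenize(token string) (string, bool) {
	plain, ok := g.vault[token]
	return plain, ok
}

func main() {
	g, err := NewGateway(make([]byte, 32), []byte("constructed-hmac-key")) // constructed keys
	if err != nil {
		panic(err)
	}
	ssn := "123-45-6789" // constructed sample value
	ct, _ := g.EncryptStandard(ssn)
	tok, _ := g.Tokenize(ssn)
	fmt.Printf("AES-GCM: %s  passes format check: %v\n", ct, ssnPattern.MatchString(ct))
	fmt.Printf("token:   %s  passes format check: %v\n", tok, ssnPattern.MatchString(tok))
	plain, _ := g.Detokenize(tok)
	fmt.Printf("reversed at gateway: %s\n", plain)
}
```

Running it shows the AES-GCM output failing the field's format check while the token passes it and reverses correctly at the gateway; the determinism that makes search work is also why such tokens should be reserved for fields where equality leakage is acceptable.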
KB: How does this technology secure sensitive customer data across multiple public and private cloud applications without impacting functionality or performance?
PK: The key to CipherCloud's success has been its extensible and scalable, plug-in-based architecture. At the core, we provide critical cloud security capabilities such as encryption, tokenization, key management, malware detection, user activity monitoring, data protection APIs and more. We extend this platform by adding a layer of out-of-the-box connectors for several popular cloud applications and platforms such as Salesforce, Amazon, Force.com and Gmail.
The behavior and operations of each cloud application (for example, how is search performed, what are field length and format restrictions, etc.) is embedded into these connectors, which allows the CipherCloud gateway to protect data while respecting application functionality. Finally, CipherCloud provides an Open Connect API that makes it easy to extend the platform's capabilities to other cloud applications – including private clouds – using XML-based policy files that define the meta-data and context for the applications.
It's important to highlight that customers ultimately decide which fields need to be protected, under which circumstances, and using which controls. We provide more than a dozen data protection schemes to select from, each of which is tuned to handle varying cloud application operations and limitations.
Finally, due to its completely stateless architecture (no data or session is maintained on the gateway), CipherCloud is able to perform all transactions with near-zero latency.
KB: How significant is the Federal Information Processing Standard (FIPS) 197 accreditation CipherCloud recently received for its implementation of the Advanced Encryption Standard encryption?
PK: According to the NIST website, CipherCloud is the only company that offers AES-based format-and-operations-preserving encryption solutions for cloud services, such as Salesforce and Gmail, that has received the FIPS 197 accreditation. Reaching this certification achievement speaks to our mission to provide the industry’s most secure encryption solutions for our customers who are concerned about security, privacy and compliance of their sensitive data in the cloud.
We believe this certification presents new opportunities for us to serve enterprises and government organizations whose policies don't allow for the implementation of proprietary encryption algorithms that are being offered by many vendors in the market today.
KB: How will this certification set apart CipherCloud from its closest competitors?
PK: The FIPS 197 accreditation provided by NIST validates CipherCloud's commitment to ensuring transparency and highest levels of security through third-party validations. Customers not only want to ensure that any cryptographic modules adopted by vendors meet industry standards, but also that their specific implementations in the product have been validated and certified by a recognized body such as NIST.
After all, a breach of sensitive data encrypted by such technologies can cause millions of dollars in damages. Unfortunately, some vendors often mislead customers with claims of FIPS compliance by simply embedding a FIPS-certified module into their products without any third-party validation around its implementation. Customers should verify such claims by checking for the vendor certification on NIST's website: http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html.
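The CAVP listing the interviewee points to is the authoritative record of a validated AES implementation, and nothing run locally replaces it. What a practitioner can do locally, as a first sanity check on whatever AES implementation a product exposes, is run the known-answer vectors published in FIPS 197 Appendix C (the same kind of test the algorithm validation program is built on). The Go program below is an added example, not CipherCloud's code; it applies those three published vectors to Go's standard-library `crypto/aes` as a stand-in for the implementation under test. The vector values are taken from the standard; the `KnownAnswer` type and `CheckKnownAnswer` function are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// KnownAnswer is one test vector: key, one plaintext block and the expected
// ciphertext block, all hex-encoded.
type KnownAnswer struct {
	Name, Key, Plain, Cipher string
}

// The three example vectors from FIPS 197 Appendix C (AES-128, AES-192, AES-256).
var fips197Vectors = []KnownAnswer{
	{"C.1 AES-128", "000102030405060708090a0b0c0d0e0f",
		"00112233445566778899aabbccddeeff", "69c4e0d86a7b0430d8cdb78070b4c55a"},
	{"C.2 AES-192", "000102030405060708090a0b0c0d0e0f1011121314151617",
		"00112233445566778899aabbccddeeff", "dda97ca4864cdfe06eaf70a0ec0d7191"},
	{"C.3 AES-256", "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
		"00112233445566778899aabbccddeeff", "8ea2b7ca516745bfeafc49904b496089"},
}

// CheckKnownAnswer encrypts one block with the implementation under test (here
// Go's crypto/aes) and reports whether the result matches the standard's answer
// and decrypts back to the original plaintext. A malformed vector is an error,
// a wrong answer is a false result.
func CheckKnownAnswer(v KnownAnswer) (bool, error) {
	key, err := hex.DecodeString(v.Key)
	if err != nil {
		return false, err
	}
	plain, err := hex.DecodeString(v.Plain)
	if err != nil {
		return false, err
	}
	want, err := hex.DecodeString(v.Cipher)
	if err != nil {
		return false, err
	}
	if len(plain) != aes.BlockSize || len(want) != aes.BlockSize {
		return false, errors.New("plaintext and ciphertext must be exactly one 16-byte block")
	}
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return false, err
	}
	got := make([]byte, aes.BlockSize)
	block.Encrypt(got, plain)
	back := make([]byte, aes.BlockSize)
	block.Decrypt(back, got)
	return bytes.Equal(got, want) && bytes.Equal(back, plain), nil
}

func main() {
	for _, v := range fips197Vectors {
		ok, err := CheckKnownAnswer(v)
		fmt.Printf("%s: match=%v err=%v\n", v.Name, ok, err)
	}
}
```

A passing run shows the implementation computes AES as the standard defines it for these inputs; it says nothing about key handling, side channels or the surrounding product, which is exactly the gap that third-party validation of the specific implementation is meant to close.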
For more information about CipherCloud's cloud data protection gateways, check out www.ciphercloud.com.
Kim Borg is the Editorial Manager at Computer Technology Review. She can be reached at firstname.lastname@example.org.