by
James Furbush
If you haven’t heard Louis C.K. explain the cloud, you should go do that first
and then come back. Louis C.K. makes the now-accepted notion of giving up ownership of data seem like a positively ridiculous and funny idea. His hesitancy to give up ownership and control of his sexy Tom Cruise photos (you don't want to know what he's doing with those photos!) parallels the hesitancy of IT regarding sensitive corporate data, which is the biggest reason why organizations
have yet to fully embrace the cloud. The comedian makes a great point.
Anyway, a recent survey conducted by Ipswitch, Inc., a
network management and messaging vendor, found that 69% of IT professionals
send sensitive data -- for example, payroll, customer, or financial information -- through
their personal email accounts whether it’s Hotmail, Gmail, or Yahoo. Now, if IT
is doing that with email, imagine what other employees are doing with sensitive
data and SaaS apps, whether inadvertently or not.
The holy grail of consumerization is enabling SaaS apps and
mobility without compromising sensitive data. One way to do that is with
Toronto-based company PerspecSys’ Cloud Data Protection Gateway.
What does PerspecSys do?
The Cloud Data Protection Gateway is a software package that
sits on a Linux server inside the corporate firewall. Information passes
through the PerspecSys server to be encrypted or tokenized before it gets passed
out into a cloud application. The data becomes meaningless should anyone hack it
while it is in transit, stored in a SaaS app or at rest on a mobile device.
This is a pretty big deal for highly-regulated industries
and even multi-national corporations that do business in the European Union,
where data residency requirements and other regulations can prevent a
discussion of moving to the cloud.
Let’s say your organization wants to use Salesforce.com.
Non-sensitive data would go to Salesforce as clear text. Sensitive data is
passed to Salesforce either encrypted (obscured slightly) or tokenized
(the data is completely swapped out for a new value set). It all depends on the
level of protection needed.
With tokenization, the actual data and its corresponding
token value are kept in an index table at the enterprise's chosen location.
Only the token is sent to the SaaS application. Those SaaS providers can play
with the token and use it however they want, but they can’t do much with it for
the simple reason that the data doesn’t exist there. Information is passed back
through the PerspecSys server so the end user sees the correct information
being displayed.
Standard data encryption falls short of data residency
requirements, whereas tokenization meets the threshold for approval because on
a very technical level, the sensitive data has never left the on-premises
server (or designated public cloud).
The big problem with consumerization is that users want to access SaaS apps from devices and networks other than those provided by the organization. What happens when an employee wants to use Salesforce while working from home?
Users can still access their cloud applications via the PerspecSys server through a reverse proxy option deployed in the DMZ. This is a bit trickier to configure, but it lets users reach SaaS apps with the encryption in place from other devices without having to VPN into the server. They just access the PerspecSys server via a URL redirect in the DMZ. The downside is that if they somehow access the SaaS app without going through the corporate component, they will see either the token or encrypted fields instead of clear text.
This is fairly typical of the push and pull between security and usability.
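The tokenization flow and the bypass behaviour described above, as an added sketch that is not PerspecSys code: the field names, the `tok_` prefix, the in-memory index table and the sample record are all assumptions made for illustration.

```python
import secrets

SENSITIVE_FIELDS = {"ssn", "salary"}   # assumed policy: fields that must stay on-premises


class TokenVault:
    """Index table kept at the enterprise's chosen location (in memory here)."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value):
        # Reuse an existing token so equal values still match inside the SaaS app.
        if value not in self._token_by_value:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from the value
            self._token_by_value[value] = token
            self._value_by_token[token] = value
        return self._token_by_value[value]

    def detokenize(self, token):
        # A string with no entry in the table is returned unchanged.
        return self._value_by_token.get(token, token)


def outbound(record, vault):
    """Gateway -> SaaS: swap sensitive fields for tokens, leave the rest as clear text."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def inbound(record, vault):
    """SaaS -> user: restore the clear values for display."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


# Constructed sample record; "saas_store" stands in for the cloud application.
vault = TokenVault()
employee = {"name": "A. Example", "region": "EU", "ssn": "000-12-3456", "salary": "82000"}
saas_store = {"rec1": outbound(employee, vault)}

via_gateway = inbound(saas_store["rec1"], vault)   # what a user behind the gateway sees
direct = saas_store["rec1"]                        # what a user bypassing the gateway sees

if __name__ == "__main__":
    print("stored in SaaS: ", direct)
    print("through gateway:", via_gateway)
```

The random token has no mathematical relationship to the value it replaces, so the index table is the only way back to the clear text and becomes the asset that needs protecting.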
Looking Ahead
Securely enabling the cloud is going to be a necessity for IT. If Gartner is to be believed, then 50% of the world’s data will be stored entirely in the cloud by 2016. That means the problem of data security for enterprises is only going to grow exponentially as consumerization grows.
PerspecSys works with various SaaS apps through API
connectors, which the company said takes them roughly three months to build out.
Like other consumerization problems, the company has struggled to keep up with
the thousands of available SaaS apps used by people. To that end, they are
currently working on the creation of a software developer kit so enterprises
can build their own connectors to enable the apps employees are using or encourage
them towards using IT-supported SaaS apps.
Vaultive and Navajo Systems (which happened to get acquired by Salesforce last fall) are two companies that compete in
the same space as PerspecSys, which said it differentiates itself from its competitors with its tokenization
approach to data encryption and by being cloud vendor neutral.