If you haven’t heard Louis C.K. explain the cloud you should go do that first and then come back. Louis C.K. makes the now-accepted notion of giving up ownership of data seem like a positively ridiculous and funny idea. His hesitancy to give up ownership and control of his sexy Tom Cruise photos (you don't want to know what he's doing with those photos!) parallels the hesitancy of IT regarding sensitive corporate data, which is the biggest reason why organizations have yet to fully embrace the cloud. The comedian makes a great point.
Anyway, a recent survey conducted by Ipswitch, Inc., a network management and messaging vendor, found that 69% of IT professionals send sensitive data -- for example, payroll, customer, or financial information -- through their personal email accounts whether it’s Hotmail, Gmail, or Yahoo. Now, if IT is doing that with email, imagine what other employees are doing with sensitive data and SaaS apps, whether inadvertently or not.
The holy grail of consumerization is enabling SaaS apps and mobility without compromising sensitive data. One way to do that is with Toronto-based company PerspecSys’ Cloud Data Protection Gateway.
What does PerspecSys do?
The Cloud Data Protection Gateway is a software package that sits on a Linux server inside the corporate firewall. Information passes through the PerspecSys server to be encrypted or tokenized before it gets passed out into a cloud application. The data becomes meaningless should anyone hack it while it is in transit, stored in a SaaS app or at rest on a mobile device.
This is a pretty big deal for highly regulated industries and even multi-national corporations that do business in the European Union, where data residency requirements and other regulations can prevent a discussion of moving to the cloud.
Let’s say your organization wants to use Salesforce.com. Non-sensitive data would go to Salesforce as clear text. Sensitive data is passed to Salesforce either encrypted (obscured slightly) or tokenized (the data is completely swapped out for a new value set). It all depends on the level of protection needed.
With tokenization, the actual data and its corresponding token value are kept in an index table at the enterprise's chosen location. Only the token is sent to the SaaS application. Those SaaS providers can play with the token and use it however they want, but they can’t do much with it for the simple reason that the data doesn’t exist there. Information is passed back through the PerspecSys server so the end-user sees the correct information being displayed.
Standard data encryption falls short of data residency requirements, whereas tokenization meets the threshold for approval because on a very technical level, the sensitive data has never left the on-premises server (or designated public cloud).
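The tokenization round trip described above, sketched as an added example (this is not PerspecSys code). The class name, field names, sample record and `tok_` token format are all assumptions made for illustration, as is the choice to give a repeated value the same token.

```python
import secrets


class TokenGateway:
    """Toy stand-in for an on-premises tokenization gateway (hypothetical)."""

    def __init__(self, sensitive_fields):
        self.sensitive_fields = set(sensitive_fields)
        self._token_to_value = {}  # index table: never leaves the enterprise
        self._value_to_token = {}  # reverse index: one stable token per value

    def _tokenize(self, field, value):
        key = (field, value)
        if key not in self._value_to_token:
            # Random token: unlike ciphertext, it has no mathematical
            # relation to the value, so there is no key to attack.
            token = "tok_" + secrets.token_hex(8)
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def outbound(self, record):
        """Record as sent to the SaaS app: sensitive fields become tokens."""
        return {f: self._tokenize(f, v) if f in self.sensitive_fields else v
                for f, v in record.items()}

    def inbound(self, record):
        """Record returned by the SaaS app: known tokens become real values."""
        return {f: self._token_to_value.get(v, v) if isinstance(v, str) else v
                for f, v in record.items()}


# Constructed sample record; only "contact" and "ssn" are treated as sensitive.
SAMPLE = {"account": "Acme Corp", "contact": "Jane Doe",
          "ssn": "000-00-0000", "stage": "Negotiation"}


def round_trip(record=SAMPLE):
    gateway = TokenGateway({"contact", "ssn"})
    stored = gateway.outbound(record)    # what the SaaS provider holds
    restored = gateway.inbound(stored)   # what the user sees via the gateway
    return gateway, stored, restored


if __name__ == "__main__":
    _, stored, restored = round_trip()
    print("stored in SaaS:", stored)
    print("shown to user: ", restored)
```

A second `TokenGateway` with an empty index table returns the stored record unchanged from `inbound`, which is the same view a user gets when reaching the SaaS app without going through the gateway.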
The big problem with consumerization is that users want to access SaaS apps from devices and networks other than those provided by the organization. What happens when an employee wants to use Salesforce while working from home?
Users can still access their cloud applications via the PerspecSys server through a reverse proxy option deployed in the DMZ. This is a bit trickier to configure but does allow users to access SaaS apps with the encryption through other devices without having to VPN into the server. They just access the PerspecSys server via a URL re-direct in the DMZ. The downside is that if they somehow access the SaaS app without going through the corporate component, they will see either the token or encrypted fields instead of clear text.
This is fairly typical of the push and pull between security and usability.
Securely enabling the cloud is going to be a necessity for IT. If Gartner is to be believed, then 50% of the world’s data will be stored entirely in the cloud by 2016. That means the problem of data security for enterprises is only going to grow exponentially as consumerization grows.
PerspecSys works with various SaaS apps through API connectors, which the company said take roughly three months to build out. Like others tackling consumerization problems, the company has struggled to keep up with the thousands of available SaaS apps used by people. To that end, it is currently working on the creation of a software development kit so enterprises can build their own connectors to enable the apps employees are using or encourage them towards using IT-supported SaaS apps.
Vaultive and Navajo Systems (which happened to get acquired by Salesforce last fall) are two companies that compete in the same space as PerspecSys, which said it differentiates itself from its competitors with its tokenization approach to data encryption and by being cloud vendor neutral.