Will encryption and tokenization better enable cloud adoption?


If you haven’t heard Louis C.K. explain the cloud, you should go do that first and then come back. Louis C.K. makes the now-accepted notion of giving up ownership of data seem like a positively ridiculous and funny idea. His hesitancy to give up ownership and control of his sexy Tom Cruise photos (you don't want to know what he's doing with those photos!) parallels the hesitancy of IT regarding sensitive corporate data, which is the biggest reason why organizations have yet to fully embrace the cloud. The comedian makes a great point.

Anyway, a recent survey conducted by Ipswitch, Inc., a network management and messaging vendor, found that 69% of IT professionals send sensitive data -- for example, payroll, customer, or financial information -- through their personal email accounts whether it’s Hotmail, Gmail, or Yahoo. Now, if IT is doing that with email, imagine what other employees are doing with sensitive data and SaaS apps, whether inadvertently or not.

The holy grail of consumerization is enabling SaaS apps and mobility without compromising sensitive data. One way to do that is with Toronto-based company PerspecSys’ Cloud Data Protection Gateway.

What does PerspecSys do?

The Cloud Data Protection Gateway is a software package that sits on a Linux server inside the corporate firewall. Information passes through the PerspecSys server to be encrypted or tokenized before it gets passed out into a cloud application. The data becomes meaningless should anyone hack it while it is in transit, stored in a SaaS app or at rest on a mobile device.

This is a pretty big deal for highly-regulated industries and even multi-national corporations that do business in the European Union, where data residency requirements and other regulations can prevent a discussion of moving to the cloud.

Let’s say your organization wants to use Salesforce.com. Non-sensitive data would go to Salesforce as clear text. Sensitive data is passed to Salesforce either encrypted (obscured slightly) or tokenized (the data is completely swapped out for a new value set). It all depends on the level of protection needed.

With tokenization, the actual data and its corresponding token value are kept in an index table at the enterprise's chosen location. Only the token is sent to the SaaS application. Those SaaS providers can play with the token and use it however they want, but they can’t do much with it for the simple reason that the data doesn’t exist there. Information is passed back through the PerspecSys server so the end user sees the correct information being displayed.

Standard data encryption falls short of data residency requirements, whereas tokenization meets the threshold for approval because on a very technical level, the sensitive data has never left the on-premises server (or designated public cloud). 
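A minimal sketch of the tokenization flow described above, added here as an illustration and not PerspecSys code: the index table stays with the enterprise, only random tokens reach the SaaS application, and a reader without the table sees tokens. The class and function names, the `tok_` prefix and the list of sensitive fields are assumptions.

```python
import secrets

# Hypothetical policy: which fields of a record count as sensitive.
SENSITIVE_FIELDS = {"name", "email"}


class TokenVault:
    """Index table kept at the enterprise's chosen location (here: in memory)."""

    def __init__(self):
        self._by_value = {}   # (field, clear value) -> token
        self._by_token = {}   # token -> clear value

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            # The token is random, not derived from the value, so it cannot
            # be reversed without the index table.
            token = "tok_" + secrets.token_hex(8)
            while token in self._by_token:   # regenerate on the rare collision
                token = "tok_" + secrets.token_hex(8)
            self._by_value[key] = token
            self._by_token[token] = value
        # Same value -> same token, so equality matching still works in the app.
        return self._by_value[key]

    def detokenize(self, token):
        # Values that are not known tokens pass through unchanged.
        return self._by_token.get(token, token)


def outbound(record, vault):
    """Gateway -> SaaS: swap sensitive fields for tokens, leave the rest clear."""
    return {f: vault.tokenize(f, v) if f in SENSITIVE_FIELDS else v
            for f, v in record.items()}


def inbound(record, vault):
    """SaaS -> user via the gateway: restore clear values for known tokens."""
    return {f: vault.detokenize(v) if isinstance(v, str) else v
            for f, v in record.items()}


# Constructed sample record, not real data.
SAMPLE = {"name": "Alice Example", "email": "alice@example.com", "stage": "Prospect"}

if __name__ == "__main__":
    vault = TokenVault()
    stored = outbound(SAMPLE, vault)   # what the SaaS application holds
    print("SaaS copy:  ", stored)
    print("Via gateway:", inbound(stored, vault))
```
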

The big problem with consumerization is that users want to access SaaS apps from devices and networks other than those provided by the organization. What happens when an employee wants to use Salesforce while working from home? 

Users can still access their cloud applications via the PerspecSys server through a reverse proxy option deployed in the DMZ. This is a bit trickier to configure but does allow users to access SaaS apps with the encryption through other devices without having to VPN into the server. They just access the PerspecSys server via a URL redirect in the DMZ. The downside is that if they somehow access the SaaS app without going through the corporate component, they will see either the token or encrypted fields instead of clear text.

This is fairly typical of the push and pull between security and usability.  

Looking Ahead

Securely enabling the cloud is going to be a necessity for IT. If Gartner is to be believed, then 50% of the world’s data will be stored entirely in the cloud by 2016. That means the problem of data security for enterprises is only going to grow exponentially as consumerization grows.

PerspecSys works with various SaaS apps through API connectors, which the company said take roughly three months each to build out. Like others tackling consumerization problems, the company has struggled to keep up with the thousands of available SaaS apps people use. To that end, it is currently working on a software developer kit so enterprises can build their own connectors to enable the apps employees are using, or encourage them towards using IT-supported SaaS apps.

Vaultive and Navajo Systems (which happened to get acquired by Salesforce last fall) are two companies that compete in the same space as PerspecSys, which said it differentiates itself from its competitors with its tokenization approach to data encryption and by being cloud vendor neutral.

Join the conversation



It seems like this would be a good way to fill the niche and make a bridge across to SaaS, but, man, it seems like it'd be clunky and kind of defeat some of the purpose of SaaS. I want to see how smoothly it actually works.


Jack - happy to brief you on the ways we have engineered the solution to make it easy for IT/Security to deploy and maintain and how we make it transparent to the end users of the SaaS applications. Without this solution, an on-prem deployment of the apps is where many of these organizations (dealing with sensitive information and facing compliance/privacy/residency issues) would need to head...opening up a much more complex and unwieldy scenario. We make the cloud possible for them.


CipherCloud also provides encryption for multiple cloud applications including Salesforce, Force.com, Chatter, Gmail, Office 365, and more - all from a single gateway to solve the tough data privacy, residency, security, and compliance barriers in moving to the cloud. The world's leading banks and healthcare organizations use CipherCloud to encrypt or tokenize their cloud application. You can watch an online demo of CipherCloud in action with Salesforce pages.ciphercloud.com/Office365OnlineDemo.html and Office 365 pages.ciphercloud.com/Office365OnlineDemo.html


Consumerization and Cloud Computing are definitely related, so Cloud seems a valid subject here - but to then completely ignore Consumerization! Employees don't choose to use their own devices to still be tied to the office. Any solution that is based on keeping the corporate data on-premise precludes mobile work using such data. So the solutions presented here may be of interest to companies that restrict their folk to work on-premise only, it seems to have little relevance for Consumerization.


Thinking about this more, it makes a lot of sense, if it can be done right.

I'm imagining the solutions here as corporate intermediaries between SaaS and users. The point isn't to keep users from saying FUIT and heading to a SaaS provider on their own. You'll never, ever be able to control that. Rather, the point is to say "Yes, these cloud-based SaaS products are awesome, but we just want you to use them in a way that's compliant."

Then it helps if that corporate gateway is completely transparent to the end user (because so many people really hate using VPNs) (just ask me about TechTarget's VPN...), and it also helps if the company pays for and provisions the account.

The other issue that I can think of is that some SaaS products might be of less value if all they're allowed to work with is tokens or encrypted data.

@Ernst, While there's nothing that these services can do about FUIT, I don't completely don't that these ignore consumerization. The impression that I got from the article was that users could log in through their corporate intermediary from anywhere (is that correct?) It seems like a good attempt at a compromise, again with the caveat that if the UX is painful, users will defect.

@Grealish and KevinLB, I'd like to hear more about these products—drop a line at jmadden@techtarget.com

