PerspecSys: Removing a Key Security Barrier to Public Cloud Adoption

David Hill

February 23, 2012

Network Computing

Several months ago, an IT trade publication (which will remain nameless) published an article whose title stated that public cloud security remains "mission impossible." While the article was well-reasoned and backed off from the title's hyperbolic assertion, the damage had already been done. Actually, the title should have been something more like, "Public cloud security is mission possible, but proceed cautiously."

Why do I say this? Because cloud "security" (I place security in quotes to emphasize that it may include data control and data protection issues broadly defined) requires careful technology, administrative control and regulatory planning that addresses each issue according to its importance to an enterprise. As an example of solving a very important security issue, let's take PerspecSys, a vendor whose solution enables enterprises to use an application running in a public cloud without also placing sensitive, personally identifiable information (PII, or information that may be used to construct the identity of an individual, including, but not limited to, full name, national identification number and credit card numbers) in the cloud.

Worldwide--most notably in the European Union, but also more and more in the United States and elsewhere--governments are preventing organizations from disseminating or storing PII improperly. Exactly what constitutes improper behavior is still evolving, but clearly one big restriction is the geographical constraint on where PII can be disseminated or stored. For example, even within the European Union, restrictions exist on transferring and storing PII across country borders--say, locating PII pertaining to German citizens in Italy or Greece.

This is a regulatory barrier that has teeth, levying notably heavy fines for violations. Therefore, an enterprise may be prohibited from using a public cloud that stores data in a different country than that in which the enterprise is located. That can be a significant problem if, let's say, an enterprise wants to use a software-as-a-service (SaaS) provider, such as Salesforce.com, for important business reasons. No go.

PerspecSys dissolves this problem, enabling the enterprise to use Salesforce.com or other SaaS applications wherever the application is run, because the PII data is stored in the enterprise's own approved geographical location (in its own or a third party's data center). The rest of the data that the SaaS application uses can be stored in a public cloud, without regard to geographical location.

How is this possible? PerspecSys provides software, which it calls the PRS (Privacy, Residency and Security) Server, that is installed on a standard Linux-based server in a data center where an enterprise can legally store PII. A Salesforce.com user, for example, goes through the PRS Server when creating a Salesforce.com record. The non-PII information goes through to Salesforce.com untouched in clear text form, whereas the PRS Server replaces the PII clear text with anonymized data that cannot be reconstructed at the public cloud end to recreate the PII information.

There are two methods for achieving this. The first method is encryption. The encryption keys are kept by the company in the country of origin so the public cloud cannot decipher the PII. Now, while this is a technically sound method of providing privacy, and many governments approve this method, some jurisdictions are still not happy with this approach because, in some sense, the PII has still been moved and only the residency of the keys, not the PII, is with the company. In such cases, another method, called tokenization, which is all about the residency of data, serves as a strong alternative.

With tokenization, every piece of PII is assigned a randomly generated value. The value can be alphanumeric and corresponds to what the application requires for purposes of processing, such as a national identification number. This value is called a token. The real PII and its corresponding token value are kept in an index table at the enterprise's chosen processing location. Only the token is sent to the SaaS application. Now, Salesforce.com or other SaaS providers can play with this token to their hearts' content and use it in processing, but no one (not even a governmental agency that seizes the data) can reconstruct the PII data for the simple reason that it doesn't exist there.

However, a user can recall the necessary records of information from Salesforce.com to his or her company's legal location, and PRS Server will substitute the proper PII for the token so that the user sees the correct information transparently without having to take any action. Note that PRS Server can also detect the location from where the user (say, through a laptop) is accessing the data to make sure that the user, who may be authorized to access data, is also authorized to access data from wherever he or she is located at the time.

Moreover, the PRS Server collects detailed log files of who accessed what, where and when, so it serves an auditing function to ensure compliance. Policies can be set to ensure compliance within whatever jurisdiction an enterprise is located. In fact, multiple site organizations that are located in many different jurisdictions, and with both internal and external data centers, can have restrictions put on for their own internal use.
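The tokenization round trip, location check and access log described above can be sketched as follows. This is an added illustration, not PerspecSys code: the class and function names, the field names and the in-memory index table are all assumptions.

```python
import secrets
import string

PII_FIELDS = {"full_name", "national_id"}  # assumed field names, not from the article

class TokenVault:
    """Index table of PII <-> token, held at the approved location (in memory here)."""
    def __init__(self, allowed_locations):
        self._by_token, self._by_value = {}, {}
        self.allowed_locations = set(allowed_locations)
        self.audit_log = []  # entries: (user, location, token, released)

    @staticmethod
    def _random_like(value):
        # Random token in the shape the application expects: digits stay digits,
        # letters stay letters of the same case, separators are kept.
        pick = secrets.choice
        return "".join(
            pick(string.digits) if c.isdigit()
            else pick(string.ascii_uppercase) if c.isupper()
            else pick(string.ascii_lowercase) if c.isalpha()
            else c
            for c in value)

    def tokenize(self, value):
        if not any(c.isdigit() or c.isalpha() for c in value):
            raise ValueError("nothing to randomize in value")
        if value in self._by_value:  # design choice here: one stable token per value
            return self._by_value[value]
        token = self._random_like(value)
        while token == value or token in self._by_token:
            token = self._random_like(value)
        self._by_token[token], self._by_value[value] = value, token
        return token

    def detokenize(self, token, user, location):
        # Every lookup is logged; the real value is released only at an allowed location.
        released = location in self.allowed_locations
        self.audit_log.append((user, location, token, released))
        return self._by_token.get(token, token) if released else token

def outbound(record, vault):
    """Record as sent to the SaaS application: PII fields replaced by tokens."""
    return {k: vault.tokenize(v) if k in PII_FIELDS else v for k, v in record.items()}

def inbound(record, vault, user, location):
    """Record as shown to the user: tokens swapped back only at an allowed location."""
    return {k: vault.detokenize(v, user, location) if k in PII_FIELDS else v
            for k, v in record.items()}
```

Because the token is random rather than derived from the PII, the copy held by the SaaS provider carries no information that could be reversed without the index table.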

PerspecSys works with SaaS applications as well as some platform-as-a-service (PaaS) capabilities, and plans to extend its support in the future.

Rather than taking a broad brush to cloud "security," enterprises need to take a planned approach in which each relevant aspect of security is examined and measured on a very focused basis and later integrated as necessary. One inhibiting factor to the adoption of SaaS in the public cloud may very well be the need to prevent PII from getting into those very environments. In such cases, PerspecSys' PRS Server qualifies as a clear and definitive solution.

PRS Server cleverly replaces PII with encryption or a token that cannot be read at the public cloud, but doesn't prevent a legal user from integrating PII with the other information created and used in a SaaS application back home when necessary. Since legal authorities are satisfied, enterprise legal departments and IT can breathe easily, and users can rest assured that their private data remains so. As a result of PerspecSys' innovation, an IT problem is solved before it becomes a crisis, and another barrier to public cloud adoption is removed.

At the time of publication, PerspecSys is not a client of David Hill and the Mesabi Group.
