Released last week by cloud security vendor CipherCloud, the Connect AnyApp gateway can be used to encrypt or tokenize--meaning, replace with unique symbols--any cloud-based or intranet application data.
CipherCloud is pitching the product in part as a way for businesses to make use of cloud-based software without having to worry about whether the cloud provider's security is fit for the task. Likewise, storing only encrypted data in the systems of a cloud provider eliminates worries that hacktivists or others might access and copy the data. Finally, some foreign companies are prohibited from using any U.S.-based servers, over fears that the U.S. government might sneak a peek at the data under the auspices of the Patriot Act.
[ It's time for cloud services to get serious about social engineering attacks. Read Apple, Amazon Security Fails: Time For Change. ]
"Encryption really uniquely puts an enterprise back in control, because if I own the encryption key, and I am encrypting the data myself, then that means I control the data and where it goes--a third party hosting the data doesn't have access to it," said Kevin Bocek, VP of marketing for CipherCloud.
Numerous surveys of cloud computing users find that they think that cloud service providers are responsible for the security of the data they store. But according to a recent Ponemon Institute study, 72% of cloud users don't know what, if any, security measures their cloud vendor has in place to protect their data.
Interestingly, a study conducted by Ponemon last year also found that 69% of cloud providers believe that their customers are most responsible for the security of their data. Tellingly, only 35% of cloud users believed the same.
CipherCloud began selling virtual cloud encryption gateways in February 2011 on a per-product basis, including for Salesforce.com and Office 365. With the new Connect AnyApp, Bocek said, "What we've done now is taken that core capability of encrypting data in real time, as a user is working with the information, and allowing an enterprise to configure--by policy--which fields need to be encrypted."
In addition, he said, encrypted data remains searchable, and can still be sorted, inside the Web application. Bocek said that's possible because cloud software such as Salesforce.com will see an encrypted representation of a search query being sent from the gateway, for example for "Chicago." But it won't have any idea what the search query is really about. "They don't know it's Chicago--it's just the encrypted representation of Chicago," he said, which is enough to find a search hit in Salesforce.
But while using a virtual gateway to encrypt cloud application data offers a new way to secure Web applications for business use, wouldn't it be better to build security in rather than bolting it on? "Although I do agree that bolt-on security is always challenging and [avoiding it] is often sound guidance, there are many examples where security technologies are used in a bolt-on manner to satisfy specific customer requirements," said Gartner analyst Lawrence Pingree via email. In this case, he said the key requirement is customers being able "to utilize specific encryption algorithms or maintain encryption keys on-premise versus off-premise." Again, using a virtual encryption gateway puts customers, rather than a third party, in charge of their encryption keys.
Interestingly, Pingree suggested that such technology might be used not just on a per-application basis, but also by businesses that want to build their own private, secure clouds without having to rely on third parties. "Organizations can use encryption gateway products in conjunction with other enforcement technologies--for example, next-generation firewalls, application controls, and URL filtering--to effectively create their own on-premise cloud service portals," he said. "These gateways allow an organization to mimic some of the centralized service catalog functionality a cloud service brokerage would typically provide."
Find out the nine questions you must ask before migrating apps to the public cloud in the Cloud Ready? special issue of InformationWeek. Also in this issue: It's time to lay to rest two common myths of the cloud computing era. (Free registration required.)