Vendors tap into cloud security concerns with new encryption tools

Products let enterprises retain control over key management functions

A handful of vendors have begun rolling out new technologies designed to let companies take advantage of cloud computing environments without exposing sensitive data.

One of these vendors, CipherCloud, a Cupertino, Calif.-based start-up, on Thursday launched a virtual appliance technology that companies can use from within their premises to encrypt or to mask sensitive data before it hits the cloud platform.

Unlike the case with encryption services offered by cloud providers, CipherCloud's technology lets enterprises have complete control over the encryption and decryption process, said Pravin Kothari, CEO and founder of the company. The only set of encryption keys resides with the enterprise and not the cloud provider, ensuring that only authorized users can view the data, Kothari said.

CipherCloud's algorithm works in a way that encrypts data without fundamentally altering the data format or function, said Kothari, whose previous start-up was ArcSight , a company acquired by Hewlett-Packard last year for $1.5 billion.

CipherCloud's technology also supports a tokenization feature that replaces sensitive data entered into a cloud application with anonymous dummy values. The tokenization feature, like the encryption technology, lets companies mask sensitive data while ensuring that they still retain the ability to sort, search, validate and generate reports with it, according to Kothari.

CipherCloud's technology is designed to work with any cloud provider, although the launch version works only with Salesforce.com's cloud platform.

CipherCloud is not the only company offering such products. Another vendor offering a similar cloud encryption technology is Vormetric, which on Wednesday rolled out an encryption product for use within Amazon's Web Services platform. The Vormetric product also lets enterprises encrypt sensitive data that is stored in the cloud, while allowing them to retain full control over encryption key and policy management functions.

Voltage Security and Navajo Systems offer technologies that are similar in approach and function to CipherCloud's product. Like CipherCloud, Navajo has an offering for Salesforce.com's cloud computing platform.

Such technologies give companies an immediate way to protect data in their existing cloud applications, said Richard Stiennon, a security analyst at IT-Harvest. They also can help mitigate the data residency issues that can sometimes crop up when companies move data to the cloud, he said. Companies in certain industries for instance, can face restrictions when it comes to storing their data outside certain geographic borders. The data masking and cloud encryption tools that are becoming available today can offer a way around such issues, he said.

One example of an organization that plans on using such technology to get around data residency restrictions is the New Democratic Party (NDP) of Canada, which is a beta tester of the CipherCloud product. The NDP wanted to move its applications to Salesforce.com but was concerned about having its database of 24 million voters stored on Salesforce.com servers in the U.S.

"We really liked the Salesforce.com product, but we were highly reluctant to have our data stored in the U.S and being prone to the Patriot Act," said James Williamson, IT coordinator at the NDP. "Also, being a political party, our members our highly sensitive to storing their [personal data] in the U.S," he added.

Initially, the NDP considered the encryption services offered by Salesforce.com but decided not to pursue that avenue because the encryption keys would also be held by the provider. "If the Patriot Act was invoked, they would hand over the key, so there really was no protection," Williamson said.

At the recommendation of Saleforce.com, the NDP tried one other vendor that offered a similar encryption approach before trying out CipherCloud. So far, the experience has been positive, Williamson said. CipherCloud's technology has allowed NDP to encrypt and decrypt data on the fly, with no noticeable impact on performance, he said. The fact that key management functions are under the control of the NDP has lessened the risk of NDP's voter data being accessed in an unauthorized fashion, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies