An explosive growth in cloud applications has dramatically changed the security architecture enterprises need to protect themselves. As a result, those same enterprises are realising they must re-assess their states of security, privacy and compliance such that they can be ‘cloud compatible’. Debabrata Dash delves deep into the sphere of cloud information protection gateways.
Today, virtually every type of business application is available in the cloud – sales, marketing, financials, Human Resources (HR), supply chains, procurement, collaboration and analytics are but a few. While some organisations consider delaying any move to the cloud, others are continuing adoption by examining the promise of cloud information protection gateways to deliver a proactive defence mechanism.
In its simplest form, a gateway – usually delivered as a piece of software – sits at the edge of the network and is the last touchpoint for enterprise data before it passes into a third party cloud application.
Since this is still a new market, companies are approaching the technology blend in different ways. Some have veered towards developing encryption or ‘tokenisation’ specific to one cloud, or only offering cloud discovery capabilities. However, those enterprises placing a long-term bet on cloud require a holistic platform spanning multiple controls in order to protect multiple clouds.
In effect, the gateway acts as a reverse proxy server enabling the business to monitor incoming and outgoing traffic (eg HTTP, SMTP, SOAP and REST) between its enterprise users and cloud applications. This is the first step towards helping companies maintain visibility in terms of where their data is going and setting security policies that better protect this crucial information as it moves off-site.
A gateway of this kind examines all outgoing cloud requests in real-time to identify sensitive data and then provides an assortment of granular security controls (encrypt, ‘tokenise’, scan for malware, etc) before forwarding the modified request to the cloud application. Encrypted or ‘tokenised’ data returning from the cloud application is converted into deciphered text before being displayed to the authorised user who requested the information.
Host companies can identify which cloud data they consider sensitive such as proprietary information, personally identifiable information (like a national ID number) or other regulated data. When that data is sent into the cloud application, the gateway applies the encryption method the user selects to protect it before it leaves the enterprise network.
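As an added illustration of the ‘tokenise’ control described above (example code written for this article, not CipherCloud’s product), the following minimal gateway takes an outbound JSON request body, replaces the fields the enterprise has classified as sensitive with tokens from an on-premises vault, and reverses the substitution on the response path. The field policy, the record layout and the TokenVault class are all constructed assumptions; tokens for e-mail addresses keep their domain so the cloud application’s own validation still passes.

```python
import json
import secrets

# Constructed policy: outbound fields the enterprise has classified as sensitive
# (the article's examples: a national ID number and other regulated data).
SENSITIVE_FIELDS = ("national_id", "email")

class TokenVault:
    """Hypothetical on-premises token vault: the cloud application only ever
    receives tokens; the token-to-plaintext mapping never leaves the enterprise."""
    def __init__(self):
        self._plain_by_token = {}
        self._token_by_plain = {}

    def tokenise(self, field, value):
        # Same plaintext -> same token, so equality search and sort in the cloud
        # still work (the 'operations preserving' property).
        if value in self._token_by_plain:
            return self._token_by_plain[value]
        if field == "email" and "@" in value:
            # Format preserving: keep the domain so cloud-side e-mail validation passes
            token = "tk" + secrets.token_hex(6) + "@" + value.split("@", 1)[1]
        else:
            token = "tk" + secrets.token_hex(6)
        self._token_by_plain[value] = token
        self._plain_by_token[token] = value
        return token

    def detokenise(self, value):
        # Values that are not tokens (ordinary, non-sensitive data) pass through unchanged
        return self._plain_by_token.get(value, value)

def _walk(obj, fn):
    """Apply fn(field, value) to every sensitive string field, recursing into
    nested objects and lists so multi-record API responses are covered."""
    if isinstance(obj, dict):
        return {k: (fn(k, v) if k in SENSITIVE_FIELDS and isinstance(v, str) else _walk(v, fn))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [_walk(item, fn) for item in obj]
    return obj

def outbound(vault, body):
    """Gateway on the request path: tokenise before the JSON body leaves the network."""
    return json.dumps(_walk(json.loads(body), vault.tokenise))

def inbound(vault, body):
    """Gateway on the response path: restore plaintext for the authorised user."""
    return json.dumps(_walk(json.loads(body), lambda _field, v: vault.detokenise(v)))
```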
Some gateways boast encryption capabilities that introduce a performance latency of less than 100 milliseconds. While it might not be noticeable by the end user (in comparison, it takes 300 to 400 milliseconds to blink), it’s certainly a small price to pay for keeping regulated or sensitive data absolutely secure and under your own control.
Gateways and advanced capabilities
An important factor in choosing a gateway is that of integrated key management capabilities. The end user must be given the capability to exclusively hold on to the keys so that only the company – not the cloud provider or any other party – can access its own sensitive data.
Protecting structured and unstructured data is also vital. Full service encryption capabilities safeguard structured data stored in cloud applications such as tables, rows and columns of a database and can also encrypt and ‘tokenise’ e-mail messages and attachments (including spreadsheets and PDFs).
Businesses are also given the tools to maintain an audit trail of all activities, such that they can track which users are logging in, from which IP addresses and at what time and, importantly, which records they’re accessing from cloud-based applications. These levels of support also extend to mobile devices, where the gateway can secure remote and mobile access from devices such as Apple’s iPhone.
Data encryption in the cloud provides a way for companies to encrypt sensitive information as it moves to any cloud application. This protects the data from being accessed by other tenants in a Software-as-a-Service (SaaS) solution, SaaS administrators and other unauthorised entities both inside and outside of a company. The technology preserves the cloud application user experience with minimal latency, and without making any changes to the cloud application itself.
Securing sensitive information
Tokenisation is the data masking alternative to encryption that’s popular in certain countries such as Germany and Singapore, where data isn’t allowed to leave the enterprise’s premises. While an effective and compliant security control, tokenisation requires more infrastructure investment than encryption.
As with encryption, tokenisation gives companies actionable options to proactively secure sensitive information. However, companies also need cloud discovery to identify ‘shadow IT’ (those instances where employees are using unsanctioned cloud applications, creating security and compliance problems).
The irony with most third party cloud discovery solutions is that they’re cloud-based, which requires enterprises to hand sensitive network logs to third parties – in turn creating potential compliance issues.
That brings us to data loss prevention and the centralisation of policies for governing cloud data. This is the engine that takes the intelligence from the discovery and monitoring capabilities and sets policies corresponding to security actions. Ideally, the solution should integrate with enterprise data loss prevention systems such as RSA, McAfee and Symantec and effectively extend existing system policies to cloud applications.
Data privacy and residency
With cloud encryption gateways, businesses retain control of the data itself and their encryption keys. If a cloud application provider is compromised or the users’ account credentials are stolen, attackers can see only the encrypted versions of an enterprise’s sensitive data.
For these reasons, several industry sectors have devised privacy guidelines designed to codify best practice for handling sensitive data. By way of example, regulations such as the Payment Card Industry Data Security Standard for the retail sector require encryption of sensitive data.
Where data residency is concerned, there are dozens of laws that govern the flow and storage of data across national borders. They include the EU Data Protection Directive.
Cloud Gateways: End User Checklist
The following checklist outlines some key ‘must have’ capabilities that end users should be looking to source in terms of cloud gateways:
Enterprise-Class Gateway, Support for All Clouds
• Application-aware to exercise granular control over application data without breaking cloud applications
• Minimal latency
• Deployable on premises or in a private cloud
• Support for Salesforce, AWS, Google Gmail, Microsoft Office 365, Box, ServiceNow and other cloud applications
Retain Cloud Application Capabilities
• Operations preserving: indexing, searching, sorting and reporting
• Format preserving: strings, dates, telephone, e-mail and domain names
Device Agnostic and Mobile Ready
• Support for remote employees regardless of the device: laptops, tablets and smart phones
• Support for the latest technologies, such as HTML5 applications
Expanded Cloud Protection
• Cloud discovery to identify all cloud applications being used by employees
• Strong encryption and ‘tokenisation’ to scramble or mask sensitive data
• Malware protection
• Data loss prevention
Debabrata Dash is Vice-President of Technology and Head of Engineering at CipherCloud