Edward Snowden's leaks about NSA spying may have brought the issue of cloud security to broad public attention, but some enterprise users were already concerned about how to take advantage of cloud-based applications while keeping their data safe.
As a result, enterprises, cloud-based application vendors, and security startups have all been trying to come up with ideas to make clouds more secure.
The main issue at heart is that a cloud-based software-as-a-service (SaaS) provider must see the data in order to do anything useful with it. For example, an online word processing application must be able to read the document in order to offer spell checking capabilities. An online storage vendor must be able to read stored documents in order to allow users to search for just the ones they need.
Since the cloud vendor must be able to see the actual data at some point, that is when a rogue employee, a hacker, or a government agency might step in and grab a copy of it.
Some enterprises are choosing to forgo the cost savings and convenience of cloud apps and switch back to on-premises software. According to an August report from the Information Technology & Innovation Foundation, the U.S. cloud computing industry could lose between $22 billion and $25 billion over the next three years as a result of security concerns.
To address this problem, SaaS vendors and their customers are turning to a new crop of security solutions for the cloud.
In general, these fall into two major categories: on-premises gateways that encrypt or tokenize data before passing it on to the cloud vendor, and third-party encryption appliances that limit vendor access to data while allowing the customer to control the keys.
Proxies and gateways
With a proxy or gateway, an enterprise installs an encryption appliance on premises, in a data center they control, or even in a virtual machine with a public cloud provider like Amazon. Company users looking to access their favorite cloud services are sent to the proxy instead, where, completely invisible to the user, the data is encrypted or tokenized before it goes out, and decrypted when it comes back in.
This approach is particularly attractive to companies in Europe, where regulations constrain the degree to which some types of data can cross national borders.
The cloud vendor never actually sees the data in plain form, even while working with it. Gateway vendors use various techniques to let the cloud application keep working with the data even while it's encrypted.
San Jose-based CipherCloud Inc., one of the leading vendors in this space, saw a 200 percent increase in revenues this summer after the NSA leaks came out compared to the same time last year.
"It was our best quarter ever, especially in Europe but also in Asia," said company SVP Paige Leidig.
According to CEO Pravin Kothari, 2 million end users are currently using CipherCloud gateways, which provide security for many popular cloud offerings including Salesforce, Chatter, Gmail, Office 365, Amazon Web Services, and Box.net.
The way the product works is that the CipherCloud gateway provides the most commonly used functionality needed by cloud application providers, such as searching and sorting. The data that is actually passed along to the cloud application is fully encrypted, using symmetric encryption, several orders of magnitude more secure than the asymmetric encryption typically used for Internet communications.
Customers can also choose to use tokenization to protect their data. Unlike encryption, which uses a mathematical formula to convert text, tokenization uses a codebook approach, with a different randomly generated code for each piece of information that needs to be secured. Tokenization is often used to protect Social Security or credit card numbers.
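As an added illustration, not code from CipherCloud or PerspecSys: a minimal Python tokenization gateway with an on-premises codebook vault. The field names, token format and sample record are assumptions; the vault, not any formula, is the only way back to the real values.

```python
import secrets

class TokenVault:
    """On-premises codebook: a random token stands in for each real value (constructed example)."""

    def __init__(self, token_bytes=8):
        self._token_to_value = {}
        self._value_to_token = {}
        self._token_bytes = token_bytes

    def tokenize(self, value):
        # A value seen before keeps its token, so exact-match search in the cloud app still
        # works; the cost is that the cloud side can see which records share a value.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:  # fresh random code, retried on the (astronomically unlikely) collision
            token = "tok_" + secrets.token_hex(self._token_bytes)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        # Only the holder of the codebook can reverse a token; there is no formula to invert.
        return self._token_to_value[token]  # KeyError for a token this vault never issued

# Hypothetical field policy: which columns the gateway tokenizes before they leave the premises.
SENSITIVE_FIELDS = {"ssn", "card_number"}

def outbound(vault, record):
    """Record as forwarded to the cloud application: sensitive fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}

def inbound(vault, record):
    """Record as returned to the user: tokens swapped back for the real values."""
    return {k: (vault.detokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}

# Constructed sample record; the card and SSN are test values, not real data.
SAMPLE = {"name": "A. Customer", "ssn": "123-45-6789", "card_number": "4111111111111111"}
```

Losing the vault means losing the data for good, which is why it stays under the enterprise's control rather than the cloud vendor's.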
The company is rapidly adding connectors to other cloud services, but it also offers a standard tool kit that companies can use to set up access to any cloud service they wish.
"The goal of our company is to make sure that users don't see a difference," Kothari told CSO. "There is no change in the user behavior. All the operations like searching, sorting and reporting continue to work even though the data in the cloud is fully encrypted."
What sets CipherCloud apart is the wide range of cloud services it supports, said Kothari. "The reality is that most customers are thinking beyond just a single cloud application."
Toronto-based PerspecSys Inc. takes a similar approach: customers can set up their gateways to use either encryption or tokenization, or even leave some data in the clear. PerspecSys currently offers ready-to-go connectivity to Oracle CRM On Demand, Salesforce.com, Xactly Incent, Cornerstone OnDemand, and Oracle Fusion. Typically, the gateway is bought and installed by the enterprise customer, but now cloud application vendors themselves are looking to offer this technology.
"We have partnerships with SaaS vendors that want to offer a premium version of their solution, and we are working with them to bake in our technology so they can offer data-secure versions to their customers," PerspecSys CEO David Canellos told CSO.
In addition, some international vendors are hosting PerspecSys gateways on behalf of customers in particular countries.
"Some countries have data residency or sovereignty laws," said Canellos. "We have many instances in the world where people outsource the management of the PerspecSys gateway to a managed service provider."
Like CipherCloud, PerspecSys also has a tool kit that allows companies to create adapters for new cloud applications.
Another approach that some vendors take is to use a form of encryption that preserves the ability to search and sort data.
New York-based Vaultive Inc. provides a gateway to Office 365's Exchange platform and plans to add support for other Microsoft cloud products.
The application currently supports mailboxes, calendar, notes and tasks.
"The current support is for all service-side operations you expect Exchange to provide," said co-founder and chief strategy officer Ben Matzkel. "E-discovery. Legal holds. Personal archives. Filtering. Data loss prevention. All of these things in most cases require some sort of insight into the data."
To accomplish this, Vaultive combines "well-known cryptography algorithms and tools and cryptographic hashes" with additional metadata in such a way that cloud applications can continue to perform operations on encrypted data and get the results as if it were plaintext.
"It works for indexing, sorting, creating reports, joining data from different sources and correlating them," Matzkel told CSO. "If you're doing something like spellcheck, where the actual word needs to get to the application for it to work, we can implement that in the proxy itself."
This approach has some downsides, however.
"A lot of these function-preserving encryption methods are not as secure," said security expert Tsion Gonen, chief strategy officer at Baltimore-based SafeNet Inc. "There's a compromise you have to make between security and preserving functionality. But it's definitely better than nothing if you have a compliance issue."
Another potential downside to this approach is that not all functionality can be preserved. No type of encryption, for example, will allow spell check to work. Vendors typically move this functionality into the proxy itself.
"But it's really cumbersome and takes a long time," Gonen told CSO. "And how long can companies do this? Every time the cloud vendor comes out with a new version, they have to do it again."
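To make Gonen's trade-off concrete, an added example that is not Vaultive's or SafeNet's code: the same stdlib-only stream cipher in a randomized and in a deterministic (searchable) mode, showing that exact-match search by the cloud app and the leak of which rows share a value arrive together. The HMAC-CTR construction, key and sample column are assumptions standing in for the real products' ciphers; sorting would need an order-preserving scheme, which reveals more still.

```python
import hashlib
import hmac
import secrets
from collections import Counter

def _keystream(key, nonce, length):
    """CTR-style keystream from HMAC-SHA256 used as a PRF (stdlib stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"ks" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data, ks):
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_randomized(key, plaintext):
    """Fresh random nonce per call: equal plaintexts yield unrelated ciphertexts."""
    nonce = secrets.token_bytes(16)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def encrypt_searchable(key, plaintext):
    """Nonce derived from the plaintext (synthetic-IV style): equal plaintexts yield equal
    ciphertexts, so the cloud app can index and exact-match them without holding the key."""
    nonce = hmac.new(key, b"siv" + plaintext, hashlib.sha256).digest()[:16]
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))

def decrypt(key, blob):
    """Both modes decrypt the same way; only the gateway (key holder) can do this.
    No integrity tag is included: this illustrates the search property only."""
    nonce, body = blob[:16], blob[16:]
    return _xor(body, _keystream(key, nonce, len(body)))

def cloud_side_search(column, search_token):
    """What the cloud app can do with no key: compare stored ciphertexts to a gateway-supplied token."""
    return [i for i, c in enumerate(column) if c == search_token]

def equality_leak(column):
    """Rows whose ciphertext repeats elsewhere: what an observer learns from the stored column."""
    counts = Counter(column)
    return sum(c for c in counts.values() if c > 1)

KEY = secrets.token_bytes(32)  # constructed per-run key; held by the customer, never by the cloud
# Constructed sample column (a "city" field); three rows share one value.
SAMPLE = [b"Berlin", b"Paris", b"Berlin", b"Berlin", b"Oslo"]
```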
If a company is willing to let a vendor see the plain data temporarily in order to process it, several vendors are offering encryption appliances. These are physical or virtual machines that encrypt and decrypt data for a vendor to use while ensuring that stored data is fully encrypted -- without ever letting the vendor see the keys.
These vendors include Tel Aviv-based Porticor Ltd., Austin-based Gazzang, Inc., and San Jose-based Vormetric, Inc.
Regulated industries such as health-care providers and payment companies are among the early adopters of encryption appliances, according to Ariel Dan, co-founder and marketing EVP at Porticor.
"Porticor is deployed as an additional virtual instance in the vendor's environment," Dan told CSO. "Everything that passes through Porticor is encrypted, everything that passes back to the vendor is decrypted."
As a result, all the data stored by the vendor is in an encrypted state, and the vendor doesn't have the keys. Neither does Porticor -- the customer holds the keys and decides when to use them.
Only a minimum amount of data is exposed, and only for a short time. It is theoretically possible for a hacker with deep knowledge of the vendor's application to grab that data as it is being used, but the level of effort required would be significant.
"It adds a significant hurdle to protect the data from hackers," said Dan.
Porticor claims to differentiate itself from other companies in this space with a unique "homomorphic split key" system based on a mathematical algorithm that allows the key to be passed from the customer to the Porticor appliance in an encrypted form, so that even if it is stolen, the hackers won't be able to use it to decrypt the stored data.
Another vendor with a similar encryption appliance is Austin-based Gazzang, Inc., which focuses on health care and financial sector clients and the cloud vendors that serve them.
One customer is Rockford, Ill.-based financial planning vendor ScenarioNow Inc., which used Gazzang's zNcrypt appliance to secure its tools when it decided to offer cloud-based versions to its customers.
"One of the largest concerns our clients have is security of their financial information," said ScenarioNow CEO Patrick Sullivan in a statement.
Gazzang's zNcrypt adds an additional level of security in allowing enterprises to determine how and when their data can be accessed by the cloud vendor.
"What you really want is to enable the SaaS vendor to get to the data for normal day-in and day-out processing, but to need special permission for things like backup or copy," Gazzang CEO Larry Warnock told CSO. "So, say, if more than 50 records are accessed at once, this is probably a nefarious action. And with a key manager that supports policies, a SaaS vendor can even ask for multi-factor authentication for certain functions."
Other SaaS vendors that use Gazzang include Appcelerator, Castlight, Everbridge and Fireapps, the company said.
The best known of these vendors is Vormetric, whose products are primarily used internally by enterprises to secure their data: encryption keys are controlled by a security manager, so that nobody in the IT department can access sensitive data. According to the company, 17 of the Fortune 25 companies are customers, including four of the top five commercial banks.
The Vormetric tools are also increasingly being used by SaaS vendors to lock down their cloud applications, and put control of the keys in customer hands. In addition to encrypting data at rest and protecting the keys, the Vormetric appliance also allows for fine-grained access controls.
"Only approved users, processes and applications are allowed to see the data," Vormetric CEO Alan Kessler told CSO.
Still not perfect
When it comes to security, there are no absolute guarantees.
Even when a vendor claims not to have access to the encryption keys, things can still go wrong, said Adrian Sanabria, an analyst at New York-based 451 Research.
"That's still not a guarantee that there isn't a backdoor key that they or the government don't have access to," he told CSO.
For example, security firm RSA recently warned customers against using one of its random number generators because it was compromised by the NSA.
Even hardware-based encryption can potentially be compromised right in the factories where the chips are made, or during the design process.
"And there are knock-off products, like fake Cisco products that look almost identical but with different internals," he said.
In the end, he said, the goal is to manage risk, using the highest level of security available for the most sensitive data.