Tech Insights


Contributor Columns on Information Technology and Security

CipherCloud CMO on Cloud Cybersecurity: If Your Data is Unencrypted It's Vulnerable To Hacking

As even casual observers of the IT industry are aware, cloud computing is dramatically changing the industry. In organizations large and small, IT specialists are wrestling with how and when to move their enterprise's data to the cloud as well as what will happen to it once it's there.

One issue that is becoming an increasing concern for IT specialists everywhere is the security of their company's data once it is in the cloud. While there is no question there can be substantial cost savings associated with the cloud, hackers have also seen the cloud as a potential trove of sensitive information, including financial and other corporate documents, health records, personal addresses and more. Not surprisingly, from data mining to phishing and other techniques, hackers have been aggressively targeting cloud providers and their customers. Finally, let's not forget that the ongoing revelations of the NSA's PRISM and other spying programs have driven home to organizations that use the cloud that they cannot necessarily be sure what country their data is stored in, and the rules and regulations regarding data protection vary widely across jurisdictions.

In that context, for cloud computing to continue its growth path, users will increasingly want to marry cloud computing with cybersecurity. One company that is on the leading edge of cloud security is CipherCloud. I am joined today by Paige Leidig, CipherCloud's SVP and Chief Marketing Officer, who will discuss the issues and challenges involved with cloud security, and how CipherCloud addresses them.

IT Specialist: Thank you for joining us today, Paige. To start with, can you provide some brief background on CipherCloud, such as what year you were started, who your founders are and what the inspiration for starting CipherCloud was?

Paige: CipherCloud was founded in late 2010 by Pravin Kothari, a former co-founder of ArcSight, a security company which HP acquired for $1.6 billion earlier in 2010. A serial entrepreneur and technologist, Pravin had the foresight to sense an opportunity in protecting sensitive enterprise information in the cloud and across multiple clouds. He also understood that since cloud data can reside in any country, it can be subject to local law enforcement that can seize that data. He founded CipherCloud to eliminate these critical issues and make it possible for organizations to enable their secure move to the cloud. Organizations have a desire to use more cloud applications and also have control over their sensitive information, but they are concerned that encryption breaks the application command, such as search and sort. Their cloud encryption gateway is designed in a way to enable organizations to protect their data in the cloud without sacrificing application functionality, user experience, or performance, and without making any changes to the cloud application.

IT Specialist: Could you explain at a high level what the major issues involved in Cloud security are? I would venture to say that cybersecurity is one, and that related to this would be all of the regulatory aspects in the Cloud. Is that correct?

Paige: At a high level, the cloud creates information protection challenges that fall into 4 camps: security, privacy, residency and compliance. First, information and infrastructure have to be protected from malware, theft and increasingly from surveillance. Second, Personally Identifiable Information (PII) has to be protected to meet privacy requirements established by U.S. state privacy laws. Third, data residency guidelines stipulate that data cannot leave the boundaries of a country. Fourth, in the case of heavily regulated industries (financials, insurance, healthcare, etc.) there is the requirement to comply with industry and government regulations - GLBA for banks, PCI DSS for payment card merchants, HIPAA/HITECH for healthcare, etc.

IT Specialist: How prevalent are Cloud security breaches, and more specifically, from a technical perspective what are the main types of possible breaches that enterprise IT specialists should be concerned about?

Paige: With more data moving to the cloud, cloud breaches - including the largest publicly announced - are inevitably increasing, as the bad guys historically follow the money. But in addition to cyber thieves looking for personal data and IP to steal and sell, the NSA PRISM revelations highlight that surreptitious cloud surveillance is another risk of their data being disclosed without them knowing about it.

IT Specialist: How or why do these breaches occur?  

Paige: Aside from accidental leaks, breaches happen when an unauthorized entity breaks into a server - either a hacker or an internal employee, usually with the end goal of stealing valuable information to sell on the black market or to use for competitive advantage. If the data is unencrypted, then it's vulnerable.

IT Specialist: This may sound a bit simplistic, but from an enterprise IT manager's perspective, can't they simply count on their Cloud provider to protect their data security? If the answer is no, then why is relying on their Cloud provider not enough?

Paige: Some cloud providers offer encryption of data at rest while in their servers, but many do not. However, even if data is encrypted by the cloud provider, they typically decrypt data during any type of data processing, as they hold the keys. This leaves the data vulnerable to rogue insiders, mismanagement or forced legal disclosure, and many legal experts agree that this is not adequate for regulatory compliance. By comparison, with CipherCloud's solution, the encryption keys never leave the organization, assuring compliance and protection of the data.

IT Specialist: Your web site highlights a number of protection controls CipherCloud delivers, including encryption, tokenization, activity monitoring, data loss prevention (DLP) and malware detection. Can you briefly speak to each of these? The concept of tokenization is particularly interesting, where your data appears to reside in the Cloud, but it's actually still behind the firewall - what does this actually mean in practice and how does tokenization actually operate?

Paige: We provide a platform of cloud-based security and compliance software:

AES-256 bit encryption - Operations-preserving encryption that protects sensitive information before it is sent to the cloud

Tokenization - Actual data resides locally in a token cache / database, and what is sent out to the cloud are tokens that are structurally similar to the actual data, but have no mathematical correlation.

Cloud Data Loss Prevention (DLP) - Custom DLP policies that scan, detect, and take action to protect sensitive information in any field or document, providing an additional level of security and control

Cloud Malware Detection - Information exchanges including external and internal user uploaded attachments are screened in real-time for virus, malware and other embedded threats

Activity Monitoring - Security dashboards report on activities to monitor out-of-compliance users

IT Specialist: One thing that strikes me about CipherCloud's approach to Cloud security is that you seem to have a strong focus on securing data - for example through encryption or Data Loss Prevention strategies - before it reaches the Cloud, or essentially while data is still within the enterprise's own network. Is this just the most natural way to approach Cloud security, or does it represent a particular strategy CipherCloud decided to use? 

Paige: We think our approach is the best way to protect data in the cloud because it offers enterprises the ability to preserve the usability and functionality of their cloud applications. Our software encrypts data before it ever leaves the company's network, with negligible impact on the cloud application's performance. The net effect is that users have a seamless interface and experience with the cloud application - but with the robust security of CipherCloud.

IT Specialist: Speaking of encryption, I see you actually offer military grade AES encryption schemes, as well as software-based cryptographic key management based on a standard called NIST SP 800-21. Can you explain what cryptographic key management actually is, and why this would allow an enterprise IT specialist to sleep better at night?

Paige: We use AES-256 bit encryption, which is the most advanced known protocol for encryption. It's the standard that governments around the world use to encrypt their sensitive information. We also give the encryption and decryption keys to the enterprise. As we covered earlier, when an enterprise retains the keys, they have more control over their data, resulting in tighter security and better compliance.

AES encryption has been certified by NIST under FIPS 197 and CipherCloud is in the final certification process for FIPS 140-2. The AES standard has been publicly published and extensively reviewed and tested by many independent organizations. In addition, CipherCloud's implementation has gone through rigorous testing, code review and validation by dozens of major enterprise customers, including the world's largest banks.

IT Specialist: Does CipherCloud's technology offer security for any Cloud-based application or product, or is there a particular group of Cloud products you focus on? For example, does securing a product such as Microsoft 365 present different challenges than, say, a Cloud product from Google or even from a specific SaaS vendor such as Salesforce?

Paige: We offer out-of-the-box cloud information protection software for popular enterprise applications such as Salesforce, Gmail, Office 365, AWS and Box. Additionally, our Connect AnyApp framework can provide this same level of cloud information protection to any cloud application, including home-grown mash-ups. 

IT Specialist: Turning our attention now to your customer base, are there any vertical markets where you see a particular focus on Cloud security? For example, it seems like Government might be one. I would also have to imagine that certain industries which are subject to particularly strong security compliance and privacy standards regulations - Healthcare? Finance? - would also need to be extraordinarily cautious about ensuring their Cloud security. Is this accurate?

Paige: Government, finance and healthcare do represent some of our existing customers. Insurance, retail and hi-tech are also among our verticals. Essentially, we're a good fit for any organization that is handling sensitive data in the cloud and needs to overcome data privacy, security, residency and regulatory compliance risks.

IT Specialist: How has the overall reception to CipherCloud been in the enterprise market, and can you give us a sense of the total size of your customer base? Are there any particular customers that you are able to highlight and share with us?

Paige: With a product that is just over two years old, we have grown extremely rapidly. We now have more than 1.2 million users in North America, South America, Europe, and Asia in over 10 industries including banking, insurance, healthcare, government, high tech, etc. Our customers include the largest banks and investment houses in the world. In the aftermath of the NSA PRISM revelations, we received a spike in interest from prospects around the world, as the threat of cloud surveillance by governments raised concerns for increased data protection and the need for companies to protect their data from third parties, whether a government agency collecting records or a malicious hacker looking to steal IP and personal information.

Our customers include the largest banks in the world who use us for mortgage, personal and investment banking. In fact, Mitsubishi just announced that they are using CipherCloud for Salesforce.

IT Specialist: From a corporate perspective, has CipherCloud raised any capital to date, and if yes, who are your core investors?

Paige: Andreessen Horowitz invested $30 million in December of 2012. Our other investors include Index Ventures and T-Venture.

IT Specialist: Who do you primarily interact with in the enterprise? I assume you work closely with IT departments and enterprise IT specialists. For prospective customers who may want to work with you or trial your products, what is the best way for them to interface with CipherCloud to start the discussion process?

Paige: We interact with line-of-business executives whose budget pays for the deployment of existing and new cloud applications within a company, IT security specialists who validate the capabilities of our offering, IT architects who determine how our solution will fit into their company's infrastructure, etc. The best way for prospects to reach us is to drop us a note, as well as join us at any of the upcoming public events we will be attending.

IT Specialist: Finally, turning to the future, is there any upcoming news or new product releases you might like to highlight?

Paige: Stay tuned for the launch of a number of new offerings this Fall, focused on extending our out-of-the-box support for more popular cloud applications as well as deepening our security controls to provide an even stronger level of protection to data stored in the cloud.

IT Specialist: Thank you for joining us today Paige, and best of luck going forward.
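As an added illustration that is not CipherCloud's code and not part of the original interview, the tokenization pattern Paige describes (the real value stays in a local token cache, and the cloud application only ever receives a token that is structurally similar to the data but has no mathematical relation to it) can be sketched in Python. Everything here is an assumption for the sake of the example: an in-memory dict stands in for the on-premises token database, `protect_record` and `restore_record` are hypothetical names for the gateway's outbound and inbound paths, and the CRM record and its values are constructed.

```python
# Added example (not CipherCloud's code): a minimal tokenization gateway.
# Real values never leave the local vault; the cloud side only sees tokens
# that keep the original's shape but are drawn from a CSPRNG, so there is
# no mathematical path from a token back to the data it replaced.
# Assumptions: a dict stands in for the on-premises token database, and the
# "cloud" is simply the record we would hand to a SaaS API.
import secrets
import string


def shape(value: str) -> str:
    """Character-class signature used to check structural similarity."""
    return "".join(
        "9" if c.isdigit() else "A" if c.isupper() else "a" if c.islower() else c
        for c in value
    )


def same_shape(a: str, b: str) -> bool:
    return shape(a) == shape(b)


class TokenVault:
    """On-premises token store (assumption: in-memory dict; production would be
    a hardened, access-controlled database behind the firewall)."""

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        # One token per value so equality search / sort on the cloud side
        # still behaves consistently for the same underlying datum.
        self._value_to_token: dict[str, str] = {}

    @staticmethod
    def _random_token_like(value: str) -> str:
        """Format-preserving token: digit -> random digit, letter -> random letter
        (case kept); everything else (dashes, '@', '.') is passed through so the
        cloud app's field validation still accepts the token."""
        out = []
        for c in value:
            if c.isdigit():
                out.append(secrets.choice(string.digits))
            elif c.isalpha():
                letters = string.ascii_uppercase if c.isupper() else string.ascii_lowercase
                out.append(secrets.choice(letters))
            else:
                out.append(c)
        return "".join(out)

    def tokenize(self, value: str) -> str:
        if not any(c.isalnum() for c in value):
            raise ValueError("value has no alphanumeric content to replace")
        existing = self._value_to_token.get(value)
        if existing is not None:
            return existing
        while True:
            token = self._random_token_like(value)
            # Reject a collision with an existing token or with the value itself.
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]

    def __len__(self) -> int:
        return len(self._token_to_value)


def protect_record(record: dict, sensitive_fields: list, vault: TokenVault) -> dict:
    """Gateway outbound path: swap sensitive fields for tokens before the record
    is sent to the cloud application. Non-sensitive fields pass through."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out and out[field] is not None:
            out[field] = vault.tokenize(out[field])
    return out


def restore_record(record: dict, sensitive_fields: list, vault: TokenVault) -> dict:
    """Gateway inbound path: replace tokens with the original values for users
    inside the enterprise network."""
    out = dict(record)
    for field in sensitive_fields:
        if field in out and out[field] is not None:
            out[field] = vault.detokenize(out[field])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; all values are fictitious.
    crm_record = {
        "name": "Alice Example",
        "ssn": "123-45-6789",
        "email": "alice@example.com",
        "notes": "Renewal call scheduled",
    }
    cloud_copy = protect_record(crm_record, ["ssn", "email"], vault)
    print("sent to cloud:", cloud_copy)
    print("restored:", restore_record(cloud_copy, ["ssn", "email"], vault))
```

Because each token is generated with `secrets` rather than derived from the value, compromising the cloud copy yields nothing usable without the vault, while the one-token-per-value rule keeps equality search and sort working on the cloud side. The gateway sits in the same place the interview puts its encryption gateway, between the enterprise network and the cloud application, which is also where the keys (or here, the vault) stay under the enterprise's control.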
