One of the holy grails of Cloud computing is the ability to secure the service in an extremely strong way. Across the globe, riding the wave of concern over surveillance that PRISM, the NSA, and our own GCSB continue to generate, a number of start-ups are racing to provide products that not only hide companies (and individuals) from spies, but also provide extremely high levels of privacy, solve the data sovereignty issue, allow encrypted data to be processed in the Cloud, and use a single key, which you hold.
Tools have existed for some time for the home user, but for the large company or government agency they haven’t been available. The New Zealand government is very wary of using overseas Cloud services because of security concerns. This generally forces agencies into using local services, which is great for the industry, but is also expensive, and the security on offer is a little weaker than that provided by global giants like Amazon. Don’t get me wrong, the big local Cloud providers have strong security, but they can’t compete with Amazon in terms of multi-layer defence systems.
In the last few weeks we have seen the emergence of one company (I’m not going to name them, this isn’t an advertorial) that seems to have solved these security problems for enterprise-class companies and agencies for the following Cloud services: SalesForce, AnyApp, Gmail, Office 365, Box, and Amazon. A small start, but you can be sure there will be more on the way.
It works like this.
You deploy an encryption engine between your company and the Cloud service provider. It supports multiple forms of encryption and tokenization, chosen according to the level of protection needed.
You identify which data you consider sensitive and in need of strong protection, such as the National Health Index number, IRD numbers, and anything in a record that can personally identify a person.
The engine encrypts that data before it leaves the enterprise network. Here’s the kicker: it can do that while still retaining the format of the data, for example an email address, a phone number, an IRD number, and so on. That means the Cloud provider can process the data as if it were the real thing, so you can still use application functionality such as searching, sorting, and reporting.
Tokenization, the substitution of each sensitive value with a token whose mapping back to the real data is kept inside the enterprise, means that the sensitive data itself never actually leaves your enterprise. This solves the data sovereignty issue.
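As an added illustration (not the product’s code, which this post does not show), here is a vault-based, format-preserving tokenization gateway in Python: each token keeps the character classes and separators of the original, so an IRD number, NHI number or email address still passes the Cloud application’s format checks; the same input always yields the same token, so equality searches in the Cloud still work; and the vault that maps tokens back to real values stays on-premises. The field names and sample values used are constructed assumptions.

```python
import secrets
import string

class TokenizationGateway:
    """Vault-based, format-preserving tokenizer between enterprise and cloud.
    The vault (token -> real value) stays on-premises; the cloud sees tokens."""

    def __init__(self, sensitive_fields):
        self.sensitive_fields = set(sensitive_fields)
        self._vault = {}    # token -> original value (never leaves the enterprise)
        self._reverse = {}  # original value -> token (deterministic reuse)

    @staticmethod
    def _token_like(value):
        # Letters map to random letters of the same case, digits to random digits;
        # separators such as '-', '@' and '.' stay in place, so the token still
        # passes the cloud application's format validation.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize_value(self, value):
        if not any(ch.isalnum() for ch in value):
            raise ValueError("value has nothing to tokenize")
        if value in self._reverse:        # same input -> same token, so an
            return self._reverse[value]   # equality search in the cloud works
        token = self._token_like(value)
        while token in self._vault or token == value:
            token = self._token_like(value)
        self._vault[token] = value
        self._reverse[value] = token
        return token

    def outbound(self, record):
        """On the way to the cloud: tokenize only the fields marked sensitive."""
        return {k: self.tokenize_value(v) if k in self.sensitive_fields else v
                for k, v in record.items()}

    def inbound(self, record):
        """On the way back: restore real values from the local vault."""
        return {k: self._vault.get(v, v) if k in self.sensitive_fields else v
                for k, v in record.items()}
```

Deterministic tokens preserve equality but not ordering, so Cloud-side sorting or range reports over tokenized fields will not reflect the real values; anything beyond equality needs order- or format-preserving encryption, which carries its own leakage trade-offs.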
The Cloud Gateway uses FIPS 140-2 validated cryptographic modules; FIPS 140-2 is a standard approved for use by US government agencies and by health and financial institutions.
Your company is the only place that the encryption key is stored. It doesn’t get stored with the encryption engine supplier or the Cloud provider. That means only you have access to the data.
My sources tell me that this technology is already in use within the New Zealand financial industry and that the overhead is low, i.e. it doesn’t cause performance problems for your business, and the cost, in the scheme of things, is not that great.
This type of technology has an interesting effect on the ICT industry and its continued paranoia with security, privacy, and data sovereignty.
For starters, if you identify data as sensitive, the engine retains the original locally and sends only the encrypted or tokenized copy for processing and storage. This means that data sovereignty is no longer an issue. Using that technology, an Enterprise in New Zealand could validly use overseas Cloud providers where it was previously restricted by a “do not go offshore” mandate. This would be particularly useful for central government agencies, which have tied themselves in knots about where data can and can’t reside.
The data can’t be accessed by your competitors, the Cloud service provider, your telecommunications company, the SIS, the GCSB, the NSA, PRISM, Tempora, hackers, crackers, pirates, thieves, or anyone else for that matter. They may be able to take that stream of data and store it, but it’s completely useless.
Even if we imagine they have the resources to decrypt the data, tokenization makes it valueless: it can’t be linked back to individuals unless it is de-tokenized and put back together inside your Enterprise network.
As far as the incoming GCSB and TICS law changes are concerned, this technology makes the law redundant (as do other good encryption tools) because, while the spies can capture the data, they can’t read it.
If nothing else, the PRISM saga is driving a wave of privacy innovation that is growing by the day. It bodes well for us when we can keep ahead of the criminals and spies. Privacy is a right and this kind of technology can protect us at an Enterprise level.
If you are interested in the company I’ve used as a case study drop me a note through the contact page and I’ll email you.