Gartner Highlights the Importance of Third-Party Validation
Gartner recently published a report that highlights the growing importance of Cloud
Access Security Brokers - solution providers that offer unified cloud computing
security platforms. This solution category includes a new class of products that
Gartner terms Cloud Encryption Gateways, which encrypt or tokenize sensitive
information before it leaves an organization's firewall. These solutions, if
designed properly, allow organizations to maintain control of sensitive data
since they replace the original "clear-text" values with indecipherable
replacement values in the cloud. Businesses are adopting these solutions to
address issues raised by data residency requirements and data privacy
regulations driven by a host of industry compliance mandates. In addition to
enabling organizations to satisfy their data protection needs, products like those
from PerspecSys also preserve the user experience with the SaaS application
(such as Salesforce.com or Oracle CRM). With PerspecSys, critical functionality
like Search is retained even when strong encryption (e.g., FIPS 140-2 validated
modules) or tokenization is used to protect the data being sent to the
cloud.
Gartner highlights the importance of using strong tokenization capabilities that have
been evaluated by an independent third party. Practitioners from the payment
card industry, where I spent quite a few years, are very familiar with this
requirement.
Enterprises should make sure the providers they depend on to satisfy regulatory compliance
or strict data privacy and residency requirements can deliver on the expected
results. One way is to look for assessments from third parties like I referenced
above. Well-qualified independent auditors that use established testing and
evaluation criteria can validate that solutions are doing what providers say
they do. This type of assessment ought to be a no-brainer for the technology
providers and is something that enterprises should expect.
What else? Well, it may seem intuitive, but another important step is to look for
products that use well-vetted and accepted industry approaches. For example,
within the PerspecSys solution, we made great efforts to ensure that our
customers could use industry-standard cryptographic modules that they have
approved based on internally established screening criteria as well as external
benchmarks, such as NIST FIPS 140-2 validation. When we initially began
designing our solution, we considered developing a proprietary encryption
algorithm that would make it simpler for us to preserve SaaS application
functionality such as "Searching" and "Sorting" on data that was encrypted
inside of the cloud. Creation of such an algorithm requires the designer to
tweak and modify ("weaken") a strong algorithm in order to get the desired
result. But when we considered the long-term ramifications of this approach, we
understood that it ran completely counter to what enterprise security
organizations would (and should) expect from a solution meant to protect their
most sensitive business data. Standards-based security, robust and scalable,
without exception - this continues to be a central design principle that
enterprise security professionals require, and what we deliver as evidenced by
the award-winning PerspecSys Cloud Data Protection Gateway.
For further information visit: http://cloudcomputing.sys-con.com/node/2334215/print