This is the third in a series of posts on cloud encryption solutions.
Security vendor PerspecSys is tackling the cloud computing space from the SaaS angle. PerspecSys believes that many organizations want to enjoy the speed and ease of deployment as well as the cost advantages that SaaS solutions such as Salesforce.com provide, but issues like data privacy, residency and security get in the way. PerspecSys has a purpose-built solution called the Cloud Data Protection Gateway that intelligently encrypts or tokenizes data before it goes into the SaaS application.
With SaaS applications, data going into the cloud is not simply being stored; it is also used for searching, sorting, reporting and calculating. This creates a real challenge: how to perform those kinds of functions when the data is encrypted or tokenized. For example, data encrypted via strong algorithms cannot be sorted. Tokenized data cannot be searched — at least not with any meaning, since tokens by definition are totally random values.
PerspecSys has taken these challenges into consideration in developing its gateway solution. PerspecSys works with the SaaS application vendors to create a unique application connector that tailors the obfuscation techniques to each SaaS application. This allows for features like field-by-field encryption or tokenization, rather than full database encryption. It’s possible to encrypt one field and tokenize another in order to meet data residency requirements.
The core system in the PerspecSys Cloud Data Protection Gateway is the PRS Server, which acts as a forward proxy. The PRS Server resides transparently between the cloud-based application and its users, intercepting critical data before it is passed to the application in the cloud and replacing it with a random token or encrypted value that is meaningless outside the PRS Server. The PRS Server can be hosted locally in a customer’s data center or in a cloud.
Depending on a customer’s specific needs, PerspecSys can help create a hybrid cloud configuration where some data is processed and/or stored locally, while other data is processed and/or stored in the cloud. The vendor cites a fairly complex application used by a European bank that has customers in both Germany and Switzerland. The two countries have different data residency requirements that prohibit commingling one country’s data with the other’s. The PerspecSys product allows actual German data to stay resident in Germany, and actual Swiss data to stay resident in Switzerland, while tokenized representations of both countries’ data are used in a cloud-based SaaS application. The bank gets the benefits of SaaS without violating local mandates for data residency and privacy.
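The gateway pattern described above, sketched as an added example (this is not PerspecSys code): a proxy applies a per-field policy, swaps protected values for random tokens, and keeps a separate token vault per jurisdiction so real values stay in-region. The names `FIELD_POLICY`, `TokenVault` and `Gateway`, and the sample record, are hypothetical; encryption of fields is left out so the block covers tokenization only.

```python
import secrets

# Hypothetical policy: fields listed as "clear" pass through; everything else is tokenized.
FIELD_POLICY = {"segment": "clear"}

def protected(field):
    return FIELD_POLICY.get(field, "tokenize") == "tokenize"  # unlisted fields fail closed

class TokenVault:
    """Token <-> value map that never leaves its jurisdiction."""
    def __init__(self, region):
        self.region, self._by_token, self._by_value = region, {}, {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so exact-match search keeps working.
        if value not in self._by_value:
            token = f"tok_{self.region}_{secrets.token_hex(8)}"  # random, not derived
            self._by_token[token], self._by_value[value] = value, token
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]  # KeyError for tokens minted by another vault

    def lookup(self, value):
        return self._by_value.get(value)

class Gateway:
    def __init__(self, regions):
        self.vaults = {r: TokenVault(r) for r in regions}

    def outbound(self, region, record):
        """Rewrite a record before it is forwarded to the SaaS application."""
        v = self.vaults[region]
        return {k: v.tokenize(x) if protected(k) else x for k, x in record.items()}

    def inbound(self, region, record):
        """Restore real values in a record coming back from the SaaS application."""
        v = self.vaults[region]
        return {k: v.detokenize(x) if protected(k) else x for k, x in record.items()}

    def search_term(self, region, field, value):
        """Translate an exact-match query into the token the SaaS side stores."""
        return self.vaults[region].lookup(value) if protected(field) else value

if __name__ == "__main__":
    gw = Gateway(["DE", "CH"])
    rec = {"name": "Anna Schmidt", "segment": "retail"}  # constructed sample record
    sent = gw.outbound("DE", rec)
    print(sent, gw.inbound("DE", sent) == rec)
```

Reusing one token per value is what makes exact-match search possible, and it also lets the SaaS side see which records share a value. Sorting and range queries on the tokens remain meaningless, since token order is unrelated to the order of the real values.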