Security vendors are heeding the siren call to create more useful solutions to protect data going into the cloud. In particular, there is some real innovation in products designed to encrypt or tokenize data before it is sent to cloud-based applications. Three of the more significant developments include:
- Format preservation
- Operation preservation
- Content awareness
All three of these features can be applied to data as it is being either encrypted or tokenized. Let’s have a look at why they are useful and even necessary for applications in the cloud.
Format preservation is the capability of having the encrypted data or token take the same basic format as the original clear-text data. This is necessary when the cipher text or token is being plugged into an application that expects a field to be in a specific format. For example, a credit card number will always have 16 characters, and a social security number will always have the format ###–##–####. An application is likely to choke on cipher text that cannot meet the basic format requirements of a field.
Format preservation can go well beyond the cipher text simply having the same number of characters as the original data. For example, a merchant may want to preserve the last four digits of a credit card number when the value is printed on a receipt. This helps a customer recognize his card number, even if only a few digits are displayed. Thus, a card number that begins as “1234 5678 9012 3456” might be tokenized as “a6&2 Nh9d ls48 3456” and might appear on the customer’s receipt as “**** **** **** 3456”.
Operation preservation allows an application to perform essential operations on data that is now represented by cipher text or a token. The most important operations performed on protected data in many applications are “search” and “sort.” For instance, consider customer information that is stored in a cloud-based CRM application as cipher text. An end user wants to search for a customer by name, say “Smith.” But “Smith” doesn’t actually appear anywhere in the database, because only encrypted text is stored there.
Some encryption engines now preserve enough information about the actual data to allow basic search and sort operations in the cloud-based application. Without this capability, the application would be difficult to use as intended.
Content-aware encryption is the latest innovation to come to market. This technology incorporates elements of data loss prevention into the encryption engine through the use of dynamic encryption policies.
With content-aware encryption, administrators set a policy that looks for sensitive data, such as a field containing sensitive text, and automatically encrypts one or more fields. Dynamic encryption policies are critical because enterprises moving to the cloud must meet data loss prevention, privacy, compliance, and security demands. For example, a defense contractor that must meet certification requirements under ITAR (International Traffic in Arms Regulations) can now set a policy to encrypt an organization’s name, address, notes, and other sensitive data when the organization’s industry matches “Defense.”
Being able to set policies over certain types of data eliminates the need to encrypt information that is not considered sensitive, which speeds deployment and reduces overhead. It also takes the decision of what is “sensitive” away from end users by building the definition into automated policies.
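The three features above can be sketched in a few dozen lines. The following is an added example written for this page, not code from any vendor product it describes: an in-memory token vault that keeps the shape of the clear text (digits stay digits, letters stay letters, separators stay put) and can leave the last four characters in clear for a receipt; a keyed blind index so a cloud application can answer an equality search such as “name equals Smith” without holding the clear text (sort, the other operation mentioned, would need an order-revealing scheme and is not shown); and a content-aware policy that protects the listed fields only when a trigger field matches, as in the “Defense” example. The vault, the `blind_index` function, the policy dictionary and the sample records are all constructed for illustration; a production vault would be a hardened, access-controlled store, and the key would come from a key manager rather than a literal.

```python
import hashlib
import hmac
import secrets
import string


class TokenVault:
    """Constructed demo of a format-preserving token vault.

    Each alphanumeric character of the input is replaced by a random character
    of the same class (digit / upper / lower), while punctuation and whitespace
    are kept in place, so a 'dddd dddd dddd dddd' card number still validates as
    one and a name still looks like a name. `keep_tail` leaves the last N
    characters in clear (e.g. the last four card digits for a receipt).
    """

    _CLASSES = (string.digits, string.ascii_uppercase, string.ascii_lowercase)

    def __init__(self):
        self._to_token = {}   # clear text -> token (same clear text, same token)
        self._to_clear = {}   # token -> clear text (the sensitive part of the vault)

    @classmethod
    def _shaped_random(cls, clear, keep_tail):
        split = max(len(clear) - keep_tail, 0)
        head, tail = clear[:split], clear[split:]
        if not any(ch.isalnum() for ch in head):
            raise ValueError("nothing left to tokenize once the tail is kept")
        out = []
        for ch in head:
            for charset in cls._CLASSES:
                if ch in charset:
                    out.append(secrets.choice(charset))
                    break
            else:
                out.append(ch)          # separators such as ' ' or '-' are preserved
        return "".join(out) + tail

    def tokenize(self, clear, keep_tail=0):
        if clear in self._to_token:     # idempotent: reuse the existing token
            return self._to_token[clear]
        for _ in range(100):
            token = self._shaped_random(clear, keep_tail)
            # a token must be unique in the vault and must not equal the clear value
            if token != clear and token not in self._to_clear:
                self._to_token[clear] = token
                self._to_clear[token] = clear
                return token
        raise RuntimeError("could not find an unused token; input space too small")

    def detokenize(self, token):
        return self._to_clear[token]


def mask(token, keep_tail=4):
    """Receipt-style display: hide everything but separators and the kept tail."""
    split = max(len(token) - keep_tail, 0)
    return "".join(" " if ch.isspace() else "*" for ch in token[:split]) + token[split:]


def blind_index(key, value):
    """Keyed, deterministic digest of the normalised value.

    Stored next to the protected field, it lets the cloud application answer
    'name == Smith' by comparing digests. Caveat: equal values give equal
    indexes, so the number of records sharing a value is visible.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def apply_policy(record, policy, vault, index_key):
    """Content-aware policy: when the trigger field matches the wanted value,
    tokenize every listed field and add a searchable blind index for it."""
    trigger_field, wanted = policy["when"]
    protected = dict(record)
    if protected.get(trigger_field) != wanted:
        return protected            # not sensitive under this policy: store as-is
    for name in policy["protect"]:
        if name in protected:
            protected[name + "_idx"] = blind_index(index_key, protected[name])
            protected[name] = vault.tokenize(protected[name])
    return protected


if __name__ == "__main__":
    vault = vault_demo = TokenVault()
    index_key = b"demo-only-key-use-a-key-manager"      # constructed, not a real key
    # constructed sample records
    records = [
        {"name": "Smith", "industry": "Defense", "address": "1 Main St", "notes": "ITAR"},
        {"name": "Jones", "industry": "Retail", "address": "2 High St", "notes": "none"},
    ]
    policy = {"when": ("industry", "Defense"), "protect": ["name", "address", "notes"]}
    for rec in records:
        print(apply_policy(rec, policy, vault, index_key))
    card = vault.tokenize("1234 5678 9012 3456", keep_tail=4)
    print(card, "->", mask(card), "->", vault.detokenize(card))
```

Two design points worth noting. Because the vault is idempotent, tokenizing the same clear value twice yields the same token, which is what makes an exact-match search on the token column itself workable; the blind index additionally normalises case and whitespace so that “Smith” and “ smith ” match. The policy only touches fields named in the policy and only when the trigger matches, which is the behaviour the text describes: non-sensitive records are stored untouched, and the sensitivity decision lives in the policy rather than with the end user.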
Encryption, and to a lesser extent tokenization, is a critical technology for protecting data going into cloud applications. Innovations such as those described above are making it easier for organizations to choose to deploy more SaaS and other cloud-based applications.