Cloud
5/9/2013
11:28 PM
Startups Tackle Secure Corporate Data Access From Personal Devices

With employees wanting to use data both inside and outside the company, cloud security startups have focused on two models: protecting data in third-party cloud services and protecting data on the endpoint

As cloud services gain popularity and employees increasingly work from a variety of personal devices, workers expect to be able to access their data from anywhere.

Yet the trend poses security risks for business data, which typically ends up in one of two places outside the corporate network: stored in a cloud service or saved on an employee's device -- and with file-sharing services, it can be both. Because securing data in the cloud means protecting it wherever it is, a bevy of young firms and startups have focused on the problem of protecting data while allowing employees easy access to business information.

Two complementary approaches have evolved to handle these needs for companies. On one hand, companies that want to use cloud services but not lose control of their sensitive data can use a cloud-security gateway to encrypt sensitive data as it leaves the network to be stored in the cloud. On the other, companies can allow employees to work with sensitive data from their devices without losing control by using secure containers to protect and limit the use of the information.

"Both approaches are nearby stops along the evolutionary train," says Suresh Balasubramanian, CEO of Armor5, a year-old startup that has created a technology for offering access to enterprise applications through a protected cloud service.

The two approaches tackle the most common security issues that concern company executives moving parts of their businesses to the cloud. They also represent two legs of the triangle between corporate data, cloud services, and work-anywhere users. Business data can be protected inside cloud services and remote employees can securely access sensitive data without the business losing control of the data.

Businesses need to evaluate where they believe their risks lie in using cloud services, but may need both types of services to best cover the worst threats to their data.

"The immediate demand for data outside the enterprise comes from the mobile workforce, who want to access it on their devices," says Balasubramanian. "The first step is to plan to secure the data and not to just throw it into the cloud."

Companies that worry about the privacy and security of their data, as well as about complying with a particular nation's laws, can use a cloud-security gateway, called a broker, to modify sensitive data as it leaves the corporate network, encrypting or tokenizing it for protection. The technology adds a layer of security that the company controls without relying on its cloud provider to keep the data secure, and it makes use of the data auditable, satisfying compliance mandates. At the same time, companies want to retain some functions, such as search and report generation, which are frequently lost once data is encrypted.

[An original aim of the cloud was to simplify corporate infrastructure, but having a multitude of services has made networks complex and hard to manage. Can adding a third party make the cloud more secure? See Cloud Brokers Seek To Simplify, Secure Services.]

"It's a hard problem to solve because you have to make sure that you provide that robust security -- it has to be a vetted encryption and tokenized solution -- but you also have to preserve the application functionality, and that is a really hard thing to do," says David Canellos, CEO of cloud-security service provider PerspecSys.
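To make the trade-off Canellos describes concrete, here is an added Python sketch of a gateway that tokenizes sensitive fields before a record leaves the network; it is example code, not PerspecSys's or CipherCloud's implementation, and the HMAC key, the on-premises vault and the list of protected fields are assumptions of the example.

```python
import hashlib
import hmac


class TokenVault:
    """On-premises vault: the HMAC key and the token->plaintext map never leave the network."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key   # assumed to live in the gateway's own key store
        self._vault = {}       # token -> plaintext; assumed to be a local database

    def tokenize(self, value: str) -> str:
        # Deterministic token: identical plaintext always yields the same token, so
        # equality search and grouping in the SaaS keep working on tokens alone.
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


SENSITIVE_FIELDS = {"ssn", "salary"}   # assumed policy: fields the gateway protects


def outbound(record: dict, vault: TokenVault) -> dict:
    """Applied as the record leaves the network: sensitive fields become tokens."""
    return {k: vault.tokenize(str(v)) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def inbound(record: dict, vault: TokenVault) -> dict:
    """Applied as the record comes back: tokens are swapped for plaintext for the user."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def cloud_search(cloud_rows: list, field: str, term: str, vault: TokenVault) -> list:
    """Search the cloud-side copy for a plaintext term by tokenizing the term first;
    the provider only ever compares tokens, so the plaintext still never leaves."""
    needle = vault.tokenize(term) if field in SENSITIVE_FIELDS else term
    return [row for row in cloud_rows if row.get(field) == needle]


# Constructed sample records; not real personal data.
EMPLOYEES = [
    {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "salary": 90000},
    {"id": 2, "name": "B. Example", "ssn": "987-65-4321", "salary": 90000},
]
```

Because the tokens are deterministic, two records with the same salary carry the same token, which is what keeps search and reports working but also lets the provider see which records share a value; that leakage is the price of the functionality Canellos says customers will not give up.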

On Thursday, the year-old startup closed a second round of funding for $12 million. PerspecSys and 2-year-old rival CipherCloud have both seen demand for their cloud-security gateways.

If businesses are not storing sensitive data in the cloud but are losing track of documents and other data across a plethora of mobile devices, then using a cloud-security broker to access corporate data securely can help rein in unrestricted sharing. The risk is that employees may not understand the dangers of sharing and syncing through the cloud, says Armor5's Balasubramanian.

Many cloud services "are in the business of syncing everything, and now they have just transported your documents onto all these devices, even ones that you might have only incidentally used," he says.

Armor5 and rival Watchdox, founded in 2007, take slightly different tacks to securing data. Armor5 offers a portal -- or the technology for a company to set up its own portal -- through which remote employees can securely access data without leaving any of it resident on whatever device they are using. Watchdox uses encryption, key management, and a virtual container on the device to restrict access to documents.

"It's about securing the last mile," says Balasubramanian.

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...
