With employees wanting to use data both inside and outside the company, cloud security startups have focused on two models: protecting data in third-party cloud services and protecting data on the endpoint.

As cloud services gain popularity and employees increasingly work from a variety of personal devices, workers expect to be able to access their data from anywhere.

Yet the trend poses security risks for business data, which typically ends up in one of two places outside the corporate network: stored in a cloud service or saved on an employee's device -- and with file-sharing services, it can be both. Because securing data in the cloud means protecting it wherever it is, a bevy of young firms and startups have focused on the problem of protecting data while allowing employees easy access to business information.

Two complementary approaches have evolved to handle these needs for companies. On one hand, companies that want to use cloud services but not lose control of their sensitive data can use a cloud-security gateway to encrypt sensitive data as it leaves the network to be stored in the cloud. On the other, companies can allow employees to work with sensitive data from their devices without losing control by using secure containers to protect and limit the use of the information.

"Both approaches are nearby stops along the evolutionary train," says Suresh Balasubramanian, CEO of Armor5, a year-old startup that has created a technology for offering access to enterprise applications through a protected cloud service.

The two approaches tackle the most common security issues that concern company executives moving parts of their businesses to the cloud. They also represent two legs of the triangle between corporate data, cloud services, and work-anywhere users. Business data can be protected inside cloud services and remote employees can securely access sensitive data without the business losing control of the data.

Businesses need to evaluate where they believe their risks lie in using cloud services, but may need both types of services to best cover the worst threats to their data.

"The immediate demand for data outside the enterprise comes from the mobile workforce, who want to access it on their devices," says Balasubramanian. "The first step is to plan to secure the data and not to just throw it into the cloud."

Companies that worry about the privacy and security of their data, as well as complying with a particular nation's laws, can use a cloud-security gateway, called a broker, to modify sensitive data as it leaves the corporate network, encrypting or tokenizing it for protection. The technology adds a layer of security that the company can control without relying on its cloud provider to keep the data secure, and makes the use of the data auditable, satisfying compliance mandates. At the same time, the company wants to continue to allow some functions, such as search and report generation, which frequently are lost when data is encrypted.
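An added illustration of the gateway approach described above (not code from the article or from any vendor it names): a hypothetical `TokenizingGateway` class swaps sensitive fields for deterministic keyed tokens before a record leaves the network, so exact-match search still works against the cloud copy while substring search does not. The field names and records are constructed sample data.

```python
import hmac, hashlib, secrets

class TokenizingGateway:
    """Hypothetical on-premises gateway: tokenizes sensitive fields before upload."""

    def __init__(self, sensitive_fields, key=None):
        self.sensitive = set(sensitive_fields)
        self.key = key or secrets.token_bytes(32)  # never leaves the corporate network
        self.vault = {}   # token -> plaintext, kept on-premises
        self.audit = []   # (action, field) entries for compliance review

    def _token(self, field, value):
        # Deterministic keyed token: the same (field, value) always yields the
        # same token, which is what keeps exact-match search working.
        # Trade-off: the provider can see which stored values are equal.
        msg = f"{field}\x00{value}".encode()
        return "tok_" + hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:24]

    def outbound(self, record):
        """Return the copy of `record` that is safe to store in the cloud."""
        out = dict(record)
        for field in self.sensitive & record.keys():
            tok = self._token(field, record[field])
            self.vault[tok] = record[field]
            self.audit.append(("tokenize", field))
            out[field] = tok
        return out

    def search_term(self, field, value):
        """Rewrite an exact-match query into the form the cloud side stores."""
        return self._token(field, value) if field in self.sensitive else value

    def inbound(self, record):
        """Restore plaintext in a record coming back from the cloud."""
        out = dict(record)
        for field in self.sensitive & record.keys():
            self.audit.append(("detokenize", field))
            out[field] = self.vault[record[field]]
        return out

# Constructed sample data standing in for a table held by a cloud service.
gw = TokenizingGateway({"name", "ssn"})
cloud = [gw.outbound(r) for r in (
    {"id": 1, "name": "Alice Example", "ssn": "000-00-0001", "region": "EU"},
    {"id": 2, "name": "Bob Example", "ssn": "000-00-0002", "region": "US"},
)]
hits = [r for r in cloud if r["name"] == gw.search_term("name", "Alice Example")]
```

Because the tokens carry no substring structure, a query such as "every name containing Alice" cannot be answered from the cloud copy, which is the loss of functionality the paragraph refers to.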


"It's a hard problem to solve because you have to make sure that you provide that robust security -- it has to be a vetted encryption and tokenized solution -- but you also have to preserve the application functionality, and that is a really hard thing to do," says David Canellos, CEO of cloud-security service provider PerspecSys.

On Thursday, the year-old startup closed a second round of funding for $12 million. PerspecSys and 2-year-old rival CipherCloud have both seen demand for their cloud-security gateways.

If businesses are not storing sensitive data in the cloud, but are losing track of documents and other data among the plethora of mobile devices, then using a cloud-security broker to securely access corporate data can help rein in unrestricted sharing. The danger is that employees may not understand the dangers of sharing and syncing through the cloud, says Armor5's Balasubramanian.

Many cloud services "are in the business of syncing everything, and now they have just transported your documents onto all these devices, even ones that you might have only incidentally used," he says.

Armor5 and rival Watchdox, founded in 2007, take slightly different tacks to secure data. Armor5 offers a portal -- or the technology for a company to set up its own portal -- through which remote employees can securely access data without leaving any of it resident on whatever device they are using. Watchdox uses encryption, key management, and a virtual container on the device to restrict access to documents.

"It's about securing the last mile," says Balasubramanian.


About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
