06:21 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly

Cloud Security Alliance Guidance For Data Ownership and Control Best Practices Emphasizes Importance Of Encryption Of Data-In-Us

Guidance aligns with Vaultive’s approach of implementing three states of cloud data encryption

New York, NY – October 23, 2012 -- The Cloud Security Alliance, the global not-for-profit organization that sets best practices for cloud security, has incorporated in recently-released implementation guidance issued by the Security as a Service Working Group a set of recommendations for cloud end users to adopt encryption of data-in-use as a best practice. The guidance notes that it is critical that the customer, and not the cloud service provider, is responsible for the security and encryption protection controls necessary to meet their requirements.

In its guidance focused on email security and encryption (SecaaS Implementation Guidance - Category 4: Email Security), the CSA specifies as a best practice that organizations should adopt technologies that allow sorting and searching of encrypted text, while reducing the amount of data needing to be decrypted. Specifically, the independent organization recommends encrypting data before it goes to the cloud and maintaining segregation of duties by keeping the encryption keys in the direct control of the customer, not the cloud provider. Implementation guidance for encryption as a service (SecaaS Implementation Guidance - Category 8: Encryption) also notes that once data is safely transmitted to a cloud service provider, it should be stored, transmitted and processed in a secure way.

This CSA guidance aligns with Vaultive's capabilities for pre-cloud encryption and approach of implementing three states of cloud data encryption – encryption of data-at-rest, data-in-transit and data-in-use – as well as limiting access to the encryption keys exclusively to authorized users within the organization where the data originates, and trusted parties. Vaultive is a provider of cloud data encryption solutions designed to maintain the control, security and compliance of data processed by cloud-based services.

In line with the CSA guidance related both to cloud encryption and email security, Vaultive's advanced encryption capabilities are designed to enable cloud end users to maintain control and ownership of organizational data processed by third-party services in order to address concerns including data security, compliance, unauthorized disclosure and data residency or privacy regulations. As a result, the cloud provider never has access to customer data in its unencrypted form, and enterprise cloud data remains unreadable if an unauthorized third-party attempts access -- or even if the data is disclosed in response to a government request.

At CSA Congress 2012 held in Orlando, FL, Vaultive will be conducting a session on best practices for maintaining control and ownership of data in the cloud and the delineation of roles and responsibilities between cloud service providers and end users.

"Cloud Security Alliance Implementation Guides help organizations effectively decipher what best practices should be and sets the global standard for companies seeking to utilize the cloud in a secure manner. We are very pleased that the recommendations made in latest version of the CSA guidance mirror Vaultive's own approach to cloud data encryption," said Maayan Tal, Co-Founder and CTO of Vaultive. "Vaultive allows organizations to implement the three complete states of data encryption to ensure sensitive data is secure in the cloud at all times, just as the CSA advises."

CSA Implementation Guidance research seeks to establish a stable, secure baseline for cloud operations in order to provide a practical, actionable road map for managers wanting to adopt the cloud paradigm safely and securely. In keeping with its mission, the CSA recently released third edition of its CSA guidance to provide greater clarity around the area of Security as a Service. The complete CSA Implementation Guidance is available now for free download.

About Vaultive

Vaultive is a provider of cloud data encryption solutions designed to maintain the control, security and compliance of data processed by cloud-based services. Vaultive's patent-pending form of 256-bit AES encryption encrypts data-at-rest, data-in-transit and data-in-use in a format that can be searched, sorted and indexed -- while enterprise IT retains control of the encryption keys. This addresses the principal business challenges of migrating data to the cloud including data security, regulatory compliance, unauthorized data disclosure and access, and international privacy/data residency regulations. Optimized for Microsoft® Office 365 and Hosted Exchange, the Vaultive platform supports best practices for the control and ownership of corporate data in the cloud. Vaultive has raised more than $10 million from leading venture capital firms .406 Ventures, New Science Partners, Harmony Partners and Security Growth Partners.

For more information, visit

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.