CipherCloud is a construction set with many pre-fab pieces, and it requires significant planning to deploy in order to gain full effectiveness. It’s in use by some of the largest financial institutions in the world.
The strong upside is its ability to establish strong, flexible encryption down to the record/field level, and with it strong DLP controls for its list of covered applications. A hidden cost is integration with and adaptation to specific cloud app platforms, like Salesforce. With some work, it can become annealed to a target application like no other, because of its data protection schemes.
We installed the gateway as an Amazon Web Services VM. Multiple instances of the gateway appliance VM can be run redundantly as a reverse proxy gateway between users and cloud resources. Once it is set up and the platforms' data is encrypted, any access that doesn’t go through the gateway and its decryption resources sees only AES-256 gibberish. Once accessed through the controls set in CipherCloud’s trust platform, it’s possible to configure encryption that still allows searches, along with field-level data loss prevention (DLP) flagging and control.
We like CipherCloud for its certificate key control, staggering varieties of stateful/stateless encryption, tokenization possibilities and breadth of popular SaaS app coverage. (CipherCloud doesn’t cover every app found in the cloud.)
We also like its flexibility in supporting varied deployment designs for larger organizations. BitDefender services are available as an additional intermediary for streams flowing through, although examination of streaming data isn’t totally perfect.
Architecturally, the VM is a reverse proxy gateway appliance that’s licensed by user count, so multiple instances can be generated and deployed without additional cost. The gateway, which requires healthy server-allocation resources, serves as a deep inspector of the traffic passing through it, even with many pre-set encrypted data flows filtering through it using AES-256 encryption.
Each gateway is supposed to service approximately 5,000 users, and we caution this is an untested number; it could be more or less.
We could add redundancy of the gateway appliance in our network operations center, or distribute it to branches or other locations where its presence made sense from a control, management and communications-need perspective. On the network path, the VM sits behind the point where users log on to the desired cloud resource, meaning they connect via VPN and through the gateway. Unless they do so, they can still directly access the SaaS/cloud resource, but the data is encrypted at the SaaS/cloud destination and is unusable, until someone figures out how to decrypt AES-256.
There are several levels of staff functionaries that must come together to make CipherCloud or any other CASB management system work, including networking, security, DLP/asset management, production instance management, and help desk support. The reverse proxy mechanism watches for exfiltration and policy violations. There is a rich set of action/condition choices, ranging from stopping a transfer cold to providing stub access as a replacement for data improperly stored.
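The forward and return paths described above (fields encrypted before they reach the SaaS side, records bypassing the gateway unreadable, a DLP rule that stops a record cold), reduced to an added Go example; this is not CipherCloud's code, and the FieldPolicy rule shape, the field names and the 32-byte key are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"regexp"
)

// FieldPolicy is a constructed stand-in for one gateway rule: Encrypt keeps the field at the SaaS side only as AES-256-GCM ciphertext; Block is a DLP pattern that stops the record cold.
type FieldPolicy struct {
	Encrypt bool
	Block   *regexp.Regexp
}

var ErrBlocked = errors.New("dlp: record blocked by policy")
// Transform is the gateway's field rewrite: outbound=true is the forward path (DLP check, then encrypt); outbound=false is the return path, decrypting for a user who came in through the gateway.
func Transform(key []byte, rec map[string]string, pol map[string]FieldPolicy, outbound bool) (map[string]string, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // only errors for non-standard block sizes
	out := make(map[string]string, len(rec))
	for name, val := range rec {
		p := pol[name] // zero value: no policy, field passes through unchanged
		if outbound && p.Block != nil && p.Block.MatchString(val) {
			return nil, ErrBlocked
		}
		if p.Encrypt && outbound {
			nonce := make([]byte, gcm.NonceSize())
			rand.Read(nonce) // random nonce is prefixed so the return path can recover it
			val = base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(val), nil))
		} else if p.Encrypt {
			raw, err := base64.StdEncoding.DecodeString(val)
			if err != nil || len(raw) < gcm.NonceSize() {
				return nil, errors.New("malformed ciphertext")
			}
			pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
			if err != nil {
				return nil, err // wrong key or tampered field: GCM tag check fails
			}
			val = string(pt)
		}
		out[name] = val
	}
	return out, nil
}
```

A record read straight from the cloud side (the `stored` map, without the return-path call) carries only ciphertext in the policed fields, which is the bypass behaviour the review describes.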