CCTP doesn’t need to encrypt everything; if desired, it encrypts only pertinent fields. If it is set to encrypt entire discrete files, data protected this way cannot be used for searches. You use your own keys, and CipherCloud doesn’t keep them: you generate your own keys and/or use a certificate authority to generate appropriate keys.
Once installed, the keys encrypt what you’ve chosen. As an example, when we tested Salesforce via the test gateway VM residing in AWS, we could open up the Salesforce instance’s database schema and choose which fields to encrypt. When we tried direct access to the data, deliberately going around the gateway, the result was total gibberish. Sorting on the gibberish produces still more gibberish, as the rendered encrypted text is in UTF-8 characters. If we had held the keys outside the gateway keystore, we would have been able to decrypt the data, provided we also had any optional tokens needed to further de-hash the data into something meaningful. Salesforce domains and apps could therefore receive surgical treatment in terms of DLP.
The entire Salesforce database could be encrypted, but it’s not really needed, unless each field must be encrypted for regulatory compliance. If there are different Salesforce Orgs, each Org instance can be encrypted, including online Salesforce apps. For single sign-on, we used CipherCloud directly, but it’s possible to connect via Active Directory Federation Services or other SSO mechanisms.
CCTP manages this with what we feel is astute key repository banking and management, so that multiple apps can be managed concurrently. Keys are managed on the CCTP VM gateway after installation and, as such, allow jurisdictional partitioning of data. SafeNet’s KeySecure is supported as a third-party key store, but we didn’t test this. Because administrators are separated into system administrators, key managers, and cloud application managers, the key manager role can be kept ideologically distinct as a function. This comes in handy.
Key separation is used for geo-locating data into separate empires. For example, a European branch can use data that is encrypted differently from data in Chicago. This comes at low cost because, again, redundant gateways cost no more: pricing is per user, so branches, business units, and country-managed entities can each have their own gateway.
Initial key distribution and renewal/replacement means going into each gateway to replicate infrastructure. Subsequent upgrades (we did not try this) allow a dry run of updates prior to deployment within the appliance(s).
Data running through the gateway can have application-specific tuple treatment such as the following: AES Email Address Encryption, AES Email Relay Encryption, AES Encryption for Alphabetic Filtering, AES File Stream Encryption, AES Length Restricting Encryption, AES Phone Number Encryption, AES Search and Sort Encryption, AES Search and Sort Encryption (FIPS Mode), AES Web URL Encryption, Alphabetic Filtering Tokenizer, Email Address Tokenizer, Email Relay Tokenizer, File Name Tokenizer, Length Restricting Tokenizer, Phone Number Tokenizer, Search and Sort Tokenizer, Stateless AES Alphanumeric Encryption, Stateless AES Chatter Encryption, Stateless AES Encryption with Search, Stateless AES Encryption without Search, Stateless AES Prefix Preserving Encryption, Stateless AFPE, Stateless AFPE for Alphabetic Filtering, Stateless Chatter URL Encryption, Stateless Email Address Encryption, Stateless Email Relay Encryption, Stateless Function Preserving Hybrid AES Encryption, Stateless Length Restricting Encryption, Stateless Order Preserving Hash Encryption, Stateless Partial Field Encryption, Stateless Partial Field Hybrid AES Encryption, Stateless Phone Number Encryption, Stateless Web URL Encryption, Static Chatter Tokenizer, Static Chatter URL Tokenizer, Static Date Tokenizer, Static Email Address Tokenizer, Static Length Restricting Tokenizer, Static Number Tokenizer, Static Partial Field Tokenizer, Static Per Word Tokenizer, Static Phone Number Tokenizer, Static URL Tokenizer, URL Tokenizer.
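The trade-offs behind the field-level behaviour described above (raw data in the SaaS database reads as gibberish, sorting the ciphertext tells you nothing, and only some schemes keep equality search working) can be seen in a small model of such a gateway. The following is an added illustration, not CipherCloud code: the gateway class, the sample records and the per-field policy are all constructed here, and the hash-based keystream is a dependency-free stand-in for the AES modes the product actually uses. It contrasts randomised encryption (no search, no sort), a stateless keyed token (equality search works, order does not), and a stateful vault token (nothing derivable from the token, but the vault must be replicated with the gateway).

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the duplicate e-mail on the third row is deliberate,
# so an equality search has something to find.
SAMPLE_RECORDS = [
    {"name": "Alice Adams", "email": "alice@example.com", "phone": "312-555-0100"},
    {"name": "Bob Brown", "email": "bob@example.com", "phone": "312-555-0101"},
    {"name": "Carol Clark", "email": "alice@example.com", "phone": "312-555-0102"},
]


class FieldGateway:
    """Toy field-level gateway. The key is held on the customer side only;
    the cloud application never sees it."""

    def __init__(self, key: bytes):
        self.key = key
        self.vault = {}  # token -> plaintext, for stateful ("Static ...") tokenization

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # Hash-based CTR keystream: stand-in for AES so the example has no dependencies.
        out = b""
        counter = 0
        while len(out) < length:
            out += hashlib.sha256(self.key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def encrypt_random(self, value: str) -> str:
        """Randomised encryption: a fresh nonce per call, so two encryptions of the
        same value differ and the app can neither search nor sort the field."""
        nonce = secrets.token_bytes(16)
        data = value.encode("utf-8")
        ct = bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))
        return nonce.hex() + ":" + ct.hex()

    def decrypt_random(self, blob: str) -> str:
        nonce_hex, ct_hex = blob.split(":", 1)
        nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode("utf-8")

    def tokenize_stateless(self, value: str) -> str:
        """Deterministic keyed token (HMAC): equal inputs give equal tokens, so the
        cloud app can match on equality; the token order says nothing about the
        plaintext order, so sorting the column in the app is meaningless."""
        return hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]

    def tokenize_vault(self, value: str) -> str:
        """Stateful token: a random surrogate whose mapping lives only in the gateway
        vault. Anyone reading the SaaS database directly sees an opaque token."""
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = value
        return token

    def detokenize_vault(self, token: str) -> str:
        return self.vault[token]


def protect_records(gateway, records, policy):
    """Apply a per-field policy: 'random', 'stateless', 'vault' or 'clear'.
    Fields not named in the policy are passed through unchanged."""
    handlers = {
        "random": gateway.encrypt_random,
        "stateless": gateway.tokenize_stateless,
        "vault": gateway.tokenize_vault,
        "clear": lambda v: v,
    }
    return [{f: handlers[policy.get(f, "clear")](v) for f, v in r.items()} for r in records]


def count_matching_email(gateway, protected, email):
    """An equality search the cloud app can run without the key: the gateway
    tokenizes the query term with the same deterministic scheme it used on write."""
    needle = gateway.tokenize_stateless(email)
    return sum(1 for r in protected if r["email"] == needle)


def order_preserved(values, transform):
    """True if sorting by the transformed values reproduces the plaintext order."""
    by_transformed = [v for _, v in sorted(zip(map(transform, values), values))]
    return by_transformed == sorted(values)


if __name__ == "__main__":
    gw = FieldGateway(b"customer-held-key")  # constructed; real keys come from the customer KMS
    policy = {"email": "stateless", "phone": "random", "name": "vault"}
    protected = protect_records(gw, SAMPLE_RECORDS, policy)
    for row in protected:
        print(row)  # what a direct read of the SaaS database would show
    print("alice matches:", count_matching_email(gw, protected, "alice@example.com"))
    phones = [r["phone"] for r in SAMPLE_RECORDS]
    print("phone order preserved under stateless tokens:",
          order_preserved(phones, gw.tokenize_stateless))
```

The per-field policy dictionary is the part that corresponds to choosing fields in the Salesforce schema: a field marked `random` is protected most strongly but becomes unsearchable, `stateless` keeps equality search at the cost of revealing which rows share a value, and `vault` ties recovery of the value to the gateway's own state.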