Federal agencies are starting to catch up to the risks posed by cloud computing. This is sure to stimulate compliance IT projects at financial institutions. A premium will be placed on data that's in flight, or traveling the vulnerable path between banks and third parties.
CipherCloud , whose clients include two of the five largest U.S. banks, late this week debuted a new product called CipherCloud Connect AnyApp. The product is designed to encrypt data in transit, in use or at rest for public and private cloud applications — including infrastructure-as-as-service (IaaS), software-as-a-service (SaaS) and platform-as-a-service (PaaS). IaaS refers to the outsourcing of equipment used to support operations, such as storage and servers. PaaS refers to the leasing of operating systems, storage and network capacity over the internet. SaaS is a software distribution method in which hosted applications are delivered to firms over the web. Each of these methods involves some form of data transfer to a host, which places it under FFIEC's guidance.
"The [FFIEC] guidance is about protecting data from criminals," says Kevin Bocek, a vice president at CipherCloud, adding that, as such, the FFIEC guidance lends itself to layered security measures such as format preserving encryption, a device long used to protect retail payments from hackers and other crooks.
Firms install CipherCloud on their own network to automatically generate encryption keys. The bank or other user specifies the URLs of the public and private cloud applications to be encrypted, and then uses navigation tools to create policies that encrypt one or more fields based on the bank's preference. "The encryption key and the software is run and managed by our customers, only the financial institution has access to the data," says Bocek.
Once the policy is enabled, data is automatically encrypted or tokenized (meaning the data identifiers are turned into dummy text that in theory can't be used by crooks) using a format preserving technique. The encrypted data field is of the same size and form as the "real" data. That's designed to make the encryption process easier since the systems handling the data don't have to be retrofitted to handle the encryption characters.
The CipherCloud Platform is designed to secure Salesforce, Force.com, Chatter, Gmail, Office 365 and Amazon AWS cloud initiatives. "An organization can take virtually any public cloud or application that's home grown and start encrypting data," Bocek says.
Cloud computing experts say that as regulators increase scrutiny of cloud safety, compliance tech is sure to follow as vendors chase bank IT dollars.
"I wouldn't doubt that compliance, especially with cloud computing, is an important topic for financial services and government entities. With federal cloud computing emphasis, I would expect that this is a growth area," says Bernard Golden, CEO of Hyperstratus, a cloud computing consultant.
Another firm, Coalfire, just established the VMWare Compliance Lab in Seattle. The facility designs, tests and develops IT security practices and audit guidelines for virtualized computing environments, which are a key part of cloud computing. CoalFire, which is partnering with VMWare (VMW) on the lab, gathers architecture and controls data from VMWare and tests these controls. These tests generate compliance and risk guidance documents for security professionals.
The lab also hosts controls information from products built on the VMWare reference architecture, such as solutions from EMC (EMC), RSA, HP (HP), Symantec (SYMC), McAfee (MFE) and LogRhythm.
Ken Westby, a founding partner at Coalfire, says targeted users will include merchants and other firms in the payment industry, who will use the tests and audits as a way to segment their IT networks, thus removing less data-intensive actions from the scope of Payment Card Industry Standard (PCI DSS) compliance tests. He says other users would include financial institutions looking to comply with FFIEC and Gramm-Leach-Bliley (GLBA) data protection rules; and firms in the healthcare provider and payment industries. "With all of those industries we're seeing the same drivers to leverage virtualization and the cloud to achieve lower costs," he says.