We recently had the opportunity to talk with David Canellos, CEO of PerspecSys, about his company’s cloud encryption and tokenization solutions. PerspecSys recently joined SafeGov as a partner.
What follows is an edited transcript of our conversation.
Q: What does PerspecSys do?
A: We make software that lets organizations protect their data before they send it to the cloud. We address data privacy, security and residency. Using either encryption or tokenization, we can protect all kinds of data. It can be customer data in a Software as a Service (SaaS) cloud such as CRM services like Salesforce or Oracle CRM. Or it can be information like financial and product data stored in the cloud. Our customers tend to be large organizations that are not comfortable putting their data in the cloud without added protection, especially not in public multitenant clouds such as those of the SaaS providers. Market research shows that data security and confidentiality are the top inhibitors to enterprise cloud adoption.
Q: What exactly is tokenization?
A: Tokenization is when you replace individual data items such as field values in a database with completely random values. These values – or tokens – have no intrinsic value. Unlike encrypted values, they cannot be decrypted by a “key”. Our gateway behind the customer’s firewall stores a dictionary, known as a “token vault”, that can convert the token back into its original value inside the enterprise’s environment.
Q: Since I’m assuming that tokenization is less scalable than encryption, why would a customer want to use it instead of encryption?
A: Actually, it is just as scalable, but we do see certain use cases gravitate towards tokenization. For example, customers choose tokenization in situations where laws or regulations require that data not leave a certain jurisdiction or even not leave the customer organization. These are cases of data residency laws in certain countries or privacy regulations in certain industries. Often these customers are banks, public sector organizations or government agencies. Tokenization meets data residency requirements because the actual data never goes outside the customer’s firewall, only the random tokens do. For example, Swiss banking law requires that all personally identifiable information (PII) must remain inside the Swiss border. There are severe fines for banks that violate this rule. So if a Swiss bank wants to use a cloud service like Salesforce.com or Oracle CRM where the servers are located outside of Switzerland, tokenization will allow them to do so, while encryption will not. Our tokenization solution is very scalable. We have one Salesforce customer with 500 Salesforce database fields and 20 million rows that have been tokenized, and there is no performance degradation thanks to caching and other techniques.
Q: Is tokenization limited to field values in a database?
A: No. It can also be used with email or things like file attachments. Suppose you have an extremely large attachment – for example, an MRI image – stored in a SaaS app. If a user in Europe grabs the attachment from the SaaS provider’s U.S. data center and pulls it back to Europe, that’s a lot of data to transmit. But with tokenization we can use a 50-byte token that serves as a pointer to the gigabyte file that stays behind your firewall.
Q: Your web site says that your encryption solutions preserve the functionality of SaaS applications like Salesforce that live in the cloud. What exactly does this mean?
A: What we mean by functional preservation is that even when your data is encrypted before it is sent to the cloud, you can still use the features of the cloud provider’s software to perform operations on your data such as search. We are unique in enabling things like complex search – you can go into your Salesforce database and search for substrings that contain certain characters. We enable this with tokenization as well.
Q: How do you do this?
A: The basic idea is that we intercept transactions going to the cloud using a software server that sits behind your firewall. Our software knows if the transaction is a search request, an email or a report command or whatever, and it knows what to do in each case. We have patented methods that do this. This doesn’t require any cooperation from the SaaS provider. They can’t read the customer’s data on their servers, because the encryption keys (or the token vault) are controlled by the customer and never leave the firewall. Customers don’t want to trade off cloud functionality for cloud security. Lots of vendors offer tokenization and encryption. The hard part is preserving cloud functionality and remaining invisible to the end-user.
Q: How do you manage encryption inside the customer’s firewall?
A: As I said, the encryption keys are held by our gateway under the customer’s control inside their firewall. The keys are never sent outside the firewall. No one who has access to the cloud provider’s data center – whether it be the provider’s own staff, outside hackers or even law enforcement – can decrypt the customer’s data stored on the provider’s servers. But to manage the keys and the encryption process we allow our customers to use their existing encryption software from third parties like SafeNet or Symantec or Voltage. We can take advantage of their cryptographic modules. We don’t require the customer to buy a new system to do things like split and rotate keys. As far as I know, we have the only solution in the market that allows for the use of strong third-party validated FIPS 140-2 encryption modules but still preserves cloud functionality such as search and reporting. Unlike others, we don’t require you to use proprietary encryption that has been weakened in order to preserve cloud operations. And keep in mind that NIST FIPS 140-2 validated modules are being specified for use within many sectors beyond government, such as regulated industries like financial services, insurance, life sciences, and health care. So the solution has broad applicability.
Q: How much interest are you seeing for your software from public sector users, not just in the U.S. but also abroad?
A: We have public sector users today in the U.S., Canada and Europe, and we’re talking to government customers in Asia-Pacific as well. They all want to use cloud services, but they want data security and privacy, and often they need data sovereignty too. In the U.S. the Federal government is moving to cloud because of Cloud First and FedRAMP. There is a lot of interest in SaaS solutions that we’ve already mentioned. But they are also doing private government-only clouds, and they still want cloud encryption, because often these private clouds are shared among several agencies, and the individual agencies still want to protect their data.
Q: What about international public sector users?
A: We are looking at projects right now in Asia-Pacific and North Africa, where governments want to use cloud services and even offshore-based SaaS services, but don’t want to give up control over citizen data. For example, we have multiple projects in Australia, where they have very tough privacy and data residency laws, especially for public sector and financial services. Australia wants both the data center and even the backup data recovery data center to be located in Australia, and the American SaaS vendors can’t offer that. So we provide a solution to this problem.
Q: You and your competitors in the cloud encryption space are very young companies. How do you see this market maturing?
A: It’s true that these solutions are very new; they only came on the market in the last two to three years. PerspecSys created the category and has the most mature solution in the market. As a result, we’ve seen rapid uptake among large organizations in key verticals such as financial services, health care and government. But a lot of the data protection regulators don’t yet understand much about what we are doing. Gartner has just now categorized products like ours as “cloud access security brokers”. They say less than 1% of the market is penetrated, but they are forecasting rapid growth in the next few years. The SaaS apps were the low-hanging fruit. But now we see demand from customers who are building private clouds or third parties who want to use our tool to develop custom cloud apps.
Q: What are the possible barriers to the growth of this market?
A: BYOD and consumerization of IT have impacted the way organizations perceive cloud risk. They know they need to get control over their data and until now there haven’t been any good solutions. But some of the cloud vendors in the consumer space don’t want this technology turned on, because it goes against their network effect where they can’t data mine the information on their servers. Encrypting everything that goes into the cloud impacts the Facebooks and the Twitters and the Gmails. This battle might end up being fought out in the privacy laws, which are evolving. But what we are seeing is that we are actually removing the biggest barrier to cloud adoption itself – which is the concern that organizations have about the security of data processed and stored in the cloud. So the future of the category looks bright indeed.