Revelations about increased levels of data snooping tend to dampen cloud enthusiasm. Afore Systems is trying to build confidence with its Cypher-X data encryption solution.
Ongoing revelations from the Edward Snowden leaks have put data security in the spotlight, particularly the security of data that resides in the cloud.
It is imperative that cloud providers and IT vendors are able to offer potential customers the assurance that their data is safe. To respond to this need, Afore Systems has created a new set of applications (a management console and clients) called Cypher-X that together provide an end-to-end security solution.
How does Cypher-X work?
The management console runs as a virtual machine (or on a physical server) and is where policies are created to determine which applications are controlled. A controlled application is referred to as a certified application, meaning that control policies can be applied to it. When a client PC checks in with the management console, only applications that meet the policy criteria are able to access the secured information. Figure A below shows the management console and the client on different PCs.
Figure A
Cypher-X console and client
For example, suppose that my organization has confidential Word documents that need to be secured. Cypher-X would be configured to certify Word, with policies determining which users, groups, and computers (through Active Directory) are allowed to access this information. When Word data is created on a managed machine, the data stored in the document is encrypted. If my system has the Cypher-X client installed and I am in the correct groups, I will be able to see that data. If I am not in the right groups, the data will appear as an encrypted mess of unreadable text. Likewise, if I attempt to open the Word document with WordPad, the information will remain encrypted.
Figure B shows a file open in Word (the certified application) and in WordPad (a non-certified application). In Word the data appears; in WordPad it does not.
Figure B
Certified applications vs. non-certified applications
Note: If your environment runs more than one version of an application, like Word, a separate policy is currently needed for each version.
If my computer does not have the Cypher-X client installed, I can still use Word; however, my data will not be encrypted, and I will be unable to open previously encrypted files from that station.
The Cypher-X client sits between the managed applications and Windows and is capable of capturing all I/O generated by an application. For certified applications this does two things: first, it allows Cypher-X to stay out of the way and remain mostly invisible to the user; second, it allows data produced within a certified application to be encrypted as soon as it is produced. The benefit is that if I create data in Excel (taking it as a certified application for this example), even information I copy to the clipboard is encrypted on its way there. When it is pasted into another application, what arrives is encrypted text, and no confidential information is displayed.
Does it only work for client applications?
As useful as this is from a client or data-creation perspective, it is not the only place Cypher-X can help. If you decide that SQL Server or SharePoint needs to be a certified application, these applications will not function for clients that do not meet the criteria of the policy. Any application that needs to access them (Internet Explorer, in the case of SharePoint) will also need to be certified by Cypher-X. When both applications are certified, the connection is made and things proceed as expected. If, in the case of SharePoint, Internet Explorer is not certified, access to the SharePoint environment is denied with an error message stating that it is unavailable.
Remember: IIS can redirect such errors to a page with a fuller explanation than the bare error provides, which helps your colleagues understand why access was denied and reduces helpdesk calls.
How does Cypher-X prevent leaks?
Because data is encrypted as it is written and the encryption client sits in the I/O stream, once the data leaves the secure environment it appears only as encrypted data. This holds whether it leaves via SkyDrive, Dropbox, a USB drive, or even a disconnected laptop.
Currently, the client must be online and check in with the management server before decryption can be performed, so the management server is an availability dependency for every read of protected data. Afore mentioned that they are considering future features to address the travelling CEO who might need to create or work with secured data offline.
Encourage cloud use… your data will stay secure
Even when documents created in certified applications are saved out to services like SkyDrive, the contents are encrypted before the save completes. This ensures that the file stored in the cloud is the encrypted file. Anyone accessing the file sees secured data rather than the contents unless they meet the policy requirements of user/group, environment, and certified application.
The encryption keys are managed by the management console and can be stored in Active Directory; they are not managed by, or known to, any cloud provider. This means that neither the cloud provider nor other tenants of the same service have a way to access your information.
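The following is an added example, written for this page and not Afore's code, that models in Python the design described in "How does Cypher-X work?" and in the two sections above on leaks and cloud storage: a management console holds one key per certified application and a policy naming the Active Directory groups and computers allowed to use it; a client checks in with (user, groups, computer) and receives only the keys the policy grants; every write by a certified application is sealed before it reaches disk, a sync folder, or the clipboard; and a non-certified application or an unauthorized user only ever sees ciphertext. The HMAC-based cipher, the policy dictionary, the application names, and the scenario data are all constructed for the demonstration; a real product would use an AEAD such as AES-GCM rather than the stand-in cipher here.

```python
"""Policy-gated encrypt-on-write: an illustrative model, not Afore's code."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD (AES-GCM).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ManagementConsole:
    """Holds per-application keys and the policy. Keys are released only to a
    client whose check-in satisfies the policy; they never travel with a file,
    so a copy that lands in the cloud carries no key (constructed model)."""

    def __init__(self, policy: dict):
        # policy: app name -> {"groups": {AD groups}, "computers": {managed PCs}}
        self.policy = policy
        self.keys = {app: os.urandom(32) for app in policy}

    def check_in(self, user: str, groups: set, computer: str) -> dict:
        """Return {app: key} for every certified app this principal may use."""
        granted = {}
        for app, rule in self.policy.items():
            if computer in rule["computers"] and groups & rule["groups"]:
                granted[app] = self.keys[app]
        return granted


class Client:
    """Sits between the application and the OS I/O path on one computer."""

    def __init__(self, console: ManagementConsole, user: str, groups: set, computer: str):
        self.user = user
        # The console must be reachable here: no check-in, no keys, no decryption.
        self.keys = console.check_in(user, groups, computer)

    def write(self, app: str, data: bytes) -> bytes:
        """What a write by `app` becomes on disk, in a sync folder, or on the clipboard."""
        if app in self.keys:
            return seal(self.keys[app], data)  # certified app: sealed before it lands
        return data  # application not certified for this principal: passes through

    def read(self, app: str, stored: bytes) -> bytes:
        """What `app` sees when it opens `stored`."""
        if app not in self.keys:
            return stored  # non-certified app or unauthorized user: the "encrypted mess"
        return unseal(self.keys[app], stored)


def demo() -> dict:
    """Constructed scenario: Word is certified for the Finance group on two managed PCs."""
    console = ManagementConsole({
        "winword.exe": {"groups": {"Finance"}, "computers": {"PC-ALICE", "PC-BOB"}},
    })
    alice = Client(console, "alice", {"Finance", "Domain Users"}, "PC-ALICE")
    bob = Client(console, "bob", {"Domain Users"}, "PC-BOB")
    secret = b"Q3 forecast: confidential"
    on_disk = alice.write("winword.exe", secret)  # also what SkyDrive/Dropbox/USB receive
    return {
        "cloud_copy_is_ciphertext": secret not in on_disk,
        "alice_word": alice.read("winword.exe", on_disk),        # plaintext
        "alice_wordpad": alice.read("wordpad.exe", on_disk) == on_disk,  # ciphertext
        "bob_word": bob.read("winword.exe", on_disk) == on_disk,  # wrong group: ciphertext
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point the model makes concrete is that the policy decision and the key live on the console, not in the file: the same bytes that sync to SkyDrive are returned unchanged to WordPad and to a user outside the Finance group, and only a certified application run by an authorized principal on a managed computer ever obtains the key needed to read them.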
Licensing and pricing
Cypher-X is licensed at $150 per user for perpetual licensing and $15 per user/month for subscription based licensing.
Overall impression
With all of the data leaks and worry about outside parties accessing information, the encryption provided as part of the Cypher-X product is really very innovative. Because many solutions only encrypt data at rest, while this solution encrypts data as it is created or edited by the application, it could help prevent both leaks and snooping. Certainly, this is something organizations today might want to consider to ensure the security of their data.
For organizations making investments in technologies like DirectAccess, this might also be a good solution to deploy. With domain resources available over the Internet, securing information end to end with managed encryption could be a very complete solution for organizations in need of advanced data security.