Cloud security startup hopes it holds key for cloud encryption

When enterprises think about cloud computing they think about the benefits of paying as they go and not forking out a fortune for a new layer of infrastructure. They think about not having to worry about managing hardware, operating systems and vast arrays of storage. One thing they don’t usually think about is the physical location where their data will be stored.

That’s one of the benefits of cloud computing, and one of the risks. Laws and legislation don’t move as fast as information technology, and wherever data is physically stored determines to a great extent the laws it is governed under. For instance, data stored by US firms within data centers located within the European Union are likely to have differing subpoena rules than if they were stored in the United States.

• Cloud security predictions for 2011

While many IT managers may not pay attention to this detail, James Williamson, IT coordinator at the New Canadian Democratic Party (NPD) certainly does. Williamson explains that the NPD manages 24 million records from 308 electoral districts within the country, each with 100,000 records.

About a year ago, the NPD started using Salesforce.com to manage those 24 million constituents. But there was a problem, however, explains Williamson. Salesforce.com’s data center is located within the United States. Considering the NPD is handling political data, it wasn’t comfortable storing that data outside the Canadian border without a level of encryption it could trust.

More on cloud computing and security

• Cloud security predictions for 2011
• Cloud Security Alliance updates controls matrix
• Survey finds companies still struggling with cloud security

Getting to that level of encryption proved more difficult than one might initially presume. Salesforce.com provided encryption, Williamson explains, but the encryption keys were stored on Salesforce.com’s servers. That wasn’t good enough. “If the U.S. government sought access to the records and the keys, how do we know they wouldn’t be given them?” says Williamson.

Williamson explains that the NPD tried other options as well, including a data tokenization provider. That approach, Williamson says, didn’t work well with a number of third-party applications the NPD uses.

• The cloud security survival guide

The NPD certainly isn’t the only organization concerned about security in cloud services. Forrester analyst Jonathon Penn predicts in his report, “Security And the Cloud”, that this will be a $1.5 billion market by 2015.

Williamson says that if the NPD couldn’t find a way to satisfactorily secure their data on Salesforce.com, they would have probably eventually pulled their data out of the service.

However, a few months ago, Williamson says, the NPD began working with CipherCloud, a then stealth cloud data encryption and security firm that felt it had a fix for NPD’s dilemma.

Coming out of stealth this week, CipherCloud provides data encryption and tokenization for a number of cloud services, such as Salesforce.com and Google Apps, through a virtual appliance that is installed on the network of the enterprise. The virtual appliance then encrypts the data before it is sent to the cloud application. The encryption keys reside within the enterprise and are not extended out onto any cloud services.

“We were not as concerned about the location of the data if it could be encrypted,” Williamson says. “That’s why we tried the CipherCloud beta, and it addressed most of our needs,” he says.

The encryption isn’t without a cost in performance. But Williamson says the performance hit is about 5 percent. “Though that’s not a perceivable difference to users, and it’s a much lower performance impact than the other solution we tried,” he says.

According to CipherCloud, their appliance will be available in early March with volume pricing starting at $20 per user a month.

CipherCloud was founded by Pravin Kothari, who also was founder and CTO of IT-GRC provider Agiliance and co-founder and VP of engineering at security information and event management software maker ArcSight.

George V. Hulme writes about security, technology, and business from his home in Minneapolis, Minnesota. You can also find him on Twitter as @georgevhulme.