Critical Questions To Ask Cloud Protection Gateway Providers [Preview]
CRITICAL QUESTIONS TO ASK CLOUD PROTECTION GATEWAY PROVIDERS
Cloud Data Protection Gateway Market Requirements
New technology solution categories, by definition, can be a challenge to fully understand. With any
innovations, where broad-based adoption has yet to occur and “trusted advisors” are typically not
available to consult, enterprise IT and Security professionals are given the primary task of evaluating
products from competing solution providers.
It is just this sort of situation that characterizes a new security solution category that Gartner has
named the “Cloud Encryption Gateway” market. This solution space developed to address significant
barriers that have inhibited many organizations from moving to the cloud, such as:
Cloud Data Protection Gateways sit transparently between cloud applications and their users,
intercepting sensitive data and replacing it with tokens or encrypted values before it is passed to the
cloud for processing and storage. These solutions also preserve cloud application functionality, such
as searching, so that the application users' experience is not impacted. That preserved functionality
is exactly where an evaluator should probe: keeping search working over protected fields requires
either tokens that map a given value to the same token every time or a searchable form of
encryption, and either choice reveals more about the data than randomized encryption would.
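The following is an added illustration of the gateway pattern described above; it is not PerspecSys code and does not describe any particular product. A token vault kept on premises hands out random tokens for sensitive fields, the gateway swaps values for tokens on the way to the cloud and back, and a search term is rewritten to its token before it reaches the cloud application, so equality search keeps working on data the cloud never sees in clear. The field names, record layout and the in-memory CloudApp stand-in are assumptions made for the example.

```python
import secrets
import string

# Assumption: which fields count as sensitive is a policy decision; these two
# field names are invented for the example.
SENSITIVE_FIELDS = {"ssn", "email"}


class TokenVault:
    """On-premises token vault. Tokens are random and carry no information
    about the value; the token-to-value mapping never leaves the enterprise."""

    _ALPHABET = string.ascii_letters + string.digits

    def __init__(self):
        self._token_for = {}   # (field, value) -> token
        self._value_for = {}   # token -> value

    def tokenize(self, field, value):
        key = (field, value)
        token = self._token_for.get(key)
        if token is None:
            # One token per distinct value, so an equality search on the cloud
            # side still matches. The loop guards against a token collision.
            while True:
                token = "tok_" + "".join(secrets.choice(self._ALPHABET) for _ in range(20))
                if token not in self._value_for:
                    break
            self._token_for[key] = token
            self._value_for[token] = value
        return token

    def lookup(self, field, value):
        """Token for a value that has already been stored, or None. Queries
        use this so that searching never writes new entries into the vault."""
        return self._token_for.get((field, value))

    def detokenize(self, token):
        # Unknown tokens pass through unchanged (e.g. a field the cloud
        # application filled in itself).
        return self._value_for.get(token, token)


class CloudApp:
    """Stand-in for the SaaS application. It only ever sees tokens."""

    def __init__(self):
        self.records = []

    def store(self, record):
        self.records.append(dict(record))

    def search(self, field, needle):
        return [dict(r) for r in self.records if r.get(field) == needle]


class Gateway:
    """Sits between the user and the cloud application: tokenizes on the way
    out, rewrites search terms to tokens, and restores values on the way in."""

    def __init__(self, vault, cloud):
        self.vault, self.cloud = vault, cloud

    def outbound(self, record):
        protected = dict(record)
        for field in SENSITIVE_FIELDS.intersection(record):
            protected[field] = self.vault.tokenize(field, record[field])
        self.cloud.store(protected)
        return protected

    def inbound(self, record):
        restored = dict(record)
        for field in SENSITIVE_FIELDS.intersection(record):
            restored[field] = self.vault.detokenize(record[field])
        return restored

    def search(self, field, value):
        needle = value
        if field in SENSITIVE_FIELDS:
            needle = self.vault.lookup(field, value)
            if needle is None:
                return []   # never stored, so nothing in the cloud can match
        return [self.inbound(r) for r in self.cloud.search(field, needle)]


def demo():
    """Constructed sample records; returns what the cloud stored, a search hit
    and a search miss so the behaviour can be checked."""
    vault, cloud = TokenVault(), CloudApp()
    gateway = Gateway(vault, cloud)
    gateway.outbound({"name": "Alice", "ssn": "123-45-6789", "email": "alice@example.com"})
    gateway.outbound({"name": "Bob", "ssn": "987-65-4321", "email": "bob@example.com"})
    stored = cloud.records[0]
    return stored, gateway.search("ssn", "123-45-6789"), gateway.search("ssn", "000-00-0000")
```

Two things this makes visible for a vendor conversation: the same value always yields the same token, which is what keeps search working but also lets the cloud side count and correlate repeated values (two records with the same tokenized email are visibly the same person), and the vault sits in the critical path of every read, write and search, so its availability, access control and backup deserve the same scrutiny as the cryptography.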
The solution category holds tremendous promise and has been adopted by many leading enterprises.
But Security and IT professionals need to focus on critically analyzing marketing and solution claims
from vendors to ensure the technologies being adopted are truly capable of meeting the data privacy,
security and compliance requirements faced by their organizations.
Copyright © 2013, PerspecSys Inc., All rights reserved. PerspecSys is a trademark of PerspecSys Inc.
This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and
conditions of merchantability or fitness for a particular purpose.
What Questions Should Be Asked?
Each group within the enterprise, including Security, Governance & Risk, IT, and the end users of the
cloud applications, needs to evaluate a Cloud Data Protection Gateway solution thoroughly against
its own specific needs and requirements.
SECURITY TEAM
The primary reason that enterprises typically adopt Cloud Data Protection Gateways is to address
security and data protection needs, so a thorough understanding of the core security techniques
used by the gateway provider is critical. Representatives from the enterprise’s security office need
to ask:
How secure is my data?
a. What security techniques are available in the solution, and how do these align with our
business and data protection objectives? Does the vendor fully support both tokenization
and encryption, or do they do so with caveats and limits?
b. If considering encryption as a primary solution for data protection:
i. What algorithms are available (e.g. AES, 3DES), and with what key lengths and modes
of operation?
ii. Are the algorithms proprietary, with limited review by the cryptographic community,
or are they specified in a recognized standard such as a NIST publication?
iii. If the vendor highlights a NIST FIPS certification, which one? There are wide
differences among FIPS-certified solutions.
As an example, FIPS 197 only specifies the AES algorithm itself; a product that
"implements FIPS 197" has not necessarily met the far more rigorous
module-level requirements of FIPS 140-2, which also covers key management,
random number generation, self-tests and protection of the module. Only a
FIPS 140-2 validated module may be used by U.S. government agencies to
protect sensitive data, and leading enterprises have adopted the same
requirement. Ask for the certificate number and check it against NIST's
CMVP validated modules list, noting which module version and operating
environments the certificate actually covers.
iv. How are keys managed? Will the organization keep control of the keys used to
encrypt its information, as the recently published Cloud Security Alliance best
practices on deploying encryption recommend?
If using the vendor's key management solution, does it comply with NIST SP 800-57
(Recommendation for Key Management)? Does the solution support crypto-periods, key
revocation, key state management, multiple keys, etc., so that data protected under
an earlier key stays recoverable after rotation while a compromised key is refused?
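As an added example of what those key-management properties look like in practice (this is illustrative code written for this page, not PerspecSys's or any vendor's implementation), the following key manager tracks each key through a subset of the SP 800-57 key states, allows exactly one active key to protect new data, refuses to encrypt once that key's crypto-period has elapsed, still decrypts data protected under a deactivated key, and refuses a revoked (compromised) key outright. The key identifier is stored with every ciphertext so the right key can be found later. The cipher is an assumption made to keep the example dependency-free: HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES, and the injected clock exists only so the demo can move time forward.

```python
import hashlib
import hmac
import secrets
from enum import Enum
from types import SimpleNamespace

class State(Enum):
    PRE_ACTIVATION = "pre-activation"
    ACTIVE = "active"            # may protect new data and process existing data
    DEACTIVATED = "deactivated"  # crypto-period over: process existing data only
    COMPROMISED = "compromised"  # revoked: refuse every use

class KeyUnusable(Exception):
    pass

class KeyManager:
    """Every key ever issued, with its state, so older data stays readable after rotation."""
    def __init__(self, crypto_period, clock):
        self.crypto_period = crypto_period  # seconds a key may protect new data
        self.clock = clock                  # injected so the demo can move time
        self.keys, self.active_kid = {}, None

    def generate(self):
        kid = "k-" + secrets.token_hex(4)
        self.keys[kid] = SimpleNamespace(kid=kid, material=secrets.token_bytes(32),
                                         state=State.PRE_ACTIVATION, activated_at=None)
        return kid

    def activate(self, kid):
        key = self.keys[kid]
        if key.state is not State.PRE_ACTIVATION:
            raise KeyUnusable(f"{kid} is {key.state.value}; cannot activate")
        if self.active_kid is not None:  # exactly one key protects new data
            self.keys[self.active_kid].state = State.DEACTIVATED
        key.state, key.activated_at = State.ACTIVE, self.clock()
        self.active_kid = kid

    def revoke(self, kid):
        self.keys[kid].state = State.COMPROMISED
        if self.active_kid == kid:
            self.active_kid = None

    def encryption_key(self):
        if self.active_kid is None:
            raise KeyUnusable("no active key; generate and activate one")
        key = self.keys[self.active_kid]
        if self.clock() - key.activated_at > self.crypto_period:
            key.state, self.active_kid = State.DEACTIVATED, None
            raise KeyUnusable(f"{key.kid} exceeded its crypto-period; rotate")
        return key

    def decryption_key(self, kid):
        key = self.keys.get(kid)
        if key is None or key.state not in (State.ACTIVE, State.DEACTIVATED):
            raise KeyUnusable(f"{kid} is not usable for decryption")
        return key

def _keystream(material, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES (standard library only; not for production).
    blocks = [hmac.new(material, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def _tag(key, nonce, ct):
    return hmac.new(key.material, b"mac" + key.kid.encode() + nonce + ct, hashlib.sha256).digest()

def encrypt(km, plaintext):
    key, nonce = km.encryption_key(), secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key.material, nonce, len(plaintext))))
    return {"kid": key.kid, "nonce": nonce, "ct": ct, "tag": _tag(key, nonce, ct)}

def decrypt(km, env):
    key = km.decryption_key(env["kid"])  # refuses a compromised key before touching the data
    if not hmac.compare_digest(_tag(key, env["nonce"], env["ct"]), env["tag"]):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(env["ct"], _keystream(key.material, env["nonce"], len(env["ct"]))))

def demo():
    """Walks keys through rotation, revocation and crypto-period expiry."""
    now = [1_000.0]
    km = KeyManager(crypto_period=86_400, clock=lambda: now[0])
    k1 = km.generate(); km.activate(k1)
    old = encrypt(km, b"ssn=123-45-6789")
    k2 = km.generate(); km.activate(k2)                 # rotation: k1 -> deactivated
    new = encrypt(km, b"ssn=987-65-4321")
    out = {"old_readable_after_rotation": decrypt(km, old) == b"ssn=123-45-6789",
           "k1_state": km.keys[k1].state.value}
    km.revoke(k2)                                       # k2 leaked: nothing under it may be read
    try:
        decrypt(km, new); out["revoked_refused"] = False
    except KeyUnusable:
        out["revoked_refused"] = True
    k3 = km.generate(); km.activate(k3)
    now[0] += 2 * 86_400                                # past k3's crypto-period
    try:
        encrypt(km, b"x"); out["expired_refused"] = False
    except KeyUnusable:
        out["expired_refused"] = True
    out["k3_state"] = km.keys[k3].state.value
    return out
```

When a vendor claims SP 800-57 support, these are the behaviours to ask them to show: that ciphertext records carry a key identifier, that rotation does not require re-encrypting everything at once, that a revoked key is refused for decryption rather than silently honoured, and that the crypto-period is enforced by the system rather than left to an administrator's calendar.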