Government endeavors to expand and make available the range of services to the largest possible numbers of users. At the same time, the public sector also works hard to improve its own internal operations and use the best possible talent it can get. Increasingly, there is also a need to improve the collaboration between different sectors of the government while ensuring that data privacy and security are not affected
Human Factors of XR: Using Human Factors to Design XR Systems
Global Security Certification for Governments
1. CloudMask thinks differently in the secure-cloud landscape.
Providing the highest standard of data security for the government sector
The economic value proposition of Software as a Service (SaaS) is undeniable. SaaS is disrupting industry after industry,
making accessible to sole proprietors and small businesses software functionality that historically required significant
investment in hardware, software, and annual maintenance fees. This, in turn, is making smaller players even more agile
and efficient than they used to be, allowing them to run competitive circles around larger or laggard players.
The good news is that rich software functionality is often available for less than $100 per month, enabling high levels of
business management and administrative efficiencies.
The bad news is that the tempting sky of cloud and SaaS computing is filled with thunderclouds of cybersecurity concerns.
Despite the best efforts of traditional cybersecurity experts, the adoption of cloud computing has been accompanied by an
ever-growing number of egregious data breaches. These breaches damage brands and drive up significant costs for
investigations, notification, and identity-theft protection for clients whose personal information has drifted into malicious
hands.
So, what’s going on? Why do even the largest enterprises struggle with securing their data? Wouldn’t the National
Security Agency be one of the most rigorous security practitioners in the world? What leaks have we not yet detected?
One thought leader at a major global cybersecurity consultancy explained it like this: “We’re trying to examine every packet
that flows across the perimeter of the network and notice IP addresses that don’t make sense. This is incredibly hard.
There’s a ridiculous amount of data, and we’ve entered an age where the network no longer has clear boundaries. We
really haven’t solved that problem.”
What is the problem?
The problem lies in the way traditional security thinkers have defined the problem. They’re working with a castle-and-moat
metaphor, where the internal network is protected with a set of security rings. Each ring, however, has costly hardware and
software searching for malevolent inbound and outbound data. But it’s like looking for needles in a haystack. And even if
security experts are successful at protecting the perimeter, there is little protection against insiders (employees or others
with access to the internal network).
Global Security Certification
for Governments
2. CloudMask thinks differently.
We see the problem in simpler terms: protecting sensitive data and ensuring that only authorized users, using known
devices, can see data in the clear. We’re happy to let the traditional security experts work on their perimeters, knowing that
when they fail, our customers’ data remains secure. And, in contrast with products designed for big enterprises, we’ve
created a solution that can be installed, configured, and afforded by small businesses without IT staff.
The SaaS Security Problem – Simplified
SaaS applications use best-practice security protocols and rely on their cloud provider to secure the infrastructure the
application runs on.
One vendor explains it this way: “We ensure that your communications are secure using bank-grade 256-bit SSL
encryption. All of (our) infrastructure is hosted using physically secure, managed data centers that meet the rigid SSAE 16
specifications. Geo-redundant backups are performed multiple times per day, and site security and privacy are routinely
audited by respected third parties.”
By means of 256-bit SSL encryption, the connection between your browser or app and database servers is secured. When
you submit a query or update, the data is encrypted as it transits the internet. Once the data reaches the data center, it is
decrypted for insertion into the app’s database.
The data center itself (e.g., Amazon Web Services) has a rigorous set of security controls and protocols, meaning that only
employees with the proper identification and access passwords can physically or virtually access the servers that hold the
application’s data. SSAE 16 is a standard according to which data centers are audited for their degree of compliance with
policy.
There are three vulnerabilities that should concern executives:
1. Anyone who tricks a user into revealing their username and password can impersonate that user and log in
from any browser in the world.
Such a hacker can impersonate the user and perform administrator functions. You don’t have to be a fool to have this
happen to you. Even a sophisticated user like CIA Director John Brennan has fallen prey to high school-age hackers.
2. Any insider (employee of the data center) can turn from “good” to “bad” overnight or have their credentials
stolen, meaning that an authorized system administrator could access application data for malevolent purposes.
Insiders don’t need to be “bad” to present a threat. They can simply be careless.
A recent report on cybersecurity suggests that less than 50 percent of organizations have adequate policies in place to
mitigate insider-threat risks. The challenge here is that executives depend on their SaaS provider, who in turn rely on their
cloud service providers to maintain security hygiene. That’s a lot of blind faith.
3. Governments have the desire, capacity and experience to tap into the cloud-service providers who hold the
world’s data.
The problem here is manifold. On the one hand, the government can access specific information based on a warrant. On
the other hand, it is an entirely different matter to access everything on an as-needs basis, under cover of National Security
Letters or their equivalent. Despite their best efforts to security screen and oversee intelligence and law enforcement
operations, the government also falls prey to “trusted” staff performing unauthorized actions. These vulnerabilities impact
the firm’s liability for data breaches and the capacity to deliver on a promise of client confidentiality and privacy.
In storing sensitive personal and other data, the firm is considered a data controller. As a data controller, the firm is subject
to a variety of data protection laws and regulations. Such regulations increasingly create a costly burden to notify
individuals affected by data breaches and to purchase several years of identity-theft protection. Emerging European laws
impose heavy fines for firms who violate data protection regulations.
3. Protecting data security in the government sector
Using cloud services in government is an important activity because, contrary to what people joke about, the government is
constantly looking for ways to improve its services and minimize its costs. Government endeavors to expand and make
available the range of services to the largest possible numbers of users. At the same time, the public sector also works hard
to improve its own internal operations and use the best possible talent it can get. Increasingly, there is also a need to improve
the collaboration between different sectors of the government while ensuring that data privacy and security are not affected.
The cloud provides a practical answer to many requirements of large government organizations. Office productivity
applications, content management (the government is one of the largest generators of content) and applications that manage
large projects are all ideally suited to be deployed to the cloud. Many custom-built applications are also being deployed to
public data centers because these offer the ease of access and scalability that government cloud projects need.
Cloud computing has also reduced the costs and risks associated with large government programs. Information Week has
reported that the US Army had consolidated their email services under a cloud managed by the Defense Information Systems
Agency. This was expected to save the US Army about $100 million in expenses annually. Bloomberg reports that Amazon
and IBM are fighting over a contract for cloud services to the CIA worth $600 million. NASA is using a public cloud at their
Jet Propulsion Laboratory (document requires free registration to see).
Agencies starting a new initiative can leverage the cloud to start pilot projects with minimal expenditure and loss of time.
Cloud services in government are helping governments become positively more agile. The key benefits of cloud computing
are:
Consolidation of facilities – government data centers can all be combined together to give economies of scale;
Better use of highly skilled staff;
Better use of expensive assets by sharing them across several organizations;
Reduced capital expenditure;
Easy tracking of services – since all activities in the cloud are monitored closely;
Improved agility and scalability and rapid deployment;
Elastic services where cloud resources can grow and shrink as required; and
Resilience of services due to the far better up-time and management of cloud services.
While the benefits associated with the use of cloud facilities by governments and the public sector are very clear and
compelling, there are some legitimate concerns as well. These include:
Control over resources: Managers want to know where their data is being stored and there could be issues of data
ownership and accountability.
Security: Organizations need to protect data, guard against intrusions, ensure privacy and protect intellectual
property.
Other worries include reliability of infrastructure, portability of data and implementation of standards. However, these
concerns are largely being addressed as the infrastructure being put up is very robust and standards are being implemented.
The key issue to be resolved is control over data security and privacy. Cloud services in government must ensure that it
meets its own high standards of data security that it applies to everyone else.
Security and privacy of data can be partially handled by encrypting data. However, when one gets down to actually doing
so, practical difficulties emerge. Key management becomes an issue, there is a requirement of creating encryption gateways,
and encrypted data cannot be searched, indexed and processed. In addition, there will always be vulnerabilities where
unencrypted data moves over the local area networks before it reaches the encryption gateway.
Another problem arises when data is processed. It is not possible for applications to process encrypted data. Therefore, at
the cloud end data will be converted back to clear text before it can be processed conventionally. It then becomes possible
for sophisticated attackers to read data.
4. The solution to such limited and porous security lies in a unique solution developed by CloudMask. We are a company that
has pioneered a security solution that is certified by 26 governments. The CloudMask solution analyses data as it is being
created and determines which fields can be encrypted and which fields will be required to process the data. It then encrypts
data selectively, and for data that is required to be processed, it follows a process called masking or tokenization. Here data
is masked by replacing it with random data that has a similar structure to the data being protected. A date, for example,
would be replaced by another date. Thus, application processing can go through without having to use the original data.
Later, when the results of processing are to be displayed to authorized users, the masked data is converted back to the
original values.
Such a solution also anonymizes data. It is not possible to tell who the data belongs to because the individual it refers to is
masked. Thus, even if someone has complete access to your data in the cloud, they will not be able to use it because some
elements are encrypted while others are masked and tokenized. The key to CloudMask protection stays with the data owner.
It is never shared with the application or the cloud service provider because all processing can be done with secured data.
If you think the solution is not to use cloud, think again.
The concerns outlined above have caused many organizations to have misgivings about adopting cloud-based solutions,
presuming that an on-premise solution (a server running in your office) is safer. Unfortunately, that is not the case. Your
office or server room isn’t nearly as secure as an access-controlled data center.
CloudMask: a silver lining for SaaS
CloudMask addresses these vulnerabilities in a way that enables executives to immunize their firms against data-
breaches, differentiate by offering highly secure data management and communications, and using economical cloud
services with confidence.
CloudMask can provide SaaS users with an easy-to-install browser extension that automatically masks sensitive data
before it enters the 256-bit encryption channel to the data center. When that data arrives at the data center where the 256-
bit protection ends, CloudMask data stays masked.
This process also works in reverse, as in the case when the user requests sensitive data. Here the masked data is double-
encrypted as it moves through the secured communications channel. When it arrives in the browser, the 256-bit encryption
is removed, and CloudMask seamlessly unmasks to present the data in the clear.
Alongside controlling users and their access rights, practice management account owners/administrators have the capacity
to select specific fields to be masked. Not all data needs to be masked and protected, but data categorized as sensitive
personal data, personally identifying, or otherwise confidential, can be selected for automated, seamless masking and
unmasking.
From a functional perspective, CloudMask resolves the concerns that executives
might have with respect to using SaaS applications:
1. Each user authorized to access the SaaS account installs a CloudMask browser extension that is activated through a
simple process generating the personal, private and public keys required for the encryption process. What’s more, the
extension can be installed on multiple personal devices, each of which is personalized with a private key. Thus, even if a
username and password are somehow compromised, which under normal circumstances would allow anyone anywhere in
the world to log into the account and see data in the clear, the unauthorized user cannot do so without access to the
specific devices configured with the personalized browser extension.
2. The data stored under care of the data center remains masked while at rest or in motion. Neither the practice
management SaaS vendor, nor CloudMask administrators, nor data center administrators, have keys that can be used to
unmask the data. If the data center suffers a breach (e.g., an unauthorized insider penetrates the database, or a
government agency serves a National Security Letter), data the user has designated as sensitive remains protected.
5. 3. The data stored under care of the data center is masked in such a way (“tokenization”) that anonymizes what was
previously sensitive data. Thus, even if that data is stolen, it is no longer considered sensitive personal information or
personally identifying information, so it no longer falls under data protection regulations or requirements. In other words,
breaches of systems holding tokenized data do not trigger the costly response and remediation efforts associated with
breaches of systems holding sensitive personal information.
The Technical Story
A separate e-book explains the technical details behind this process and the software that automates it, as well as
describing the benefits of encrypting and tokenizing data, which we collectively refer to as “masking.” The e-book also
provides a brief explanation of the well-established public/private key methods used by the encryption process.
Grounded Confidence
CloudMask is unique in having its “CloudMask engine” certified through a Common Criteria for Information Technology
Security Evaluation (Common Criteria) process, which is used by twenty-six federal governments to evaluate security
products for their own use.
The process of independent evaluation assesses whether a product’s functional claims live up to the way it is coded and
performs. Many products claim to be “bank-grade” or “military-grade,” both of which are subjective assessments.
CloudMask is the only data-masking product capable of working with SaaS offers to achieve Common Criteria certification.
More expensive competitors like Cipher Cloud and Ionic have not achieved such objective criteria. Technical advisors can
access CloudMask’s Common Criteria Assessment here.
It’s easy to get started with CloudMask. Visit www.cloudmask.com