Each gateway is supposed to service approximately 5,000 users, and we caution this is an untested number; it could be more or less.
We could add redundancy of the gateway appliance in our network operations center, or distribute it to branches or other locations where its presence makes sense from a control, management, and communications perspective. The VM sits in the network path behind the point where users log on to the desired cloud resource, meaning via VPN and through the gateway. Unless this is done, users can still reach the SaaS/cloud resource directly, but the data is encrypted at the SaaS/cloud destination and is unusable, until someone figures out how to decrypt AES-256.
There are several levels of staff functions that must come together to make CipherCloud, or any other CASB management system, work: networking, security, DLP/asset management, production instance management, and help desk support. The reverse proxy mechanism watches for exfiltration and policy violations. There is a rich set of action/condition choices, ranging from stopping traffic cold to providing stub access as a replacement for improperly stored data.
CCTP doesn’t need to encrypt everything; if desired, only pertinent fields are encrypted. If it is set to encrypt entire discrete files, data encrypted this way cannot be used for searches. You use your own keys, and CipherCloud doesn’t keep them. This means you generate your own keys and/or make use of a certificate authority to generate appropriate keys.
Once installed, the keys encrypt what you’ve chosen. As an example, when we tested Salesforce via the test gateway VM residing in AWS, we could open up the Salesforce instance’s database schema and choose which fields to encrypt. When we tried direct access to the data, deliberately going around the gateway, the result was total gibberish. Sorting on the gibberish produces still more gibberish, as the rendered encrypted text consists of UTF-8 characters. If we had the keys outside the gateway keystore, we would have been able to decrypt the data — if we also had any optional tokens needed to further de-hash the data into something meaningful. Salesforce domains and apps could therefore receive surgical treatment in terms of DLP.
The entire Salesforce database could be encrypted, but it’s not really needed, unless each field must be encrypted for regulatory compliance. If there are different Salesforce Orgs, each Org instance can be encrypted, including online Salesforce apps. For single sign-on, we used CipherCloud directly, but it’s possible to connect via Active Directory Federation Services or other SSO mechanisms.
CCTP manages this with what we feel is astute key repository banking and management, so that multiple apps can be managed concurrently. Keys are managed on the CCTP VM gateway after installation, and as such allow jurisdictional partitioning of data. SafeNet’s KeySecure is supported as a third-party key store, but we didn’t test this. As administrators are separated into system administrators, key managers, and cloud application managers, the key manager role can be kept distinct as a separate function. This comes in handy.
Key separation is used for geo-locating data into separate empires. For example, a European branch can use data that is encrypted differently than data in Chicago. This comes at low cost, because again, redundancy of the gateway(s) costs no more, as pricing is per user, so branches, business units, and country-managed entities can each have their own gateway.
Initial key distribution and renewal/replacement means going into each gateway to replicate infrastructure. Subsequent upgrades (we did not try this) allow a dry run of updates prior to deployment within the appliance(s).
Data running through the gateway can have application-specific tuple treatment such as these: AES Email Address Encryption, AES Email Relay Encryption, AES Encryption for Alphabetic Filtering, AES File Stream Encryption, AES Length Restricting Encryption, AES Phone Number Encryption, AES Search and Sort Encryption, AES Search and Sort Encryption(FIPS Mode), AES Web URL Encryption, Alphabetic Filtering Tokenizer, Email Address Tokenizer, Email Relay Tokenizer, File Name Tokenizer, Length Restricting Tokenizer, Phone Number Tokenizer, Search and Sort Tokenizer, Stateless AES Alphanumeric Encryption, Stateless AES Chatter Encryption, Stateless AES Encryption with Search, Stateless AES Encryption without Search, Stateless AES Prefix Preserving Encryption, Stateless AFPE, Stateless AFPE for Alphabetic Filtering, Stateless Chatter URL Encryption, Stateless Email Address Encryption, Stateless Email Relay Encryption, Stateless Function Preserving Hybrid AES Encryption, Stateless Length Restricting Encryption, Stateless Order Preserving Hash Encryption, Stateless Partial Field Encryption, Stateless Partial Field Hybrid AES Encryption, Stateless Phone Number Encryption, Stateless Web URL Encryption, Static Chatter Tokenizer, Static Chatter URL Tokenizer, Static Date Tokenizer, Static Email Address Tokenizer, Static Length Restricting Tokenizer, Static Number Tokenizer, Static Partial Field Tokenizer, Static Per Word Tokenizer, Static Phone Number Tokenizer, Static URL Tokenizer, URL Tokenizer.
No, we didn’t test all of them. Also available are anti-malware and anti-virus stream examination.
The tokenizers are tokenization hashes designed to keep data local, so that only a single encryption key is needed while data stays partitioned for jurisdictional purposes; international branches can thus comply with data export constraints via administratively generated tokens.
Policies can be based on these fields for varying kinds of filtering. There is an inline antivirus/antimalware app that works either system-wide or not at all. The gateway and its keys are totally critical to organizational use of protected SaaS resources, and this means the gateway needs to be both replicated and backed up -- and from a communications perspective, it constitutes a critical path for the organization. No access to the gateway means: help desks catch fire.
If you believe in secret sauces, the strongest CipherCloud sauce in our estimation is the fact that it uses stateless/stateful AES encryption variants. This means that CipherCloud can use deep traffic inspection techniques and filter for policy-driven dysfunction indicating data exfiltration/misuse -- hence policy violations. Numerous types of fields can be examined for pattern matches, and when matches (hits) are found, CipherCloud records what’s happening and, by policy, can halt the transaction or place tombstones representing the data while the data is cached elsewhere.
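To make the field-level behaviour described above concrete (a field that is gibberish when read around the gateway, a token that keeps the real value in a local vault, and a searchable encryption variant of the kind the review attributes to the stateless AES modes), here is an added Go example. It is not CipherCloud's code and makes no claim about how CCTP actually builds its modes; the `Gateway` type, its methods, the HMAC-derived token format and the synthetic-IV derivation for the searchable mode are assumptions made for illustration, and the sample e-mail address is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Gateway models the reverse-proxy appliance (hypothetical type): it holds the
// keys and the local token vault; the SaaS side only stores what these return.
type Gateway struct {
	aead   cipher.AEAD
	macKey []byte
	vault  map[string]string // token -> original value, never sent to the SaaS
}

// NewGateway builds a gateway from a 32-byte AES-256 key and a separate HMAC key.
func NewGateway(aesKey, macKey []byte) (*Gateway, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Gateway{aead: aead, macKey: macKey, vault: map[string]string{}}, nil
}

// seal encrypts one field under the given nonce and returns nonce||ciphertext.
func (g *Gateway) seal(nonce []byte, field string) string {
	out := append([]byte{}, nonce...)
	out = g.aead.Seal(out, nonce, []byte(field), nil)
	return base64.StdEncoding.EncodeToString(out)
}

// EncryptRandom uses a fresh random nonce, so equal plaintexts produce different
// ciphertexts: strongest privacy, but the stored field can no longer be searched
// or sorted at the SaaS side (sorting ciphertext just orders the gibberish).
func (g *Gateway) EncryptRandom(field string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return g.seal(nonce, field), nil
}

// EncryptSearchable derives the nonce from an HMAC of the plaintext (a
// synthetic-IV construction, assumed here), so the same value always encrypts
// to the same ciphertext and an equality search on the encrypted column works.
// The trade-off: anyone reading the SaaS data can tell which rows share a value.
func (g *Gateway) EncryptSearchable(field string) string {
	mac := hmac.New(sha256.New, g.macKey)
	mac.Write([]byte(field))
	nonce := mac.Sum(nil)[:g.aead.NonceSize()]
	return g.seal(nonce, field)
}

// Decrypt recovers a field from either mode; only the key holder can do this.
func (g *Gateway) Decrypt(stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := g.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Tokenize replaces the value with an HMAC-derived token and keeps the original
// in the gateway's local vault, so the real data never leaves the jurisdiction.
func (g *Gateway) Tokenize(field string) string {
	mac := hmac.New(sha256.New, g.macKey)
	mac.Write([]byte("token:" + field))
	token := "tok_" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)[:16])
	g.vault[token] = field
	return token
}

// Detokenize resolves a token back to the original value from the local vault.
func (g *Gateway) Detokenize(token string) (string, bool) {
	v, ok := g.vault[token]
	return v, ok
}

func main() {
	aesKey, macKey := make([]byte, 32), make([]byte, 32)
	rand.Read(aesKey)
	rand.Read(macKey)
	gw, err := NewGateway(aesKey, macKey)
	if err != nil {
		panic(err)
	}
	email := "alice@example.com" // constructed sample field value
	r1, _ := gw.EncryptRandom(email)
	r2, _ := gw.EncryptRandom(email)
	fmt.Println("random mode differs per write:", r1 != r2)
	fmt.Println("searchable mode is stable:", gw.EncryptSearchable(email) == gw.EncryptSearchable(email))
	tok := gw.Tokenize(email)
	orig, _ := gw.Detokenize(tok)
	fmt.Println("stored at SaaS:", tok, "| resolved locally:", orig)
}
```

The two encryption methods share one AES-256 key and differ only in how the nonce is chosen, which is the whole trade-off between privacy and searchability; the tokenizer needs no data key at all at the SaaS side, which is why it suits jurisdictional partitioning.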
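The pattern-match, record, halt-or-tombstone flow described above, as an added Go example that is not CipherCloud's code: a small inline policy engine scans each outbound field, logs hits, blocks the write for one rule and swaps the field for a tombstone placeholder (caching the original locally) for another. The rule set, the `TOMBSTONE-nnnn` placeholder format and the Luhn pre-check used to cut false positives are assumptions for illustration; the sample record is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Action is what a policy does on a hit.
type Action int

const (
	Block     Action = iota // refuse the write entirely
	Tombstone               // store a placeholder, keep the real value locally
)

// Rule is one inspection pattern; Check is an optional validator run on the
// match (e.g. Luhn) so that random digit strings do not raise hits.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
	Action  Action
	Check   func(string) bool
}

// Hit is one audit-log entry: which field tripped which rule.
type Hit struct {
	Field, Rule string
	Action      Action
}

// Policy holds the rules and the gateway-side cache of tombstoned values.
type Policy struct {
	Rules []Rule
	cache map[string]string
	seq   int
}

// NewPolicy builds a two-rule policy (hypothetical rules for illustration).
func NewPolicy() *Policy {
	return &Policy{
		Rules: []Rule{
			{Name: "us-ssn", Pattern: regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), Action: Block},
			{Name: "card-number", Pattern: regexp.MustCompile(`\b(?:\d[ -]?){12,15}\d\b`), Action: Tombstone, Check: luhnValid},
		},
		cache: map[string]string{},
	}
}

// luhnValid applies the Luhn checksum to a digit string with spaces or dashes.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	sum, alt := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if alt {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		alt = !alt
	}
	return len(digits) >= 13 && sum%10 == 0
}

// Inspect scans an outbound record. It returns the record as it may be sent to
// the SaaS, whether the write is blocked, and the hits for the audit log.
func (p *Policy) Inspect(record map[string]string) (map[string]string, bool, []Hit) {
	out := make(map[string]string, len(record))
	var hits []Hit
	blocked := false
	for field, value := range record {
		out[field] = value
		for _, r := range p.Rules {
			m := r.Pattern.FindString(value)
			if m == "" || (r.Check != nil && !r.Check(m)) {
				continue
			}
			hits = append(hits, Hit{Field: field, Rule: r.Name, Action: r.Action})
			switch r.Action {
			case Block:
				blocked = true
			case Tombstone:
				p.seq++
				id := fmt.Sprintf("TOMBSTONE-%04d", p.seq)
				p.cache[id] = value // real value stays on the gateway side
				out[field] = id
			}
		}
	}
	return out, blocked, hits
}

// Restore resolves a tombstone back to the cached original for an authorised reader.
func (p *Policy) Restore(id string) (string, bool) {
	v, ok := p.cache[id]
	return v, ok
}

func main() {
	p := NewPolicy()
	rec := map[string]string{ // constructed sample record
		"Notes": "card 4111 1111 1111 1111 on file",
		"Memo":  "ref 1234 5678 9012 3456", // fails Luhn: not a hit
		"SSN":   "123-45-6789",
	}
	out, blocked, hits := p.Inspect(rec)
	fmt.Println("blocked:", blocked, "hits:", hits)
	fmt.Println("as sent:", out)
}
```

The Luhn pre-check is the kind of detail that keeps the help desk quiet: a reference number that merely looks like a card number passes through untouched, while a genuine one is replaced before it reaches the SaaS.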
This is where additional costs come into play: if you don’t deal with the warnings, your organization’s compliance is in jeopardy. How each organization deals with warnings and policies is up to the organization’s best practices, and CipherCloud gave us recommendations on how varying situations are dealt with from an administrative and policy perspective.
The downside is that it’s still possible for pre-encrypted data streams that CipherCloud has no keys for to be infiltrated/exfiltrated within an organization, so CipherCloud isn’t a perfect firewall; then again, most firewalls can’t halt such activity either. We also felt that CipherCloud can be overkill for smaller organizations.
In all, CipherCloud portends an intimate relationship between users, administrators, and SaaS applications. It’s a complex platform, and is not a simple undertaking. We like its encryption infrastructure, and its ability to inspect encrypted flows. It doesn’t cover an unlimited number of potential SaaS applications, but the list of covered apps is impressive.