Webinar Recording
Enabling Cloud Access While Ensuring Security and Compliance
The cloud and mobile revolutions have changed the way we work and the very nature of IT. But these advances have also created immense new challenges and risks to security, data protection and compliance. In order to address these risks the Cloud Access Security Broker (CASB) market has rapidly emerged with vendors providing a range of solutions to increase visibility, control and data protection for a broad set of cloud applications. CASBs function as security policy gatekeepers for data going to the cloud, automatically identifying various risks in real time and encrypting sensitive data to make it indecipherable to intruders.
CASBs have become an essential security pillar as computing and data moves outside the enterprise, bypassing legacy tools like firewalls. The ideal CASB should enable cloud usage – not block it, and support a wide range of applications from any device, without affecting usability. However, not all CASBs are the same and organizations need to make sure that the CASB they choose helps to meet their own particular needs.
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
Good afternoon, everyone. And welcome to this KuppingerCole webinar on enabling cloud access while ensuring security and compliance. And this, this is Mike Small, I'm a senior Analyst with KuppingerCole and my co-presenter this afternoon is Dave Berman, who is senior director of cloud compliance and governance at cipher cloud. So the KuppingerCole is an industry Analyst with a focus on security issues. In particular, we have a global presence in Europe, Australasia and the us, and we provide research services and advisory services as well as events in your and around the world. And our upcoming events include the consumer identity summit in Paris, which will be next week, digital finance world in Frankfurt in March next year, and our annual major event in Munich during may the European identity in cloud conference.
So during this webinar, you, the audience are all muted. You can ask questions by using the question widget, which is on the screen. And if you, if you have a question you can type them in and I will be moderating those questions and helping to find a good response at the end of the webinar, the webinar will take place in two parts, followed by a question and answer session. And in part one, I'm going to describe the challenges that cloud services pose. And in part two, Dave Bour cipher cloud will demonstrate the capabilities of cipher cloud's cloud access security broker solution, including a set of case studies, as well as a live demonstration of his product. So let's now look at what is leading to all of this. And in Kuppinger Cole's view the change in the technology, which is brought about by the interconnection of nearly every everyone and everything together with the increases in computer power are leading organizations to strive to find a digital transformation.
And this is being driven by the need to improve your services in the face of a, a highly competitive landscape, and also to meet with the ever-changing landscape for regulations. And not only that, but the, the movement from products being simply things into products, including lots of services that surround them. And in order to do that, you need three things, which is agility, flexibility in the organization, as well as innovation. And all of those things are coming to, to fruition, if you will, through the use of cloud services. So cloud services are one of the fundamental technologies and services that organizations are using to achieve that flexibility in order to deal with the competition and to be able to innovate at least faster than your main competitors. Now, there are different perspectives on the use of the cloud and business, and it services tend to have a different view of what the cloud means and business tends to want the agility that I've been describing, whereas it has been used to doing it themselves and is looking for security and compliance.
So if we look at the business led view of things, what you see there is business initiatives focus on fully exploiting digital technology to transform their business in getting closer to their connected customers, using this technology, to creating innovation and innovative products based on the new technologies available to them. And their view of risk is about business risk. And that business risk includes not actually exploding the market. It's the risk of not being there together with the risk of doing it in a way which is non-compliant with all the regulations. The it view of the cloud is that it is something that can bring cost reduction that can reduce the costs of it services that it can improve the efficiency with which those services are delivered. It can be used to migrate existing applications in a way which will make them more cost effective. And to do that in a way, which is both compliant and security.
So we really should be able to deal with both of these things. And the agile connected organization should be able to get the rewards, but using cloud services, unfortunately do introduce some challenges. Now what those challenges are, has in fact changed over time that a few years ago, nearly every organization was telling me that they were worried about security. But in fact, nowadays the top issue, the top concern is one of compliance it's that organizations are now faced with this continually increasing number of laws and regulations that they need to comply with and moving to the cloud means that that compliance falls to some extent into the hand of the third party, providing the service cybersecurity is still a risk, but it's it's the, the risk has changed from the we don't trust the cloud service provided to the fact that cyber crime has grown so rapidly that that, that the criminals are even using cloud services in order to become better at being criminals.
Now, availability is another issue because in order for the cloud service to work for it, to be available to you, you need this complex infrastructure, much of which is outside of the control of the customer. And then there are things like locking due to proprietary standards and legal risks. Well, if we look at what this, this particular webinar is going to focus on, it's really going to be around security and compliance. So compliance the challenge with compliance is that in nearly every regulation and nearly every law, the organization that collects the data is the organization that remains responsible for compliance when using the service, even if mistakes and problems are raised by the processor and in Europe, as there is this upcoming general data protection regulation, which comes into force in May, 2018, which is causing a great deal of concern because the penalties for non-compliance with that regulation include penalties of up to 4% of global turnover.
And indeed the penalty can be imposed both on the, what is called the data processor as well as the data controller. So there is a lot of incentive for organizations and data processing, data processes, and cloud service providers to pay attention to this. Now that isn't the only way that data can get lost. And another concern is the concern over legal intercept of customer's data. And this has been, shall we say, increased by suspicions in Europe about the, the things that are going on in the us in order to combat terrorism and organized crime. And indeed this fire has been fueled by reports like the one in October, where it was reported that Yahoo had been scanning incoming emails on behalf of the FBI. Now Yahoo says that this is a misleading report, but nevertheless, the, the suspicions remain and they stick. And so this kind of are, these are both reasons why people are reluctant to put their data into the cloud and to try and bring more control over how the cloud is used.
So in order to achieve that, what you need is governance and governance is not about management. Management is about delivering the service governance is about making sure that the objectives that you need are met by the service that you buy. And that's kind of a little bit difficult for many it, people who have become highly qualified in how to do it themselves, but effectively, this means you need to set business goals and you need to be able to measure how those goals are being realized, using some kind of key performance indicators. And in terms of security and compliance, there are a number of risks that you need to ensure are correctly managed policy technical and legal risks. And the governance of risk is really about taking, making sure that there are management actions that reduce both the impact and the probability of these risks. And these are the kinds of things that you need to be looking at in order to improve your governance.
So organizations need to have a, a consistent process which sets a policy for cloud usage and looks at this from a perspective of business benefits. So, first of all, we can look at how governance should be dealt with in a theoretical basis, that there should be a board level view of why you are using the cloud, what the business objectives are and the policy for the use of the cloud. And I can't emphasize that too much because many organizations we talk to say, oh, we don't need a policy, but if you don't have a policy and you don't communicate to your employees, that they should not be using, yeah, they should not be using YouTube to share videos and they should not be using Dropbox to share sensitive information. Then you can hardly be surprised if they continue to do it. And those objectives lead to a view of what the security and compliance requirements would be.
And in turn for a particular use case, you can then say, what are the particular business and technical requirements together with a proper procurement process should lead to some vendors and a risk analysis of those vendors, which comes round to defining whether you're going to accept the, accept, the service, not accepted and do something else or set in place mitigating controls, which is the most likely outcome. And if you do decide upon the mitigating controls, then you need to be able to monitor the way that they are being used and make sure that they are effective. So governance is about setting the, the objectives and monitoring whether or not this works. Now, having said that that is a theoretical perspective of things. What in fact happens in reality is that many business lines of business in fact have realized the potential benefits for using the cloud.
And they just do it. They can do it based on their corporate credit card, or they do it because there is nobody stopping them to do it. And there's no policy and no procurement process they can go through. So they bypass this process and this makes it all the more important to monitor the usage of the cloud and to be able to detect that and remediate it if necessary. So this gap between theoretical and cloud governance is important, and it is in this gap that cloud access security brokers are most effective in helping to improve the cloud governance in an organization. Because what they basically do is they provide visibility by monitoring cloud uses. They provide visibility of how controls are being effective or not. And they can also indeed implement certain kinds of controls as well as provide the evidence that's needed on how you have to remediate them.
So basically we have done some considerable research into the market for cloud security access brokers, and we've identified a number of technical functionality that we believe these products should provide. And you can see this in our, in our research document here. So I'm going to summarize what these requirements are in a short set of slides. First of all, we need to look at what is needed to support compliance. And we find that many organizations say, well, you know, we are happy with the cloud because the cloud provider tells us they're doing a good job. Well, that's, that's one view of things, but can you prove it? And then they, they, the people will say to us, well, actually, we've got a contractual commitment, which is very good providing your, you've got the money to pay your lawyers to argue it in court, better than that is.
If there is independent validation. And now you will find that you will be bored by the long list of independent attestations and validations that cloud providers provide, which are important, but perhaps not sufficient validation is not as good as actually having tested it. And some, some cloud providers will tell you that they can let you have access to their testing data. But best of all is if you remain in control. So if you have your own controls, which can provide an overarching confirmation that, you know, what's going on, then you can be most satisfied and most assured that you are compliant. And so the first of these controls is to be able to detect which clouds are being used and who is using them. And that might sound a simple thing, but it's not because being able to know which cloud services in use involves keeping up to date with the tens of thousands of cloud services that exist.
And it's no mean feat, just to keep up with that, then you need to be able to integrate your technology with your existing user databases, to be able to relate what's going on, on, on the cloud to people in your organization. Otherwise you go, somebody somewhere is using it, but you can't do anything about it because you can't find who it is. And ideally you also need to have some kind of a view of the risk associated with those cloud services that are being used. There are many, many very well, very well governed cloud services that are provided, but as with all of these booming markets, there is an op an awful opportunity for the Charlas as well. So detecting cloud use is, is an important first step. Then you really need to have a way of implementing access control and that access control should be able to allow you to control which org, which, which people in the organization can access which cloud services and in what way, and from which devices.
And again, this is in another significant challenge because of, of, of the many dimensions that, that evolves. So again, cloud access security brokers really need to be able to bring this to where now, in addition to that, as well as being able to control access, you need to be able to protect what is being put into the cloud. And one of the strongest ways of protecting that data is to encrypt it. One, one thing you can do is you can detect which kinds of data being put in there. So there is a need for an extension to data, leak, data leakage prevention tools, to be able to be specifically sensitive to data that's moving to the cloud. But once data has been moved into the cloud, you need to find a way of encrypting it in a way where you retain access to the keys.
Now, many cloud providers will tell you that they encrypt the data, but they actually have control of the keys. So the suspicious minded amongst us think there are risks where it is possible that staff of the cloud service provider could illegitimately access it, or that the cloud service provider could be required by law to make access to, to the data, to some legal agency. If you've got the keys, then that legal agency has to come to you. And that's a big benefit. And this also is a benefit when it comes to protecting against cyber crime, because many of the cyber crimes in involve the exfiltration of your data. And if that data is encrypted, then at least you have one level of protection against it. But the other challenge is that nowadays most of the cyber crime involves managing to masquerade through hijacked accounts or whatever as legitimate users.
And so whether your data is in the cloud or on premise, the most likely way of being able to detect that, that is happening is through monitoring the usage and looking for anomalies. And so being able to know who is using the nature in the cloud, for what purpose, and to find anomalies, that is almost certainly the best way to do it. So in summary cloud is here to stay. Cloud is essential to providing business agility, but in order to get the best outta cloud and to do it in a compliant way, you need governance and cloud access security providers are a very important and useful too, to supporting that. So cloud governance needs policy and objectives, which understand the security and requirements, the security and compliance requirements of the data processing that you are doing. And cloud access security brokers are able to monitor what's going on, control, access, and protect data in the cloud. So with that, I'll say, thank you for your attention. And we'll now pass the presentation over to Dave Berman, or CipherCloud over to you, Dave.
Thank you, Mike. I'm just gonna throw up my slides here and, and get started. So a great overview of the governance and really the legal and compliance considerations that our customers are also struggling with. I'm gonna go through basically some of the core business challenges and compliance challenges that we're hearing from our customers, and then give you an overview of our platform and, and basically delve into those technical controls that Mike talked about during his remarks. So let's get started three business ch challenges that we constantly hear from our customers are that as they migrate to the cloud, they're really losing visibility of the kinds of sensitive and regulated data that is under compliance. And also that they want to secure that would, that would lead to reputation, damaging data breaches and the like, so certainly visibility and understanding what's going on with shadow it in their environment is critical as Mike had pointed out, but also being able to enforce controls on clouds, that they are sanctioning their businesses to use.
And they want to be able to ensure compliance. They don't wanna say no to everything, just blocking everything for customers nowadays is not the answer. So they really want to be able to control and enforce policies across clouds. They want to be able to do that in a consistent way. And of course they want to be able to protect the data. In the end, the data is the asset that the customers, our customers are concerned about. It. They have a data-centric view of what it means to mitigate their risk in the cloud. And of course you could have lots of monitoring and controls, which we provide, but in the end, if you don't have some basic capabilities or methods like encryption and tokenization to protect the data, you're, you're at risk of having that data exfil traded in the clear as Mike mentioned. So what does that compliance environment look like?
Our org, our customers are organizations that are multinational and often global, but even if they're doing business primarily in the us, they may actually have some compliance challenges across us states or even with European law, if they have partners in Europe. So, as Mike mentioned, you know, cloud providers have data all over the world and the data centers really, although you can have regions and you can have data centers that are located in certain countries, data typically flows in a cloud provider environment across national boundaries. And those compliance rules that Mike was talking about really talked to data, residency data privacy for each country, and they can be different for each country. There will be some consistency across the EU, as the GDPR comes into effect, but you can see there's many, many, many data privacy data protection, data, residency rules that organizations need to understand and deal with. And in fact, we have a, quite an extensive 83 page guide, which we can point you to. That gives you a nice reference for most of the data privacy laws that are out there.
So what kind of threats do organizations need to be concerned about in the past? Organizations were really con concerned about protecting the infrastructure within their data center and obviously protecting data in transit. So things like SSL and encrypted media were table stakes for these organizations, but in this cloud world, the threats are a little different. As Mike mentioned, you know, the threats and vulnerabilities to the cloud really have to do with the data that is in the clear, within the application and infrastructure layers of the cloud provider. You obviously might be concerned about the cloud provider privilege users, but also there are threats that attack, as Mike mentioned, credentials, you have forced government disclosure. Obviously the us is a major concern to European customers, but other governments also bring subpoenas for law enforcement and other reasons and want providers to, as it were cough up data that they're interested in there's issues around data breaches that are both malicious and unintentional, and you have a shared infrastructure, a multi-tenant infrastructure in these cloud provider environments. And so there can be unintentional leakage of data. And there's also the issue of APIs where each one of these providers, as I'll talk about a little later has their own ecosystem where APIs support integration with other clouds and on-premises systems and data does flow around. So you can't just assume that once you have your data in the cloud, that the provider themselves will be able to protect that data as it flows to other third party components that you're using with that cloud.
So let's look at cer card as a, just a product overview. As I, as Mike mentioned, you know, there are some key capabilities that make a CAS V the control point for, for your multi-cloud deployment. First and foremost, you need to be able to understand your shadow it environment. You need to be able to discover the use of clouds, both sanctioned and unsanctioned, and who's using them. You need to monitor the activity. You need to protect that data through encryption or tokenization. You need to be able to look at data in the cloud and understand if there's sensitive data within both structured fields like notes and description fields, but also within files. And you need to be able to protect against things like malware, because you'll, your users are gonna be uploading and, and accessing those clouds remotely, not just through the, the enterprise perimeter.
So you need to some way to be able to make sure that the cloud is not a factor for things like the viruses and things like that. In addition, organizations are, are definitely moving large categories of business applications to the cloud. So a complete TASB needs to really include the, the clouds that organizations are now adopting to, to create a, a more flexible and agile business environment. That includes things like CRM and it service management and collaboration through file sharing, but also things like HR systems and marketing analytics systems that companies are now deploying in the cloud. And also all the third party ecosystem players that are associated with these clouds. So you can see here that Salesforce has a lot of different components that customers typically use with Salesforce. The same would be true for organizations that adopt an it SM in the cloud. There might be other third party components, both on premise and in the cloud that integrate with that cloud and that where sensitive data can flow. So this is one picture where C for clouds provides both a complete capability, but also robust coverage of clouds that organizations are using today.
If you look at our platform, you know, it maps very closely to what our customers are telling us are the challenges they face. So within the visibility area here we do cloud discovery. We have thousands of clouds and our cloud knowledge base that are risk rated so that our, our customers can compare the risk profile, both from a security, privacy compliance, and infrastructure point of view for each of those clouds, we do activity monitoring of users in the clouds. You have a tremendous visibility into the, the different activities users are taking, and whether those actions are risky. And we also provide anomaly detection for things like geo anomalies, excessive downloads, et cetera. So you have that visibility capability. You also have control in the form of cloud data, loss prevention and advanced policy engine. I'll quickly show you what that looks like within our product and other compliance controls that make sure you can discover things like bank routing numbers, national ID numbers, and other things that users might inadvertently put into the cloud, and, and might not be aware that that's gonna cost some kind of compliance violation. And of course we have protection. So we do malware detection. We provide advanced encryption and tokenization, and we do this in a platform that's multimodal that allows you to protect both structured and unstructured data using the APIs of the native cloud providers, but also using an inline gateway that ensures the strictest levels of, of security and compliance for, for regulated industries.
So let's just look at a little overview of that inline gateway. So in the cypher cloud model, data is encrypted and decrypted before it leaves the cloud. So the customer always has complete control of the keys. They have complete control of where the encryption of decryption happens within their premises. And they're able to ensure that the protected data that goes into the cloud will always be protected end to end, regardless of where it flows with the cloud or with connected clouds or, or with extract transform and load processes with on premises tools like Informatica. So this approach is very robust. It ensures that for instance, if a government wants to come in and, and demand a force disclosure, they're gonna have to come to the customer and ask for the keys and the customer's not gonna have their data handed over without their knowledge. So that's, that's critically important.
If we look at the API model we're able to do on demand scans of data that already exists in the, in these major collaboration clouds and understand what kind of behavior users are undertaking and who they're sharing files with. One of the key things about file sharing is once a file is shared to the cloud is often shared again, five or six times. So if you don't have control and visibility into how that file's being shared, and who's allowed to share it and ultimately controls around encryption of that file so that users can only access that file if they're authorized to do so, then you really lost control of that file once it's put up in the cloud. So we provide API integration that is very robust and provides a cross cloud policy capability, which I'll show you that allows you to do the kinds of controls and, and create the kinds of remediation actions that enterprises need to control these cloud environments.
So let's look at a couple of use cases. We are a major provider of solutions for the Salesforce platform. We also support other clouds like the Adobe analytics marketing analytics cloud. And in this case, we have a major healthcare pharmacy retailer that is protecting Phi data health data in the Adobe analytics cloud. So let's look at how that looks. So, you know, the use case is basically, you know, in a marketing analytics deployment, the customer wants to be able to provide a more personalized experience for their customers. The data that this customer was using is it was inherently, you know, sensitive. It was covered by HIPAA high tech. And of course, as a provider of, of prescription services to millions of customers, you know, any exposure, would've been hugely reputation damaging to those, to the, this customer and to their, to their consumers. So they had some unique requirements.
They wanted to make sure that no PII data was being passed through URLs that the customer user experience was maintained and that they could maintain high volumes of, of, of service with their cloud as a, as their customers used their web application. And then they wanted, and they also make sure that their data Analyst and managers using Adobe analytics didn't lose any functionality as they were analyzing and segmenting data. So they chose Cy cloud because we had this extensible platform, we could provide them with enterprise grade encryption, and we were able to provide them with a solution that was also highly scalable. So let's look at kind of an overview of what that system looks like at a high level. So here you can see a, a user accessing the pharmacy Porwal and as they do that, they have sensitive data that's flowing through the C for cloud gateway is getting encrypted. In addition, as the data's getting collected in the Adobe analytics cloud sensitive information is being scrubbed from the public URL. So that there's no, there's no point of leakage for that data.
As data is consumed by people within the organization, they're able to access the Clearex data. If they're authorized, do the, all the ad hoc analysis, segmentation and other reporting they need to do. And that same data can be integrated with ecosystem components that most customers would be using with that Adobe analytics cloud, including tag management, data warehousing and single sign on. So you, you see that the picture of being able to sort of in 360 degrees support a major cloud is not just encrypting the data as it goes up, but supporting this complex ecosystem for, for the customer. Another major use case is a global investment bank, and they're sharing client advisory information, and they're using a, a box in this case as a public cloud. And they of course wanna do this with, with clients that they serve in many countries. In this case, you have, you know, files that are being shared in Salesforce and box.
They're trying to address privacy and financial regulations. And of course they want to make sure that, that they don't experience any data loss. If someone loses their device or has their device stolen, and they ask you unique requirements, they want to be able to have very flexible deal P policies and remediation options. And they also wanted ensure that, that the data that users are accessing remotely is protected, persist, persistently down to the mobile endpoint. So that's critically important for this customer. And they also have, you know, a variety of endpoint and mobile devices they want to support. So I'll show you a little bit about what that looks like. So what we supplied to them was a policy based encryption approach, which scans files in folders, and also controls who can actually access folders. And when sensitive data is found, that sensitive information is encrypted and authorized users can access it on their mobile devices here, you see the CEO sharing a file with the CSO, but if there were the unauthorized user attempting to access that file, of course, all they get is undecidable the text.
They would not be able to read that file. So that's kind of the, the policy policy based encryption approach using data loss prevention scans to and compliance scans to ensure that data in the cloud is protected. There are many compliance approaches, and of course all these different compliance approaches need flexible remediation actions. So you need to be able to have these policy options where you can determine who can share sensitive data, what they can share, where they can share it, who they can can share it with. And then if there's a violation or sensitive data is found, what kind of action do you wanna take? So within our model, you have the flexibility to really determine any kind of flexible policy that you wanna set up for the various types of sensitive data that you're trying to control within your clouds.
So let's just quickly look at what that looks like in our product. So here you see SIOR clouds console, and of course, we can give you a much more extensive demo if you like, but today we're gonna focus on just the, the, the, the file protection aspects of it. You can see, we have very extensive dashboards for policy violations, activity, monitoring, privilege, user, and, and anomaly detection. And you can see that we, we can look at how different clouds have, and violations have been remediated. And we also have our policy section, which allows you to set up cross cloud policies for, of course, scanning and removing files with malware, looking at individual clouds and, and possibly quarantining certain types of data. In this case, we have a policy that quarantines data.
If credit, if a, excuse me, if a social security number is found, and in this case, you can see the context and you can see that for these box clouds, these various instances of box, we're gonna quarantine a file. We're gonna set up a marker file, and we're gonna also control which groups are allowed to access that file. So again, very flexible approach to being able to control who can access that file and, and whether or not it gets encrypted or deleted or, or quarantined. Again, we have another policy here where we encrypt the credit card file a file containing credit cards, and you can see the context and the rules for this particular file are that within any cloud, if, if a credit card is found, we're gonna encrypt it. And we're gonna send an email notification to, to the administrator, to the security administrator that someone has uploaded a file containing credit card numbers.
So let's look at what that looks like within box and Salesforce here, you see the file that had the social security numbers. It was scanned, and a micro file was placed in that same folder, letting the user know that they've uploaded a file that violated a policy. And that's why their file is no longer there. In addition, the credit card file has been encrypted and of course, authorized users can still look at this file so they can go through the Cy cloud client. And of course you can see that the client decrypts the file. And you can see that indeed it did create, it did contain credit card numbers, and they can also of course do the same action remotely on their devices. Let me just, let me just bring up my little reflector application here and we'll look at my device. So here you can see the cipher cloud client, and it will also protect files down to this remote endpoint in this case, an iPhone. And you can then see the, the marker file that was placed in the box folder. And also we can decrypt the file containing credit card numbers. And here you see the same file containing credit card numbers. And of course we have similar clients for Android and windows systems as well. So that's my short demonstration. Of course, if you wanted to have more details on other capabilities of our product, we'd be happy to show them to you.
And then we just close by saying C for cloud has hundreds of customers over the globe, and in many regulated industries, including healthcare, financial services, aerospace, and defense, retail, and pharmaceutical, and we would be happy to talk to you about your needs for multi-cloud control and compliance and helping you with your cloud governance strategy. And now we'd be happy to take some questions.
Okay. Thanks very much. Indeed, Dave, for that very interesting talk and your heroic demonstration. Okay. So we now have an opportunity for questions, and if there are any participants that would like to ask questions, please will they use the tool that comes with, go to webinar to ask the questions and I will pass them on Dave, or try to answer them myself. So while we're waiting for people to raise questions, then what we can do is I will, I will ask a couple of questions. So I think the first question that nearly everybody wants to know the answer to is how you manage to retain the functionality of the cloud services when the data is encrypted. So I don't know if you are able to give us some insight into that, Dave.
Sure. So CYF cloud has been a pioneer in this space for many years and a lot of our intellectual property and patents are around preserving capabilities around encrypted data in the cloud. So we are able to provide our customers with a variety of encryption and tokenization methods that preserve searching, sorting, filtering, preserving the things like charting within cloud applications like Salesforce, making sure that you can still maintain workflows that include encrypted data in clouds like ServiceNow. So we are able to do that through techniques like format, preserving encryption, searchable encryption, and also using techniques like partial field encryption, where the parts of the data that need to be maintained for processing can be in the clear.
Okay. Okay. Now, one of the, the techniques that you use is tokenization. Would you like to talk about that? Some people have said that tokenization introduces a problem with there being another database that needs maintaining.
So I know for us, it's, it's a, it's a trade off. It's a, it's about a specific organization's compliance and security needs. So we've found that many organizations prefer tokenization, cuz they feel that it is more in line with the data residency regulations that they're trying to certify against. So having the data within the database is important within our system, the data is still protected with encryption within the database. So we see them as it's a little bit of a, an art and a science, as far as choosing which type of protection method you, you might choose within our platform, you can mix and match tokenization and encryption method. So you can have some fields tokenized, other fields encrypted, and you can make those choices based on both your data processing needs, but also your compliance requirements.
Okay? Okay. So now we're getting some questions from the in fact we seem to have a lot of questions coming in. So I'm going to try and start from, from the beginning, does C for cloud support, Google analytics, like Adobe analytics.
We currently don't support that cloud, but we support the wave analytics within the Salesforce family of clouds and we support Adobe analytics. And of course we're, we have an extensible architecture that enables us to add new clouds. So one of the advantages of a CASB platform is having the platform itself, gives you the ability to add new clouds as those become relevant for your organization. And of course we're always supporting new clouds as, as we go along here.
Okay. Thank you. And now another question is, is office 365 and SharePoint supported. CipherCloud working as proxy between enterprise user and cloud vendor.
So for the API mode, we support SharePoint in one drive and other file collaboration, clouds like box Dropbox, Google drive, and, and clouds like Evernote. And we also support SharePoint online. So those are the clouds that we support through the API mode. The clouds that we support through our inline gateway or proxy mode would be clouds like Adobe analytics, Salesforce, ServiceNow, SAP success factors. And of course, some of them we support through both modes like Salesforce. So just depending on the cloud you're using, you would be able to use both the inline gateway and the API mode.
Okay. Thank you. Now there's a number of questions which come from different people, but more or less say the same thing which are asking is the CipherCloud DLP superior to other DLPs by being integrated with CipherCloud. Would you like to comment on what sets out your DLP?
So we do have a very extensive capability for compliance, scanning and DLP for clouds. And we have very granular policies for all sorts of regulated data. As I mentioned, financial account numbers like swift and, and bank routing codes, as well as national ID numbers, including many national ID formats from around the globe, UK national ID numbers, German national ID numbers, social security numbers, et cetera. But we, we also integrate with enterprise on premises, DLP recognizing that our enterprise customers have existing policies that they might wanna leverage and they're already using. So you can do both. You can have as a first pass compliance, scan a scan in the cloud, and you can still check those same, that same content against the policies you have in your enterprise. D O P we integrate by ICAP with those major enterprise DLP products like Symantec and others.
Okay. So you just answered another specific question about Symantec, but you, you integrate with anything that uses this ICAP interface. Okay. Now I, I'm not sure I understand this, but maybe this was a follow on from a previous question. Do you require SSL, TLS termination? Well, do you, do you have any comment on that, Dave,
That may be a little deeper than my technical scope, but it's certainly a question we can, we can answer offline and we can get one of our, our sales engineers to,
To, so the questions that have come via the question and answer system will be sent to you with the people that details of the people that ask the question. So if you've asked a question and we haven't answered it, there's an opportunity for, to be answered subsequently. So let's see another specific question that, that, that I've got, which is what can you do to help with GDPR specifically, because this is something that's on so many people's minds at the moment it's worth taking a moment out to just focus on what cipher cloud can do to help organizations comply with GDPR.
So as we understand GDPR today, part of the requirements require that data, the resident within a country or within the EU, and that there be also a number of different controls around the data so that the data in essentially remains anonymized. So you can achieve that through both encryption and tokenization, you can prevent the Clearex data from leaving your region or country, and you could also mitigate the risk of a, a, a breach notification. As a lot of people are aware for the first time in most European countries, GDPR will introduce the I, the notion which we've had in the us for a long time of breach notification. And of course there's a, a good deal of thought out there that if your data is, is, is in decipherable, that your protected from some of these breach notification requirements, because the clear text data hasn't been hasn't been lost.
Okay. Well, thank you very much for that, Dave. I think we're now coming to the end of this, this webinar. I don't see any more questions on the question and answer system. So I think with that, it's just for me to say thank you very much, Dave, for such an interesting presentation and demonstration, and thank you to all the participants for taking the time to listen to this. And I wish you all a very nice rest of your day whenever you are. So thank you very much, everyone. Good afternoon.
So during this webinar, you, the audience are all muted. You can ask questions by using the question widget, which is on the screen. And if you, if you have a question you can type them in and I will be moderating those questions and helping to find a good response at the end of the webinar, the webinar will take place in two parts, followed by a question and answer session. And in part one, I'm going to describe the challenges that cloud services pose. And in part two, Dave Bour cipher cloud will demonstrate the capabilities of cipher cloud's cloud access security broker solution, including a set of case studies, as well as a live demonstration of his product. So let's now look at what is leading to all of this. And in Kuppinger Cole's view the change in the technology, which is brought about by the interconnection of nearly every everyone and everything together with the increases in computer power are leading organizations to strive to find a digital transformation.
And this is being driven by the need to improve your services in the face of a, a highly competitive landscape, and also to meet with the ever-changing landscape for regulations. And not only that, but the, the movement from products being simply things into products, including lots of services that surround them. And in order to do that, you need three things, which is agility, flexibility in the organization, as well as innovation. And all of those things are coming to, to fruition, if you will, through the use of cloud services. So cloud services are one of the fundamental technologies and services that organizations are using to achieve that flexibility in order to deal with the competition and to be able to innovate at least faster than your main competitors. Now, there are different perspectives on the use of the cloud and business, and it services tend to have a different view of what the cloud means and business tends to want the agility that I've been describing, whereas it has been used to doing it themselves and is looking for security and compliance.
So if we look at the business led view of things, what you see there is business initiatives focus on fully exploiting digital technology to transform their business in getting closer to their connected customers, using this technology, to creating innovation and innovative products based on the new technologies available to them. And their view of risk is about business risk. And that business risk includes not actually exploding the market. It's the risk of not being there together with the risk of doing it in a way which is non-compliant with all the regulations. The it view of the cloud is that it is something that can bring cost reduction that can reduce the costs of it services that it can improve the efficiency with which those services are delivered. It can be used to migrate existing applications in a way which will make them more cost effective. And to do that in a way, which is both compliant and security.
So we really should be able to deal with both of these things. And the agile connected organization should be able to get the rewards, but using cloud services, unfortunately do introduce some challenges. Now what those challenges are, has in fact changed over time that a few years ago, nearly every organization was telling me that they were worried about security. But in fact, nowadays the top issue, the top concern is one of compliance it's that organizations are now faced with this continually increasing number of laws and regulations that they need to comply with and moving to the cloud means that that compliance falls to some extent into the hand of the third party, providing the service cybersecurity is still a risk, but it's it's the, the risk has changed from the we don't trust the cloud service provided to the fact that cyber crime has grown so rapidly that that, that the criminals are even using cloud services in order to become better at being criminals.
Now, availability is another issue because in order for the cloud service to work for it, to be available to you, you need this complex infrastructure, much of which is outside of the control of the customer. And then there are things like locking due to proprietary standards and legal risks. Well, if we look at what this, this particular webinar is going to focus on, it's really going to be around security and compliance. So compliance the challenge with compliance is that in nearly every regulation and nearly every law, the organization that collects the data is the organization that remains responsible for compliance when using the service, even if mistakes and problems are raised by the processor and in Europe, as there is this upcoming general data protection regulation, which comes into force in May, 2018, which is causing a great deal of concern because the penalties for non-compliance with that regulation include penalties of up to 4% of global turnover.
And indeed the penalty can be imposed both on the, what is called the data processor as well as the data controller. So there is a lot of incentive for organizations and data processing, data processes, and cloud service providers to pay attention to this. Now that isn't the only way that data can get lost. And another concern is the concern over legal intercept of customer's data. And this has been, shall we say, increased by suspicions in Europe about the, the things that are going on in the us in order to combat terrorism and organized crime. And indeed this fire has been fueled by reports like the one in October, where it was reported that Yahoo had been scanning incoming emails on behalf of the FBI. Now Yahoo says that this is a misleading report, but nevertheless, the, the suspicions remain and they stick. And so this kind of are, these are both reasons why people are reluctant to put their data into the cloud and to try and bring more control over how the cloud is used.
So in order to achieve that, what you need is governance and governance is not about management. Management is about delivering the service governance is about making sure that the objectives that you need are met by the service that you buy. And that's kind of a little bit difficult for many it, people who have become highly qualified in how to do it themselves, but effectively, this means you need to set business goals and you need to be able to measure how those goals are being realized, using some kind of key performance indicators. And in terms of security and compliance, there are a number of risks that you need to ensure are correctly managed policy technical and legal risks. And the governance of risk is really about taking, making sure that there are management actions that reduce both the impact and the probability of these risks. And these are the kinds of things that you need to be looking at in order to improve your governance.
So organizations need to have a, a consistent process which sets a policy for cloud usage and looks at this from a perspective of business benefits. So, first of all, we can look at how governance should be dealt with in a theoretical basis, that there should be a board level view of why you are using the cloud, what the business objectives are and the policy for the use of the cloud. And I can't emphasize that too much because many organizations we talk to say, oh, we don't need a policy, but if you don't have a policy and you don't communicate to your employees, that they should not be using, yeah, they should not be using YouTube to share videos and they should not be using Dropbox to share sensitive information. Then you can hardly be surprised if they continue to do it. And those objectives lead to a view of what the security and compliance requirements would be.
And in turn for a particular use case, you can then say, what are the particular business and technical requirements together with a proper procurement process should lead to some vendors and a risk analysis of those vendors, which comes round to defining whether you're going to accept the, accept, the service, not accepted and do something else or set in place mitigating controls, which is the most likely outcome. And if you do decide upon the mitigating controls, then you need to be able to monitor the way that they are being used and make sure that they are effective. So governance is about setting the, the objectives and monitoring whether or not this works. Now, having said that that is a theoretical perspective of things. What in fact happens in reality is that many business lines of business in fact have realized the potential benefits for using the cloud.
And they just do it. They can do it based on their corporate credit card, or they do it because there is nobody stopping them to do it. And there's no policy and no procurement process they can go through. So they bypass this process and this makes it all the more important to monitor the usage of the cloud and to be able to detect that and remediate it if necessary. So this gap between theoretical and cloud governance is important, and it is in this gap that cloud access security brokers are most effective in helping to improve the cloud governance in an organization. Because what they basically do is they provide visibility by monitoring cloud uses. They provide visibility of how controls are being effective or not. And they can also indeed implement certain kinds of controls as well as provide the evidence that's needed on how you have to remediate them.
So basically we have done some considerable research into the market for cloud security access brokers, and we've identified a number of technical functionality that we believe these products should provide. And you can see this in our, in our research document here. So I'm going to summarize what these requirements are in a short set of slides. First of all, we need to look at what is needed to support compliance. And we find that many organizations say, well, you know, we are happy with the cloud because the cloud provider tells us they're doing a good job. Well, that's, that's one view of things, but can you prove it? And then they, they, the people will say to us, well, actually, we've got a contractual commitment, which is very good providing your, you've got the money to pay your lawyers to argue it in court, better than that is.
If there is independent validation. And now you will find that you will be bored by the long list of independent attestations and validations that cloud providers provide, which are important, but perhaps not sufficient validation is not as good as actually having tested it. And some, some cloud providers will tell you that they can let you have access to their testing data. But best of all is if you remain in control. So if you have your own controls, which can provide an overarching confirmation that, you know, what's going on, then you can be most satisfied and most assured that you are compliant. And so the first of these controls is to be able to detect which clouds are being used and who is using them. And that might sound a simple thing, but it's not because being able to know which cloud services in use involves keeping up to date with the tens of thousands of cloud services that exist.
And it's no mean feat, just to keep up with that, then you need to be able to integrate your technology with your existing user databases, to be able to relate what's going on, on, on the cloud to people in your organization. Otherwise you go, somebody somewhere is using it, but you can't do anything about it because you can't find who it is. And ideally you also need to have some kind of a view of the risk associated with those cloud services that are being used. There are many, many very well, very well governed cloud services that are provided, but as with all of these booming markets, there is an op an awful opportunity for the Charlas as well. So detecting cloud use is, is an important first step. Then you really need to have a way of implementing access control and that access control should be able to allow you to control which org, which, which people in the organization can access which cloud services and in what way, and from which devices.
And again, this is in another significant challenge because of, of, of the many dimensions that, that evolves. So again, cloud access security brokers really need to be able to bring this to where now, in addition to that, as well as being able to control access, you need to be able to protect what is being put into the cloud. And one of the strongest ways of protecting that data is to encrypt it. One, one thing you can do is you can detect which kinds of data being put in there. So there is a need for an extension to data, leak, data leakage prevention tools, to be able to be specifically sensitive to data that's moving to the cloud. But once data has been moved into the cloud, you need to find a way of encrypting it in a way where you retain access to the keys.
Now, many cloud providers will tell you that they encrypt the data, but they actually have control of the keys. So the suspicious minded amongst us think there are risks where it is possible that staff of the cloud service provider could illegitimately access it, or that the cloud service provider could be required by law to make access to, to the data, to some legal agency. If you've got the keys, then that legal agency has to come to you. And that's a big benefit. And this also is a benefit when it comes to protecting against cyber crime, because many of the cyber crimes in involve the exfiltration of your data. And if that data is encrypted, then at least you have one level of protection against it. But the other challenge is that nowadays most of the cyber crime involves managing to masquerade through hijacked accounts or whatever as legitimate users.
And so whether your data is in the cloud or on premise, the most likely way of being able to detect that, that is happening is through monitoring the usage and looking for anomalies. And so being able to know who is using the nature in the cloud, for what purpose, and to find anomalies, that is almost certainly the best way to do it. So in summary cloud is here to stay. Cloud is essential to providing business agility, but in order to get the best outta cloud and to do it in a compliant way, you need governance and cloud access security providers are a very important and useful too, to supporting that. So cloud governance needs policy and objectives, which understand the security and requirements, the security and compliance requirements of the data processing that you are doing. And cloud access security brokers are able to monitor what's going on, control, access, and protect data in the cloud. So with that, I'll say, thank you for your attention. And we'll now pass the presentation over to Dave Berman, or CipherCloud over to you, Dave.
Thank you, Mike. I'm just gonna throw up my slides here and, and get started. So a great overview of the governance and really the legal and compliance considerations that our customers are also struggling with. I'm gonna go through basically some of the core business challenges and compliance challenges that we're hearing from our customers, and then give you an overview of our platform and, and basically delve into those technical controls that Mike talked about during his remarks. So let's get started three business ch challenges that we constantly hear from our customers are that as they migrate to the cloud, they're really losing visibility of the kinds of sensitive and regulated data that is under compliance. And also that they want to secure that would, that would lead to reputation, damaging data breaches and the like, so certainly visibility and understanding what's going on with shadow it in their environment is critical as Mike had pointed out, but also being able to enforce controls on clouds, that they are sanctioning their businesses to use.
And they want to be able to ensure compliance. They don't wanna say no to everything, just blocking everything for customers nowadays is not the answer. So they really want to be able to control and enforce policies across clouds. They want to be able to do that in a consistent way. And of course they want to be able to protect the data. In the end, the data is the asset that the customers, our customers are concerned about. It. They have a data-centric view of what it means to mitigate their risk in the cloud. And of course you could have lots of monitoring and controls, which we provide, but in the end, if you don't have some basic capabilities or methods like encryption and tokenization to protect the data, you're, you're at risk of having that data exfil traded in the clear as Mike mentioned. So what does that compliance environment look like?
Our org, our customers are organizations that are multinational and often global, but even if they're doing business primarily in the us, they may actually have some compliance challenges across us states or even with European law, if they have partners in Europe. So, as Mike mentioned, you know, cloud providers have data all over the world and the data centers really, although you can have regions and you can have data centers that are located in certain countries, data typically flows in a cloud provider environment across national boundaries. And those compliance rules that Mike was talking about really talked to data, residency data privacy for each country, and they can be different for each country. There will be some consistency across the EU, as the GDPR comes into effect, but you can see there's many, many, many data privacy data protection, data, residency rules that organizations need to understand and deal with. And in fact, we have a, quite an extensive 83 page guide, which we can point you to. That gives you a nice reference for most of the data privacy laws that are out there.
So what kind of threats do organizations need to be concerned about in the past? Organizations were really con concerned about protecting the infrastructure within their data center and obviously protecting data in transit. So things like SSL and encrypted media were table stakes for these organizations, but in this cloud world, the threats are a little different. As Mike mentioned, you know, the threats and vulnerabilities to the cloud really have to do with the data that is in the clear, within the application and infrastructure layers of the cloud provider. You obviously might be concerned about the cloud provider privilege users, but also there are threats that attack, as Mike mentioned, credentials, you have forced government disclosure. Obviously the us is a major concern to European customers, but other governments also bring subpoenas for law enforcement and other reasons and want providers to, as it were cough up data that they're interested in there's issues around data breaches that are both malicious and unintentional, and you have a shared infrastructure, a multi-tenant infrastructure in these cloud provider environments. And so there can be unintentional leakage of data. And there's also the issue of APIs where each one of these providers, as I'll talk about a little later has their own ecosystem where APIs support integration with other clouds and on-premises systems and data does flow around. So you can't just assume that once you have your data in the cloud, that the provider themselves will be able to protect that data as it flows to other third party components that you're using with that cloud.
So let's look at cer card as a, just a product overview. As I, as Mike mentioned, you know, there are some key capabilities that make a CAS V the control point for, for your multi-cloud deployment. First and foremost, you need to be able to understand your shadow it environment. You need to be able to discover the use of clouds, both sanctioned and unsanctioned, and who's using them. You need to monitor the activity. You need to protect that data through encryption or tokenization. You need to be able to look at data in the cloud and understand if there's sensitive data within both structured fields like notes and description fields, but also within files. And you need to be able to protect against things like malware, because you'll, your users are gonna be uploading and, and accessing those clouds remotely, not just through the, the enterprise perimeter.
So you need to some way to be able to make sure that the cloud is not a factor for things like the viruses and things like that. In addition, organizations are, are definitely moving large categories of business applications to the cloud. So a complete TASB needs to really include the, the clouds that organizations are now adopting to, to create a, a more flexible and agile business environment. That includes things like CRM and it service management and collaboration through file sharing, but also things like HR systems and marketing analytics systems that companies are now deploying in the cloud. And also all the third party ecosystem players that are associated with these clouds. So you can see here that Salesforce has a lot of different components that customers typically use with Salesforce. The same would be true for organizations that adopt an it SM in the cloud. There might be other third party components, both on premise and in the cloud that integrate with that cloud and that where sensitive data can flow. So this is one picture where C for clouds provides both a complete capability, but also robust coverage of clouds that organizations are using today.
If you look at our platform, you know, it maps very closely to what our customers are telling us are the challenges they face. So within the visibility area here we do cloud discovery. We have thousands of clouds and our cloud knowledge base that are risk rated so that our, our customers can compare the risk profile, both from a security, privacy compliance, and infrastructure point of view for each of those clouds, we do activity monitoring of users in the clouds. You have a tremendous visibility into the, the different activities users are taking, and whether those actions are risky. And we also provide anomaly detection for things like geo anomalies, excessive downloads, et cetera. So you have that visibility capability. You also have control in the form of cloud data, loss prevention and advanced policy engine. I'll quickly show you what that looks like within our product and other compliance controls that make sure you can discover things like bank routing numbers, national ID numbers, and other things that users might inadvertently put into the cloud, and, and might not be aware that that's gonna cost some kind of compliance violation. And of course we have protection. So we do malware detection. We provide advanced encryption and tokenization, and we do this in a platform that's multimodal that allows you to protect both structured and unstructured data using the APIs of the native cloud providers, but also using an inline gateway that ensures the strictest levels of, of security and compliance for, for regulated industries.
So let's just look at a little overview of that inline gateway. So in the cypher cloud model, data is encrypted and decrypted before it leaves the cloud. So the customer always has complete control of the keys. They have complete control of where the encryption of decryption happens within their premises. And they're able to ensure that the protected data that goes into the cloud will always be protected end to end, regardless of where it flows with the cloud or with connected clouds or, or with extract transform and load processes with on premises tools like Informatica. So this approach is very robust. It ensures that for instance, if a government wants to come in and, and demand a force disclosure, they're gonna have to come to the customer and ask for the keys and the customer's not gonna have their data handed over without their knowledge. So that's, that's critically important.
If we look at the API model we're able to do on demand scans of data that already exists in the, in these major collaboration clouds and understand what kind of behavior users are undertaking and who they're sharing files with. One of the key things about file sharing is once a file is shared to the cloud is often shared again, five or six times. So if you don't have control and visibility into how that file's being shared, and who's allowed to share it and ultimately controls around encryption of that file so that users can only access that file if they're authorized to do so, then you really lost control of that file once it's put up in the cloud. So we provide API integration that is very robust and provides a cross cloud policy capability, which I'll show you that allows you to do the kinds of controls and, and create the kinds of remediation actions that enterprises need to control these cloud environments.
So let's look at a couple of use cases. We are a major provider of solutions for the Salesforce platform. We also support other clouds like the Adobe analytics marketing analytics cloud. And in this case, we have a major healthcare pharmacy retailer that is protecting Phi data health data in the Adobe analytics cloud. So let's look at how that looks. So, you know, the use case is basically, you know, in a marketing analytics deployment, the customer wants to be able to provide a more personalized experience for their customers. The data that this customer was using is it was inherently, you know, sensitive. It was covered by HIPAA high tech. And of course, as a provider of, of prescription services to millions of customers, you know, any exposure, would've been hugely reputation damaging to those, to the, this customer and to their, to their consumers. So they had some unique requirements.
They wanted to make sure that no PII data was being passed through URLs that the customer user experience was maintained and that they could maintain high volumes of, of, of service with their cloud as a, as their customers used their web application. And then they wanted, and they also make sure that their data Analyst and managers using Adobe analytics didn't lose any functionality as they were analyzing and segmenting data. So they chose Cy cloud because we had this extensible platform, we could provide them with enterprise grade encryption, and we were able to provide them with a solution that was also highly scalable. So let's look at kind of an overview of what that system looks like at a high level. So here you can see a, a user accessing the pharmacy Porwal and as they do that, they have sensitive data that's flowing through the C for cloud gateway is getting encrypted. In addition, as the data's getting collected in the Adobe analytics cloud sensitive information is being scrubbed from the public URL. So that there's no, there's no point of leakage for that data.
As data is consumed by people within the organization, they're able to access the Clearex data. If they're authorized, do the, all the ad hoc analysis, segmentation and other reporting they need to do. And that same data can be integrated with ecosystem components that most customers would be using with that Adobe analytics cloud, including tag management, data warehousing and single sign on. So you, you see that the picture of being able to sort of in 360 degrees support a major cloud is not just encrypting the data as it goes up, but supporting this complex ecosystem for, for the customer. Another major use case is a global investment bank, and they're sharing client advisory information, and they're using a, a box in this case as a public cloud. And they of course wanna do this with, with clients that they serve in many countries. In this case, you have, you know, files that are being shared in Salesforce and box.
They're trying to address privacy and financial regulations. And of course they want to make sure that, that they don't experience any data loss. If someone loses their device or has their device stolen, and they ask you unique requirements, they want to be able to have very flexible deal P policies and remediation options. And they also wanted ensure that, that the data that users are accessing remotely is protected, persist, persistently down to the mobile endpoint. So that's critically important for this customer. And they also have, you know, a variety of endpoint and mobile devices they want to support. So I'll show you a little bit about what that looks like. So what we supplied to them was a policy based encryption approach, which scans files in folders, and also controls who can actually access folders. And when sensitive data is found, that sensitive information is encrypted and authorized users can access it on their mobile devices here, you see the CEO sharing a file with the CSO, but if there were the unauthorized user attempting to access that file, of course, all they get is undecidable the text.
They would not be able to read that file. So that's kind of the, the policy policy based encryption approach using data loss prevention scans to and compliance scans to ensure that data in the cloud is protected. There are many compliance approaches, and of course all these different compliance approaches need flexible remediation actions. So you need to be able to have these policy options where you can determine who can share sensitive data, what they can share, where they can share it, who they can can share it with. And then if there's a violation or sensitive data is found, what kind of action do you wanna take? So within our model, you have the flexibility to really determine any kind of flexible policy that you wanna set up for the various types of sensitive data that you're trying to control within your clouds.
So let's just quickly look at what that looks like in our product. So here you see SIOR clouds console, and of course, we can give you a much more extensive demo if you like, but today we're gonna focus on just the, the, the, the file protection aspects of it. You can see, we have very extensive dashboards for policy violations, activity, monitoring, privilege, user, and, and anomaly detection. And you can see that we, we can look at how different clouds have, and violations have been remediated. And we also have our policy section, which allows you to set up cross cloud policies for, of course, scanning and removing files with malware, looking at individual clouds and, and possibly quarantining certain types of data. In this case, we have a policy that quarantines data.
If credit, if a, excuse me, if a social security number is found, and in this case, you can see the context and you can see that for these box clouds, these various instances of box, we're gonna quarantine a file. We're gonna set up a marker file, and we're gonna also control which groups are allowed to access that file. So again, very flexible approach to being able to control who can access that file and, and whether or not it gets encrypted or deleted or, or quarantined. Again, we have another policy here where we encrypt the credit card file a file containing credit cards, and you can see the context and the rules for this particular file are that within any cloud, if, if a credit card is found, we're gonna encrypt it. And we're gonna send an email notification to, to the administrator, to the security administrator that someone has uploaded a file containing credit card numbers.
So let's look at what that looks like within box and Salesforce here, you see the file that had the social security numbers. It was scanned, and a micro file was placed in that same folder, letting the user know that they've uploaded a file that violated a policy. And that's why their file is no longer there. In addition, the credit card file has been encrypted and of course, authorized users can still look at this file so they can go through the Cy cloud client. And of course you can see that the client decrypts the file. And you can see that indeed it did create, it did contain credit card numbers, and they can also of course do the same action remotely on their devices. Let me just, let me just bring up my little reflector application here and we'll look at my device. So here you can see the cipher cloud client, and it will also protect files down to this remote endpoint in this case, an iPhone. And you can then see the, the marker file that was placed in the box folder. And also we can decrypt the file containing credit card numbers. And here you see the same file containing credit card numbers. And of course we have similar clients for Android and windows systems as well. So that's my short demonstration. Of course, if you wanted to have more details on other capabilities of our product, we'd be happy to show them to you.
And then we just close by saying C for cloud has hundreds of customers over the globe, and in many regulated industries, including healthcare, financial services, aerospace, and defense, retail, and pharmaceutical, and we would be happy to talk to you about your needs for multi-cloud control and compliance and helping you with your cloud governance strategy. And now we'd be happy to take some questions.
Okay. Thanks very much. Indeed, Dave, for that very interesting talk and your heroic demonstration. Okay. So we now have an opportunity for questions, and if there are any participants that would like to ask questions, please will they use the tool that comes with, go to webinar to ask the questions and I will pass them on Dave, or try to answer them myself. So while we're waiting for people to raise questions, then what we can do is I will, I will ask a couple of questions. So I think the first question that nearly everybody wants to know the answer to is how you manage to retain the functionality of the cloud services when the data is encrypted. So I don't know if you are able to give us some insight into that, Dave.
Sure. So CYF cloud has been a pioneer in this space for many years and a lot of our intellectual property and patents are around preserving capabilities around encrypted data in the cloud. So we are able to provide our customers with a variety of encryption and tokenization methods that preserve searching, sorting, filtering, preserving the things like charting within cloud applications like Salesforce, making sure that you can still maintain workflows that include encrypted data in clouds like ServiceNow. So we are able to do that through techniques like format, preserving encryption, searchable encryption, and also using techniques like partial field encryption, where the parts of the data that need to be maintained for processing can be in the clear.
Okay. Okay. Now, one of the, the techniques that you use is tokenization. Would you like to talk about that? Some people have said that tokenization introduces a problem with there being another database that needs maintaining.
So I know for us, it's, it's a, it's a trade off. It's a, it's about a specific organization's compliance and security needs. So we've found that many organizations prefer tokenization, cuz they feel that it is more in line with the data residency regulations that they're trying to certify against. So having the data within the database is important within our system, the data is still protected with encryption within the database. So we see them as it's a little bit of a, an art and a science, as far as choosing which type of protection method you, you might choose within our platform, you can mix and match tokenization and encryption method. So you can have some fields tokenized, other fields encrypted, and you can make those choices based on both your data processing needs, but also your compliance requirements.
Okay? Okay. So now we're getting some questions from the in fact we seem to have a lot of questions coming in. So I'm going to try and start from, from the beginning, does C for cloud support, Google analytics, like Adobe analytics.
We currently don't support that cloud, but we support the wave analytics within the Salesforce family of clouds and we support Adobe analytics. And of course we're, we have an extensible architecture that enables us to add new clouds. So one of the advantages of a CASB platform is having the platform itself, gives you the ability to add new clouds as those become relevant for your organization. And of course we're always supporting new clouds as, as we go along here.
Okay. Thank you. And now another question is, is office 365 and SharePoint supported. CipherCloud working as proxy between enterprise user and cloud vendor.
So for the API mode, we support SharePoint in one drive and other file collaboration, clouds like box Dropbox, Google drive, and, and clouds like Evernote. And we also support SharePoint online. So those are the clouds that we support through the API mode. The clouds that we support through our inline gateway or proxy mode would be clouds like Adobe analytics, Salesforce, ServiceNow, SAP success factors. And of course, some of them we support through both modes like Salesforce. So just depending on the cloud you're using, you would be able to use both the inline gateway and the API mode.
Okay. Thank you. Now there's a number of questions which come from different people, but more or less say the same thing which are asking is the CipherCloud DLP superior to other DLPs by being integrated with CipherCloud. Would you like to comment on what sets out your DLP?
So we do have a very extensive capability for compliance, scanning and DLP for clouds. And we have very granular policies for all sorts of regulated data. As I mentioned, financial account numbers like swift and, and bank routing codes, as well as national ID numbers, including many national ID formats from around the globe, UK national ID numbers, German national ID numbers, social security numbers, et cetera. But we, we also integrate with enterprise on premises, DLP recognizing that our enterprise customers have existing policies that they might wanna leverage and they're already using. So you can do both. You can have as a first pass compliance, scan a scan in the cloud, and you can still check those same, that same content against the policies you have in your enterprise. D O P we integrate by ICAP with those major enterprise DLP products like Symantec and others.
Okay. So you just answered another specific question about Symantec, but you, you integrate with anything that uses this ICAP interface. Okay. Now I, I'm not sure I understand this, but maybe this was a follow on from a previous question. Do you require SSL, TLS termination? Well, do you, do you have any comment on that, Dave,
That may be a little deeper than my technical scope, but it's certainly a question we can, we can answer offline and we can get one of our, our sales engineers to,
To, so the questions that have come via the question and answer system will be sent to you with the people that details of the people that ask the question. So if you've asked a question and we haven't answered it, there's an opportunity for, to be answered subsequently. So let's see another specific question that, that, that I've got, which is what can you do to help with GDPR specifically, because this is something that's on so many people's minds at the moment it's worth taking a moment out to just focus on what cipher cloud can do to help organizations comply with GDPR.
So as we understand GDPR today, part of the requirements require that data, the resident within a country or within the EU, and that there be also a number of different controls around the data so that the data in essentially remains anonymized. So you can achieve that through both encryption and tokenization, you can prevent the Clearex data from leaving your region or country, and you could also mitigate the risk of a, a, a breach notification. As a lot of people are aware for the first time in most European countries, GDPR will introduce the I, the notion which we've had in the us for a long time of breach notification. And of course there's a, a good deal of thought out there that if your data is, is, is in decipherable, that your protected from some of these breach notification requirements, because the clear text data hasn't been hasn't been lost.
Okay. Well, thank you very much for that, Dave. I think we're now coming to the end of this, this webinar. I don't see any more questions on the question and answer system. So I think with that, it's just for me to say thank you very much, Dave, for such an interesting presentation and demonstration, and thank you to all the participants for taking the time to listen to this. And I wish you all a very nice rest of your day whenever you are. So thank you very much, everyone. Good afternoon.
Stay Connected
Related Videos
How can we help you