Keep Student information protected while improving services

CloudMask thinks differently in the secure-cloud landscape.

The education industry keeps sensitive data secure with CloudMask.

The economic value proposition of Software as a Service (SaaS) is undeniable. SaaS is disrupting industry after industry, making accessible to sole proprietors and small businesses software functionality that historically required significant investment in hardware, software, and annual maintenance fees. This, in turn, is making smaller players even more agile and efficient than they used to be, allowing them to run competitive circles around larger or laggard players.

The good news is that rich software functionality is often available for less than $100 per month, enabling high levels of business management and administrative efficiencies.

The bad news is that the tempting sky of cloud and SaaS computing is filled with thunderclouds of cybersecurity concerns. Despite the best efforts of traditional cybersecurity experts, the adoption of cloud computing has been accompanied by an ever-growing number of egregious data breaches. These breaches damage brands and drive up significant costs for investigations, notification, and identity-theft protection for clients whose personal information has drifted into malicious hands.

So, what’s going on? Why do even the largest enterprises struggle with securing their data? Wouldn’t the National Security Agency be one of the most rigorous security practitioners in the world? What leaks have we not yet detected?

One thought leader at a major global cybersecurity consultancy explained it like this: “We’re trying to examine every packet that flows across the perimeter of the network and notice IP addresses that don’t make sense. This is incredibly hard. There’s a ridiculous amount of data, and we’ve entered an age where the network no longer has clear boundaries. We really haven’t solved that problem.”

What is the problem?

The problem lies in the way traditional security thinkers have defined the problem. They’re working with a castle-and-moat metaphor, where the internal network is protected with a set of security rings. Each ring, however, has costly hardware and software searching for malevolent inbound and outbound data. But it’s like looking for needles in a haystack. And even if security experts are successful at protecting the perimeter, there is little protection against insiders (employees or others with access to the internal network).

CloudMask thinks differently.

We see the problem in simpler terms: protecting sensitive data and ensuring that only authorized users, using known devices, can see data in the clear. We’re happy to let the traditional security experts work on their perimeters, knowing that when they fail, our customers’ data remains secure. And, in contrast with products designed for big enterprises, we’ve created a solution that can be installed, configured, and afforded by small businesses without IT staff.

The SaaS Security Problem – Simplified

SaaS applications use best-practice security protocols and rely on their cloud provider to secure the infrastructure the application runs on.

One vendor explains it this way: “We ensure that your communications are secure using bank-grade 256-bit SSL encryption. All of (our) infrastructure is hosted using physically secure, managed data centers that meet the rigid SSAE 16 specifications. Geo-redundant backups are performed multiple times per day, and site security and privacy are routinely audited by respected third parties.”

By means of 256-bit SSL encryption, the connection between your browser or app and database servers is secured. When you submit a query or update, the data is encrypted as it transits the internet. Once the data reaches the data center, it is decrypted for insertion into the app’s database.

The data center itself (e.g., Amazon Web Services) has a rigorous set of security controls and protocols, meaning that only employees with the proper identification and access passwords can physically or virtually access the servers that hold the application’s data. SSAE 16 is a standard according to which data centers are audited for their degree of compliance with policy.

There are three vulnerabilities that should concern executives:

1. Anyone who tricks a user into revealing their username and password can impersonate that user and log in from any browser in the world.

Such a hacker can impersonate the user and perform administrator functions. You don’t have to be a fool to have this happen to you. Even a sophisticated user like CIA Director John Brennan has fallen prey to high school-age hackers.

2. Any insider (employee of the data center) can turn from “good” to “bad” overnight or have their credentials stolen, meaning that an authorized system administrator could access application data for malevolent purposes. Insiders don’t need to be “bad” to present a threat. They can simply be careless.

A recent report on cybersecurity suggests that less than 50 percent of organizations have adequate policies in place to mitigate insider-threat risks. The challenge here is that executives depend on their SaaS provider, which in turn relies on its cloud service providers to maintain security hygiene. That’s a lot of blind faith.

3. Governments have the desire, capacity and experience to tap into the cloud-service providers who hold the world’s data.

The problem here is manifold. On the one hand, the government can access specific information based on a warrant. On the other hand, it is an entirely different matter to access everything on an as-needed basis, under cover of National Security Letters or their equivalent. Despite its best efforts to security-screen and oversee intelligence and law enforcement operations, the government also falls prey to “trusted” staff performing unauthorized actions.

These vulnerabilities affect the firm’s liability for data breaches and its capacity to deliver on a promise of client confidentiality and privacy.

In storing sensitive personal and other data, the firm is considered a data controller. As a data controller, the firm is subject to a variety of data protection laws and regulations. Such regulations increasingly create a costly burden to notify individuals affected by data breaches and to purchase several years of identity-theft protection. Emerging European laws impose heavy fines for firms who violate data protection regulations.

Higher learning institutions are leading the way.

Increasingly, universities and other institutions of higher learning are moving their applications to the cloud. Although the rate of movement is somewhat lower than in the broader market, the trend is clearly visible.

Universities are moving to the cloud for a large number of applications, including student engagement, learning, research, inter-university collaboration and routine management of university operations.

While many educational institutions tend to be conservative about their use of technology, there is no doubt that cloud-based educational services will dominate information technology use in higher learning institutions in the years to come. When researchers studied the adoption of cloud computing in a large number of universities, they found that universities welcomed the agility, scalability and functionality that cloud computing offered them. It became clear that their own resources would not be adequate to build the capabilities that cloud computing gave them. The day is not far away when researchers will ask for 100 hours of virtual server time rather than ask for a server. In a large number of cases users are already setting up virtual servers on popular cloud-service providers. The benefits are simply too great to ignore.

Cloud security is still a major concern.

There is a very real nervousness shared by the higher learning community about cloud security, and many universities prefer private clouds to public ones. With security as their number one concern, all universities are very wary about putting any intellectual property on public clouds. This is not just about students breaking into question banks and altering marks; there are also serious issues of export control over research material and implementation of intellectual property rights (IPR). Data centers could exist outside the country, and there are serious cross-border data transfer issues, especially for institutes engaged in cutting-edge research. Institutes that violate export control and IPR laws could easily find their funding cut off and criminal charges being pressed.

Compliance costs are soaring.

A study by Vanderbilt University found that the cost of regulatory compliance in higher education was as high as 6.4% of the total operating expenditures. Research-related security compliance could go as high as 25% of the overall research expenditure, and when the cost of compliance was extrapolated to the entire education sector, the figure came to an astounding $27 billion. While this covers compliance with all federal laws, a substantial portion of it would be related to managing security of data. Therefore, it is important to understand some of the laws that govern the functions of schools and universities in the country.

There are a large number of laws that apply to educational institutions. Many of these can be infringed if data stored in the cloud is disclosed, lost or stolen. The most well-known of these, of course, is the Family Educational Rights and Privacy Act (FERPA). This law applies to all schools that receive funds from the US Department of Education. FERPA defines how student records are to be handled and what can and cannot be disclosed. An institution that does not comply with FERPA may be deprived of federal funds and even be liable to fines and monetary damages.

Other laws include the Campus Safety and Security Act (Clery Act), which requires collection and classification of crime statistics; the Drug-Free Schools and Communities Act (DFSCA), covering drug and alcohol abuse prevention; various financial aid programs; Title IX, covering sexual misconduct; the Violence Against Women Act (VAWA); and the Federal Information Security Management Act (FISMA). Growing numbers of students admitted from foreign countries will require a means to manage their admission process and visa applications. All of these management tasks can be processed in the cloud but will need to be adequately protected. There are also non-education-related laws requiring compliance. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that all medical data about student and employee health be held in accordance with HIPAA regulations.

The data-security requirements of these acts can be met only if data is encrypted completely during storage or during transmission. However, the problem occurs during data processing. Encrypted data cannot be processed unless every application is specifically rewritten to handle such data. This is simply not possible, and thus all applications decrypt data before processing it.

Where does data exposure take place?

The threat of data exposure lies in the period when data is decrypted prior to processing. A hacker could gain access to data at this vulnerable stage. The university would be forced to make a disclosure as required by law, and there would be severe consequences. Besides legal consequences, there would be a major loss of intellectual property. This fear for proprietary material is keeping cloud technology in education from being deployed at a sufficient pace.

As a result, universities are losing money.

The solution lies in a data protection mechanism that understands the various components of data and knows how to encrypt and protect them selectively so that processing of this data in a cloud-based application does not require the entire data to be decrypted. For example, if the personal details of a student were to be secured, then the rest of the data collected under the Drug Free Schools Act would no longer be sensitive data. Going case by case, a data security specialist can create a program to ensure complete security and compliance while allowing the university to use cloud-based resources.

Who is CloudMask?

CloudMask is a specialist company in the domain of data security, whether in the cloud or on premises. Using technology that CloudMask has developed itself, data is segregated into several groups. One kind of data can be encrypted; another can be masked or tokenized. Masked or tokenized data has the same format as the original data except that the original student name or Social Security Number, for example, would be replaced by a dummy value. This dummy value would allow for all processing to be carried out in the cloud, and even if there is a loss of data, there would be no repercussions because the identifying elements are masked and other elements are encrypted. In this manner, data is anonymized, and universities can now use the cloud with confidence.

When CloudMask protection is applied to data, even if an attacker has complete access to the application or database, he will not be able to obtain any data of value. In such a situation, the organization may not even have to report any loss of data because what has been stolen is, after all, encrypted gibberish.

CloudMask solutions can be deployed rapidly at very low costs. Universities will not be required to install any expensive and complex encryption gateways. Encryption starts at the PC of the user who is creating the data, and every individual element is protected as data is being keyed in. Though your university could be using any software solution, CloudMask will be able to provide protection without needing to alter the application in any way.

If you think the solution is not to use cloud, think again.

The concerns outlined above have caused many organizations to have misgivings about adopting cloud-based solutions, presuming that an on-premises solution (a server running in your office) is safer. Unfortunately, that is not the case. Your office or server room isn’t nearly as secure as an access-controlled data center.

CloudMask: a silver lining for SaaS

CloudMask addresses these vulnerabilities in a way that enables executives to immunize their firms against data breaches, differentiate by offering highly secure data management and communications, and use economical cloud services with confidence.

CloudMask can provide SaaS users with an easy-to-install browser extension that automatically masks sensitive data before it enters the 256-bit encryption channel to the data center. When that data arrives at the data center where the 256-bit protection ends, CloudMask data stays masked.

This process also works in reverse, as in the case when the user requests sensitive data. Here the masked data is double-encrypted as it moves through the secured communications channel. When it arrives in the browser, the 256-bit encryption is removed, and CloudMask seamlessly unmasks to present the data in the clear.

Alongside controlling users and their access rights, practice management account owners/administrators have the capacity to select specific fields to be masked. Not all data needs to be masked and protected, but data categorized as sensitive personal data, personally identifying, or otherwise confidential, can be selected for automated, seamless masking and unmasking.
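The selective masking described above (same-format dummy values for identifiers, as in “Who is CloudMask?”, encryption for other selected fields, everything else left in the clear) can be illustrated as follows. This is an added example, not CloudMask’s code: the field policy, the sample record, and the client-side key and token vault are assumptions made for illustration, and field values are assumed to be strings.

```javascript
// Added illustration; not CloudMask's implementation. All names are hypothetical.
const crypto = require('node:crypto');

// Assumption: a per-device key and a token vault that never leave the client.
const deviceKey = crypto.randomBytes(32);
const vault = new Map(); // token -> original value

// Fields the account administrator selected for masking (constructed sample).
const policy = { name: 'tokenize', ssn: 'tokenize', healthNote: 'encrypt' };

// Swap each letter/digit for a random one; case, length and punctuation are kept,
// so the server-side application still sees a value in the format it expects.
function tokenize(value) {
  if (!/[A-Za-z0-9]/.test(value)) throw new Error('nothing to tokenize');
  let token;
  do {
    token = value.replace(/[A-Za-z0-9]/g, (ch) => {
      if (/[0-9]/.test(ch)) return String(crypto.randomInt(10));
      const base = ch >= 'a' ? 97 : 65; // lower- or upper-case alphabet
      return String.fromCharCode(base + crypto.randomInt(26));
    });
  } while (vault.has(token) || token === value); // never collide or leak the original
  vault.set(token, value);
  return token;
}

// AES-256-GCM for fields whose format the application does not depend on.
function encryptField(value) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deviceKey, iv);
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return 'enc:' + Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(blob) {
  const raw = Buffer.from(blob.slice(4), 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', deviceKey, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28)); // tampered ciphertext makes final() throw
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Apply the per-field handler named by the policy; unlisted fields pass through.
function mapFields(record, handlers) {
  return Object.fromEntries(Object.entries(record).map(([field, value]) => {
    const fn = handlers[policy[field]];
    return [field, fn ? fn(value) : value];
  }));
}

const maskRecord = (r) => mapFields(r, { tokenize, encrypt: encryptField });
const unmaskRecord = (r) =>
  mapFields(r, { tokenize: (t) => vault.get(t) ?? t, encrypt: decryptField });

// Constructed sample record: what the server stores vs. what the user sees.
const student = { name: 'Jane Doe', ssn: '123-45-6789', program: 'Chemistry', healthNote: 'asthma' };
const sent = maskRecord(student);
console.log('stored by the SaaS application:', sent);
console.log('shown on the authorized device:', unmaskRecord(sent));
```

A session without the device key and vault can read only `program` from the stored record; the other fields come back as dummy values or ciphertext.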

From a functional perspective, CloudMask resolves the concerns that executives might have with respect to using SaaS applications:

1. Each user authorized to access the SaaS account installs a CloudMask browser extension that is activated through a simple process generating the personal, private and public keys required for the encryption process. What’s more, the extension can be installed on multiple personal devices, each of which is personalized with a private key. Thus, even if a username and password are somehow compromised, which under normal circumstances would allow anyone anywhere in the world to log into the account and see data in the clear, the unauthorized user cannot do so without access to the specific devices configured with the personalized browser extension.

2. The data stored under care of the data center remains masked while at rest or in motion. Neither the practice management SaaS vendor nor CloudMask administrators nor data center administrators have keys that can be used to unmask the data. If the data center suffers a breach (e.g., an unauthorized insider penetrates the database, or a government agency serves a National Security Letter), data the user has designated as sensitive remains protected.

3. The data stored under care of the data center is masked in such a way (“tokenization”) that anonymizes what was previously sensitive data. Thus, even if that data is stolen, it is no longer considered sensitive personal information or personally identifying information, so it no longer falls under data protection regulations or requirements. In other words, breaches of systems holding tokenized data do not trigger the costly response and remediation efforts associated with breaches of systems holding sensitive personal information.

The Technical Story

A separate e-book explains the technical details behind this process and the software that automates it, as well as describing the benefits of encrypting and tokenizing data, which we collectively refer to as “masking.” The e-book also provides a brief explanation of the well-established public/private key methods used by the encryption process.

Grounded Confidence

CloudMask is unique in having its “CloudMask engine” certified through a Common Criteria for Information Technology Security Evaluation (Common Criteria) process, which is used by twenty-six federal governments to evaluate security products for their own use.

The process of independent evaluation assesses whether a product’s functional claims live up to the way it is coded and performs. Many products claim to be “bank-grade” or “military-grade,” both of which are subjective assessments.

CloudMask is the only data-masking product capable of working with SaaS offers to achieve Common Criteria certification. More expensive competitors like Cipher Cloud and Ionic have not achieved such objective criteria. Technical advisors can access CloudMask’s Common Criteria Assessment here.

It’s easy to get started with CloudMask. Visit www.cloudmask.com