perspec sys knowledge_series__solving_privacy_residency_and_security
DESCRIPTION
TRANSCRIPT
PerpecSys Inc. ©2012. All rights reserved.
Solving Privacy,
Residency and Security
in the Cloud
THE PERSPECSYS KNOWLEDGE SERIES
PerpecSys Inc. ©2012. All rights reserved.
Data Compliance and the Enterprise
Cloud Computing is generating an incredible amount of excitement and interest from companies of
every size, across every business category. It is the most transformative technology in decades and
heralds an evolution in computing that has virtually every analyst group declaring that Cloud Computing
is the new computing paradigm. In response to concerns about information access and usage, by both
public and private corporations, Cloud Computing has spawned an entirely new body of law, generated
new policies, created new standards, and raised new concerns.
Whether government imposed regulations within a given jurisdiction like the Patriot Act, PIPEDA, or the
EU Data Protection Directive, or industry-specific regulations such as Payment Card Industry (PCI) for
retailers, HIPAA for healthcare information, or Sarbanes Oxley for enterprises, organizations must
adhere to an ever-changing set of standards, laws, and guidelines in order to safeguard their company’s
private and business sensitive data and still comply with the law.
So how can public and private sector companies leverage the enumerable and quantifiable benefits of
the cloud, while maintaining total control over their corporation’s private and business sensitive data?
Enter the Cloud
At the most basic level, the procurement of a cloud service is like any other purchase, firms must assess
the operational risk and compliance implications as they do with any other application or service.
Exposures that may be associated with a cloud service and which warrant particular attention include:
Data privacy, restrictions on access to data (whether by the organization, industry, or
government regulators)
Data residency, where the data resides
Compliance with privacy regulations across the geographies in which the service is being
employed
It is time to address the cloud’s opportunities with respect to its challenges. More specifically, the challenges the cloud represents in terms of privacy, residency and security.
The PerspecSys PRS solution is the only proven commercial solution that allows companies to run their
business applications in the cloud and store their private and business-sensitive data behind their
corporate firewall. The PerspecSys PRS solution is designed to assist those organizations that want to
leverage cloud computing, but are constrained by compliance, regulatory, political, or policy
requirements.
PerpecSys Inc. ©2012. All rights reserved.
Cloud Adoption Challenges
Organizations want to maintain control
over their data for business, political,
policy, legislative, competitive, and
technical compliance reasons.
While primarily driven by regulatory
requirements with respect to data
control, companies are also concerned
about cloud application’s ability to be
mission critical. The PerspecSys PRS
solution enables enterprise adoption by
extending the cloud application’s
Privacy, Residency, and Security
capabilities, providing support for
disaster recovery planning, backup and
recovery, access control, business
continuity, and other characteristics
that define an application as mission
critical. The PRS solution can also
address cloud adoption fears about
vendor lock-in, meeting service-level
agreements, losing control of underlying
infrastructure, having the ability to
selectively interoperate with multiple
clouds, and integrate with current in-
house applications.
Information Privacy and
Security
Most jurisdictions around the globe
have adopted some form of information
privacy regulations. Indeed, these
regulations vary from location to
location, making it very difficult to
determine which location has
jurisdiction over your data. High-end
theft of corporate information for the
purposes of identity theft have
engendered regulatory compliance
Privacy
In many cases, in order to comply with specific privacy
requirements, business-sensitive information must be
managed more stringently than non-sensitive data. As a
result, some cloud adoption strategies involve keeping
sensitive information within the enterprise (i.e. out of
the cloud), and non-sensitive information can be stored
in the cloud.
Residency
Where is the data? Who has access to it? Who controls
it? Who manages it? What laws and jurisdiction govern
it? In the current state of cloud computing law, keeping
data behind the corporate firewall is the only strategy
that can be said to guarantee which jurisdiction will
govern it. Keeping private and sensitive data in the
cloud exposes it to multiple jurisdictions for many years
to come.
Security
Since the organization is liable and culpable for any
and all data breaches, which can result in very
significant penalties, data security and risk analysis has
been a part of any systems operations compliance
policy for decades. Cloud computing requires an
additional layer of security and engenders an
additional layer of risk. Who can access your data?
How can they access it? How do you maintain control
over your business sensitive data?
PerpecSys Inc. ©2012. All rights reserved.
requirements forcing organizations to manage ’private or personal’ information in a much more secure
manner, or face the legal consequences. Most prevalent in the financial services, health care, and public
sectors, organizations must adopt stringent business processes and procedures for the management of
private and business sensitive information.
Data Residency
Going beyond information privacy and security, many jurisdictions have enacted specific legislation
regarding the location and handling of specific pieces of information. For example:
Many financial services institutions are required to have personal information (PI) always locally
resident.
Compliance requirements prohibit certain forms of information from leaving the jurisdiction
altogether.
Information cannot leave the enterprise or even the department, because information in transit
is subject to the laws of multiple jurisdictions.
Companies entrusted with healthcare, some public sector, and/or PI data are often required by
law to store and manage data locally, and guarantee that no foreign national has access to the
data.
Laws governing data residency and privacy apply to all the operations on the data, including
data backup, which often must be conducted within the enterprise, or at a minimum, within the
governing jurisdiction or boundaries defined by the specific statute. In many instances, cloud
vendors store data in one geography, but back up the data in another geography, breaking
jurisdictional compliance requirements.
With these data compliance requirements, Cloud adoption is often constrained, with some
organizations opting to only use a limited subset of the functionality, while others forgo usage of cloud-
based applications altogether.
The PerspecSys PRS Solution
The PerspecSys PRS solution is comprised of a series of software components that can be deployed with
flexible configuration options to meet a wide range of requirements.
PerspecSys PRS Server
The core of any PerspecSys PRS solution is the PerspecSys PRS Server. The PerspecSys PRS Server
provides the main privacy, residency, and security data management services. No programming is
required—the server is graphically installed and configured, designed to be run with very little
management support. Cloud application-specific requirements are supported by installing and
configuring application-specific adaptors.
PerpecSys Inc. ©2012. All rights reserved.
PerspecSys PRS Reverse Proxy Server
The PerspecSys PRS Reverse Proxy Server allows organizations with sophisticated internet access
requirements to employ reverse proxy and proxy chain strategies for cloud application access.
The PerspecSys PRS Reverse Proxy Server allows cloud application customers to further secure their
cloud application access by mitigating risks normally associated with cloud security, including phishing
attacks, unauthorized external access, and denial of service attacks.
The PerspecSys PRS Reverse Proxy Server complements cloud application access and security
configurations to ensure that only authorized users can access the cloud application from the enterprise.
When coupled with the PerspecSys PRS Server, the PerspecSys PRS Reverse Proxy Server adds a
powerful dimension to the security aspects of cloud data compliance.
PerspecSys PRS MTA Server
The PerspecSys PRS MTA Server is a Mail Transfer Agent that works in conjunction with a cloud
application’s email services. Cloud applications may allow users to directly email customers and contacts
from within the application, using standard templates, marketing campaign services, and other email-
related functionality. However, if the email address and associated contact information is considered
sensitive, this functionality typically cannot be used if the sensitive contact information is not in the
cloud application.
The PerspecSys PRS MTA Server allows the cloud application to leverage PRS services from the
PerspecSys PRS Server, thereby restoring the real email address and other sensitive information within
the email, and then forwarding the email on to the corporate email server for delivery, while not
exposing the sensitive email information to the cloud application.
The PRS MTA Server has the added benefit of ensuring that email from your organization is routed
through your own mail servers, leveraging the existing investment in corporate email security, handling
polices, and support systems such as spam filtering and virus detection.
PerpecSys Inc. ©2012. All rights reserved.
The PerspecSys PRS Solution at Work
Privacy
Sitting between the enterprise desktop browser and company’s firewall, the PerspecSys PRS solution
seamlessly intercepts the conversations between users and the cloud applications, replacing business
sensitive data with replacement data in the cloud application. As defined by the organization,
information that cannot, or should not, leave the enterprise or jurisdiction remains in a database behind
the organization’s firewall, while cloud application users experience virtually all of the functionality of
the cloud application, regardless of where the data resides.
The PerspecSys PRS solution is also capable of "encryption on the fly". Instead of storing and managing
the information locally, information is encrypted before it is sent to the Cloud application, and
decrypted on the return. The cloud application data itself, if accessed directly, would appear only as an
encrypted list of values. In this way, if the PerspecSys PRS solution or the Cloud application is ever
compromised, the attacker would not be able to piece together any usable information as it is not in any
usable format.
The key value of the PerspecSys PRS solution is the preservation of functionality, including searching,
reporting, integration, customization, and other cloud application functionality required by the
enterprise, even though the cloud application contains no sensitive data.
Residency
For Data Residency, the PerspecSys PRS solution is able to identify specific pieces of data, save them to a
local database, and send randomly generated replacement values (tokens) to the Cloud application. The
real data stays resident locally, governed by local statutes and operating under corporate policy. The
PerpecSys Inc. ©2012. All rights reserved.
Cloud application operates with the replacement information. The key point is that there is no physical
way that the real data can be derived from the token value.
The PerspecSys PRS solution allows you to categorize cloud application data into four categories:
1. Tokens
2. Sortable Tokens
3. Encrypted Values
4. Clear Text
Data, on a field-by-field basis, is protected by one of these obfuscation strategies. Users accessing the
cloud application through the PerspecSys PRS solution can perform advanced searches (wildcards
included) on the data, no matter how it was obfuscated.
Security
One optional component of the PerspecSys PRS solutions is the PerspecSys PRS Reverse Proxy Server.
The PerspecSys PRS Reverse Proxy Server ensures that only authorized access to the cloud application
occurs from the organization. When properly configured, the PerspecSys PRS Reverse Proxy Server
creates a secure authentication link between your organization and the cloud.
The PerspecSys PRS solution also extends the cloud application security model by making it finer
grained. This includes, for example,
restricting access to specific
information based on the user’s
location. This ensures compliance with
jurisdictional requirements, for
example, Swiss bank laws where
information should not leave a
particular jurisdiction. The PerspecSys
PRS solution can also extend access
controls, such as Single Sign On (SSO),
to be more flexible, especially in multi-
jurisdictional implementations of the
cloud application.
Looking forward there is little doubt that cloud computing
will play an increasingly important role for both public and
private enterprises. Organizations that employ cloud
platforms will benefit from the increased scalability,
security, and portability of their cloud-based applications.
Cloud applications will also help companies significantly
reduce time-to-market, realize substantial cost-savings and
react more quickly to changing market conditions. With
these and other benefits, cloud computing is here to stay.
If your organization really wants to leverage all the
advantages that the cloud has to offer while addressing
your privacy, residency, and security concerns, contact
PerspecSys to find out how the PRS solution can work for
you.
Contact us today to learn more.
P (905) 857-0411
PerspecSys, the PerspecSys logo and the PerspecSys Information Server\PRS Server™ logo are trademarks or registered trademarks of PerspecSys Inc.
in Canada, other countries or both. Other company images, product, and service names, may be trademarks or service marks of others. References in this
publication to PerspecSys products or services do not imply that PerspecSys intends to make them available in all countries in which PerspecSys
operates.