Thales Blog

No Question - Enterprises Are Using SaaS - But Concerns About Data Are High

June 17, 2016

[Figure: Rates of sensitive data use]

Enterprises today are migrating to the cloud whether there are security implications or not. But as SaaS usage grows, so too do concerns about meeting compliance, regulation and safety needs for sensitive enterprise data within SaaS environments.

  • 85 percent of enterprises report that they use sensitive data in cloud environments.
  • 53 percent use sensitive data within SaaS environments.

Why are they concerned? Enterprises struggle with being able to trust cloud providers. Increasingly, small and medium businesses feel that cloud applications are probably managed more securely than they could manage them themselves, but even so they have compliance and regulatory requirements that require limiting access to sensitive and regulated data. So the fact that the infrastructure at the cloud provider may be more secure doesn't necessarily lower their level of concern.

Larger enterprises, on the other hand, usually have the resources to operate more securely and implement best practices. But the cost equations that drive cloud adoption apply to them as well. SaaS and IaaS providers that specialize are able to offer services with a range of features, scalability and functionality unavailable to all but the largest enterprises. But larger enterprises are also driven by compliance and regulation to limit access to sensitive data, and are more worried about what they "can't see" in their cloud provider's environment. It's off their premises, mostly out of their control and a growing concern.

Concerns are high across the board. Here's what the results were from our survey behind the 2016 Vormetric Data Threat Report:

[Figure: Enterprise concerns with SaaS and cloud adoption]

SaaS environments are a special problem. In IaaS and PaaS environments, control over the virtual machines, containers, applications and OSes that make up the implementation makes it easier to add data protections that guard against a breach or incident at the cloud provider and meet compliance requirements for access to data. But for SaaS, the application is like a black box to the enterprise. They only get to use the interfaces and information, and don't have visibility or control over the underlying infrastructure.

Here's what enterprises said would allow them to use more cloud resources:

[Figure: Increasing cloud adoption]

At first we had what I'll call "half-way" solutions to this problem: solutions that encrypted or tokenized data before it entered the SaaS environment. The problem? Lots of business functionality in the SaaS environment stopped working. If you've replaced a name with an encrypted block, it won't show up in searches, sort correctly or be available for other analysis, for instance. These "half-way" solutions proved to be only a stopgap for organizations with no other choices.
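The loss of functionality described above can be reproduced in a few lines. This is an added example, not code from the original post or from any vendor it names; the `Gateway` class, its key and the sample names are constructed for illustration. It runs the SaaS-side search and sort against plaintext, random tokens and keyed deterministic tokens.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: the "last name" column of a SaaS contact list.
NAMES = ["Alvarez", "Baker", "Barnes", "Chen", "Dubois", "Evans",
         "Baker", "Fischer", "Garcia", "Haddad", "Ito", "Jones"]

class Gateway:
    """Hypothetical proxy that rewrites a field before it reaches the SaaS app."""

    def __init__(self, mode, key=b"constructed-demo-key"):
        self.mode = mode      # "plain", "random" or "hmac"
        self.key = key        # assumed demo key, used only in "hmac" mode
        self.vault = {}       # token -> original value, held only by the gateway

    def protect(self, value):
        if self.mode == "plain":
            token = value
        elif self.mode == "random":
            token = secrets.token_hex(8)       # fresh token on every call
        else:
            mac = hmac.new(self.key, value.encode(), hashlib.sha256)
            token = mac.hexdigest()[:16]       # same value always gives same token
        self.vault[token] = value
        return token

    def reveal(self, token):
        return self.vault[token]

def functionality_report(mode):
    """Run SaaS-side operations on protected values and report what still works."""
    gw = Gateway(mode)
    stored = [gw.protect(n) for n in NAMES]            # what the SaaS database holds
    exact = stored.count(gw.protect("Baker"))          # equality search
    prefix_token = gw.protect("Ba")
    prefix = sum(t.startswith(prefix_token) for t in stored)   # "starts with" search
    saas_order = [gw.reveal(t) for t in sorted(stored)]        # server-side sort
    return {"exact_hits": exact, "prefix_hits": prefix,
            "sort_preserved": saas_order == sorted(NAMES)}

if __name__ == "__main__":
    for mode in ("plain", "random", "hmac"):
        print(mode, functionality_report(mode))
```

Deterministic tokens restore exact-match lookups only, and they do so by revealing to the SaaS provider which records share a value.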

But today, solutions are starting to appear that promise to eventually give full functionality for SaaS applications.

A great example is what Salesforce is doing. Salesforce set very high expectations for data security when it announced Salesforce Shield, a new set of services that includes a strong set of data security features, such as auditing, encryption, access controls, event monitoring and data archiving. What they've done is make available a strong, well thought out encryption and access control capability, built into their applications, that enables enterprises to meet these needs without the sacrifice of functionality that previous third-party gateways and applications required. There are still a few areas that need work - encryption keys, for instance, are difficult to manage in ways that both meet compliance/regulation and are intuitive for enterprises that don't have an encryption expert on staff - but this is still an exceptionally strong solution.

Other SaaS providers are managing enterprise encryption keys themselves for customers, or allowing customers to do so themselves within their infrastructure.  A few examples taken from Vormetric's customer base of over 30 SaaS providers:

  • AirVault: AirVault handles the maintenance records of a very high percentage of commercial aircraft being flown today. Commercial airlines are a high-profile industry – and such a familiar part of our everyday lives – that the risk of attracting attention from Internet offenders is evident. In 2014, the FAA recorded a daily average of nearly 60 million cyber-related “alerts”, up dramatically from 4 million per day in 2011. Without focused efforts to mitigate the escalating number of threats, the rapidly intensifying situation had the potential to impact operational compliance and continued airworthiness of the industry. As a result, AirVault deployed Vormetric Transparent Encryption to consolidate access policies and encryption key management throughout its Microsoft-based infrastructure.
  • Empyrean: Empyrean is an advanced human resources technology and service company focused on administration of employee benefits for corporations of all sizes. Empyrean handles massive amounts of sensitive employee data every day and while its customers need robust levels of security, there are some complicated considerations. Their clients want to know about security procedures, such as how their data is destroyed if they should retire from using their services. The company wanted to have a security solution that would set it apart from the competition, scale with client growth and accommodate individual customer needs. The deployment of Vormetric Transparent Encryption proved to be seamless and had minimal impact on Empyrean’s clients. Empyrean installed it across their whole environment, giving them the ability to fully leverage the sophisticated key management capabilities and to perform targeted data destruction by customer and business unit.
  • CloudHesive: As a leading multi-vendor cloud managed services provider, including encryption management, CloudHesive focuses on helping companies realize, securely and in compliance, the compelling benefits of a cloud-based infrastructure. The flexibility and ease of deployment of Vormetric's Transparent Encryption solution dovetailed perfectly with CloudHesive’s services model to offer a robust set of security solutions for not only their own deployments but also for hybrid and customers’ on-premise infrastructures.
  • Bridgeway: Known for being one of the most recommended and highest rated providers of legal management solutions, Bridgeway Software, Inc. is continually evolving its model of delivering quality software and services to clients. Bridgeway wanted to ensure the integrity of customers’ data against malicious cyber-based threats with an industry-leading protection solution. Bridgeway implemented Vormetric Transparent Encryption to isolate customer data between customers and from unauthorized internal access within its multi-tenant infrastructure.

As we see continued growth with cloud and SaaS, vendors will also continue implementing strong security solutions to ensure customers’ data remains secure. Vormetric offers one of the most robust solutions to meet the needs of both SaaS providers and their end customers - allowing multiple options for encryption in cloud and SaaS environments, and control of encryption key management where it makes the most sense - at the cloud provider, in another cloud or application, or within the enterprise's premises.