Another approach that some vendors take is to use a form of encryption that preserves the ability to search and sort data.
New York-based Vaultive Inc. provides a gateway to Office 365's Exchange platform and plans to add support for other Microsoft cloud products.
The application currently supports mailboxes, calendar, notes and tasks.
"The current support is for all service-side operations you expect Exchange to provide," said co-founder and chief strategy officer Ben Matzkel. "E-discovery. Legal holds. Personal archives. Filtering. Data loss prevention. All of these things in most cases require some sort of insight into the data."
To accomplish this, Vaultive combines "well-known cryptography algorithms and tools and cryptographic hashes" with additional metadata in such a way that cloud applications can continue to perform operations on encrypted data and get the same results as if it were plain text.
"It works for indexing, sorting, creating reports, joining data from different sources and correlating them," Matzkel told CSO. "If you're doing something like spellcheck, where the actual word needs to get to the application for it to work, we can implement that in the proxy itself."
This approach has some downsides, however.
"A lot of these function-preserving encryption methods are not as secure," said security expert Tsion Gonen, chief strategy officer at Baltimore-based SafeNet Inc. "There's a compromise you have to make between security and preserving functionality. But it's definitely better than nothing if you have a compliance issue."
Another potential downside to this approach is that not all functionality can be preserved. No type of encryption, for example, will allow spell check to work. Vendors typically move this functionality into the proxy itself.
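A sketch of the general idea described above, and of the security compromise Gonen refers to, added here as an illustration; it is not Vaultive's or any other vendor's design. All names, keys and sample subjects are constructed, and the HMAC-based keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed keys; in this sketch they never leave the gateway.
ENC_KEY = hashlib.sha256(b"constructed-enc-key").digest()
IDX_KEY = hashlib.sha256(b"constructed-idx-key").digest()

def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stand-in for a real cipher (no integrity tag here).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(plaintext: str) -> bytes:
    # Randomised: the same plaintext gives a different blob every time.
    data = plaintext.encode()
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))

def decrypt(blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode()

def token(word: str) -> str:
    # Deterministic keyed hash: lets the cloud match terms without reading them.
    return hmac.new(IDX_KEY, word.lower().encode(), hashlib.sha256).hexdigest()[:16]

def protect(subject: str) -> dict:
    # What the gateway forwards to the cloud store: ciphertext plus metadata.
    return {"blob": encrypt(subject), "tokens": sorted({token(w) for w in subject.split()})}

def cloud_search(store: list, query_token: str) -> list:
    # Runs on the provider side; it sees only blobs and tokens.
    return [i for i, rec in enumerate(store) if query_token in rec["tokens"]]

def provider_view(store: list) -> Counter:
    # The trade-off: token frequencies are visible to the provider.
    return Counter(t for rec in store for t in rec["tokens"])

SUBJECTS = ["Merger update", "Lunch menu", "Merger legal hold"]  # constructed
STORE = [protect(s) for s in SUBJECTS]
```

Equal words always produce equal tokens, so the provider can count and correlate terms it cannot read; that leakage is what is exchanged for server-side search.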
"But it's really cumbersome and takes a long time," Gonen told CSO. "And how long can companies do this? Every time the cloud vendor comes out with a new version, they have to do it again."
If a company is willing to let a vendor see the plain data temporarily in order to process it, several vendors are offering encryption appliances. These are physical or virtual machines that encrypt and decrypt data for a vendor to use while ensuring that stored data is fully encrypted — without ever letting the vendor see the keys.
These vendors include Tel Aviv-based Porticor Ltd., Austin-based Gazzang, Inc., and San Jose-based Vormetric, Inc.
Regulated industries such as health-care providers and payment companies are among the early adopters of encryption appliances, according to Ariel Dan, co-founder and marketing EVP at Porticor.
"Porticor is deployed as an additional virtual instance in the vendor's environment," Dan told CSO. "Everything that passes through Porticor is encrypted, everything that passes back to the vendor is decrypted."