As a result, all the data stored by the vendor is in an encrypted state, and the vendor doesn't have the keys. Neither does Porticor — the customer holds the keys and decides when to use them.
Only a minimum amount of data is exposed, and only for a short time. It is theoretically possible for a hacker with deep knowledge of the vendor's application to grab that data as it is being used, but the level of effort required would be significant.
"It adds a significant hurdle to protect the data from hackers," said Dan.
Porticor claims to differentiate itself from other companies in this space with a unique "homomorphic split key" system based on a mathematical algorithm that allows the key to be passed from the customer to the Porticor appliance in an encrypted form, so that even if it is stolen, the hackers won't be able to use it to decrypt the stored data.
Another vendor with a similar encryption appliance is Austin-based Gazzang, Inc., which focuses on health care and financial sector clients and the cloud vendors that serve them.
One customer is Rockford, Ill.-based financial planning vendor ScenarioNow Inc., which uses Gazzang's zNcrypt appliance to secure its tools, having decided to offer cloud-based versions to its customers.
"One of the largest concerns our clients have is security of their financial information," said ScenarioNow CEO Patrick Sullivan in a statement.
Gazzang's zNcrypt adds a level of security by allowing enterprises to determine how and when their data can be accessed by the cloud vendor.
"What you really want is to enable the SaaS vendor to get to the data for normal day-in and day-out processing, but to need special permission for things like backup or copy," Gazzang CEO Larry Warnock told CSO. "So, say, if more than 50 records are accessed at once, this is probably a nefarious action. And with a key manager that supports policies, a SaaS vendor can even ask for multi-factor authentication for certain functions."
Other SaaS vendors that use Gazzang include Appcelerator, Castlight, Everbridge and Fireapps, the company said.
The best known of these vendors is Vormetric, which is primarily used internally by enterprises to secure their data and to allow their encryption keys to be controlled by a security manager, so that nobody in the IT department can access sensitive data. According to the company, 17 of the Fortune 25 companies are customers, including four of the top five commercial banks.
The Vormetric tools are also increasingly being used by SaaS vendors to lock down their cloud applications, and put control of the keys in customer hands. In addition to encrypting data at rest and protecting the keys, the Vormetric appliance also allows for fine-grained access controls.