By Sramana Mitra and guest author Siddharth Garg
Sramana Mitra: How can the [data owner have the obligation]? I mean, unless Salesforce.com is involved in the process of securing the data, a customer of Salesforce.com cannot possibly secure that data without Salesforce.com’s being involved in the process. It is just not architecturally viable.
Chris Burchett: Well, there are people who are building tools that will let you, for example, tokenize or encrypt certain aspects of your data that go to Salesforce.com. For example, as a reverse proxy kind of situation in the DMZ, as data passes through the reverse proxy, it gets tokenized as it goes into Salesforce, and as it comes out it is encrypted or the token gets replaced with the actual value.
SM: Thinking of Salesforce.com’s customers, they have hundreds and thousands of small and medium enterprises (SMEs) that don’t have any technical capability. You said yourself earlier that it is the business side of the organization, not the IT side, that has made the decision to go with Salesforce. I am just using Salesforce as an example; this is a supplier and you could replace Salesforce with any number of SaaS suppliers. So, these SMEs don’t have any knowledge of encryption or security or data security.
CB: Sure. You are right!
SM: They are relying on Salesforce to make sure their data is secure.
CB: Well, they may be relying on Windows too to make sure that the data is secure, and they may not be encrypting their laptops! So, welcome to my world! People don’t always do what is best for the protection of their data. And in the case of SaaS in particular, I think even to give the SaaS providers a little bit of credit, the technology is not right now easy to deploy in such a way, as I said before. That is, they can still provide the same kind of services that they have been providing and encrypt the data in such a way that only when the enterprise is logged in is the data open.
So, it is partly that the [number of] possible ways in which you can use the cloud has exploded, and the security of data in those situations has not quite caught up. And it is partly that people don’t always prioritize the protection of their data. That is why it was just three to five years ago when data protection law started to emerge, right? I mean, how is that possible?
SM: This is where I am. I have been probing this within a lot of enterprises, and I am asking them how they view security as a barrier to cloud adoption. By and large, this is within the past year or so, or maybe even two years. The answer is that yes, they trust the SaaS vendors and cloud vendors to provide a certain level of data security and service agreement and so forth. But listening to you, I am not so sure if that is necessarily a sound view.
CB: I agree with you. If you take a look at organizations such as the Cloud Security Alliance, they have over the last few years put together a guidance document, and it outlines 13 different knowledge domains with guidance, you know, things to consider as you look at the cloud. And if I were to boil it down, one of the fundamental things is this: If you have less control as an enterprise, then you need to have more in your service-oriented architectures (SOAs), and you need to be able to audit your cloud provider, and that is the case with SaaS.
As you go to the other end of the spectrum through the platform, which would [be the] middle ground to infrastructure, then you have all the control, frankly, and the onus is on you to protect your compliance needs and do all those good governance and risk management things. That, I think, is why, when people say they are OK with the security of the cloud, probably a lot of times they are talking about, “Yes, I trust my SaaS provider.” And let’s give some credit to companies like Salesforce that have taken it up seriously. They have done a good job up to a point without providing what I think is important for the data – that is, data encryption.
What is fundamentally needed for the cloud to really take off is the ability for an enterprise to control the encryption keys and the data and have it reside in somebody else’s infrastructure. There is SaaS, and I think what is even more important [is] platform as a service (PaaS) or infrastructure as a service (IaaS) for a computer or storage. You think about the high-profile announcement about BP losing a laptop with the spreadsheet on it. A very unfortunate event, but if you think about it, if you look at the emergence of storage services like Dropbox, for example, I wonder how many enterprises have spreadsheets just like that one that was lost on the BP laptop sitting in a Dropbox drive somewhere, and they don’t even know it.
CB: From a compliance perspective, that is an issue for people.