Cloud Security Alliance Guidance for Cloud Users

The Cloud
Security Alliance, the not-for-profit organization that sets best practices
for cloud security, has incorporated in implementation
guidance issued by the Security as a Service Working Group a set of
recommendations for cloud end users to adopt encryption of data in use as a
best practice.

The guidance notes that it is critical that the customer, and not the cloud
service provider, is responsible for the security and encryption protection
controls necessary to meet their requirements.

In its guidance focused on email security and encryption (SecaaS
Implementation Guidance – Category 4: Email Security), the CSA specifies as a
best practice that organizations should adopt technologies that allow sorting
and searching of encrypted text, while reducing the amount of data needing to
be decrypted. Specifically, the organization recommends encrypting
data before it goes to the cloud and maintaining segregation of duties by
keeping the encryption keys in the direct control of the customer, not the
cloud provider.

Implementation guidance for encryption as a service (SecaaS Implementation
Guidance – Category 8: Encryption) also notes that once data is safely
transmitted to a cloud service provider, it should be stored, transmitted and
processed in a secure way.

This CSA guidance aligns with Vaultive’s capabilities for pre-cloud
encryption and approach of implementing three states of cloud data encryption –
encryption of data-at-rest, data-in-transit and data-in-use – as well as
limiting access to the encryption keys exclusively to authorized users within
the organization where the data originates, and trusted parties.

Vaultive, Inc. is a provider of cloud
data encryption solutions designed to maintain the control, security and
compliance of data processed by cloud-based services.

In line with the CSA guidance related both to cloud encryption and
email security, Vaultive’s advanced encryption capabilities are designed to
enable cloud end users to maintain control and ownership of organizational data
processed by third-party services in order to address concerns including data
security, compliance, unauthorized disclosure and data residency or privacy
regulations.

As a result, the cloud provider never has access to customer data in its
unencrypted form, and enterprise cloud data remains unreadable if an
unauthorized third-party attempts access – or even if the data is disclosed in
response to a government request.

At CSA Congress 2012 held in Orlando, FL, Vaultive will be
conducting a session on best practices for maintaining control and ownership of
data in the cloud and the delineation of roles and responsibilities between
cloud service providers and end users.

"Cloud Security Alliance
Implementation Guides help organizations effectively decipher what best
practices should be and sets the global standard for companies seeking to
utilize the cloud in a secure manner. We are very pleased that the
recommendations made in latest version of the CSA guidance mirror Vaultive’s
own approach to cloud data encryption," said Maayan Tal, co-founder
and CTO of Vaultive. "Vaultive
allows organizations to implement the three complete states of data encryption
to ensure sensitive data is secure in the cloud at all times, just as the CSA
advises."

CSA
Implementation Guidance research seeks to establish a stable, secure baseline
for cloud operations in order to provide a practical, actionable road map for
managers wanting to adopt the cloud paradigm safely and securely. In
keeping with its mission, the CSA released third edition of its CSA
guidance to provide greater clarity around the area of Security as a Service.