Responding to the Myths about CipherCloud’s Encryption Technology

A couple of recent discussions in a few board threads contributed to by our competitors have questioned CipherCloud’s approach to delivering cloud information protection.

Most of the comments and posts were based on very limited publicly available information, some of which was outdated. As a result, I thought I would take a few minutes to provide some clarity on this topic.

To start off, I wanted to provide some clarity on the question of whether CipherCloud uses homomorphic encryption. The answer is NO. Homomorphic encryption is far from ready for practical usage due to performance and lack of capabilities.

But CipherCloud does use publicly available, well-researched, and NIST-validated cryptographic algorithms that have been implemented in compliance with FIPS 140-2 standards. We also leverage our reverse proxy architecture, which is always in the data path and incorporates in-depth knowledge of cloud applications for in-line processing and transformation of data on-the-fly to support common operations including search and sort.

Also, to be rather direct and address some of the concerns that were raised in the threads, CipherCloud does NOT implement 1:1 mapping or ECB mode for any customer deployments.

The cited CipherCloud product demo in the board threads (which is quite outdated) was focused on highlighting our reverse-proxy concept for cloud information protection to organizations using cloud applications. Some of the fundamental security features made available today (e.g. full field encryption, randomization through IVs, etc.) were either disabled because we were not comfortable sharing such IP on the internet while our patents are still pending, or not available at the time of recording. I’m sure most of you will appreciate that cloud information protection is one of the most desired spaces for investment, and many competitors are attempting to replicate CipherCloud’s success. CipherCloud continues to invest significantly in R&D efforts to offer ongoing security improvements to customers with each new release of the product.

In addition to having conducted independent third-party cryptographic design reviews, CipherCloud is currently in the process of obtaining our FIPS 140-2 certification, which can be verified by visiting the following NIST website: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf. All of our customers that I know of have selected our solution as the recognized standard for cloud information protection after a thorough evaluation, testing, and scrutiny of our product’s design and implementation by their cryptographers and key management experts.

As to the DMCA Notice sent to a site hosting images from a CipherCloud video, CipherCloud’s legal team, like most other companies, actively regulates the usage of our intellectual property, including copyright. But, based on feedback from the community, we are implementing a modified policy to avoid such incidents going forward and wholeheartedly apologize for the temporary disruption to the discussion threads on the internet.

I understand and appreciate the interest in the market to better understand our technology, and I am happy to discuss additional details around our encryption implementation with our customers, prospects and partners. If you are interested in learning more, please contact CipherCloud directly via our website at info@ciphercloud.com.

2 replies
  1. Anders says:

    I have read Dr. Kothari's articles in the Guardian of June 13th with great interest, about securing encryption in the cloud by AES-256, but after Mr. Edward Snowden's disclosure about PRISM one gets a little worried about privacy. It raises some questions. Two of them are:

    1) Is CipherCloud in any way subject to the activities of PRISM?

    2) Can you guarantee that the AES-256 algorithm is not weakened and/or contains backdoors?

    Best regards,

    Anders

    • Willy Leichter says:

      CipherCloud is not subject to PRISM as we are not a cloud provider – we build software that our customers deploy on their own premises. Regarding any back doors to AES-256 – this is a widely vetted and tested open standard. If there were back doors, they would have been discovered and quickly exploited by hackers. In addition, our system has been put through rigorous third-party testing and validation by security-conscious customers including major global banks.
