Frequently Asked Questions
About Our Products
How is the CipherCloud Platform sold?
CipherCloud products are licensed on a subscription basis, based on the size of the organization (typically measured by users, or throughput). In addition, there are one-time license fees per server, as well as integration services offered as needed.
How is the CipherCloud solution deployed?
CipherCloud is deployed as software that can be run on physical servers, virtual servers, or on private cloud instances, such as Amazon Web Services.
How complicated is deployment?
Deployment of the CipherCloud platform can take as little as a few weeks, or somewhat longer, depending on the customer’s requirements and configuration needs. CipherCloud uses a standard phased process: 1. requirements gathering phase; 2. scope and architectural framework finalization; 3. development and configuration; 4. sandbox testing; 5. production roll-out.
How is CipherCloud integrated with cloud applications?
CipherCloud runs independently from cloud applications, typically at the perimeter of a customer’s network. CipherCloud is designed to work seamlessly with specific cloud applications including Salesforce, Box, Office 365, Gmail, AWS and others. The solution preserves the format and operations of encrypted data that is stored in the cloud, supporting search, sort, and reporting functions critical to end-users.
Does the CipherCloud Platform have to be inline?
No. CipherCloud can be deployed either as an inline gateway, or as a separate encryption service, connecting to cloud services via APIs. This flexibility supports a range of different use cases, and enables third-party applications to access encryption and decryption via CipherCloud Web Services.
What is the relationship between CipherCloud and cloud application providers?
CipherCloud partners closely with the cloud providers of protected applications. For example, CipherCloud is the only vendor in this space to have achieved full ISV partner status with Salesforce. CipherCloud is also in partner programs with Box, Office 365, AWS, ServiceNow and others.
Does CipherCloud support 3rd-party products integrated with Salesforce?
Yes. CipherCloud has an open integration framework that can connect to third-party applications, databases, or in-house systems that are part of a customer’s overall Salesforce infrastructure.
Can CipherCloud just protect a few fields of structured data?
Yes. Most customers encrypt data selectively, allowing public data to be visible to outsiders, while protecting specific fields with encryption or tokenization – such as credit card numbers, social security numbers, or other personal information. CipherCloud provides granular control to select the appropriate level of encryption on a field-by-field basis.
Can CipherCloud encrypt unstructured data or attachments?
Yes. CipherCloud can be used to protect unformatted data such as notes or Chatter posts, as well as text in most types of attachments including Word, Excel, PowerPoint, and PDF.
Can a single system protect multiple Salesforce Orgs?
CipherCloud is the only vendor that can protect multiple Salesforce Orgs within a single organization, with a single, centralized system. This dramatically reduces management costs and provides more consistent security and visibility across an enterprise, providing much greater assurance of compliance.
What type of encryption does CipherCloud use?
CipherCloud uses standards-based AES 256-bit encryption. The AES (Advanced Encryption Standard) was established by the U.S. National Institute of Standards and Technology (NIST) in 2001 and is deployed by the U.S. Government and organizations globally. AES is a symmetric-key algorithm, using the same set of keys for encryption and decryption.
How does CipherCloud’s encryption differ from SSL encryption?
Encryption can be used in many different contexts, for very different purposes. For example, SSL creates a secure tunnel from an individual browser to an external web server. This is standard practice for online transactions such as banking or e-commerce (every time you see an “https:” URL). This is an important component of overall security, but it only secures the tunnel, not the content. Cloud providers (on the other end of the tunnel) still receive and process data in the clear. CipherCloud secures the actual content, regardless of how it is delivered or where it resides.
How does CipherCloud’s encryption differ from encryption solutions offered by cloud vendors?
Some cloud providers offer encryption of data at rest while in their servers, but many do not. However, even if data is encrypted by the cloud provider, they typically decrypt data during any type of data processing as they hold the keys. This leaves the data vulnerable to rogue insiders, mismanagement or forced legal disclosure, and many legal experts agree that this is not adequate for regulatory compliance. By comparison, with CipherCloud’s solution, the encryption keys never leave the organization, assuring compliance and protection of the data.
Has CipherCloud’s encryption been certified or validated by third-parties?
AES encryption has been certified by NIST under FIPS 197 and CipherCloud is in the final certification process for FIPS 140-2. The AES standard has been publicly published and extensively reviewed and tested by many independent organizations. In addition, CipherCloud’s implementation has gone through rigorous testing, code review and validation by dozens of major enterprise customers including the world’s largest banks.
The CipherCloud Platform has also undergone detailed, hands-on testing and technical assessment by Coalfire, a leading IT audit and compliance firm. Coalfire validated CipherCloud’s software development process, and performed network analysis, penetration testing, and forensic analysis. Coalfire determined that CipherCloud adheres to industry best practices including Visa best practices for encryption and tokenization, NIST 800-57, NIST – FIPS 197, ANSI X9, ANSI x9 (x9.119 part 2), ISO, Payment Card Industry Data Security Standard (PCI DSS), and Payment Application – Data Security Standard (PA-DSS). A detailed report from Coalfire is available on request.
How are encryption keys managed?
CipherCloud provides enterprise key management in compliance with NIST SP 800-57 standards. Multiple key storage options enable keys to be stored securely in the CipherCloud or stored separately on a KMIP-compliant key management server. Keys in CipherCloud remain encrypted at all times, and unique keys can be generated for each encryption scheme. CipherCloud provides capabilities to split keys between multiple custodians (to reduce internal threats) as well as key rotation and expiration without affecting legacy data.
How is encrypted data still searchable?
CipherCloud’s patented Searchable Strong Encryption (SSE) provides extensive, natural language searches of fully encrypted data by maintaining search index reference data on the gateway or in a secure enterprise database. A number of additional encryption techniques support searching and sorting for specific use cases, including partial encryption, format-preserving encryption, and order-preserving hashes (one-way functions for a specified number of leading characters). All of these options can be fine-tuned to meet the searching and security requirements of each type of data.
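One general way a gateway-side search index over encrypted records can work, shown as an added illustration that is not CipherCloud's code or its patented SSE scheme: each word is replaced by a keyed HMAC token before it is indexed, and a second token covers only the leading characters. The function and class names, the sample key and the records are constructed, and encryption of the record bodies sent to the cloud is left out.

```python
import hashlib
import hmac
import re
from collections import defaultdict

def blind(term: str, key: bytes) -> str:
    """Keyed one-way token for a search term; useless without the index key."""
    return hmac.new(key, term.lower().encode("utf-8"), hashlib.sha256).hexdigest()

def prefix_token(value: str, key: bytes, n: int = 3) -> str:
    """Token over the first n characters only, for starts-with matching.
    Values sharing those characters get the same token: function is bought with leakage."""
    return blind(value[:n], key)

def words(text: str) -> set:
    return set(re.findall(r"[a-z0-9]+", text.lower()))

class GatewayIndex:
    """Search index kept on the gateway; the cloud side never holds the key."""

    def __init__(self, key: bytes):
        self._key = key
        self._postings = defaultdict(set)  # blinded term -> record ids

    def add(self, record_id: str, plaintext: str) -> None:
        for w in words(plaintext):
            self._postings[blind(w, self._key)].add(record_id)

    def search(self, query: str) -> set:
        """Return ids of records that contain every word in the query."""
        terms = words(query)
        if not terms:
            return set()
        hits = [self._postings.get(blind(t, self._key), set()) for t in terms]
        return set.intersection(*hits)

def demo() -> GatewayIndex:
    # Constructed sample key and records, for illustration only.
    index = GatewayIndex(key=bytes(range(32)))
    index.add("rec-1", "Acme Corp renewal due in March")
    index.add("rec-2", "Acme Corp support escalation")
    index.add("rec-3", "Globex renewal signed")
    return index
```

Because equal words and equal prefixes always map to equal tokens, the index itself reveals which records share terms, which is why it has to stay on the gateway or in an enterprise database rather than with the cloud provider.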
Is tokenization more secure than encryption?
CipherCloud’s encryption and tokenization solutions offer comparable levels of security. Tokenization helps meet stringent data residency regulations or corporate policies that require specific types of data to not leave the organization, even if encrypted.
Does CipherCloud include out-of-the-box DLP policies?
CipherCloud provides DLP solutions for Salesforce and Box with ready-to-use policies for common DLP triggers including credit card numbers, mag-stripe data, social security numbers, SWIFT codes, ABA routing numbers, and national drug codes (NDC). The solution also provides pre-built policies for common compliance requirements including PCI, GLBA, HIPAA, and SOX, with new policy libraries being added frequently.
Does CipherCloud work with third-party DLP products?
Yes. CipherCloud can be integrated with, and support policies for, most popular DLP products (including RSA and Symantec) through the ICAP protocol.
triggered the policy. After the specified time, the content is automatically rescanned to check for compliance
Can CipherCloud scan content already in cloud applications?
Yes. CipherCloud DLP solutions for Salesforce and Box provide on-demand scanning for content in existing Salesforce Orgs or Box folders. This can be done as needed – when new users are added, or to run periodic compliance audits on specific folders.
Who uses CipherCloud?
CipherCloud solutions have been sold to companies in over 25 countries and 11 industries. CipherCloud protects over 3 million end-users.
What types of industries use CipherCloud?
CipherCloud has been deployed in a range of industries that have regulated or proprietary information. These include financial services, banking, insurance, healthcare, pharmaceuticals, telco, media, hi-tech, and government.
Who founded CipherCloud?
CipherCloud was founded by Pravin Kothari in 2010. Pravin is the CEO of CipherCloud and is a security visionary with more than 20 years of experience building industry-leading companies and bringing innovative products to market. Pravin was the Founder & CTO of Agiliance, a leading Security Risk Management company, and Co-founder & VP Engineering of ArcSight, a leading security company, which was acquired by HP for $1.6 billion. Previously, Pravin was Co-founder & Chief Architect at Impresse Corporation and also held technical leadership positions at Verity, Attachmate, and Tata Consultancy Services. Pravin holds over a dozen patents in security technologies and is the inventor behind CipherCloud’s groundbreaking cloud encryption technology.
Pravin had the foresight to sense an opportunity in protecting sensitive enterprise information in the cloud and across multiple clouds. He also understood that since cloud data can reside in any country, it can be subject to local law enforcement that can seize that data. He founded CipherCloud to eliminate these critical issues and make it possible for organizations to move securely to the cloud. Organizations want to use more cloud applications while keeping control over their sensitive information, but they are concerned that encryption breaks application commands, such as search and sort. CipherCloud’s cloud encryption gateway is designed to enable organizations to protect their data in the cloud without sacrificing application functionality, user experience, or performance, and without making any changes to the cloud application.
Is encryption required by government regulations?
Most regulations do not specify technology, although Payment Card Industry Data Security Standard (PCI-DSS) compliance does require encryption. Increasingly, however, privacy, financial, and healthcare regulations are recognizing that if organizations encrypt data adequately, and maintain possession of their encryption keys, then they can qualify for a “safe harbor” exemption from breach notification laws.
What compliance regulations has CipherCloud been used to meet?
CipherCloud has been deployed by customers to help meet regulations from the US Government (GLBA, SOX, PCI, HIPAA, HITECH, FISMA, FERPA, and others), US states (CA-1386 and similar privacy laws in 46 states), European Union (EU Data Protection Directives), UK (ICO regulations), Canada (PIPEDA, FOIPPA, PIPA), Australia (Privacy Amendment Act), and similar laws in more than 50 countries.
How does CipherCloud deal with legal disclosure laws such as the US Patriot Act?
Law enforcement in almost any country can compel cloud providers to turn over customer data, sometimes without even notifying the customer. This can be very problematic for customers with data that is protected by privacy laws, especially when that data crosses national boundaries. CipherCloud solutions solve this problem, putting organizations in exclusive control over any legal disclosures. Most organizations prefer (and are required) to disclose data precisely and accurately, based on their legal obligations, but do not want third-party providers making these decisions for them.
Can’t CipherCloud be required to turn over encryption keys – just like a cloud provider?
No. CipherCloud never has access to a customer’s encryption keys unless specifically requested for support purposes. All encryption keys are generated after the software has been deployed at a customer’s site, and new keys can be generated and rotated by customers as frequently as needed.
What countries does CipherCloud operate in?
CipherCloud is headquartered in San Jose, California (USA) with offices in the United Kingdom, Australia, and partners throughout North America, Europe, Asia, and Latin America.