Skyhigh announced today that it has received a patent for its technology, which moves that encryption gateway into a hosted environment.
Enterprises looking to protect sensitive data stored in cloud services can funnel user traffic through on-premises encryption gateways that allow them to keep control of their encryption keys.
Moving the encryption process to Skyhigh's servers allows for easier access by remote employees, mobile users, business partners, or customers, said Rajiv Gupta, Skyhigh's CEO. He says the company offers these encryption gateways in various locations, allowing customers to comply with data residency and privacy laws.
Gupta said that his is the only company offering such services, and dismissed concerns that the patent was too broad, or not new.
"In this case, there is no prior art," he said. "It hasn’t been done before and certainly wasn’t before we filed for the patent."
He added the company will not be using the patent aggressively.
"We will not be patent trolls," he said. "For us, this patent primarily is defensive so that we are not impeded from addressing our customers’ needs."
The patent also discusses the process by which customer-controlled master keys are used to create derived keys that are, in turn, distributed to the proxies, where they are used for the encryption and decryption process but are never stored.
"The master keys never leave the customer premises, the derivation happens on premises," said Kaushik Narayan, Skyhigh's co-founder and CTO. "And we have all kinds of protections on our proxy so that you can't dump memory, you can't inspect memory."
Skyhigh's Cloud Access Security Broker currently supports Salesforce, Office 365, ServiceNow, Google Drive, Box, and Dropbox.
Competitive landscape
Some security experts say that Skyhigh's hosted encryption gateway is neither new nor unique.
"There is no shortage of prior art," said Dave Lewis, global security advocate at Cambridge, Mass.-based Akamai Technologies Inc. "I'm actually surprised that they got the patent. There's really nothing new here."
Lewis pointed to a book titled "IT Security Risk Management" by Tobias Ackermann, currently CTO at Casamundo GmbH, based in Germany.
"It came out two years before they applied for their patent, and that book references exactly this," he said. The book was published in 2012, and Skyhigh applied for their patent in 2014.
The Skyhigh patent also appears to overlap with the Key Management Interoperatbility Protocol, said Rich Campagna, VP of products at Campbell, Calif.-based security firm Bitglass, Inc.
KMIP dates back to 2010, and is a standard protocol for the exchange of encryption keys, he said, that is widely adopted commercially.
It includes a function that "is used to derive a symmetric key or Secret Data object from a key or secret data that is already known to the key management system," he said, adding that this is "exactly the process described in claim number one of the patent."
Garrett Bekker, analyst at New York-based 451 Research LLC, said that while Skyhigh has some unique aspects to their technology, several vendors already offer encryption gateways for cloud applications.
"They're not the only ones looking to separate keys from encryption," he said. "CipherCloud and Vaultive have been doing this for a good five or six years."
Vaultive Inc.
Boston-based Vaultive, Inc., offers a cloud encryption gateway that is typically hosted on premises, but that the customer can also run, on, say, Amazon cloud servers, or get it hosted for them by a regional reseller.
End users trying to connect to Office 365 would have a custom domain name that they would use, and would be blocked from logging into Office 365 directly, said Doug Lane, Vaultive's VP of product marketing. Email clients, both on PCs and on corporate and personal mobile devices, can also be configured to go through the gateway, he said.
"It seems like their patent is pretty broad and a lot of companies are doing this already," he said.
CipherCloud
"We can’t comment on the specifics of Skyhigh patent, but we don’t believe it is a game changer," said Willy Leichter, VP of marketing at San Jose-based CipherCloud. "They definitely do not have a patent on the entire concept of an encryption-decryption proxy in a hosted environment. CipherCloud and a number of other vendors have been doing that for years."
Leichter added that his company does more than just offer a scalable, transparent way to securely connect users with cloud service providers -- CipherCloud can also perform searches, sorts, and reports on data while it is still encrypted, with 17 patents on various techniques for doing so.
Inline integration, which protects data on a field-by-field basis, is available for many popular business cloud applications, including Salesforce, Force.com, ServiceNow, SAP, SuccessFactors and Adobe Analytics. In addition, there is also API integration for cloud-based collaboration and file sharing services.
Other offerings
Even Amazon has an offering in this space, said Michael Nye, a patent attorney at Harness, Dickey & Pierce, P.L.C.
Back in 2013, Amazon launched a hardware-based security appliance for managing encryption keys for its cloud customers.
However, the Skyhigh patent offers a lot of specifics, he said, and did not immediately strike him as being too broad. Plus, it was reviewed by an experienced examiner.
According to legal information company Justia, Dant Shaifer-Harriman has dealt with more than 200 patents, many of them in the area of information security.
"For what it’s worth, I have prosecuted an application in front of examiner Harriman," Nye added. "He definitely understands encryption, so I wouldn’t be surprised if his patentability determination was accurate."
Is it secure?
Skyhigh's process for distributing encryption keys to gateways on external servers doesn't necessarily guarantee security, said David Cash, a computer science professor at Rutgers University.
"If someone were to compromise the server, they would need to do it while the key is there and in memory," he said. "But that is much more difficult and mitigates most threats."
There are no absolutes in security, he added.
One common security problem is when the encryption keys are stored too close to the data that they are meant to protect, said Kevin Curran, IEEE Senior member and senior lecturer of computer science at the University of Ulster.
"A third party encryption key proxy hosted in the cloud could add a protection layer by keeping the keys separate from the encrypted data," he said. "That separation, no matter how it is implemented, is what is crucial in this model.”
Plus, on-premises solutions may offer more control but can create significant management challenges for IT departments, he added.
An increase in position, but it isn't bullet proof
"Sadly, most enterprises play fast and loose with their keys and only the most security conscious businesses and teams think of end-to-end data security," said Richard Stiennon, chief strategy officer at Finland-based Blancco Technology Group.
Skyhigh's technology makes it possible for an enterprise to encrypt its data in the cloud using its internally controlled encryption keys without exposing them to the rest of the world, he said.
Patents are important to technology companies to help them establish market dominance and confirm the value of their products, he said. "And for Skyhigh, it will likely help them increase their competitive position in the cloud encryption market."
"But at the same time, I don’t think this method is bullet proof either," he added. "Encryption keys held in memory are not impervious to attack. They can even end up recorded in memory snapshots taken of virtual environments that haven’t been properly and permanently erased."