Glass Class - Enacting Encryption
Hey, guys, this is Mike from Product Management, and I wanted to talk a little bit about protecting data inside of cloud applications. If you have a cloud app that stores files – we'll talk about unstructured data first and then focus on structured data in the next discussion – you have an app like Salesforce that allows you to store files, apps like O365, or a dedicated app like Box that does the same thing, then you may be concerned about the sensitivity of the data as it moves up to the cloud, or gets created there.
Sometimes you want a gateway between this and an end user to actually protect the data. If I'm a user down here, and I create something that's very sensitive, and I upload it to one of these apps, that may be okay, but that also might not be okay. Certain times you may want to protect the data from these actual applications themselves, with your own keys. So we can tie into HSMs, or key management services, to actually encrypt the data with your own keys before it lands in the app.
If my user down here creates a file, puts it up there in the application, we'll actually encrypt the file as it passes through the Bitglass proxy or, if you have API integrations depending on how you want to deploy, so that the content is protected inside these applications. What that means is that you can do things like securely share a file. So if I move a file up here, it's really sensitive and I want to share it to an external party, I can do so and I can share it to my buddy over here that I'm working with from a business perspective.
He can take that file and, much like an encryption solution for email, we can be taking them to a portal where they log in and create an account, we verify that it's the correct email, and then we're able to securely decrypt the file for them – so almost similar to a registration that you get in something like a Cisco-IronPort-type flow. What you're getting here is management of the keys with your HSM, protection of the data while in the application, and, then, still an ability to share the content outside. Also, if you download the content and you're still coming through the proxy, so you take this back and take it back down to a different PC and one of the buddies at your work that also needs to look at the document, it's automatically decrypted on the fly.
So from a use-case perspective, it can support external sharing as well as internal sharing – all while protecting the data inside of the cloud.