Key Management


Key management is one of the most critical activities in ensuring that a security system is successful. With CloudMask, the user has exclusive access to their keys.

CloudMask relies on Identities, based on asymmetric key pairs, to authenticate, encrypt, and sign data. A single user may hold one or more Identities, typically with a dedicated Identity for mobile devices.

While CloudMask integrates with Certificate Authorities (CA) to manage these Identities, organizations do not require a CA in order to use CloudMask. In that case, CloudMask transparently uses its cryptographic engine to generate and manage the asymmetric key pairs on the user's behalf. Accordingly, three models of Identity management are supported:

1) Enterprise On-Premise CA, where CloudMask integrates with the organization's existing on-premise Certificate Authority.

2) Managed PKI, where CloudMask integrates with leading managed PKI offerings such as Entrust and WiseKey.

3) Built-in Identity Management, where CloudMask generates and manages asymmetric key pairs for each user Identity.

Encryption, Tokenization and Masking

Not all tokenization and encryption algorithms are created equal. Common tokenization schemes are deterministic (at least in part): the same input always yields the same token, so an attacker holding the tokenized data can see which records share a value and run frequency analysis against it. CloudMask's patented technology instead assigns random tokens that have no mathematical relation to the original data. The actual data is encrypted using the user's certificate and is never sent to the Cloud Application.

CloudMask's patented technology also provides Dynamic Data Masking (DDM), which masks production data in real time.

Because the encrypted data does not have to conform to any format or length restrictions the Cloud Application may impose, the choice of encryption algorithm is not constrained by the application. CloudMask supports leading FIPS-compliant encryption engines, and users may configure CloudMask to use the desired encryption library along with the applicable algorithm parameters.

Insider Threats

Insiders pose a substantial threat by virtue of their knowledge of, and access to, their employers' systems and databases. Insiders can bypass existing physical and electronic security measures through legitimate means. A security gateway does not address insider threats, and may in fact increase the risk, since the gateway receives the user's data in cleartext before applying its security algorithms.

CloudMask encrypts users' data at the moment of its creation using their own certificates. The data is never in the clear anywhere except at the user's access point, a desktop or mobile device. As a result, malicious insiders who have network access, or even administrative privileges, never have access to the cleartext data.

Consistencies Across Applications

Organizations' existing security frameworks do not easily extend into cloud applications. Inconsistencies in authentication and authorization across different processes introduce vulnerabilities that attackers can exploit.

CloudMask offers certificate-based single sign-on and data protection across an unlimited number of applications. In doing so, it adheres to the organization's security policies and established framework, irrespective of the delivery mechanism, on public cloud or private cloud.

In addition, CloudMask enables organizations to set fine-grained access controls. These controls restrict sharing and group access of particular data depending on the application, type of data, and the role of the creator.

As a result, CloudMask helps achieve a single organization-wide security framework that works consistently across the different applications while enforcing fine-grained access controls.

Data Loss Prevention (DLP)

CloudMask tokenizes and encrypts users' data at the moment of its creation, well before it leaves their machine. The Cloud Application receives meaningless tokens that have no mathematical relation to the original user data. Unlike the output of standard encryption algorithms, the tokens conform to the application's data format requirements and do not break its functionality.

As a result, data leaks or loss on the Cloud Application side, whether through unauthorized access or hacked accounts, expose only tokens rather than user data, without disrupting the Cloud Application's functionality.
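The two properties claimed above, random tokens with no mathematical relation to the data (Encryption, Tokenization and Masking) and tokens that still pass the application's format checks (DLP), can be illustrated side by side. The following is an added example written for this page; it is not CloudMask code and does not show its patented scheme. The deterministic scheme is a hypothetical keyed-hash tokenizer of the kind the page warns about, `RandomTokenVault` is a stand-in for a client-side mapping of token to protected value, the `@tok.example` domain is an assumed placeholder, and the sample e-mail addresses are constructed. The vault here holds values in memory; the page describes the real data being encrypted to the user's certificate instead.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

# Constructed sample field values, as a cloud CRM might hold them.
# Note the repeats: three records share alice's address, two share bob's.
SAMPLE_EMAILS = [
    "alice@example.com", "bob@example.com", "alice@example.com",
    "carol@example.com", "alice@example.com", "bob@example.com",
]

# The kind of format validation a Cloud Application applies to an e-mail field.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Secret key for the hypothetical deterministic tokenizer (generated per run).
DEMO_KEY = secrets.token_bytes(32)


def deterministic_token(value: str, key: bytes) -> str:
    """Hypothetical keyed-hash tokenization (HMAC-SHA256, truncated).

    The key is secret, but the scheme is deterministic: equal inputs give
    equal tokens, so equality and frequency of values survive tokenization.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


class RandomTokenVault:
    """Stand-in for a client-side vault: token -> protected value.

    Tokens are drawn from a CSPRNG and carry no information about the value.
    Only the token leaves the user's machine; the vault stays with the user.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Shape the token like an e-mail address so the application's own
        # validator (EMAIL_RE) accepts it and nothing downstream breaks.
        while True:
            token = f"{secrets.token_hex(8)}@tok.example"  # assumed placeholder domain
            if token not in self._store:       # fresh token even for repeated values
                break
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def max_shared_token_count(tokens: list[str]) -> int:
    """What an attacker holding only the cloud copy learns: the largest group
    of records that share one token (1 means no two records are linkable)."""
    return max(Counter(tokens).values())


def compare_schemes(values: list[str]) -> dict:
    """Tokenize the same records both ways and report what each leaks."""
    det_tokens = [deterministic_token(v, DEMO_KEY) for v in values]

    vault = RandomTokenVault()
    rnd_tokens = [vault.tokenize(v) for v in values]

    return {
        "deterministic_max_shared": max_shared_token_count(det_tokens),
        "random_max_shared": max_shared_token_count(rnd_tokens),
        "random_tokens_pass_format_check": all(EMAIL_RE.match(t) for t in rnd_tokens),
        "random_round_trip_ok": [vault.detokenize(t) for t in rnd_tokens] == values,
    }


if __name__ == "__main__":
    for name, result in compare_schemes(SAMPLE_EMAILS).items():
        print(f"{name}: {result}")
```

With the constructed records, the deterministic scheme lets the holder of the cloud copy see that three records share one value (and which ones), even though the HMAC key never left the client. The random scheme yields six distinct tokens, every one of which passes the application's e-mail validator, and the vault still recovers the original values for the legitimate user.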

Global Security Certificate

When examining security solutions, clients need to examine the certifications that have been awarded to the solution provider. For obvious reasons, claims cannot be taken at face value. Certification is the only proof that the vendor's claims have been checked against a published standard the client can rely on, and that the tests were performed by a trusted third party.

Any Data Protection service will have two major elements:

  1. The crypto engine, which is responsible for encrypting the data using a cryptographic algorithm. The Federal Information Processing Standard (FIPS) Publication 140-2 is one of the standards under which this element is certified.
  2. The solution integrity, which covers the end-to-end solution processes: handling of data before and after encryption, key management, code protection, event handling, and so on. The Common Criteria for Information Technology Security Evaluation (CC) is the main international standard (ISO/IEC 15408) for end-to-end computer security certification.

More than 95% of security attacks target process deficiencies and leakage between the different modules, not the crypto engine itself.

CloudMask received Common Criteria certification under the scheme managed by the Communications Security Establishment (CSE), Canada's national cryptologic agency. The assurance lab that conducted the evaluation for CloudMask was Computer Sciences Corporation (CSC), an American multinational corporation that provides information technology (IT) and professional services.
