Intelligent CISO Issue 09 | Page 75

Unfortunately, using a CASB for encryption is not without its challenges. In order to preserve application functionality after data is encrypted, some CASBs actually reduce the strength of the encryption.

When data is encrypted, the application is unable to read the encrypted data and therefore loses the ability to do anything with it. The ‘search’ function is perhaps the best example of this. If a customer file is encrypted and a salesperson attempts to search for it, the application would not be able to read the file and therefore the search function would be broken. Reducing the encryption strength allows a CASB vendor to ‘crack’ its own encryption in order to allow critical functions like search.

These functionality issues can seriously impede the productivity benefits of adopting cloud applications in the first place. And so, some CASBs ‘solve’ the issues by limiting the strength of the cryptographic algorithm used. Of course, doing so severely impairs the overall effectiveness of the encryption, making data much more vulnerable. This has left many businesses with a difficult trade-off between lost functionality and sub-optimal security, neither option being particularly appealing.

Solving the security and functionality trade-off

The latest development in cloud encryption is one that takes a ‘split index’ approach to searching cloud-based data, which gives businesses the best of both worlds. When first deployed, API connections are used to analyse cloud applications in use, identify sensitive data and let the business decide exactly what it wants to encrypt. The CASB will then replace all sensitive data with copies that have been encrypted. The business retains control over the encryption keys in this scenario. The encrypted data can then be stored in the cloud app or on premises. In the latter case, the only thing stored in the cloud application is an encrypted pointer to where the data lies in the local data store.

The split index approach preserves ‘search’ by moving the search functionality from the app to the CASB. As data is encrypted, an encrypted local search index is generated on premises,
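The search path described above, for the case where data stays on premises and the cloud app holds only a pointer, as an added example that is not from the article or any CASB product. The HMAC-SHA256 keyword tokens, the random pointer format and the `SplitIndexGateway` name are assumptions made for illustration; encryption of the stored records under the business's keys is outside what it shows.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample records, not real customer data.
RECORDS = [
    "Acme Ltd renewal contract 2019",
    "Globex Corp renewal quote",
    "Acme Ltd support ticket",
]


class SplitIndexGateway:
    """Stand-in for the CASB: on-premises record store plus keyed search index."""

    def __init__(self, index_key):
        self._key = index_key   # stays with the business, never reaches the cloud app
        self._store = {}        # pointer -> record, held on premises
        self._index = {}        # keyword token -> pointers of records containing it

    def _token(self, word):
        # Keyed HMAC, so index entries cannot be tied to words without the key.
        return hmac.new(self._key, word.lower().encode(), hashlib.sha256).hexdigest()

    def protect(self, record):
        """Keep the record locally, index its words, return the pointer for the cloud app."""
        pointer = secrets.token_hex(16)  # assumption: random opaque pointer
        self._store[pointer] = record
        for word in re.findall(r"\w+", record):
            self._index.setdefault(self._token(word), set()).add(pointer)
        return pointer

    def search(self, query):
        """Return records containing every query word, using only the local index."""
        words = re.findall(r"\w+", query)
        if not words:
            return []
        hits = set.intersection(*(self._index.get(self._token(w), set()) for w in words))
        return sorted(self._store[p] for p in hits)


def run_demo():
    gateway = SplitIndexGateway(secrets.token_bytes(32))
    cloud_app = [gateway.protect(r) for r in RECORDS]  # all the cloud app ever stores
    return cloud_app, gateway.search("acme renewal"), gateway.search("globex")


if __name__ == "__main__":
    print(run_demo())
```

The cloud application never sees a keyword or a record, so search keeps working without weakening whatever cipher protects the data itself.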