SOURCE: PerspecSys


April 23, 2014 09:00 ET

Tokenization and Data Residency: A Solution to a Global Cloud Adoption Problem

Perspecsys Discusses Key Cloud Security Issues Faced by World's Largest Corporations

MCLEAN, VA--(Marketwired - Apr 23, 2014) - The cloud makes things simple, but there are a lot of things that complicate the cloud. There is an increasingly complex web of regulations and laws being developed and altered as companies and governments around the globe grapple with cloud adoption and how to address data residency, data movement, sharing, surveillance, and threats.

Data Residency Laws

Countries such as Australia are among the many that have recently enacted regulations associated with data residency, or maintaining control over the location where regulated data and documents physically reside, and the European Union has similar legislation. In the case of the EU, violation of some of these new rules and putting sensitive data at risk could result in penalties as severe as two percent of company annual revenue.

"Companies have always tried to protect sensitive data, driven in part by the healthy fear of being the next breach victim, but the backlash is no longer just a loss of customer trust. New regulations are putting an actual price tag on not doing enough," said David Canellos, CEO of Perspecsys. "Companies need to know what information is being stored in the cloud in order to stay compliant with these new laws, as well as who can access the data and what would happen if it landed in the wrong hands."

When it comes to data residency (sometimes referred to as data sovereignty), these new laws are problematic for global or non-US-based enterprises as many cloud providers are located in the US. There are, of course, cases where the cloud service provider might have a local datacenter, but even then there is no guarantee that a company's data will not flow to back-up or secondary datacenters located in the US. But that is not the only issue hindering adoption, as a new report from Infosecurity Europe shows that in the wake of the Snowden controversy, 50 percent of information security professionals polled are either somewhat less likely or much less likely to trust US tech companies with sensitive information. So does that mean that companies cannot use the cloud if they are dealing with regulated or sensitive data? Not quite.

Gateways and Tokenization

A new class of products called Cloud Data Protection Gateways can be deployed by enterprises to keep sensitive data local and within full corporate control, even when adopting cloud services that may physically exist outside of the country. These gateways, using an underlying security technique known as tokenization, are unobtrusive ways to ensure data kept in the cloud remains both safe and compliant.

Tokenization is a process by which a sensitive data field, such as an account number or a national ID number, is replaced with a surrogate value called a token. While various approaches to creating tokens exist, the strongest forms use a method where the surrogate tokens have no mathematical relation to the original data field. Perspecsys developed an infographic explaining tokenization. Tokenization helps solve the data residency issue of storing data in a US-based cloud because it is not the data itself, but a meaningless string of numbers or letters (a token), that is processed and stored in the US-based cloud. Strong tokens cannot be reversed back to their original values without access to the "look-up" table that matches them up to their original values. These tables are typically kept in a "hardened" database in a secure location inside a company's firewall (or in a secure managed service provider's datacenter located in the company's home country), which keeps the original data within the country of origin.

Tokenization differs significantly from encryption, as there is no cipher algorithm to mathematically transform sensitive data's surrogate value back to its original value. So while encryption clearly can be used to conceal a value, a mathematical link back to its true form still exists. Tokenization is unique in that it completely removes the original data from the systems in which the tokens reside. And when tokenization is deployed within a cloud data protection gateway, the end-user's experience with the cloud application is kept intact - they can still complete important functions like searching or running reports on data, even if it has been tokenized. 
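The look-up-table scheme described in the two paragraphs above, sketched as an added example (not Perspecsys code). The `TokenVault` class, the field names, and the sample records are hypothetical, an in-memory dict stands in for the hardened in-country database, and reusing one token per value so that equality search still works is an assumed design choice.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
SENSITIVE = {"national_id"}  # fields the gateway replaces (constructed)


class TokenVault:
    """Hypothetical in-country vault; a dict stands in for the hardened DB."""

    def __init__(self, token_len=16):
        self._len = token_len
        self._by_value = {}  # original -> token
        self._by_token = {}  # token -> original (the "look-up" table)

    def tokenize(self, value):
        # Assumed design: a value seen before gets its existing token back,
        # so an equality search on the cloud side still matches.
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # Drawn from the OS CSPRNG; never computed from the value itself.
            token = "".join(secrets.choice(ALPHABET) for _ in range(self._len))
            if token not in self._by_token:  # retry on the rare collision
                break
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        # Unknown token -> KeyError: without a table entry there is no way back.
        return self._by_token[token]


def outbound(record, vault):
    # Gateway, outbound leg: swap sensitive fields before data leaves the network.
    return {k: vault.tokenize(v) if k in SENSITIVE else v for k, v in record.items()}


def inbound(record, vault):
    return {k: vault.detokenize(v) if k in SENSITIVE else v for k, v in record.items()}


def demo():
    vault = TokenVault()
    rows = [{"account": "A-1", "national_id": "AU-1234567"},  # constructed sample
            {"account": "A-2", "national_id": "AU-7654321"},
            {"account": "A-3", "national_id": "AU-1234567"}]
    cloud = [outbound(r, vault) for r in rows]  # all the cloud provider ever stores
    hits = [r for r in cloud if r["national_id"] == vault.tokenize("AU-1234567")]
    return cloud, [inbound(r, vault) for r in hits]
```

The one-token-per-value choice that keeps search working also lets anyone holding the cloud copy see which records share a value, so it suits fields where that equality leak is acceptable.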

"The reason why everyone turns to the cloud is its usability, so it has been a challenge for IT professionals to keep what makes the cloud attractive without sacrificing security or compliance," continued Canellos. "There are strong, but straight-forward, techniques such as tokenization available to not only remove these barriers to adoption, but also comply with increasingly strict data residency and sovereignty requirements. This can all be done without affecting the productivity and ease of use of public clouds, the very things that have drawn us to them in the first place."


About Perspecsys
Perspecsys Inc. is a leading provider of cloud data control solutions that enable mission critical cloud applications to be adopted throughout the enterprise. Perspecsys gives organizations the ability to understand how employees are using cloud applications and take the necessary steps to protect sensitive information before it leaves the network. By removing the technical, legal and financial risks of placing sensitive data in the cloud, Perspecsys makes the public cloud private. Based in Toronto, Perspecsys Inc. is a privately held company backed by investors, including Intel Capital, Paladin Capital and Ascent Venture Partners. For more information please visit and follow us on Twitter @Perspecsys.