Salesforce.com Acquires SaaS Encryption Provider Navajo Systems

New encryption technology at Salesforce.com may ease customer concerns about data security in the cloud.

The software as a service (SaaS) giant quietly acquired Navajo Systems, an Israeli cloud security encryption vendor earlier this month, Salesforce.com told eWEEK Aug. 26. The company will announce the acquisition and provide more details on its product plans next week at its Dreamforce conference in San Francisco, according to the company's spokesperson, Rochelle Garner.

There are also reports that Salesforce will announce another acquisition at Dreamforce, of Assistly, which makes an application to add social media tools to customer communications. Assistly lets organizations interact with customers via Twitter, Facebook, email and other media via a single pane. "Salesforce.com doesn’t comment on rumor or speculation," Garner told eWEEK.

Customers are increasingly wary of storing corporate data in the cloud and expect certain guarantees that the data will be safe and protected when it is accessed, according to Jeff Hudson, CEO of Venafi, a company that provides an automated way to manage encryption keys. For many organizations, concerns about whether the data would be stored securely may be a barrier to cloud adoption.

Recent studies have shown that while organizations see the benefits of using cloud applications, they remain very concerned about protecting privacy and preventing data breaches or loss.

"Salesforce understands that," Hudson told eWEEK, adding that "encrypting data has become the de facto standard" for addressing customer concerns.

Founded in 2009, Navajo Systems was one of the application vendors for Salesforce to provide encryption services for customers. The Virtual Private SaaS (VPS) technology has been available as either a cloud service or an appliance sitting on the Salesforce customer's local or wide area network. All data going from the enterprise to the cloud application has been transparently encrypted by VPS before it even leaving the network. Users have been unaware of the process, and the sensitive corporate data has been unreadable on the cloud provider's servers.

Organizations that didn't want Salesforce to handle data security could use Navajo Systems, instead. With VPS, the customer retained full control and was solely responsible for its data security as the enterprise held all the encryption keys. Even if VPS was used as a cloud service, the customer had exclusive VPN access to secure its keys.

"This acquisition has the promise of providing greater customer assurance that the data in Salesforce is effectively 'guaranteed' safe," Hudson said.

Salesforce's Garner did not discuss any details of how the products will be integrated, and Navajo Systems did not respond to queries. All the pages on the Website have been have been taken down, and the site now displays a simple message: "Navajo Systems has decided to pursue a different strategy." It's unknown whether customers have been notified or how the acquisition will affect existing partnerships, such as with IBM. Navajo Systems has supported Smart business Development and Test on the IBM Cloud since March 2010.

It's also unclear if Salesforce will continue working with other SaaS encryption providers.

The acquisition would help Salesforce go after customers concerned about compliance and regulatory rules. With encryption technology integrated into its service, customers can now "check the box and say my data is encrypted at Salesforce," John Pescatore, vice president and distinguished analyst at Gartner, told Dark Reading earlier this week.

It's not enough to have data encrypted before leaving the organization. It's also critical that the encryption keys be stored and managed properly, Hudson said. It's important to track keys so that they don't get lost or misplaced when employees leave the company. If the key is lost, the encrypted data can no longer be accessed. The more an organization relies on encryption, the more important key management becomes, according to Hudson.

"At the end of the day, the encrypted data remains unsafe if the keys to unlock it are not well managed," Hudson said.