IBM Patents New Cloud Security Mechanism
IBM announced that its researchers have developed a new technique for protecting sensitive data prior to transmitting it to the cloud.
Big Blue's patented invention will overcome barriers to client adoption of cloud computing solutions by ensuring that private or proprietary information is secured before transferring it for processing by cloud computing services.
The new IBM security invention addresses cloud computing apprehensions by helping users protect confidential and private information in the cloud. This can help businesses meet regulatory requirements regarding the handling of sensitive client data. IBM received U.S. Patent #8,539,597: "Securing sensitive data for cloud computing" for the invention.
"Patents like this help to solve real-world security challenges that are inhibiting cloud computing growth," said Josyula Rao, IBM's director of security research, in a statement. "IBM's investment in research and development is producing innovations that will advance the company's cloud computing and security leadership."
IBM is no stranger to security innovations. The company provides the security intelligence to help organizations protect their people, data, applications and infrastructure. Moreover, IBM operates one of the world's broadest security research and development organizations. IBM manages and monitors 15 billion security events every day for nearly 4,000 clients around the world and holds more than 3,000 security patents.
Maintaining the privacy and security of sensitive data is frequently cited as one of the main reasons for client anxiety about cloud computing. Consequently, protecting vulnerable data from unintended exposure is a prerequisite for cloud service providers.
IBM's invention helps overcome security concerns by redacting, removing or replacing sensitive data from records that are being sent to the cloud for processing. It then restores the sensitive data when the records are returned from the cloud.
IBM's patented cloud technique enables clients to use cloud-based services without risking the release of sensitive data into cloud environments, alleviating security and privacy concerns due to information disclosure or attribution.
Unlike traditional data masking methods that use a gateway or reverse HTML proxy to encrypt or tokenize, this new IBM-designed method includes metadata describing what type of data redaction must occur for specific fields of a record. Types of redaction include tokenization, two-way hashing and exclusion.
IBM officials note that in this case, the application dynamically sends these instructions to a redactor that performs the operations described by the metadata, including maintaining stateful or previous information, such as the token mappings that may be needed later to reconstitute redacted fields. This is comparable to a coat-check attendant remembering which jacket belongs to which individual.
The redacted record is then sent to the cloud for processing. Next, the cloud processor returns the processed record, with any additional data or result, to the redactor, which restores the record using the previously retained state so it can be stored in the sensitive data store, IBM said.
According to the abstract for the patent, the invention is described as:
"A system and associated method for securing sensitive data in a cloud computing environment. A customer system has proprietary data as a record stored in a database. The customer system associates a hashing directive with the record prior to sending the data out to a cloud for computing services. The hashing directive classifies each data field of the record into sensitive and transactional. The hashing directive controls a mode of hashing, either one-way hashing or two-way hashing for each sensitive data field associated with the hashing directive. A cloud receives the record secured according to the hashing directive and processes the record to generate a result value for a cloud process result field of the record. The customer system reconstitutes the record according to the mode of hashing indicated in the hashing directive."
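To make the redact-process-reconstitute flow described in the article and the abstract concrete, here is an added Python example written for this page; it is not IBM's implementation and nothing in it comes from the patent itself. It models a per-field directive with transactional, one-way, two-way and exclude modes, a customer-side redactor that holds the token map and the stashed originals, a simulated cloud service that only ever sees the redacted batch, and the reconstitution step. The directive format, the field names, the sample records, the `tok_` token prefix and the choice of a keyed HMAC for one-way hashing are all assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Per-field directive (hypothetical format, not the patent's own):
#   transactional - the cloud needs it in the clear to do its work
#   one_way       - keyed hash: consistent, irreversible; restored from local copy
#   two_way       - random token, reversible only via the redactor's own map
#   exclude       - stripped before sending, stashed locally, restored on return
DIRECTIVE = {
    "record_id": "transactional",
    "amount": "transactional",
    "customer_name": "two_way",
    "national_id": "one_way",
    "notes": "exclude",
}

# Constructed sample batch standing in for the customer-side sensitive data store.
SAMPLE_RECORDS = [
    {"record_id": 1, "amount": 100.0, "customer_name": "Ada Lovelace",
     "national_id": "AB123456C", "notes": "VIP, call before invoicing"},
    {"record_id": 2, "amount": 40.0, "customer_name": "Ada Lovelace",
     "national_id": "AB123456C", "notes": "second order"},
    {"record_id": 3, "amount": 75.5, "customer_name": "Grace Hopper",
     "national_id": "ZX987654A", "notes": "net-30 terms"},
]


class Redactor:
    """Customer-side component; the only place where tokens and originals meet."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._token_to_value = {}   # two-way: token -> original value
        self._value_to_token = {}   # two-way: original -> token, so tokens stay stable
        self._stash = {}            # record_id -> {field: original} for one_way/exclude

    def _one_way(self, value):
        # Keyed hash rather than bare SHA-256, so the cloud cannot match low-entropy
        # values (IDs, names) against a precomputed dictionary.
        return hmac.new(self._key, str(value).encode(), hashlib.sha256).hexdigest()

    def _two_way(self, value):
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)   # assumed token format
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def redact(self, record, directive=DIRECTIVE):
        outgoing, stash = {}, {}
        for field, value in record.items():
            mode = directive.get(field, "exclude")   # unlisted fields never leave
            if mode == "transactional":
                outgoing[field] = value
            elif mode == "one_way":
                stash[field] = value
                outgoing[field] = self._one_way(value)
            elif mode == "two_way":
                outgoing[field] = self._two_way(value)
            elif mode == "exclude":
                stash[field] = value
            else:
                raise ValueError(f"unknown mode {mode!r} for field {field!r}")
        self._stash[record["record_id"]] = stash
        return outgoing

    def reconstitute(self, processed):
        restored = dict(processed)
        for field, value in processed.items():
            if isinstance(value, str) and value in self._token_to_value:
                restored[field] = self._token_to_value[value]   # two-way: invert token
        restored.update(self._stash.pop(processed["record_id"], {}))  # one_way/exclude
        return restored


def cloud_process(batch):
    """Simulated untrusted cloud service: it sees only the redacted batch, yet the
    stable two-way tokens still let it group records per customer."""
    per_customer = {}
    for rec in batch:
        per_customer[rec["customer_name"]] = per_customer.get(rec["customer_name"], 0) + rec["amount"]
    return [dict(rec, customer_total=per_customer[rec["customer_name"]]) for rec in batch]


def run_pipeline(records=SAMPLE_RECORDS, key=b"constructed-demo-key"):
    redactor = Redactor(key)
    redacted = [redactor.redact(r) for r in records]   # what actually leaves the customer
    processed = cloud_process(redacted)
    restored = [redactor.reconstitute(p) for p in processed]
    return redacted, restored


def leaked_fields(records, redacted, directive=DIRECTIVE):
    """Defender's check: which non-transactional values still appear verbatim in what was sent?"""
    leaks = []
    for original, sent in zip(records, redacted):
        for field, value in original.items():
            if directive.get(field, "exclude") != "transactional" and value in sent.values():
                leaks.append((original["record_id"], field))
    return leaks


if __name__ == "__main__":
    sent, back = run_pipeline()
    print("sent to cloud:", sent[0])
    print("reconstituted:", back[0])
    print("leaks:", leaked_fields(SAMPLE_RECORDS, sent))
```

The point worth noticing is the asymmetry between the two hashing modes: a two-way token can be inverted by the redactor alone, even for rows the cloud created that only carry the token, while a one-way hash is never inverted and the original comes back only because the redactor kept a local copy keyed by the transactional `record_id`. That record id is therefore the one field that must always travel in the clear.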