The document discusses the need for a paradigm shift in how organizations approach data security and protection given evolving threats. It introduces CloudMask, a solution that focuses on data-centric auditing and protection through masking data at the point of creation so that only meaningless masked data moves through applications and networks. CloudMask implements a zero trust model and centralized policy control to ensure data is only accessed based on need-to-know and pre-defined user roles. It provides end-to-end auditing of data from creation to consumption.

1. Renewed Context for the Defense and Security Sector
White Paper

2. ii RENEWED CONTEXT FOR THE DEFENSE AND SECURITY SECTOR
Renewed Context for the Defense and Security Sector
The risks facing the defense and security sector around the world are increasingly diverse.
Developments in technology and science, demographic trends and the changing character of conflict
makes achieving required levels of security more complex. In many cases, adversaries have access to
better skills and tools than the rest of us.
The evolving threat environment requires improved agility and responsiveness. Current systems of
innovation are dispersed and globalized, so accessing external capacity and solutions wherever
these can be found is crucial to success. Client requirements need to be met by focusing on strategic
outcomes and increasing collaboration with allies and partners.
Recent words of the Director General of MI5 serve as a timely warning: “My sharpest concern is
the growing gap between the increasingly challenging threat and the decreasing availability of
capabilities to address it.”
The questions that need to be asked are -
How can we close the growing gap between our capabilities and the threats we face?
How can we improve our capability to utilize the latest technology, while protecting our
information assets and being agile?
We need a paradigm shift!
With the increase in state sponsored and
organized cybercrime attacks, data protection
takes center stage. Organizations are moving
from legacy applications to those that store and
manipulate data in a hybrid environment. While
this is inescapable, the growing requirement for
secure collaboration across multiple jurisdictions
adds security challenges.
Previously, IT security specialists focused on
protecting the boundaries of their networks to
ensure strong perimeter security. This mindset
led to strong firewalls, tight access control
mechanisms, intrusion detection and prevention.
Times have changed; today our adversaries
have greater capabilities, boundaries are not
preventing them from reaching our data. At the
same time, our data is no longer confined to the
network where it can be protected.
It is no longer enough to rely on perimeter
security alone. Businesses need a more dynamic
technique that follows data throughout its
lifecycle from creation, in transit, storage and to
the point of consumption.
“My sharpest concern as
Director General of the MI5 is
the growing gap between the
increasingly challenging threat
and the decreasing availability of
capabilities to address it.”
Andrew Parker, Director General of UK MI5 – January 2015
The new paradigm is about Data Centric
Auditing and Protection (DCAP) which focuses
on protecting data, not the access to the data.
We implement a ‘need to know’ security
paradigm based on a zero trust model, to
ensure that even if the wrong person gets access
to the data, he is unable to use it.
The Paradigm Shift - Data Centric Auditing and Protection (DCAP)

3. iii RENEWED CONTEXT FOR THE DEFENSE AND SECURITY SECTOR
CloudMask Solution
CloudMask is your data’s last line of defense.
Our aim is to ensure data protection under
breach: ‘an infraction or violation of trust, faith,
or promise’. A breach can take place as a result
of the action of your employees, customers,
partners, hackers and even the government.
Accordingly, CloudMask’s focus is to protect
data throughout its lifecycle from creation to
consumption.
The technology transparently intercepts private
data at the point of creation on the end-user’s
device. The application using that data receives
valid but meaningless masked data, instead of
the original private data. Masked data passes
through the application without impacting it’s
functionality.
CloudMask detects and protects private data
according to configured security policies,
adapting to various cloud applications and
executing company-defined rules and policies.
The administration tool allows users to define
new applications and configure rules. As such,
CloudMask delivers a common solution that
works across applications, whether they are in-
house, commercial, on-premise or public-cloud
based.
CloudMask Components
ZERO TRUST:
Data visibility is granted on a need-to-know basis.
No implicit trust in any organization or vendor
infrastructure.
POLICY CONTROL:
Centralized management across data,
applications, users and devices. Enforce policies
and support auditing and monitoring of security
events.
DATA MASKING:
Meaningful data never leaves the end-user
device. Only masked data, which does not
disclose any private information, moves to the
application.
AUDITING AND REPORTING:
End-to-end reporting and data auditing is
used from the point of creation to the point of
consumption, in transit, processing and storage.
CloudMask secures data in a granular manner
and provides access to authorized users.
Access is based on pre-defined user roles and
the context within which the protection is to be
provided.
CloudMask understands these issues completely.
Our solutions are granular and take user
privileges into account, while ensuring that
application functionality is not impaired in any
way.
ZERO
TRUST
MASKING
DATA
POLICY
CONTROL02
01
03
04
AUDITING AND REPORTING
The CloudMask approach to data protection involves four key concepts:

4. About CloudMask
CloudMask Security Certification
CloudMask security is certified on two levels:
The Federal Information Processing
Standard (FIPS) Publication 140-2, is a U.S.
government computer security standard used
to accredit cryptographic modules. FIPS 140-
2 is published by the US National Institute of
Standards and Technology (NIST). CloudMask
uses different crypto engines. All are FIPS 140-2
compliant and certified.
The Common Criteria for Information
Technology Security Evaluation (abbreviated as
Common Criteria or CC) is the only international
standard (ISO/IEC 15408) for computer security
certification. CloudMask has been approved for
the Common Criteria that is managed by the
Canadian Communications Security Establishment
(CSE), Canada’s national cryptologic agency.
For more information, visit www.cloudmask.com or for
CloudMask videos see www.vimeo.com/cloudmask
Copyright© CloudMask 2015
Winner of the Canadian Innovation Commercialization Program (CICP), CloudMask is
the last line of defense, protecting data in the cloud and on premise even in the event
of a total breach. CloudMask’s solution is based on a zero trust model and works
on the premise that no one can be trusted with data - including cloud administrators,
governments, employees and even company IT administrators. CloudMask can
track, protect and control access of data throughout its lifecycle - from creation,
in transit, storage and processing to the point of consumption - enabling
businesses to meet data residency and privacy regulations. Eliminating the
need for special encryption gateways or VPNs simplifies the deployment
process and achieves zero deployment cost, minimizing time to implement.
CloudMask is accepted to the Common Criteria Certification to meet the
security certification required to operate with governments in 26 countries.