Privacy in Public: How Organizations Can Securely Manage Sensitive Assets in the Cloud
November 25, 2011
Keith Hale, Director Northern EMEA, SafeNet, Inc. | www.safenet-inc.com
#1 Inhibitor to Cloud Adoption is SECURITY
• “…Worldwide demand for cloud computing services will reach $222.5 billion by the year 2015.” —Global Industry Analysts
• “IDC predicts public cloud computing services alone will grow to $72.9 billion in 2015, up from $21.5 billion in 2010.” —CIO.com
Cloud Security Challenges
• User ID and Access: Secure Authentication, Authorization, Logging
• Data Co-Mingling: Multi-tenant data mixing, leakage, ownership
• Application Vulnerabilities: Exposed vulnerabilities and response
• Insecure Application APIs: Application injection and tampering
• Data Leakage: Isolating data
• Platform Vulnerabilities: Exposed vulnerabilities and response
• Insecure Platform APIs: Instance manipulation and tampering
• Data Location/Residency: Geographic regulatory requirements
• Hypervisor Vulnerabilities: Virtualization vulnerabilities
• Data Retention: Secure deletion of data
• Application & Service Hijacking: Malicious application usage
• Privileged Users: Super-user abuse
• Service Outage: Availability
• Malicious Insider: Reconnaissance, manipulation, tampering
• Logging & Forensics: Incident response, liability limitation
• Perimeter/Network Security: Secure isolation and access
• Physical Security: Direct tampering and theft
• Fundamental Trust & Liability Issues: data exposure in multi-tenancy; separation of duties; transfer of liability by cloud providers to data owners
• Fundamental New Cloud Risks: new hypervisor technologies; redefine trust and attestation
• Regulatory Uncertainty in the Cloud: regulations likely to require strong controls in the cloud
Data Mandates Extend to The Cloud. Period.
• Externally Mandated: governmental, regional, industry trade groups; defines penalties and best-practices; increasingly force uncomfortable public disclosures
• Internally Mandated: core intellectual property; safe harbor risk mitigation; insider abuse concerns; crusader abuse (WikiLeaks)
• Overlapping Mandates: globalization of business; international nature of Internet; nearly a guarantee
Key Considerations for Adopting Cloud
• What worked for the data center doesn’t necessarily translate into the Cloud
• Re-evaluate your security framework and architectures
Private Cloud vs Public Cloud
(Figure: security scale from Private to Public, graded Low Danger, Risky, Pretty Risky, Very Risky, High Danger)
• Private: Secure Management; Hypervisor choice; Self-service Provisioning; Centralized Policies; CapEx
• Public: Cloud Provider Owns Infrastructure; Burst to Cloud On-demand; Elastic, Pay-as-You-Go; Utility Pricing; OpEx
The Cloud Changes All Security Assumptions: the perimeter-based security model dissolves
• Data Protection Assumed a Fixed Perimeter: organization owns physical access; organization owns OS stack; organization owns application stack
• Traditional Security Controls Centered Around Perimeter Fortification: established standards for process and physical controls; controlled perimeter VLANs, firewalls, IPS for OS stack; controlled patch management, code review, host security for application stack
• BUT the Perimeter Does Not Exist in the Cloud: physical, switch fabric, OS, application stack, etc. are owned by the cloud provider; application and data created and deleted dynamically; no visibility in cloud security controls; no standards of due care for cloud providers
(Figure: IaaS, PaaS and SaaS stacks sitting on Cloud Owned Infrastructure)
Driving Clarity in Shared Responsibility: IaaS draws a clean and clear line of demarcation
(Figure: the stack from Power & HVAC, Hardware & Networking, Abstraction Layer & Hypervisor and Virtualization APIs up through Data Engine & Platform APIs, Middleware, Application Engine and Application Presentation & APIs, split between “IaaS Responsibility” and “Your Responsibility” for Infrastructure as a Service, Platform as a Service and Software as a Service; axes: Architecture, Service, Security)
Using the uniqueness of IaaS to focus PCI efforts: Focusing on the Right Issues
• Some new controls may be needed: close look at Section 3.4
• Some controls remain the same, including: PCI Scan & Report (pen-test, web scanning, etc.); Authentication/Authorization (MFA, IAM integration, entitlement management); Vulnerability Management (code review/scan, developer ed., QA, etc.); App/DB/File Data Protection (App/DB/File encryption, DAM/FAM, process, etc.); Patch Management (patch process, news lists, patch management); Telemetry & Reporting
• Isolation and Control Area: centered around demarcation and the associated trust boundary (Instance Authentication/Authorization, Instance Isolation)
Emergence of Encryption as a Unifying Cloud Security Control
• “Strong encryption with key management is one of the core mechanisms that Cloud Computing systems should use to protect data. While encryption itself doesn’t necessarily prevent data loss, safe harbor provisions in laws and regulations treat lost encrypted data as not lost at all. The encryption provides resource protection while key management enables access to protected resources.” - Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing”
• Encryption is a fundamental technology for realizing cloud security: isolates data in multi-tenant environments; recognized universally by analysts and experts as the underlying control for cloud data; sets a high-water mark for demonstrating regulatory compliance adherence for data
• Moves from data center tactic to cloud strategic solution: in the data center, physical controls, underlying trust in processes, and isolation mitigated some use of encryption; those mitigating trust factors don’t exist in the cloud.
• “Companies are looking to protect data in the cloud through encryption keys and robust key management. This enables companies to secure data from breaches as well as prevent the cloud provider from accessing the information if they decide to end their relationship with the cloud provider.” - Frost and Sullivan, Michael Suby
• “Encryption is one of the best ways to secure corporate data in the cloud, but it has to be encryption that the company controls.” - Forrester Research, Jonathan Penn
Examples of Cloud Use Cases
1. Strong Authentication for SaaS Applications
2. Protecting Customer Data in the Cloud
3. Taking Cloud-based Data Out of Compliance Scope
USE CASE #1 Authentication manager
Business Challenges
• Security! Critical business info is now outside the data center but is protected only with a username and password
• Management Headaches! IT has to manage provisioning and access controls for on-premise and SaaS applications
• Usability! Employees need to remember multiple credentials to access several applications
Deployment: Extend Secure Access to the Cloud with an Authentication Manager and achieve:
• Security: secure access for on-premise and SaaS applications
• IT Friendly: centrally manage all secure access from one authentication server
• Employee Friendly: provide easy logon for employees with SSO
(Figure: the user authenticates to the Authentication Manager using the enterprise identity and is granted access to cloud/SaaS applications such as Salesforce.com and Google Apps)
Business Challenges
(Figure: companies moving data, applications and customer information from Private through Hybrid to Public cloud)
• But it needs to stay safe!
Possible Deployment Scenario
• Deploy Encryption device on-premise in the traditional datacenter.
• Deploy DB encryption connector and Application encryption connector in the cloud.
• Customers get the same level of security in the cloud and the data remains compliant.
(Figure: Encryption device on-premise; App Connector and DB Connector beside the Application and Database in the cloud, with local crypto and key caching)
Business Challenges
• Organizations have to show compliance even if their data is in the cloud.
• Many cloud-based applications just store sensitive information but don’t process it.
• Encryption is one option for protecting sensitive data, but it keeps the servers handling that data within compliance scope.
• How can organizations capitalize on the business benefits of cloud-based deployment and take the applications that just store information out of scope?
Tokenization
• Replacement of sensitive data with data of a similar size that is not sensitive (a “token”)
• 1-to-1 mapping of tokens to sensitive data
• Customization of token formats
Benefits
• Systems with tokens are taken out of scope of compliance audits such as PCI
• Data protection is “transparent” – no changes to database tables or file layouts
• No application changes for systems that don’t deal with the original data
(Figure: an Application in the Protected Zone exchanges a card number and its token, shown as 1234 5678 9123 4567 and 7654 3219 8765 4321, through the DataSecure Token Servers, with the mapping held in the Vault)
Possible Deployment Scenario
• Deploy Encryption device and the token vault on-premise in the traditional datacenter.
• Deploy Tokenization Service in the cloud or on-premise to serve tokenization requests.
• Virtual application servers and databases serving business needs remain in the cloud.
(Figure: Encryption device on-premise)
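An added example, not SafeNet code and not from this deck, of the properties the Tokenization slide lists and the vault/service split of the deployment scenario above: a 1-to-1 mapping, same-size tokens that keep the card's format (here the spacing and the last four digits), and detokenization possible only through the vault. The index key and card numbers are constructed; the vault is assumed to sit on-premise behind the encryption device, which this snippet does not model.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check over a digit string. Tokens are generated to FAIL it,
    so a token can never be mistaken for (or misused as) a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-backed tokenization: each sensitive value maps 1-to-1 to a
    random token of the same size and layout. Only the vault can reverse
    the mapping, so systems that hold tokens alone hold no card data."""

    def __init__(self, index_key: bytes, keep_last: int = 4):
        self.index_key = index_key   # constructed; keys the lookup index so the
        self.keep_last = keep_last   # vault never indexes on the clear PAN
        self.by_fingerprint = {}     # HMAC(value) -> token
        self.by_token = {}           # token -> value (assumed encrypted at rest)

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self.index_key, value.encode(), hashlib.sha256).hexdigest()

    def _make_token(self, value: str) -> str:
        digit_pos = [i for i, c in enumerate(value) if c.isdigit()]
        replaceable = set(digit_pos[:-self.keep_last]) if self.keep_last else set(digit_pos)
        while True:                  # non-digit characters (spaces) are kept in place
            token = "".join(secrets.choice("0123456789") if i in replaceable else c
                            for i, c in enumerate(value))
            digits = "".join(c for c in token if c.isdigit())
            if token != value and token not in self.by_token and not luhn_valid(digits):
                return token

    def tokenize(self, value: str) -> str:
        fp = self._fingerprint(value)
        if fp not in self.by_fingerprint:          # same input always yields the same token
            token = self._make_token(value)
            self.by_fingerprint[fp] = token
            self.by_token[token] = value
        return self.by_fingerprint[fp]

    def detokenize(self, token: str) -> str:
        return self.by_token[token]                # KeyError for an unknown token
```

Applications outside the protected zone call only tokenize() over the service interface and store the result; detokenize() is reachable only from the zone that holds the vault.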
The Problem of Protecting Cloud Data: unique challenges to protecting data
• Virtual Instances: entire servers, applications, databases, etc. virtualized; unsecured container of sensitive data; susceptible to unlimited copying; exposed to uncontrolled brute force attacks
• Data in the Cloud
  • Isolation: will live in multi-tenant environments
  • Ownership: will be highly mobile/copyable and exposed to co-resident lawful order surrender
  • Privileged users: will be exposed to cloud admins
• Virtual Storage: data leakage exposure to physical and logical storage breach; accessible to cloud administrators; risk of data disclosure from misconfiguration or unanticipated changes in privacy terms; cloud offered encryption suffers from separation of duties and audit-level encryption problems
ProtectV – Protection of data in the cloud: managing ProtectV instances across the cloud
(Figure: Centralized Management through Cloud APIs and Web Services, Authentication Automation and Bulk operations)
• SafeNet ProtectV Manager: provides centralized management; supports either customer premise or cloud deployments; manages and coordinates ProtectV Security; open APIs to cloud management
• SafeNet KeySecure (on premise): centralizes key management for persistence and flexibility; secure key creation and storage; key archiving and shredding; easy integration with ProtectV Manager
SafeNet Data Protection Product Portfolio
• Strong Authentication: offering the broadest range of authenticators, from smart cards and tokens to mobile phone auth—all managed from a single platform
• HSM: offering the most secure, and easiest to integrate, technology for securing PKI identities and transactions
• Data Encryption and Control: SafeNet’s DataSecure, a universal platform delivering intelligent data protection and control for information assets
• High-Speed Network Encryption: SafeNet high-speed network encryptors combine the highest performance with a unified management platform
Questions?
November 25, 2011
Keith Hale, Director Northern EMEA, SafeNet, Inc. | www.safenet-inc.com