1. Cloud Compliance 101: No PhD Required
Cloud Computing Forces the Data Governance Issue
Mike Smart, Solutions Marketing Director, SafeNet
Mike.Smart@safenet-inc.com | Twitter: @rmsmart007
June 2011
2. Agenda
• Cloud Adoption – on the move…
• What the Regulations Say (or Don’t)
• The Compliance Problem
• Solving the Problem
• Bringing Predictive Focus
• Questions and Answers
3. Cloud delivery models – all at once!
Traditional Data Center → Virtualized Enterprise → Private Cloud → Public Cloud → Community & Hybrid Clouds
5. Market Growth in Cloud Computing
Over 60% of enterprises plan to evaluate or pilot some type of cloud-enabled offerings within the next 18 months. However, enterprises continue to delay cloud adoption due to concerns surrounding data security, privacy and compliance. (Gartner Hype Cycle for Cloud Computing, 2010, David Mitchell Smith, July 27, 2010)
Server revenue in the public cloud category will grow from $582 million in 2009 to $718 million in 2014; server revenue for the private cloud market will grow from $7.3 billion to $11.8 billion. (IDC, May 2010)
SMB spending on cloud computing will approach $100 billion by 2014. (AMI Partners, August 2010)
6. EMEA & Cloud – Growth Starting 2011…
[Charts: cloud growth by region (USA, EMEA, Americas, Europe, APAC); source: 451Group]
7. UK’s Cloud Guidance & Governance
Government ICT Strategy - March 2011
http://www.cabinetoffice.gov.uk/content/government-ict-strategy
Cloud direction set…
2. The government Cloud (g-Cloud) - Rationalizing the government ICT estate, using cloud computing to increase capability and security, reduce costs and accelerate deployment speeds.
3. The Data Centre Strategy - Rationalizing data centres to reduce costs while increasing resilience and capability.
4. The government applications Store (g-aS) - Enabling faster procurement, greater innovation, higher speed to deliver outcomes and reduced costs.
5. Shared services, moving systems to the government Cloud - Continually moving to shared services delivered through the government Cloud for common activities.
Cloud Computing Security – December 2010
“It is good practice to encrypt the data prior to it being transferred to the online services company. This should render the data useless to any hackers and snoopers without the key, regardless of the jurisdiction it is in or who is processing it. Modern techniques increasingly allow processing operations to be carried out whilst maintaining the security and integrity of the data.”
8. Trust is THE issue!
IT Security is stopping projects. Compliance/Audit has tons of questions. Cloud growth IS being limited. All the birds are dead.
IT Security Group: “The cloud isn’t secure. I don’t trust providers. I don’t know how to secure that thing!”
Compliance/Audit Group: “Show me your security. Prove compliance in clouds. Convince me!”
9. Cloud Security Challenges
• User ID and Access: Secure authentication, authorization, logging
• Data Co-Mingling: Multi-tenant data mixing, leakage, ownership
• Application Vulnerabilities: Exposed vulnerabilities and response
• Insecure Application APIs: Application injection and tampering
• Data Leakage: Isolating data
• Platform Vulnerabilities: Exposed vulnerabilities and response
• Insecure Platform APIs: Instance manipulation and tampering
• Data Location/Residency: Geographic regulatory requirements
• Hypervisor Vulnerabilities: Virtualization vulnerabilities
• Data Retention: Secure deletion of data
• Application & Service Hijacking: Malicious application usage
• Privileged Users: Super-user abuse
• Service Outage: Availability
• Malicious Insider: Reconnaissance, manipulation, tampering
• Logging & Forensics: Incident response, liability limitation
• Perimeter/Network Security: Secure isolation and access
• Physical Security: Direct tampering and theft
Fundamental Trust & Liability Issues
• Data exposure in multi-tenant environments
• Separation of duties from cloud provider insiders
• Transfer of liability by cloud providers to data owners
Fundamental New Cloud Risks
• New hypervisor technologies and architectures
• Redefine trust and attestation in cloud environments
Regulatory Uncertainty in the Cloud
• Regulations likely to require strong controls in the cloud
10. Trust & Hypervisors Challenge Us to Do Better
And encryption hits trust and isolation head-on
Established control areas and the tools already used for them:
• Scan & Report: Pen-test, web scanning, etc.
• Authentication/Authorization: MFA, IAM integration, entitlement management
• Vulnerability Management: Code review/scan, newslists, developer education, QA, etc.
• App/DB/File Data Protection: App/DB/file encryption, DAM/FAM, process, etc.
• Patch Management: Patch process, newslists, patch management
• Telemetry & Reporting
• Network Security: VLANs, firewalls, IPS, NAC, etc.
• Physical Security
Assessment and attestation frameworks alongside them: CSA Controls Matrix / Assessment Questions, CloudAudit, SAS 70, ISO 27001.
New technology ground (the gap between the established controls and the cloud):
• Instance Authentication/Authorization
• Instance Isolation
• Hypervisor Vulnerability Management
• Etc.
• Centered around hypervisors, or the associated trust boundary
• Encryption is the single greatest way to address isolation/trust
• Will also include building controls into CSP/hypervisor tools
12. The Truth - You Are On Your Own for Now
Bad News: Confusing Regulatory Landscape
• Shared responsibility model, but the demarcation is gray
• SAS 70 inadequate for common use in evaluating cloud providers
• Formal transfer of liability highly likely to be written into your cloud contract
• You will have to have a detailed architecture and API conversation to assess your responsibility
Good News: Everyone Is Trying to Solve the Problem
• XaaS providers know this and are working hard to alleviate it
• Cloud Security Alliance has a mapping document
13. So where do we go from here???
Focus on First Principles
• Spirit and intent of regulations
• Thoughtful data handling
Sprinkled with the “New” Cloud Issues
• These are where regulations will focus
• They will be around the new areas we discussed before:
  • Trust and Ownership
  • Hypervisors
  • Disclosure and Visibility
14. First Principles and Cloud Challenges
Principle | Challenge areas marked (of Disclosure/Visibility, Trust/Ownership, Hypervisor) | Issues
Limit use of <sensitive data> | X | Big issue in SaaS; for the most part in your control in IaaS and PaaS
Use secure development practices | X | Issue in SaaS and PaaS
Control access to <sensitive data> | X X X | Issues in all cases: user identification, authorization rights, privileged cloud users
Encrypt <sensitive data> in transit | X X | Most likely already addressed, but customer-to-cloud and intra-cloud communication can be an issue
Optional <sensitive data> encryption at rest | X X | Huge issue for data sitting in the cloud, across all platforms
Keep <sensitive data> confidential | X X X | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud
Keep the integrity of <sensitive data> | X X X | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud
Enforce separation of duties for <sensitive data> access and administration | X X X | Fundamental issue of cloud employee and cloud administrator access. Extends to both physical and logical security. Invokes separation-of-duties issues around all controls
Report and audit your controls | X | Can you prove it to your auditor?
15. Emergence of Encryption as a Unifying Cloud Security Control
Encryption is a fundamental technology for realizing cloud security
• Isolates data in multi-tenant environments
• Recognized universally by analysts and experts as the underlying control for cloud data
• Sets a high-water mark for demonstrating regulatory compliance adherence for data
Moves from a data center tactic to a strategic cloud solution
• In the data center, physical controls, underlying trust in processes, and isolation reduced the need for encryption
• Those trust factors don’t exist in the cloud
16. How Encryption Solves Main Pain Points
Principle | Challenge areas marked (of Disclosure/Visibility, Trust/Ownership, Hypervisor) | Issues | How encryption helps
Limit use of <sensitive data> | X | Big issue in SaaS; for the most part in your control in IaaS and PaaS |
Use secure development practices | X | Issue in SaaS and PaaS |
Control access to <sensitive data> | X X X | Issues in all cases: user identification, authorization rights, privileged cloud users | Encryption adds an authentication and authorization layer: no key release, no data
Encrypt <sensitive data> in transit | X X | Most likely already addressed, but customer-to-cloud and intra-cloud communication can be an issue |
Optional <sensitive data> encryption at rest | X X | Huge issue for data sitting in the cloud, across all platforms | Encryption directly addresses many regulator requirements and shows a high standard of care
Keep <sensitive data> confidential | X X X | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud | Encryption fundamentally isolates your data from other tenants in a shared cloud environment and shields it from unauthorized data breach
Keep the integrity of <sensitive data> | X X X | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud | Authenticated encryption (e.g. AES-GCM, or encryption combined with a MAC) provides integrity controls; a confidentiality-only mode such as plain CBC or CTR does not detect tampering
Enforce separation of duties for <sensitive data> access and administration | X X X | Fundamental issue of cloud employee and cloud administrator access. Extends to both physical and logical security. Invokes separation-of-duties issues around all controls | Encryption can add an additional authentication and authorization layer for users and administrators. Customer-owned encryption definitively shows separation from the cloud
Report and audit your controls | X | Can you prove it to your auditor? | Encryption key ownership is tangible proof of data ownership. Encrypt/decrypt actions become easy log and audit proofs
17. Encryption - Additional Upside
“Lawful Order” to Cloud Provider for Data
Issue: A cloud provider may turn over your data when another tenant of the cloud is under criminal investigation. Your data is now viewable by law enforcement.
Resolution: Encrypted data is unreadable by law enforcement without the key. Law enforcement would have to work through legal channels, under which you have guaranteed rights, to get you to turn over the decryption keys.
Destruction of Cloud Data
Issue: Is data in the cloud ever destroyed? Are you sure?
Resolution: Encryption makes the data unusable in the cloud without the key. “Key shredding” (destroying every copy of the key) renders the encrypted cloud data effectively unrecoverable, wherever copies, snapshots or backups of the ciphertext remain.
Physical Location Issues of Cloud Data
Issue: Is cloud data now in new physical locations requiring new regulatory insight, or violating existing regulatory law?
Resolution: Encrypted data can be moved anywhere in the cloud, but controlled decryption under a proper key-release policy can define which localities may use the data.
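The three resolutions on this slide all reduce to the same mechanism: the customer holds the key, decides when and to whom it is released, and can destroy it. The Go program below is an added example, not SafeNet ProtectV or KeySecure code, and every name in it (KeyStore, Generate, Release, Shred, Seal, Open) and every sample value (region names, the tenant tag, the record) is hypothetical and constructed. It keeps keys in a customer-held store with a per-key list of permitted regions (the key-release policy), logs each grant or denial so the auditor has a trail, encrypts with AES-256-GCM so that tampering is detected (the integrity claim on the previous slide holds only for an authenticated mode like this one, not for CBC or CTR alone), and shreds a key so that ciphertext under it can no longer be recovered.

```go
// Added example, not SafeNet product code: a customer-held key store with a
// region-scoped release policy, AES-256-GCM and crypto-shredding. All names
// and sample values are hypothetical.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

type keyEntry struct {
	key     []byte          // customer-owned data-encryption key
	regions map[string]bool // localities permitted to obtain it
}

// KeyStore stands in for an on-premise key manager; Audit is its event log.
type KeyStore struct {
	keys  map[string]*keyEntry
	Audit []string
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string]*keyEntry{}} }

// Generate creates a random 256-bit key usable only from the given regions.
func (ks *KeyStore) Generate(id string, regions map[string]bool) error {
	e := &keyEntry{key: make([]byte, 32), regions: regions}
	if _, err := rand.Read(e.key); err != nil {
		return err
	}
	ks.keys[id] = e
	ks.Audit = append(ks.Audit, "generate "+id)
	return nil
}

// Release enforces the key-release policy: the key leaves the store only for a
// permitted region, and every grant or denial is logged for the auditor.
func (ks *KeyStore) Release(id, region string) ([]byte, error) {
	e, ok := ks.keys[id]
	if !ok || !e.regions[region] {
		ks.Audit = append(ks.Audit, "deny "+id+" to "+region)
		return nil, errors.New("key not released: unknown key or region not permitted")
	}
	ks.Audit = append(ks.Audit, "release "+id+" to "+region)
	return append([]byte(nil), e.key...), nil // hand out a copy, never the stored slice
}

// Shred zeroes and drops the key: ciphertext under it (snapshots and backups
// included) becomes unrecoverable, provided no copy of the key survives elsewhere.
func (ks *KeyStore) Shred(id string) {
	if e, ok := ks.keys[id]; ok {
		for i := range e.key {
			e.key[i] = 0
		}
		delete(ks.keys, id)
		ks.Audit = append(ks.Audit, "shred "+id)
	}
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM, an authenticated mode: the output
// (nonce || ciphertext || tag) is integrity-protected together with aad.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the tag (and that aad matches) before returning any plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

func main() {
	ks := NewKeyStore()
	_ = ks.Generate("db-key", map[string]bool{"eu-west": true})
	key, _ := ks.Release("db-key", "eu-west")
	blob, _ := Seal(key, []byte("card=4111111111111111"), []byte("tenant=acme")) // constructed record
	_, denied := ks.Release("db-key", "us-east") // policy: key never leaves for us-east
	ks.Shred("db-key")
	_, gone := ks.Release("db-key", "eu-west") // after shredding nobody gets the key
	fmt.Println(len(blob), "|", denied, "|", gone, "|", ks.Audit)
}
```

Two caveats the code makes visible: Release hands out a copy of the key, so shredding the store does not recall copies already released (a real key manager rotates and re-encrypts to close that window), and the "us-east" denial only holds if the ciphertext is useless without the key, which is why the data itself may sit in any region while the key stays under the policy.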
18. SafeNet Trusted Cloud Fabric
Maintaining Trust and Control in Virtualized Environments
19. SafeNet Offering – on AWS
With SafeNet ProtectV™ and Data Secure (server- and storage-based encryption, and application/database encryption), customers can now protect compliance-impacted data stored and used in cloud environments.
ProtectV™ Instance enables organizations to encrypt and secure the entire contents of virtual servers, protecting these assets from theft or exposure.
ProtectV™ Volume enables enterprises to secure entire virtual volumes in the cloud containing their data such as files or folders.
Data Secure with ProtectApp and ProtectDB enables enterprises to encrypt and prove control over data in applications hosted in the cloud.
Delivers:
• Data Isolation
• Separation of Duties
• Multi-tenant Protection
• Cloud Compliance
• Pre-Launch Authentication
21. SafeNet ProtectV in Amazon AWS!
#1 Select SafeNet AMIs
• EC2 and VPC
• 4 Public Images
• Windows 2003/2008, 32/64-bit
• Linux (April/May)
• (enable SSL port 443 access)
#2 Set Encryption Options
• RDP Local Management Console
• Encrypt Local Instance
• Encrypt Attached Storage Volumes
• Set Encryption Level (AES 256)
• Set Secure Pre-Launch Authentication
#3 Pre-Launch Authentication
• Standard SSL Web Browser Session
• Secures at Pre-Boot Level
• Authenticate Instance for Launch
[Diagram: Amazon EC2 (& VPC) and Amazon EBS]
22. ProtectV and Scaling in Large Environments
ProtectV and ProtectV Manager
[Diagram: Centralized Management; Cloud APIs • Authentication Automation • Activation/Snapshot]
SafeNet ProtectV Manager
• Provides centralized management
• Supports either customer-premise or cloud deployments
• Manages and coordinates ProtectV security
• Fully meshed encrypted volumes (enables transparent access)
• Open APIs to cloud management, customer provisioning, reporting
SafeNet KeySecure (on premise)
• Centralizes key management for persistence and flexibility
• Secure key creation and storage
• Key discovery
• Snapshot re-keying
• Key archiving and shredding
23. Additional Resources
Cloud Security Alliance: excellent, vendor neutral
SafeNet Website: www.safenet-inc.com/cloudsecurity (videos, white papers, additional resources)
Press coverage:
“Penn said that encryption is one of the best ways to secure corporate data in the cloud, but ‘it has to be encryption that the company controls.’”
“One of the vendors that offers encryption-based cloud security products to companies and government organizations is Maryland-based SafeNet.”
“One of the biggest issues our customers are running across is around the concept of trust in the cloud,” said Dean Ocampo, solutions strategy director at SafeNet. “There isn’t a lot of insight among customers in understanding what cloud providers are doing from a security perspective,” he told Infosecurity.
“SafeNet Makes Formal Foray into Cloud Security Market with Launch of Trusted Cloud Fabric.”
“SafeNet, which has been around since 1993, formally made the jump today from on-premise security to cloud security with the introduction of a new framework designed to extend their established offerings into the cloud. Additionally, they have extended and refined some of their existing services to fit into the public cloud realm via Amazon Web Services.”
24. Questions?
Mike Smart, Solutions Marketing Director | Mike.Smart@safenet-inc.com | @rmsmart007