To fully capitalize on the strategic potential of the cloud, enterprises will need to address a key challenge: security. SafeNet enables enterprises to overcome this challenge with a comprehensive set of flexible and modular security solutions – called the SafeNet Trusted Cloud Fabric. From authenticating in SaaS environments to ensuring compliance in the cloud, these practical solutions are ready today and can be adopted when and where they are needed.
Gen AI in Business - Global Trends Report 2024.pdf
A Security Practitioner’s Guide to the Cloud- Maintain Trust and Control in Virtualized Environments with SafeNet’s Trusted Cloud Fabric
1. A Security
Practitioner’s
Guide
to the Cloud
Maintain Trust and Control in Virtualized
Environments with SafeNet’s
Trusted Cloud Fabric
TRUSTED CLOUD
FABRIC
2. A Security Practitioner’s
Guide to the Cloud
Maintain Trust and Executive Summary- To fully capitalize on the strategic potential of the cloud,
enterprises will need to address a key challenge: security. SafeNet enables
Control in Virtualized enterprises to overcome this challenge with a comprehensive set of flexible and
Environments with modular security solutions – called the SafeNet Trusted Cloud Fabric. From
SafeNet’s Trusted authenticating in SaaS environments to ensuring compliance in the cloud,
Cloud Fabric. these practical solutions are ready today and can be adopted when and where
they are needed.
Introduction
“Forrester fully expects to see Today, over 60% of enterprises, both large and small, plan to evaluate or pilot some type
the emergence of highly secure of cloud-enabled offerings within the next 18 months1. For many applications, such as
and trusted cloud services sales force automation, project management, and marketing automation, SaaS-based
delivery has become the de facto standard. Yet for many enterprises, initial cloud initiatives
over the next five years, during
represent a virtual drop in the bucket in terms of what is ultimately possible.
which time cloud security will
grow into a $1.5 billion market Take, for instance, the case of a large multi-national retailer that looks to migrate its
and will shift from being an virtual machines from internally sourced to cloud-based resources during the holiday
season. Given that 70% of its retail business is conducted during this four-week period,
inhibitor to an enabler of cloud
the company stands to substantially reduce its IT operational expense through the less-
services adoption.”
demanding months of the year—and save millions in the process.
—Forrester Research It is with this type of strategic initiative that enterprises will begin to realize the full value
of the cloud’s elasticity and cost benefits. However, for these visions to become a reality,
a significant challenge needs to be addressed: guaranteeing security, trust, and control in
the cloud. What precautions do cloud providers have in place to guard against breaches?
How can businesses ensure sensitive data isn’t inadvertently co-mingling with another
client’s records in a virtualized, multi-tenant environment? How do businesses ensure and
demonstrate compliance of their cloud deployments?
Enterprises pursuing a host of cloud initiatives today are wrestling with these issues, and,
as the strategic value of cloud initiatives increases, so too does the security imperative.
These heightened security demands will spawn significant effort and investment from
enterprises and the security vendors that serve them. That’s why Forrester estimates cloud
security will grow into a $1.5 billion market in the next five years2.
Encryption: A Fundamental Control for the Cloud
As outlined above, before they can migrate strategic services and assets to the cloud,
organizations need to be able to migrate to cloud services, while retaining the requisite
security controls. Consequently, encryption is increasingly being recognized by security
experts and industry analysts as a fundamental control for organizations moving to
1 Gartner, “Hype Cycle for Cloud Computing, 2010”, David Mitchell Smith, July 27, 2010
2 Forrester, “Security And The Cloud: Looking At The Opportunity Beyond The Obstacle”, Jonathan Penn with
Heidi Shey, Christopher Mines, Chétina Muteba, October 20, 2010
A Security Practitioner’s Guide to the Cloud Whitepaper 2
3. the cloud. When implemented correctly, along with associated secure key and policy
SafeNet Information management approaches, encryption enables organizations to isolate data and associated
Lifecycle Protection policies—particularly in shared, multi-tenant environments. With these controls,
organizations can move to the cloud without making any compromises in their security
The SafeNet Trusted Cloud
posture or their compliance status.
Fabric is an extension
of SafeNet Information While encryption has been a critical security component within the traditional data center,
its strategic importance grows significantly in the cloud. In the past, physical controls,
Lifecycle Protection, a
inherent physical isolation, and the underlying levels of trust in the traditional data center
comprehensive framework
mitigated some potential needs for encryption. In the cloud, those physical barriers and
for securing data throughout trust factors dissolve completely, making encryption a significantly more strategic and
the information lifecycle. By critical control moving forward.
extending trust and control
when moving users, data, The Solution: SafeNet’s Trusted Cloud Fabric
systems, and applications SafeNet delivers the industry’s most complete cloud fabric for virtualized environments,
to virtualized environments, enabling enterprises to ensure trust throughout the lifecycle of enterprise data. The
SafeNet Trusted Cloud Fabric enables enterprises to…
SafeNet enables customers
to seamlessly integrate • Ensure security and compliance in the cloud. The SafeNet Trusted Cloud Fabric
any cloud model into their represents a complete ecosystem of security solutions, weaving together persistent
near-term and long-term protection, elastic encryption, anchored identity, and secured communication. With
these capabilities, SafeNet enables customers to retain complete control over how
technology and security
data is isolated, protected, and shared—even in multi-tenant cloud environments.
strategies.
• Take a practical migration path to the cloud. SafeNet offers a modular architecture
that gives organizations the flexibility to migrate to the cloud in the most effective
and efficient manner, and according to their specific timeframes, business objectives,
and security policies. SafeNet’s Trusted Cloud Fabric enables businesses to tackle
their most pressing security challenges, both in the near term and in the long term—
whether they’re looking to secure access to SaaS applications, encrypt storage in the
cloud, protect the communication links between private and public clouds, or address
a host of other objectives.
• Fully leverage the benefits of the cloud. The SafeNet Trusted Cloud Fabric features
high performance solutions built specifically to support virtualized environments.
In addition, SafeNet’s comprehensive solutions enable centralized governance and
management of sensitive data, applications, and systems across the data center and
the cloud. As a result, security teams can enjoy optimized administrative efficiency,
while businesses fully embrace cloud opportunities.
The Elements of the Trusted Cloud Fabric
When it comes to enterprise cloud initiatives, one size, strategy, or technology does not fit
all. Many enterprises will take disparate, multi-pronged approaches to the cloud, and will
need modular solutions that offer flexible integration points across public, private, and
hybrid clouds. SafeNet delivers a complete array of solutions, equipping enterprises with
the capabilities they need, when they need them—regardless of where they are in their
cloud adoption strategies. SafeNet offers these cloud-based solutions:
• Secure access for SaaS
• Secure cloud-based identities and transactions
• Secure virtual instances
• Secure cloud-based storage
• Secure cloud application data
• Secure cloud connections
A Security Practitioner’s Guide to the Cloud Whitepaper 3
4. Secure Virtual Storage Secure Cloud Applications
The Benefits of the
Trusted Cloud Fabric
• Stay in control. Bring Secure Cloud-Based
Secure Virtual Machines Identities and Transactions
private data center security
and control to public and
private clouds.
• Eliminate compromise.
Boost security without
compromising the elasticity,
scalability, or flexibility of Secure Cloud-Based
cloud deployments. Secure Access to SaaS Communications
• Keep it simple. Get
integrated, centralized
management,
administration, and
policy enforcement of
On-premise
all domains—including
internal data center and
private, public, and hybrid When organizations migrate data that is sensitive or regulated by mandates into these
clouds. environments, they can confront several tough questions: How do you keep information
• Make it persistent. Wrap isolated and secure in remote, multi-tenant environments, where many traditional security
protection around sensitive controls can’t be employed? How do you protect against unlimited copying of virtual
information throughout instances? How do you gain the fundamental visibility required to understand how virtual
its lifecycle, wherever it instances are being used? How do you enforce the separation of duties and granular controls
resides.
needed to mitigate the threat of cloud administrators abusing their super-user privileges?
To address these issues, organizations need to safeguard virtual instances and the sensitive
assets they contain. Organizations need to retain the requisite security controls to ensure
only authorized users access the sensitive data held in virtual instances at any given time.
For these reasons, encryption is increasingly being recognized as one of the fundamental
security controls for organizations migrating to the cloud. Through encryption, and
associated secure key and policy management, organizations can safeguard stakeholder
trust when adopting cloud offerings
Secure Access for SaaS
Multi-factor authentication—whether through the use of one-time password (OTP)
tokens, certificates, USB tokens, or smart cards—has grown increasingly critical as
organizations look to secure remote users’ access to corporate systems. As enterprises
move increasingly strategic business services to the cloud, security teams will need to
leverage centralized mechanisms that accommodate both traditional remote access
scenarios and cloud deployments.
The Solution
With SafeNet Authentication Manager, customers can leverage a unified authentication
infrastructure for both their on-premise and cloud-based services—providing a
centralized, comprehensive way to manage all access policies. When users try to access
one of the enterprise’s cloud services, for example a SaaS service like Salesforce.
com or GoogleApps, they will authenticate using their existing SafeNet authentication
mechanisms, such as smart cards, USB tokens, or OTP via the user’s mobile phone.
The Benefits
SafeNet’s comprehensive authentication solutions make it easy for enterprises to
maximize authentication security for SaaS applications. SafeNet solutions offer an
unparalleled array of advantages for enterprises moving to the cloud:
• Comprehensive platform. All SafeNet solutions that can all be managed through
A Security Practitioner’s Guide to the Cloud Whitepaper 4
5. SafeNet Authentication Manager, a central management server that enables identity
federation, access controls, and strong authentication to both on-premise and SaaS
applications.
• Deployment and form factor flexibility. SafeNet offers the broadest authentication
portfolio, including hardware tokens, software authentication, one-time password
solutions, and more, ensuring organizations have the solutions tailored to their specific
security and business objectives.
• Advanced reporting. SafeNet authentication platforms offer extensive reporting
capabilities that streamline compliance with a host of security regulations and policies.
SaaS Apps Cloud Applications
Salesforce.com
Federated SSO
to the cloud
Google Apps
User authenticates
using enterprise
identity
SafeNet Authentication
Manager (SAM)
Secured Identities and Transactions
The virtualized nature of the cloud removes many of the physical workflow and perimeter-
based control points that helped secure sensitive information in traditional in-house
deployments. In order to adopt cloud services, while ensuring the requisite levels of trust
and security, enterprises must take a data-centric approach to security. This entails
employing cryptographic operations, such as data encryption and digital signatures, to
ensure the confidentiality and integrity of data and business processes. At the same time,
the use of cryptography can’t jeopardize the performance and reliability of cloud resources.
The Solution
SafeNet offers the most advanced and secure network-based HSMs, which are ideally
suited to the demands of virtual and cloud infrastructures. SafeNet HSMs, including
SafeNet Luna SA, offer an unparalleled combination of features—including central key and
policy management, robust encryption support, flexible integration, and more—that form
the basis of a secure cloud platform. In addition, SafeNet is the only HSM solution provider
to protect keys in hardware, ensuring that the cryptographic keys, paramount to securing
your application and sensitive information, never leave the confines of the hardware
appliance. Finally, SafeNet offers HSMs that feature FIPS- and Common Criteria-certified
storage of cryptographic keys.
A Security Practitioner’s Guide to the Cloud Whitepaper 5
6. The Benefits
By employing SafeNet HSMs for their cloud environments, enterprises can realize a range
of significant benefits:
• Maximize security. SafeNet enables organizations to retain effective control
through group-based policies, robust user access controls, and central key and
policy management of remote systems. Armed with the comprehensive, advanced
capabilities of SafeNet’s HSMs, organizations can efficiently leverage the many
benefits of cloud services and stay compliant with all pertinent regulatory mandates
and security policies.
• Reduce administrative costs and overhead. Combining the security benefits of
hardware security modules with the cloud delivery model, security implementations
can be far less expensive than traditional in-house deployments, putting state-of-the-
art security capabilities within reach of even small- and medium-sized businesses for
the first time.
• Realize long term scalability and flexibility. Each SafeNet HSM can support up to
100 clients and 20 partitions, enabling organizations to maximize the return on their
investment, while enjoying maximum scalability and flexibility to accommodate
changing business and technical requirements.
Private
Public
On-premise
Hybrid
Hardware Security Module
Secured Virtual Instances
Today, enterprises are increasingly moving servers from traditional dedicated data centers
to shared, virtualized infrastructures, whether based in public or private clouds. Given that
these virtual servers often house the applications and databases that contain sensitive
corporate information—including personnel records, intellectual property, customer
information, and more—the lost or theft of these virtual assets can be disastrous.
In order to meet their regulatory or internal risk management policies, enterprises must
address a host of challenges posed by virtualized servers and all the instances they
contain, including controlling privileged administrator access, guarding against potential
unlimited copying, overcoming the lack of visibility and auditability, and mitigating the
exposure of raw data. To address these challenges and safeguard the sensitive information
held in virtual servers, organizations must go beyond simple user access controls and
actively secure virtual servers.
The Solution
In order to mitigate the risk virtual servers can pose to sensitive data, SafeNet offers
ProtectV Instance, which enables organizations to encrypt and secure entire contents of
A Security Practitioner’s Guide to the Cloud Whitepaper 6
7. virtual servers, protecting these assets from theft or exposure. With ProtectV Instance,
data contained on the drive is secured, even offline and during instance activation.
ProtectV Instance provides a critical separation of duties for control of virtual servers and
adds the critical visibility needed to audit cloud-based servers.
The Benefits
By leveraging full disk encryption for virtual servers in the cloud, enterprises can maintain
ownership and control of their sensitive data—and so safeguard against the damage of
unauthorized theft or manipulation. Even if a drive is replicated, a virtual analog of a lost
laptop, security teams can still rest assured that their sensitive data won’t be exposed to
unauthorized access. With ProtectV Instance, organizations can maximize the benefits of
their private and public cloud deployments, including infrastructure as a service (IaaS),
without compromising security.
Virtual Machines
On-premise
ProtectV™Instance
Hypervisor
Virtual Server
SafeNet DataSecure® (Supplemental Security Option):
• Manages encrypted instances • Security policy enforcement
• Lifecycle key management • Access control
Secured Cloud-based Storage
For many organizations, the prospect of leveraging elastic, pay-as-you-go services for
housing their exponentially expanding volumes of files and digital assets represents a
significant opportunity. For many organizations however, particularly those who must meet
regulatory mandates, security risks posed by keeping information in multi-tenant cloud
storage servers can make the cloud a nonstarter.
The Solution
With ProtectV Volume, security teams can encrypt entire storage volumes in cloud
deployments, ensuring cloud data is isolated and secured—even in shared, multi-tenant
cloud storage services. Given its seamless integration, ProtectV Volume can be deployed
in a broad range of cloud storage environments, regardless of the vendor or underlying
storage technology.
The Benefits
With SafeNet, enterprises can efficiently leverage many of the benefits of cloud services,
while retaining effective security controls. With SafeNet solutions, organizations can
leverage the cloud for applications that would have previously been off limits from a
security standpoint. With SafeNet, enterprises can realize a range of benefits:
• Boost user productivity. Through its transparent, seamless security enforcement,
SafeNet solutions enable authorized users to enjoy more consistent and
reliable access in a manner that is seamless and transparent, which can help
optimize productivity.
A Security Practitioner’s Guide to the Cloud Whitepaper 7
8. • Lower costs. By enabling comprehensive, cohesive security policy enforcement in the
cloud, SafeNet solutions enable organizations to move more business services into
the cloud, and so more fully enjoy the cost savings these models deliver. In addition,
by centralizing and streamlining security administration and enforcement, SafeNet
solutions deliver significant cost reductions.
• Increase business agility. Inherently, cloud offerings enable organizations to scale or
contract much more quickly and cost effectively than if they were relying on internally
hosted infrastructures. Through its support of dynamic cloud environments, SafeNet
solutions provide organizations with an unparalleled ability to take advantage of the
cloud’s flexibility to more quickly adapt to changing requirements.
Data
On-premise
ProtectV™Volume
Storage
Virtual Server
SafeNet DataSecure® (Supplemental Security Option):
• Manages file protection • Security policy enforcement
• Lifecycle key management • Access control
Secured Cloud Application Data
For virtually any enterprise, safeguarding the trust of consumers is essential. While
migrating applications to SaaS and PaaS enables dramatic cost savings for the
organization as well as ubiquitous access for users, this move means critical customer
data ultimately resides in an environment not owned or controlled by the organization.
Without active protection of the data entering the application, the potential risks
associated with this loss of control and trust are severe.
In order to satisfy both the economic benefits and security requirements of cloud-based
applications, organizations must satisfy several core requirements:
• Transparent application integration. Organizations must have the ability to encrypt
data in their own application development environment, with simple integration that
doesn’t require them to be cryptography experts.
• Centralized control and management. Controlling data must be centralized to minimize
operational costs and provide the capabilities required for auditing and separating
administrative duties.
• Flexible and agile deployment. Given that organizations will use multiple cloud
providers, and change service providers over time, organizations need capabilities that
enable flexible data protection controls when migrating to different vendors.
The Solution
In order to maintain security and business continuity while moving into the cloud,
businesses can deploy DataSecure on premise and configure and provision ProtectApp
to secure virtualized applications that interact with such sensitive data as credit cards,
personally identifiable information, and more. ProtectApp is available in a wide variety of
development platforms to enable transparent integration, while the centralized control
A Security Practitioner’s Guide to the Cloud Whitepaper 8
9. via DataSecure provides the flexibility to work with multiple cloud providers. The on-
premise DataSecure platform is anchored as the root of trust for policy enforcement and
lifecycle key management.
In the cloud, ProtectApp handles encryption and key caching locally to deliver optimal
performance. Because the data is protected as it is generated and stored on databases
in the cloud and the keys are kept with the application server, enterprises can ensure
sensitive data remains secure and demonstrate compliance with relevant mandates.
The Benefits
With SafeNet, organizations can utilize SaaS and PaaS for their applications, while also
protecting their own customers’ data. In addition, the flexibility of the solution enables the
deployment of these protections with minimal operational overhead and maximum agility
to work with multiple cloud providers.
Database Application
On-premise ProtectDB ProtectApp
Tokenization
Local crypto
and key caching
DataSecure® Secured Cloud Communications
Whether an organization is moving aggressively or tentatively into cloud-based services,
the reality is that just about every enterprise will have a hybrid mix of services—including
on-premise, private cloud, and public cloud—in place at any given time. As a result,
an organization’s sensitive assets will often need to be transported across a wide area
network (WAN) as data and processing are shared across these geographically distributed
deployments. To build a trusted hybrid multi-site infrastructure, enterprises need to employ
encryption to secure the transport of data across their WANs, while at the same time,
ensuring high-speed, low-latency communications between these distributed sites.
The Solution
Today, SafeNet offers advanced layer 2 encryption solutions that enable organizations to
secure WAN communications—while eliminating the challenges and obstacles presented
by traditional IPsec encryption approaches. SafeNet Ethernet Encryptors provide the
administrative efficiency and optimized performance and bandwidth utilization that make
it ideally suited to an enterprise’s private cloud environment.
The Benefits
With SafeNet Ethernet Encryptors, organizations can ensure trusted communications
across all their cloud-based and internally hosted sites, and so gain a range of benefits:
• Boost user productivity. Through its high performance and reliability, SafeNet enables
authorized users to quickly and securely transfer communications, media, and other
data from the enterprise to the cloud—optimizing productivity.
• Lower costs. By eliminating costly overhead for expensive transport pipes and providing
full throughput, SafeNet offers immediate cost savings in the cloud and across the
A Security Practitioner’s Guide to the Cloud Whitepaper 9