AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Jan 12, 2015

Transcript
Page 1: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Cloud Compliance 101: No PhD Required
Cloud Computing forces the Data Governance Issue

Mike Smart, Solutions Marketing Director
[email protected]
@rmsmart007 - twitter
June 2011

Page 2: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Agenda

• Cloud Adoption – on the move…
• The Compliance Problem
• What the Regulations Say (or Don’t)
• Bringing Predictive Focus
• Solving the Problem
• Questions and Answers

Page 3: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Cloud delivery models – all at once!

• Public Cloud
• Community & Hybrid Clouds
• Private Cloud
• Traditional Data Center
• Virtualized Enterprise

Page 4: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Global Cloud Adoption – Moving fast…

* Gartner July 2010 – Cloud Hype Cycle

Page 5: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Market Growth in Cloud Computing

Over 60% of enterprises plan to evaluate or pilot some type of cloud-enabled offerings within the next 18 months. However, enterprises continue to delay cloud adoption due to concerns surrounding data security, privacy and compliance. (Gartner Hype Cycle for Cloud Computing, 2010, David Mitchell Smith, July 27, 2010)

SMB spending on cloud computing will approach $100 billion by 2014. (AMI Partners, August 2010)

Server revenue in the public cloud category will grow from $582 million in 2009 to $718 million in 2014; server revenue for the private cloud market will grow from $7.3 billion to $11.8 billion. (IDC, May 2010)

Page 6: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

EMEA & Cloud – Growth Starting 2011…

(Chart regions: USA, Europe, EMEA, APAC, Americas)
Source: 451Group

Page 7: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

UK’s Cloud Guidance & Governance

Government ICT Strategy - March 2011
Cloud Computing Security – December 2010

It is good practice to encrypt the data prior to it being transferred to the online services company. This should render the data useless to any hackers and snoopers without the key, regardless of the jurisdiction it is in or who is processing it. Modern techniques increasingly allow processing operations to be carried out whilst maintaining the security and integrity of the data.

2. The government Cloud (g-Cloud) - Rationalizing the government ICT estate, using cloud computing to increase capability and security, reduce costs and accelerate deployment speeds.
3. The Data Centre Strategy - Rationalizing data centers to reduce costs while increasing resilience and capability.
4. The government applications Store (g-aS) - Enabling faster procurement, greater innovation, higher speed to deliver outcomes and reduced costs.
5. Shared services, moving systems to the government Cloud - Continually moving to shared services delivered through the government Cloud for common activities.

Cloud Direction Set…
http://www.cabinetoffice.gov.uk/content/government-ict-strategy

Page 8: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Trust is THE issue!

IT Security is stopping projects. Compliance/Audit has tons of questions. Cloud growth IS being limited. All the birds are dead.

IT Security Group: The cloud isn’t secure. I don’t trust Providers. I don’t know how to secure that thing!

Compliance Audit Group: Show me your security. Prove compliance in Clouds. Convince me!

Page 9: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Cloud Security Challenges

Fundamental Trust & Liability Issues
• Data exposure in multi-tenant environments
• Separation of duties from cloud provider insiders
• Transfer of liability by cloud providers to data owners

Fundamental New Cloud Risks
• New hypervisor technologies and architectures
• Redefine trust and attestation in cloud environments

Regulatory Uncertainty in the Cloud
• Regulations likely to require strong controls in the cloud

User ID and Access: Secure Authentication, Authorization, Logging
Data Co-Mingling: Multi-tenant data mixing, leakage, ownership
Application Vulnerabilities: Exposed vulnerabilities and response
Insecure Application APIs: Application injection and tampering
Data Leakage: Isolating data
Platform Vulnerabilities: Exposed vulnerabilities and response
Insecure Platform APIs: Instance manipulation and tampering
Data Location/ Residency: Geographic regulatory requirements
Hypervisor Vulnerabilities: Virtualization vulnerabilities
Data Retention: Secure deletion of data
Application & Service Hijacking: Malicious application usage
Privileged Users: Super-user abuse
Service Outage: Availability
Malicious Insider: Reconnaissance, manipulation, tampering
Logging & Forensics: Incident response, liability limitation
Perimeter/ Network Security: Secure isolation and access
Physical Security: Direct tampering and theft

Page 10: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Trust & Hypervisors Challenge Us to Do Better
And encryption hits trust and isolation head-on

Control layers:
Physical Security
Network Security
Hypervisor Vulnerability Management
Instance Isolation
Instance Authentication/ Authorization
Telemetry & Reporting
Patch Management
App/DB/File Data Protection
Vulnerability Management
Authentication/Authorization
Scan & Report

Established data center controls:
• VLANs, Firewalls, IPS, NAC, etc.
• Patch process, newslists, patch management
• App/DB/File Encryption, DAM/FAM, Process, etc.
• Code review/scan, newslists, developer ed., QA, etc.
• MFA, IAM integration, entitlement management
• Pen-test, Web scanning, etc.

New Technology Ground
• Centered around Hypervisors
• Or the associated trust boundary
• Encryption the single greatest way to address isolation/ trust
• Will also include building controls into CSP/Hypervisor tools

GAP – SAS 70, ISO 27001, CSA Controls Matrix/ Assessment Questions, CloudAudit, Etc.

Page 11: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Regulations Will Impact Cloud

Many regulations that often overlap

Page 12: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

The Truth - You Are On Your Own for Now

Bad News: Confusing Regulatory Landscape
• Shared responsibility model - but demarcation is gray
• SAS 70 inadequate for common use in evaluating cloud providers
• Formal transfer of liability highly likely written into your cloud contract
• You will have to have a detailed architecture and API conversation to assess your responsibility

Good News: Everyone Trying to Solve the Problem
• XaaS know this, working hard to alleviate
• Cloud Security Alliance has Mapping Document

Page 13: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

So where do we go from here???

Focus on First Principles
• Spirit and intent of regulations
• Thoughtful data handling

Sprinkled with the “New” Cloud Issues
• These are where regulations will focus
• Will be around the new area we discussed before:
  • Trust and Ownership
  • Hypervisors
  • Disclosure and Visibility

Page 14: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

First Principles and Cloud Challenges

Columns: Principle | Trust/Ownership · Hypervisor · Disclosure/Visibility (one X per column that applies) | Issues

Limit use of <sensitive data> | X | Big issue in SaaS, in your control for the most part in IaaS and PaaS
Use secure development practices | X | Issue in SaaS and PaaS
Control access to <sensitive data> | X X X | Issues in all cases. Issues of user identification, authorization rights, privileged cloud user
Encrypt <sensitive data> in transit | X X | Most likely already addressed, but customer to cloud, intracloud communication can be an issue
Optional <sensitive data> encrypt at rest | X X | Huge issue in data sitting in the cloud, across all platforms.
Keep <sensitive data> confidential | X X X | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud.
Keep the integrity of <sensitive data> | X X X | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud.
Enforce separation of duties of <sensitive data> access and administration | X X X | Fundamental issue of cloud employee and cloud administrator access. Extends to both physical and logical security. Invokes separation of duties issues around all controls.
Report and audit your controls for | X | Can you prove it to your auditor.

Page 15: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Emergence of Encryption as a Unifying Cloud Security Control

Encryption is a fundamental technology for realizing cloud security
• Isolate data in multi-tenant environments
• Recognized universally by analysts and experts and underlying control for cloud data
• Sets a high-water mark for demonstrating regulatory compliance adherence for data

Moves from Data Center tactic to Cloud strategic solution
• Physical controls, underlying trust in processes, and isolation mitigated some use of encryption
• Mitigating trust factors that don’t exist in the cloud.

Page 16: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

How Encryption Solves Main Pain Points


• Encryption enables an authentication and authorization layer.
• Encryption directly addresses many regulatory requirements. Shows a high standard of care.
• Encryption inherently provides for integrity controls.
• Encryption fundamentally isolates your data from other tenants in a shared cloud environment, shields from unauthorized data breach.
• Encryption can add an additional authentication and authorization layer for users and administrators. Customer owned encryption definitively shows separation from cloud.
• Encryption key ownership is tangible proof of data ownership.
• Encrypt/Decrypt actions become easy log and audit proofs.

Page 17: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Encryption - Additional Upside

“Lawful Order” to Cloud Provider for Data
Issue: Cloud provider may turn over your data when another member of the cloud is under criminal investigation. Your data is now viewable to law enforcement.
Resolution: Encrypted data is unviewable by law enforcement. Law enforcement would have to work through legal channels, under which you have guaranteed rights, to get you to turn over decryption keys.

Destruction of Cloud Data
Issue: Is data in the cloud ever destroyed? Are you sure?
Resolution: Encryption makes data unusable in the cloud. “Key shredding” virtually makes encrypted cloud data unrecoverable.

Physical Location Issues of Cloud Data
Issue: Is cloud data now in new physical locations requiring new regulatory insight, or violating existing regulatory law?
Resolution: Encrypted data can be moved anywhere in the cloud, but controlled decryption with a proper key release policy can define what localities may use the data.
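Added example, not code from the deck or from any SafeNet product: the key-ownership, integrity, key-shredding and key-release arguments of pages 16 and 17 worked through in Python. Each volume gets its own data key, wrapped by a customer-held key-encryption key whose release is gated by a region policy; shredding that key leaves the cloud copy unrecoverable, and the integrity control comes from the MAC tag, not from the encryption alone. The HMAC-SHA256 encrypt-then-MAC construction is a standard-library stand-in for AES-GCM, and the key store, region names and sample data are constructed for the example.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key, nonce, length):
    # CTR-style PRF keystream: HMAC-SHA256(key, nonce || counter), one 32-byte block per counter.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key, plaintext):
    # Encrypt-then-MAC; returns nonce || ciphertext || tag. Stand-in for AES-GCM (assumption).
    enc_key, mac_key = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    enc_key, mac_key = (hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac"))
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # tampered ciphertext or wrong key
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class CustomerKeyStore:
    # Constructed stand-in for an on-premise key manager: KEKs never leave it except via policy.
    def __init__(self):
        self._keks = {}
    def create_kek(self, key_id, allowed_regions):
        self._keks[key_id] = (os.urandom(32), frozenset(allowed_regions))
    def release(self, key_id, region):
        # Key-release policy: only approved localities may obtain the KEK.
        if key_id not in self._keks:
            raise KeyError("key shredded or unknown")
        kek, regions = self._keks[key_id]
        if region not in regions:
            raise PermissionError("key release denied for region " + region)
        return kek
    def shred(self, key_id):
        # Key shredding: every data key wrapped by this KEK becomes unrecoverable.
        self._keks.pop(key_id, None)

def encrypt_volume(store, key_id, region, data):
    data_key, kek = os.urandom(32), store.release(key_id, region)
    return {"key_id": key_id, "wrapped_key": seal(kek, data_key), "ciphertext": seal(data_key, data)}

def decrypt_volume(store, region, record):
    kek = store.release(record["key_id"], region)
    return open_(open_(kek, record["wrapped_key"]), record["ciphertext"])
```

The cloud side of this scheme holds only `record` (wrapped key plus ciphertext), so a provider handing it over, replicating it to another region, or failing to wipe it yields nothing without a policy-approved key release.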

Page 18: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

SafeNet Trusted Cloud Fabric
Maintaining Trust and Control in Virtualized Environments

Page 19: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

SafeNet Offering – on AWS

With SafeNet ProtectV™ and Data Secure (server- and storage-based encryption, and application/database encryption), customers can now protect compliance-impacted data stored and used in cloud environments.

ProtectV™ Instance enables organizations to encrypt and secure the entire contents of virtual servers, protecting these assets from theft or exposure.

ProtectV™ Volume enables enterprises to secure entire virtual volumes in the cloud containing their data such as files or folders.

Delivers:
• Data Isolation
• Separation of Duties
• Cloud Compliance
• Pre-Launch Authentication
• Multi-tenant Protection

Data Secure with ProtectApp and ProtectDB enables enterprises to encrypt and prove control over data in applications hosted in the cloud.

Page 20: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

SafeNet ProtectV in Amazon AWS

Amazon EC2
Amazon EBS
Protected Customer AMI

SafeNet ProtectV:
• Encrypted Volume
• Pre-Launch Authentication
• Policy + Key Management
• Protected EBS Volumes

Page 21: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

SafeNet ProtectV in Amazon AWS!

Amazon EC2 (& VPC)
Amazon EBS

#1 Select SafeNet AMIs
• EC2 and VPC
• 4 Public Images
• Windows 2003/2008, 32/64 bit
• Linux April/May
• (enable SSL Port 443 access)

#2 Set Encryption Options
• RDP Local Management Console
• Encrypt Local Instance
• Encrypt Attached Storage Volumes
• Set Encryption Level (AES 256)
• Set Secure Pre-Launch Authentication

#3 Pre-Launch Authentication
• Standard SSL Web Browser Session
• Secures at Pre-Boot Level
• Authenticate Instance for Launch

Page 22: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

ProtectV and Scaling in Large Environments
ProtectV and ProtectV Manager

Cloud APIs
• Authentication Automation
• Activation/ Snapshot

Centralized Management

SafeNet ProtectV Manager
• Provides centralized management
• Supports either customer premise or cloud deployments
• Manages and coordinates ProtectV Security
• Fully meshed encrypted volumes (enables transparent access)
• Open APIs to cloud management, customer provisioning, reporting

SafeNet KeySecure (on Premise)
• Centralizes key management for persistence and flexibility
• Secure key creation and storage
• Key discovery
• Snapshot re-keying
• Key archiving and shredding

Page 23: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Additional Resources

“Penn said that encryption is one of the best ways to secure corporate data in the cloud, but ‘it has to be encryption that the company controls.’”

“One of the vendors that offers encryption-based cloud security products to companies and government organizations is Maryland-based SafeNet.”

“One of the biggest issues our customers are running across is around the concept of trust in the cloud”, said Dean Ocampo, solutions strategy director at SafeNet. “There isn’t a lot of insight among customers in understanding what cloud providers are doing from a security perspective”, he told Infosecurity.

“SafeNet Makes Formal Foray into Cloud Security Market with Launch of Trusted Cloud Fabric.” “SafeNet, which has been around since 1993, formally made the jump today from on-premise security to cloud security with the introduction of a new framework designed to extend their established offerings into the cloud. Additionally, they have extended and refined some of their existing services to fit into the public cloud realm via Amazon Web Services.”

Cloud Security Alliance – Excellent, Vendor Neutral

SafeNet Website – www.safenet-inc.com/cloudsecurity
• Videos
• White Papers
• Additional Resources

Page 24: AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet

Questions?

Cloud Compliance 101: No PhD Required

Mike Smart, Solutions Marketing Director
[email protected]
@rmsmart007 - twitter
June 2011