Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control. David Etue, VP, Corporate Development Strategy. February 26, 2014. @djetue

Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Jan 12, 2015

SafeNet

Far too many organizations are slow to change how they assess and manage security in the cloud. They instead try to apply legacy controls that worked for traditional IT environments to the cloud, thus creating new opportunities for security failures.

In this slide deck -- originally presented at RSA Conference 2014 -- David Etue, VP of Corporate Development Strategy at SafeNet, Inc., covers the cultural changes that organizations should adopt in order to address the complex issues surrounding data access in the cloud.

More information about our approach to cloud security can be found at http://www.safenet-inc.com/cloud/.
Transcript
Page 1: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Whose Cloud Is It Anyway?

Exploring Data Security, Ownership and Control

David Etue

VP, Corporate Development Strategy

February 26, 2014

@djetue

Page 2: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Who We Are

SafeNet is trusted to protect, control access to, and manage the world's most sensitive data and high value applications

We control access to the most sensitive corporate information–more than 35 million identities protected via tokens, smartcards, and mobile devices managed on-premise and in the cloud.

We protect the most money that moves–over 80% of the world’s intra-bank fund transfers and nearly $1 trillion per day.

We monetize the most high-value software–more than 100 million license keys protect and manage on-premise, embedded, and cloud applications globally.

We are the de facto root of trust–deploying more than 86,000 key managers and protecting up to 750,000,000 encryption keys.

• FOUNDED: 1983

• REVENUE: ~330m

• EMPLOYEES: +1,500 in 25 countries

• GLOBAL: +25,000 customers in 100 countries

• ACCREDITED: Products certified to the highest security standard

Page 3: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Cloud and Virtualization Are Changing the Way IT is Managed and Consumed

Agile.

Now.

On demand.

Simple.

Secure?

Page 4: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Cloud Benefits Are Being Realized…

80% of mature cloud adopters are seeing [1]:

• Faster access to infrastructure

• Greater Scalability

• Faster Time to Market for Applications

50% of cloud users report benefits including [1]:

• Better application performance

• Expanded geographic reach

• Increased IT staff efficiency

4 © SafeNet Confidential and Proprietary

[1] RightScale State of the Cloud Report 2013

Page 5: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

…But Cloud Benefits Are Driven by Sharing


Page 6: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

And Security and Compliance Are Not the Biggest Fans of Sharing…


Page 7: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Leading Inhibitors to Cloud Adoption

451 TheInfoPro 2013 Cloud Computing Outlook – Cloud Computing Wave 5

Page 8: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Security and Compliance Concerns With Shared Clouds

How Do You Maintain Ownership and Control Of Your Information In A Multi-Tenant Environment?

Data Governance: Lack of Visibility

• Can you track all of my data instances? Backups? Snapshots?

• Am I aware of government requests/discovery?

• Do you know when data is copied?

Data Compliance: Lack of Data Control

• Who is accessing my data?

• Can I illustrate compliance with internal and external mandates?

• Is there an audit trail of access to my data?

Data Protection: Risk of Breach and Data Loss

• Are all my data instances secure?

• Can I assure only authorized access to my data?

• Can I “pull the plug” on data that’s at risk of exposure or whose lifecycle has expired?

Page 9: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

New Risks Driving Cloud Security Challenges

• Increased Attack Surface

• Privileged Users

• Ability to Apply Security Controls

• Control (or lack thereof)

Page 10: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

New Risk: Increased Attack Surface

Page 11: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

New Risk: New Definition of Privilege

Page 12: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

New Risk: Ability to Apply Security Controls

[Figure: Security Controls Mapping and Sized by Budget. Labels: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; CSA Cloud Model; Host; Network; Infrastructure Security]

Page 13: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

New Risk: Ability to Apply Security Controls

Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments…but were the controls even effective then?

Page 14: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

New Risk: Control (or lack thereof)

• Amazon EC2 - IaaS

• Google AppEngine - PaaS

• Salesforce - SaaS

The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.

Page 15: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

And Not Just The Traditional “Bad Guys”

Sensitive Data in the Cloud

• Adversaries

• Government Discovery

• Cloud Administrators

• Auditors / Regulators

Page 16: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

So, Whose Cloud Is It Anyway?

| Model | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS |
|---|---|---|---|
| Whose Privilege Users? | Customer | Provider | Provider |
| Whose Infrastructure? | Customer | Provider | Provider |
| Whose VM / Instance? | Customer | Customer | Provider |
| Whose Application? | Customer | Customer | Provider |
| Law Enforcement Contact? | Customer | Provider | Provider |

Page 17: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Making it Your Cloud: Key Enablers to Cloud Security

• Encryption (and Key Management)

• Identity and Access Management with Strong Authentication

• Segmentation

• Privileged User Management

• Detection and Response Capabilities

• System Hardening

• Asset, Configuration, and Change Management

Page 18: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Encryption: Un-Sharing in a Shared Environment

Un-Sharing FTW!!!

Page 19: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Clouds Love Crypto!!!*

*with good key management…

Page 20: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Typical Sources of Trust

| Source | Traditional Data Center | Internal Cloud (Private) | External Cloud (Public, Community, Hybrid) |
|---|---|---|---|
| “Own the Stack” | Yes | N/A | No |
| System Fingerprinting | Yes | No | No |
| Trusted Platform Module (TPM) | Yes | Maybe? | No |
| Hardware Security Module (HSM) – Server Card | Yes | Maybe? | No |
| Hardware Security Module (HSM) - Network | Yes | Yes | Yes |
| Smartcard | Yes | Maybe | Maybe |

Page 21: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Leveraging Crypto In The Cloud

Sources of Trust

| Customer Premise | Cloud Provider | Customer Controlled at Service Provider | Trusted 3rd Party |
|---|---|---|---|
| + Most Control | + Architecture | + Architecture | + Multi Cloud |
| - Architecture | - Security / Separation | - Multi Cloud | - Integration |

Hardware Security Module = Trust Anchor

Page 22: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Leveraging Crypto In The Cloud

Sources of Trust

| Customer Premise | Cloud Provider | Customer Controlled at Service Provider | Trusted 3rd Party |
|---|---|---|---|
| + Most Control | + Architecture | + Architecture | + Multi Cloud |
| - Architecture | - Security / Separation | - Multi Cloud | - Integration |

Hardware Security Module = Trust Anchor

[Figure labels: Key Management; Applications and Workloads]

Page 23: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Leveraging Crypto In The Cloud

Sources of Trust

| Customer Premise | Cloud Provider | Customer Controlled at Service Provider | Trusted 3rd Party |
|---|---|---|---|
| + Most Control | + Architecture | + Architecture | + Multi Cloud |
| - Architecture | - Security / Separation | - Multi Cloud | - Integration |

Hardware Security Module = Trust Anchor

[Figure labels: Key Management; Applications and Workloads; Highest Assurance; Most Flexible]

Page 24: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

How Do You Apply Security Controls?

[Figure: Security Controls Mapping and Sized by Budget. Labels: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; CSA Cloud Model; Host; Network; Infrastructure Security]

Page 25: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Need to Focus “Up The Stack”

[Figure labels: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; CSA Cloud Model; Host; Network; Infrastructure Security]

Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud Forces a Change in How Security Controls Are Evaluated and Deployed

Page 26: Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control

Data Centric Security = Agility!

[Figure labels: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; CSA Cloud Model; Host; Network; Infrastructure Security]