Safe Net: Cloud Security Solutions
- 6. Cloud Security Challenges
• User ID and Access: Secure authentication, authorization, logging
• Data Co-Mingling: Multi-tenant data mixing, leakage, ownership
• Application Vulnerabilities: Exposed vulnerabilities and response
• Insecure Application APIs: Application injection and tampering
• Data Leakage: Isolating data
• Platform Vulnerabilities: Exposed vulnerabilities and response
• Insecure Platform APIs: Instance manipulation and tampering
• Data Location/Residency: Geographic regulatory requirements
• Hypervisor Vulnerabilities: Virtualization vulnerabilities
• Data Retention: Secure deletion of data
• Application & Service Hijacking: Malicious application usage in cloud environments
• Privileged Users: Super-user abuse
• Service Outage: Availability
• Malicious Insider: Reconnaissance, manipulation, tampering
• Logging & Forensics: Incident response, liability limitation
• Perimeter/Network Security: Secure isolation and access
• Physical Security: Direct tampering and theft
Fundamental Trust & Liability Issues
• Data exposure in multi-tenant environments
• Separation of duties from cloud provider insiders
• Transfer of liability by cloud providers to data owners
Fundamental New Cloud Risks
• New hypervisor technologies and architectures
• Redefine trust and attestation
Regulatory Uncertainty in the Cloud
• Regulations likely to require strong controls in the cloud
© SafeNet Confidential and Proprietary
- 7. Emergence of Encryption as Unifying Cloud Security Control
Encryption is a fundamental technology for realizing cloud security
• Isolates data in multi-tenant environments
• Recognized universally by analysts and experts as the underlying control for cloud data
• Sets a high-water mark for demonstrating regulatory compliance adherence for data
Moves from Data Center tactic to Cloud strategic solution
• Physical controls, underlying trust in processes, and isolation mitigated some use of encryption
• Mitigating trust factors that don't exist in the cloud
- 8. SafeNet Trusted Cloud Fabric
Maintaining Trust and Control in Virtualized Environments
[Diagram: six solution areas surrounding On-premise: Secure Virtual Storage, Secure Cloud Applications, Secure Virtual Machines, Secure Cloud-Based Identities and Transactions, Secure Access to SaaS, Secure Cloud-Based Communications]
Delivering on cloud security needs:
• Control and visibility of users, data, applications, and systems when moving into virtualized environments
• Proven security and compliance strategies designed and trusted for the enterprise into cloud deployments
• Modular, flexible integration points to deploy in any combination of private, hybrid, or public cloud models — implement what you want, where you need it, when you need it
By extending trust and control SafeNet enables customers to seamlessly integrate any cloud model into their near-term and long-term technology and security strategies
- 9. Solving Today's Core Cloud Security Barriers with SafeNet Trusted Cloud Fabric
Business Goals (World Leading Bank) and the matching SafeNet Cloud Solution:
1. Business goal: Controlling Access to SaaS Applications; Federating Identities
   SafeNet solution: Secure Access to SaaS: SafeNet Multi-Factor Authentication
2. Business goal: Achieving Compliant Isolation and Separation of Duties in Multi-Tenant Environments
   SafeNet solution: Secure Virtual Machines: SafeNet ProtectV™ Instance
3. Business goal: Maintaining Trust & Control in Virtual Storage Volumes
   SafeNet solution: Secure Virtual Storage: SafeNet ProtectV™ Volume
4. Business goal: Secure Cloud Applications Without Impacting Performance; Maintain Ownership of Keys
   SafeNet solution: Secure Cloud Applications: SafeNet DataSecure® and ProtectApp
5. Business goal: Secure Digital Signing and PKI in the Cloud
   SafeNet solution: Secure Cloud-Based Identities and Transactions: SafeNet HSM
6. Business goal: Connect Securely to Private Clouds
   SafeNet solution: Secure Cloud-Based Communications: SafeNet HSE
- 10. PROBLEM: Controlling Access to SaaS and Cloud Applications
Keeping data secure when you don't own the system
KEY POINTS
• Single Sign On Access
• Federated Identities
• Seamless Integration
• Rapid Provisioning
Enforcing Authentication Strategy in the Cloud
• Multi-Factor authentication required for any apps, Cloud or Physical
• Likely even more critical for cloud-based applications
• Lower level of trust, invocation of additional regulatory requirements
Authentication Sprawl
• Separate authentication systems for each cloud provider
• Operationally un-scalable
• Typical user password/authentication fatigue and weak passwords
Preserving Flexibility
• Likely to use multiple cloud providers simultaneously
• Desire rapid re-provisioning to try new services
• Preserve options in chaotic cloud market
• The cloud market will consolidate: not if, but when
- 11. SOLUTION: Secure Access to SaaS: SafeNet Multi-Factor Authentication
Protect access to cloud-based applications via centrally managed authentication
[Diagram: user authenticates using enterprise identity through SafeNet Authentication Manager (SAM); Federated SSO to the cloud; SaaS Apps / Cloud Applications: Salesforce.com, Google Apps]
Security Features
• Single authentication solution for both on-premise and cloud based applications
• Federate identities from the on-premise solution to cloud based solutions using the SAML 2.0 protocol
• Solution is form-factor agnostic: support for HW OTP tokens, SW solutions and Out of Band
• Google Apps and Salesforce.com are supported out-of-the-box
- 12. PROBLEM: Securing Uncontrolled Virtual Instances
Achieving compliant isolation and separation of duties in multi-tenant environments
KEY POINTS
• Data Isolation
• Separation of Duties
• Cloud Compliance
• Pre-Launch Authentication
• Multi-Tenant Protection
Unlimited Copying of Instances
• Instances could be copied without awareness
• No visibility to instance location, no audit trail
• Instances used by competitors and malicious users
• Enables unlimited brute force attacking: return to the original copy for the next iteration of password guessing
Unsecured Container of Confidential Data
• Identical to a lost or stolen laptop, except the instance is often a server
• The virtual nature makes the potential surface area much larger
• Not just a single entity lost, potentially an unlimited number
- 13. SOLUTION: Secure Virtual Machines: SafeNet ProtectV Instance™
Control virtual machines in the cloud with secure instance encryption and authentication
[Diagram: On-premise ProtectV Instance™ controlling Virtual Machines on a Virtual Server / Hypervisor]
Security Features
• FIPS level pre-launch instance encryption
• Secure login interface (HTTPS)
• Password, one time password, and certificate based authentication options
• Event logging and activation notification
SafeNet DataSecure (Supplemental Security Option):
• Manages encrypted instances
• Security policy enforcement
• Lifecycle key management
• Access control
- 14. PROBLEM: Maintain Trust & Control in Virtual Storage Volumes
Loss of ownership in shared storage environments
KEY POINTS
• Data Isolation
• Cloud Compliance
• Multi-Tenant Protection
Issue of Data Leakage
• Requires trust in the meta-tagging or data isolation strategy of the cloud provider
• Risks from misconfiguration and cloud administrators
• Regulatory evidence of privacy and integrity controls
Trust and Control Issues
• If the cloud provider offers encryption:
  • Proper Key Handling: NIST lifecycle compliance; strength, uniqueness, rotation, etc.; NIST approved algorithms
  • Administration trust: Separation of Duties
- 15. SOLUTION: Secure Virtual Storage: SafeNet ProtectV Volume™
Maintain data privacy in shared storage environments with encrypted data isolation
[Diagram: On-premise Data protected by ProtectV Volume™ on a Virtual Server with cloud Storage]
Security Features
• Multiple cloud storage options:
  • ProtectV Volume™ for storage servers
  • NetApp storage support
  • ProtectFile customer-based encryption
• FIPS 140-2 Level 2 Security Certified Solution
• Centralized Policy and NIST 800-57 Key Lifecycle Management
SafeNet DataSecure (Supplemental Security Option):
• Manages encrypted instances
• Security policy enforcement
• Lifecycle key management
• Access control
- 16. PROBLEM: Secure Cloud Applications Without Impacting Performance
Maintain Root of Trust in Multi-Tenant Cloud Applications
KEY POINTS
• Maintain Ownership of Keys
• Virtually No Performance Degradation
• Achieves Cloud Efficiency
• Centralized Control & Management
• Transparent Application Integration
A Matter of Trust
• Trust transferred to cloud provider
• Lack of transparency in cloud security
• SAS 70 not useful
Risk and Liability Gains
• Cloud provider never accepts risk: written in customer agreements
• How do you assess risk? No established framework for assessing risk
Regulatory Uncertainty
• No regulation addresses the cloud directly
• Auditors looking for demonstrable security controls, a higher standard
- 17. SOLUTION: Secure Cloud Applications: SafeNet DataSecure and ProtectApp Volume
Enforce data protection in multi-tenant cloud deployed applications
[Diagram: On-premise DataSecure serving a cloud Database (ProtectDB) and Application (ProtectApp) with Tokenization; local crypto and key caching]
Security Features
• Multiple Cloud Storage Options:
  • DataSecure
  • ProtectApp for Cloud application level encryption
  • ProtectDB for cloud database encryption
  • Tokenization Manager for cloud data tokenization
• FIPS 140-2 Level Security Certified Solution
• Secure Policy Enforcement and NIST 800-57 Key Lifecycle Management
- 18. PROBLEM: Loss of Digital Ownership and Control
Secure Digital Signing and PKI in the Cloud
KEY POINTS
• Broad cloud-based platform integration
• Application and data separation
• High performing virtual transactions
Proving you are you
• Where is the root of trust in Digital Signing and PKI when it's all virtual?
• The challenge of attesting to ownership in a virtual world
• Current focus of virtualization research
Maintaining Keys in clouds
• When your cloud provider handles keys:
  • Appropriate key material separation
  • Proper lifecycle and policy handling
  • Privileged user abuse
The Cryptography and Entropy Problem
• Difficult to get true randomness in a highly replicated and automated cloud
• Flaws in cryptographic functions have huge consequences
  • September 2010 .NET encrypted cookie problem affects 25% of Internet servers.
- 19. SOLUTION: Secure Cloud-Based Identities and Transactions: SafeNet Hardware Security Options
Establish digital ownership and root of trust in virtual environments
[Diagram: On-premise Hardware Security Module serving Private, Public and Hybrid clouds]
Security Features
• Anchored root of trust for digital identities and transactions
• FIPS 140-2 Level 2 Security Certified Solution
• Multi-host partitioning, 20 – 100 per HSM
• Virtual platform support (Xen/Hyper-V/ESX-i)
• 3rd party partner application support, and integration guides on virtual platforms
• Broad cloud-based platform integration
• Application and data separation
• High performing virtual transactions
- 20. PROBLEM: Large Sensitive Data Transfers
Sending sensitive data in cloud bursting and storage
KEY POINTS
• Data redundancy
• Real time data transmission
• Continuous, encrypted data transmission
High Capacity, Highly Sensitive Data
• Transferring very sensitive data across trust boundaries
• Data Center to Private Cloud
• Entire servers and bulk storage
• May invoke encryption requirements (PCI)
Need for speed and efficiency
• Multi-Gigabit links
• Low latency requirements
• VMotion and similar technologies
• Streaming media and VoIP protocols
- 21. SOLUTION: Secure Cloud-Based Communications: SafeNet High Speed Encryptors
Transfer encrypted data communications at high speed from the enterprise to the cloud
[Diagram: On-premise High Speed Encryption link to the Private cloud]
Security Features
• Multi-Gigabit L2 Low-Latency Encryption
• Best-in-class FIPS 140-2 Level 3 Security Certified
• Central policy management and seamless integration
• Data redundancy
• Real time data transmission
• Continuous, encrypted data transmission
- 22. SafeNet Trusted Cloud Fabric
A practical blueprint for extending trust and control when moving users, data, systems, and applications to virtualized environments
[Diagram: solution areas surrounding On-premise: Secure Virtual Storage, Secure Cloud Applications, Secure Virtual Machines, Secure Cloud-Based Identities and Transactions, Secure Access to SaaS, Secure Cloud-Based Communications]
Solution Areas
1. Strong Authentication for Cloud Services
   SafeNet Authentication Manager
   SafeNet Token, Software, and Mobile Authentication
2. Secure Virtual Machines
   SafeNet ProtectV Instance
   Add DataSecure for Lifecycle Key Management
3. Secure Virtual Storage
   SafeNet ProtectV Volume
   Add DataSecure for KM and ProtectFile for Unstructured Data Protection
4. Securing Cloud Application Data
   SafeNet DataSecure, ProtectApp and ProtectDB
   Add Tokenization Manager to Reduce Audit Scope
5. Trust Anchor for Cloud Identities and Transactions
   SafeNet Hardware Security Modules
6. Secure Cloud Communications
   SafeNet High Speed Encryptors