Transcript of "AWS Summit 2011: Cloud Compliance 101: No PhD required - SafeNet"
Cloud Compliance 101: No PhD Required
Cloud Computing forces the Data Governance Issue
Mike Smart, Solutions Marketing Director, SafeNet
Mike.Smart@safenet-inc.com – twitter @rmsmart007
June 2011
Agenda
• Cloud Adoption – on the move…
• What the Regulations Say (or Don’t)
• The Compliance Problem
• Solving the Problem
• Bringing Predictive Focus
• Questions and Answers
Cloud delivery models – all at once! Traditional → Virtualized Data Center → Enterprise Private Cloud → Public Cloud → Community & Hybrid Clouds
Global Cloud Adoption – Moving fast… (Source: Gartner, July 2010 – Cloud Hype Cycle)
Market Growth in Cloud Computing
• Over 60% of enterprises plan to evaluate or pilot some type of cloud-enabled offering within the next 18 months. However, enterprises continue to delay cloud adoption due to concerns surrounding data security, privacy and compliance. (Gartner Hype Cycle for Cloud Computing, 2010, David Mitchell Smith, July 27, 2010)
• Server revenue in the public cloud category will grow from $582 million in 2009 to $718 million in 2014; server revenue for the private cloud market will grow from $7.3 billion to $11.8 billion. (IDC, May 2010)
• SMB spending on cloud computing will approach $100 billion by 2014. (AMI Partners, August 2010)
EMEA & Cloud – Growth Starting 2011… (Source: 451Group; chart comparing cloud growth in the USA/Americas, EMEA/Europe and APAC)
UK’s Cloud Guidance & Governance
Government ICT Strategy – March 2011 (http://www.cabinetoffice.gov.uk/content/government-ict-strategy) – Cloud Direction Set…
2. The government Cloud (g-Cloud) – Rationalizing the government ICT estate, using cloud computing to increase capability and security, reduce costs and accelerate deployment speeds.
3. The Data Centre Strategy – Rationalizing data centres to reduce costs while increasing resilience and capability.
4. The government applications Store (g-aS) – Enabling faster procurement, greater innovation, higher speed to deliver outcomes and reduced costs.
5. Shared services, moving systems to the government Cloud – Continually moving to shared services delivered through the government Cloud for common activities.
Cloud Computing Security – December 2010: It is good practice to encrypt the data prior to it being transferred to the online services company. This should render the data useless to any hackers and snoopers without the key, regardless of the jurisdiction it is in or who is processing it. Modern techniques increasingly allow processing operations to be carried out whilst maintaining the security and integrity of the data.
Trust is THE issue!
IT Security is stopping projects. Compliance/Audit has tons of questions. Cloud growth IS being limited. All the birds are dead.
IT Security Group: “The cloud isn’t secure. I don’t trust providers. I don’t know how to secure that thing!”
Compliance/Audit Group: “Show me your security. Prove compliance in clouds. Convince me!”
Cloud Security Challenges
• User ID and Access: Secure authentication, authorization, logging
• Data Co-Mingling: Multi-tenant data mixing, leakage, ownership
• Application Vulnerabilities: Exposed vulnerabilities and response
• Insecure Application APIs: Application injection and tampering
• Data Leakage: Isolating data
• Platform Vulnerabilities: Exposed vulnerabilities and response
• Insecure Platform APIs: Instance manipulation and tampering
• Data Location/Residency: Geographic regulatory requirements
• Hypervisor Vulnerabilities: Virtualization vulnerabilities and architectures
• Data Retention: Secure deletion of data
• Application & Service Hijacking: Malicious application usage
• Privileged Users: Super-user abuse
• Service Outage: Availability
• Malicious Insider: Reconnaissance, manipulation, tampering
• Logging & Forensics: Incident response, liability limitation
• Perimeter/Network Security: Secure isolation and access
• Physical Security: Direct tampering and theft
Fundamental Trust & Liability Issues
• Data exposure in multi-tenant environments
• Separation of duties from cloud provider insiders
• Transfer of liability by cloud providers to data owners
Fundamental New Cloud Risks
• New hypervisor technologies
• Redefine trust and attestation in cloud environments
Regulatory Uncertainty in the Cloud
• Regulations likely to require strong controls in the cloud
Trust & Hypervisors Challenge Us to Do Better – and encryption hits trust and isolation head-on
Control stack (mapped against the CSA Controls Matrix / CloudAudit assessment questions, SAS 70 and ISO 27001):
• Scan & Report: Pen-test, web scanning, etc.
• Authentication/Authorization: MFA, IAM integration, entitlement management
• Vulnerability Management: Code review/scan, newslists, developer education, QA, etc.
• Data Protection: App/DB/File encryption, DAM/FAM, process, etc.
• Patch Management: Patch process, newslists, patch management
• Assessment Questions
• Telemetry & Reporting
• Instance Authentication/Authorization
• Instance Isolation
• Hypervisor Vulnerability Management
• Network Security: VLANs, firewalls, IPS, NAC, etc.
• Physical Security
New Technology Ground (the GAP)
• Centered around hypervisors, or the associated trust boundary
• Encryption is the single greatest way to address isolation/trust
• Will also include building controls into CSP/hypervisor tools
Regulations Will Impact Cloud – Many regulations that often overlap
The Truth – You Are On Your Own for Now
Bad News: Confusing Regulatory Landscape
• Shared responsibility model, but the demarcation is gray
• SAS 70 inadequate for common use in evaluating cloud providers
• Formal transfer of liability very likely written into your cloud contract
• You will have to have a detailed architecture and API conversation to assess your responsibility
Good News: Everyone Trying to Solve the Problem
• XaaS providers know this and are working hard to alleviate it
• Cloud Security Alliance has a mapping document
So where do we go from here???
Focus on First Principles
• Spirit and intent of regulations
• Thoughtful data handling
Sprinkled with the “New” Cloud Issues
• These are where regulations will focus
• They will be around the new areas we discussed before: Trust and Ownership; Hypervisors; Disclosure and Visibility
First Principles and Cloud Challenges
Principle | Issues | Challenge areas marked (Disclosure/Visibility · Trust/Ownership · Hypervisor)
Limit use of <sensitive data> | Big issue in SaaS; in your control for the most part in IaaS and PaaS | X
Use secure development practices | Issue in SaaS and PaaS | X
Control access to <sensitive data> | Issues in all cases: user identification, authorization rights, privileged cloud users | X X X
Encrypt <sensitive data> in transit | Most likely already addressed, but customer-to-cloud and intra-cloud communication can be an issue | X X
Optional <sensitive data> encryption at rest | Huge issue for data sitting in the cloud, across all platforms | X X
Keep <sensitive data> confidential | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud | X X X
Keep the integrity of <sensitive data> | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud | X X X
Enforce separation of duties for <sensitive data> access and administration | Fundamental issue of cloud employee and cloud administrator access. Extends to both physical and logical security. Invokes separation-of-duties issues around all controls | X X X
Report and audit your controls | Can you prove it to your auditor? | X
Emergence of Encryption as a Unifying Cloud Security Control
Encryption is a fundamental technology for realizing cloud security
• Isolates data in multi-tenant environments
• Recognized universally by analysts and experts as the underlying control for cloud data
• Sets a high-water mark for demonstrating regulatory compliance for data
Moves from data center tactic to cloud strategic solution
• In the data center, physical controls, underlying trust in processes, and isolation reduced the need for encryption
• Those trust factors don’t exist in the cloud, and encryption is what replaces them
How Encryption Solves Main Pain Points
Principle | Issues | Challenge areas marked (Disclosure/Visibility · Trust/Ownership · Hypervisor) | How encryption helps
Limit use of <sensitive data> | Big issue in SaaS; in your control for the most part in IaaS and PaaS | X |
Use secure development practices | Issue in SaaS and PaaS | X |
Control access to <sensitive data> | Issues in all cases: user identification, authorization rights, privileged cloud users | X X X | Encryption enables an authentication and authorization layer.
Encrypt <sensitive data> in transit | Most likely already addressed, but customer-to-cloud and intra-cloud communication can be an issue | X X |
Optional <sensitive data> encryption at rest | Huge issue for data sitting in the cloud, across all platforms | X X | Encryption directly addresses many regulator requirements and shows a high standard of care.
Keep <sensitive data> confidential | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud | X X X | Encryption fundamentally isolates your data from other tenants in a shared cloud environment and shields it from unauthorized data breach.
Keep the integrity of <sensitive data> | Main issue is guaranteeing the “trust” in data when you don’t “trust” the cloud | X X X | Authenticated encryption modes provide integrity controls alongside confidentiality; plain encryption on its own does not detect tampering.
Enforce separation of duties for <sensitive data> access and administration | Fundamental issue of cloud employee and cloud administrator access. Extends to both physical and logical security. Invokes separation-of-duties issues around all controls | X X X | Encryption can add an authentication and authorization layer for users and administrators. Customer-owned encryption definitively shows separation from the cloud.
Report and audit your controls | Can you prove it to your auditor? | X | Encryption key ownership is tangible proof of data ownership. Encrypt/decrypt actions become easy log and audit proofs.
Encryption – Additional Upside
“Lawful Order” to Cloud Provider for Data
• Issue: The cloud provider may turn over your data when another tenant of the cloud is under criminal investigation. Your data is now viewable to law enforcement.
• Resolution: Encrypted data is unreadable to law enforcement without the key. Law enforcement would have to work through legal channels, under which you have guaranteed rights, to get you to turn over the decryption keys.
Destruction of Cloud Data
• Issue: Is data in the cloud ever destroyed? Are you sure?
• Resolution: Encryption makes the data sitting in the cloud unusable on its own. “Key shredding” (destroying the keys) makes the encrypted cloud data effectively unrecoverable, including copies you cannot reach.
Physical Location Issues of Cloud Data
• Issue: Is cloud data now in new physical locations requiring new regulatory insight, or violating existing regulatory law?
• Resolution: Encrypted data can be moved anywhere in the cloud, but controlled decryption with a proper key release policy can define which localities may use the data.
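The three resolutions above (data unreadable to a third party without the key, key shredding, and location-gated decryption) all rest on one design: data is encrypted under keys the customer holds, and the thing the customer actually controls is key release. The following Go program is an added example written for this page, not SafeNet code and not the product described later in the deck. It assumes a hypothetical in-memory KeyStore standing in for a customer-held key manager, made-up region names (eu-west-1, us-east-1), a made-up object ID and a constructed sample record, and uses the Go standard library's AES-256-GCM. Each object gets its own data key (DEK) wrapped under one customer key (KEK), so shredding the KEK kills every object at once, and the release policy checks the caller's region before unwrapping.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var ErrShredded = errors.New("key-encryption key has been shredded")
var ErrRegionDenied = errors.New("key release denied for caller's region")

// Envelope is what sits in the cloud: the object's ciphertext plus its data
// key (DEK), itself encrypted under the customer-held key-encryption key (KEK).
type Envelope struct {
	ObjectID   string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=ObjectID)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data, aad=ObjectID)
}

// KeyStore is a hypothetical stand-in for a customer-controlled key manager,
// not a real product API: the KEK plus the regions allowed to receive keys.
type KeyStore struct {
	KEK            []byte
	AllowedRegions map[string]bool
}

func randomKey() []byte {
	k := make([]byte, 32) // AES-256
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err) // a failing OS CSPRNG is not a condition to continue past
	}
	return k
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys in this file are always 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal uses an authenticated mode: the GCM tag covers ciphertext and
// associated data, so tampering in storage is caught at decrypt time.
// Plain AES-CBC, by contrast, gives confidentiality only.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, aad) // nonce || ct || tag
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// Encrypt: fresh DEK per object, data under the DEK, DEK wrapped under the KEK.
func (ks *KeyStore) Encrypt(objectID string, data []byte) (*Envelope, error) {
	if ks.KEK == nil {
		return nil, ErrShredded
	}
	dek := randomKey()
	return &Envelope{
		ObjectID:   objectID,
		WrappedDEK: seal(ks.KEK, dek, []byte(objectID)),
		Ciphertext: seal(dek, data, []byte(objectID)),
	}, nil
}

// Decrypt applies the key-release policy before unwrapping: ciphertext may be
// replicated to any region, but the key is only released to an allowed one.
func (ks *KeyStore) Decrypt(env *Envelope, callerRegion string) ([]byte, error) {
	if ks.KEK == nil {
		return nil, ErrShredded
	}
	if !ks.AllowedRegions[callerRegion] {
		return nil, ErrRegionDenied
	}
	dek, err := open(ks.KEK, env.WrappedDEK, []byte(env.ObjectID))
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(env.ObjectID))
}

// Shred is crypto-shredding: zero and discard the KEK. Every envelope wrapped
// under it, including copies and snapshots still in the cloud, is unrecoverable.
func (ks *KeyStore) Shred() {
	for i := range ks.KEK {
		ks.KEK[i] = 0
	}
	ks.KEK = nil
}

func main() {
	ks := &KeyStore{KEK: randomKey(), AllowedRegions: map[string]bool{"eu-west-1": true}}
	env, _ := ks.Encrypt("records-0001", []byte("constructed sample record"))
	pt, err := ks.Decrypt(env, "eu-west-1")
	fmt.Printf("eu-west-1: %q err=%v\n", pt, err)
	_, err = ks.Decrypt(env, "us-east-1")
	fmt.Println("us-east-1:", err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1 // simulate tampering in storage
	_, err = ks.Decrypt(env, "eu-west-1")
	fmt.Println("tampered:", err)
	ks.Shred()
	_, err = ks.Decrypt(env, "eu-west-1")
	fmt.Println("after shred:", err)
}
```

Two caveats a practitioner should keep in mind. The location policy gates where keys go, not where ciphertext lives: the provider can replicate or snapshot the blob freely, and that is fine as long as the key manager is outside the provider's control. And crypto-shredding is only as good as the destruction of every copy of the KEK (backups, escrow, HSM clones); that bookkeeping belongs to the customer's key manager, which is exactly the point of owning the keys rather than leaving them with the cloud.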
SafeNet Trusted Cloud Fabric – Maintaining Trust and Control in Virtualized Environments
SafeNet Offering – on AWS
With SafeNet ProtectV™ (server- and storage-based encryption) and DataSecure (application/database encryption), customers can now protect compliance-impacted data stored and used in cloud environments.
• ProtectV™ Instance enables organizations to encrypt and secure the entire contents of virtual servers, protecting these assets from theft or exposure.
• ProtectV™ Volume enables enterprises to secure entire virtual volumes in the cloud containing their data, such as files or folders.
• DataSecure with ProtectApp and ProtectDB enables enterprises to encrypt and prove control over data in applications hosted in the cloud.
Delivers: Data Isolation • Cloud Compliance • Separation of Duties • Pre-Launch Authentication • Multi-tenant Protection
SafeNet ProtectV in Amazon AWS!
#1 Select SafeNet AMIs
• EC2 and VPC
• 4 public images
• Windows 2003/2008, 32/64 bit
• Linux April/May
• (enable SSL port 443 access)
#2 Set Encryption Options
• RDP local management console
• Encrypt local instance
• Encrypt attached storage volumes
• Set encryption level (AES 256)
• Set secure pre-launch authentication
#3 Pre-Launch Authentication
• Standard SSL web browser session
• Secures at pre-boot level
• Authenticate instance for launch
(Diagram labels: Amazon EC2 (& VPC), Amazon EBS)
ProtectV and Scaling in Large Environments
ProtectV and ProtectV Manager – Cloud APIs: authentication automation, activation/snapshot, centralized management
SafeNet ProtectV Manager
• Provides centralized management
• Supports either customer-premise or cloud deployments
• Manages and coordinates ProtectV security
• Fully meshed encrypted volumes (enables transparent access)
• Open APIs to cloud management, customer provisioning, reporting
SafeNet KeySecure (on premise)
• Centralizes key management for persistence and flexibility
• Secure key creation and storage
• Key discovery
• Snapshot re-keying
• Key archiving and shredding
Additional Resources
• Cloud Security Alliance – excellent, vendor-neutral
• SafeNet website: www.safenet-inc.com/cloudsecurity
• Videos
• White Papers
Press quotes:
“Penn said that encryption is one of the best ways to secure corporate data in the cloud, but ‘it has to be encryption that the company controls.’”
“One of the vendors that offers encryption-based cloud security products to companies and government organizations is Maryland-based SafeNet.”
“‘One of the biggest issues our customers are running across is around the concept of trust in the cloud,’ said Dean Ocampo, solutions strategy director at SafeNet. ‘There isn’t a lot of insight among customers in understanding what cloud providers are doing from a security perspective,’ he told Infosecurity.”
“SafeNet Makes Formal Foray into Cloud Security Market with Launch of Trusted Cloud Fabric.” “SafeNet, which has been around since 1993, formally made the jump today from on-premise security to cloud security with the introduction of a new framework designed to extend their established offerings into the cloud. Additionally, they have extended and refined some of their existing services to fit into the public cloud realm via Amazon Web Services.”
Questions?
Mike Smart, Solutions Marketing Director – Mike.Smart@safenet-inc.com – twitter @rmsmart007