This document discusses security challenges with cloud computing and sharing data in a multi-tenant environment. It notes that while cloud computing provides benefits like scalability and efficiency, security and compliance needs are not fully addressed due to increased risks from a larger attack surface, new definitions of privileged users, and difficulties applying security controls in shared environments. The document advocates approaches like encryption and strong authentication to help customers maintain ownership and control of their data and enable security in cloud models.
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
1. Whose Cloud Is It Anyway?
Exploring Data Security, Ownership and Control
David Etue
VP, Corporate Development Strategy
February 26, 2014
@djetue
2. Who We Are
SafeNet is trusted to protect, control access to, and manage the world's most sensitive data and high value applications
FOUNDED: 1983
REVENUE: ~330m
GLOBAL: +25,000 customers in 100 countries
EMPLOYEES: +1,500 in 25 countries
ACCREDITED: Products certified to the highest security standard
We protect the most money that moves–over 80% of the world’s intra-bank fund transfers and nearly $1 trillion per day.
We are the de facto root of trust–deploying more than 86,000 key managers and protecting up to 750,000,000 encryption keys.
We monetize the most high-value software–more than 100 million license keys protect and manage on-premise, embedded, and cloud applications globally.
We control access to the most sensitive corporate information–more than 35 million identities protected via tokens, smartcards, and mobile devices managed on-premise and in the cloud.
3. Cloud and Virtualization Are Changing the
Way IT is Managed and Consumed
Agile.
Now.
On demand.
Simple.
Secure?
12. New Risk:
Ability to Apply Security Controls
Security Controls Mapping and Sized by Budget
Security Management & GRC
Identity/Entity Security
Data Security
App Sec
Host
Network
Infrastructure Security
CSA Cloud Model
13. New Risk:
Ability to Apply Security Controls
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments…but were the controls even effective then?
14. New Risk:
Control (or lack thereof)
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for implementing & managing yourself.
Salesforce - SaaS
Google AppEngine - PaaS
Amazon EC2 - IaaS
15. And Not Just The Traditional “Bad Guys"
Sensitive Data in the Cloud
Government Discovery
Adversaries
Cloud Administrators
Auditors / Regulators
16. So, Whose Cloud Is It Anyway?
| Model | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS |
|---|---|---|---|
| Whose Privilege Users? | Customer | Provider | Provider |
| Whose Infrastructure? | Customer | Provider | Provider |
| Whose VM / Instance? | Customer | Customer | Provider |
| Whose Application? | Customer | Customer | Provider |
| Law Enforcement Contact? | Customer | Provider | Provider |
17. Making it Your Cloud:
Key Enablers to Cloud Security
Encryption (and Key Management)
Identity and Access Management with Strong Authentication
Segmentation
Privilege User Management
Detection and Response Capabilities
System Hardening
Asset, Configuration, and Change Management
20. Typical Sources of Trust
| Source | Traditional Data Center | Internal Cloud (Private) | External Cloud (Public, Community, Hybrid) |
|---|---|---|---|
| “Own the Stack” | Yes | N/A | No |
| System Fingerprinting | Yes | No | No |
| Trusted Platform Module (TPM) | Yes | Maybe? | No |
| Hardware Security Module (HSM) – Server Card | Yes | Maybe? | No |
| Hardware Security Module (HSM) – Network | Yes | Yes | Yes |
| Smartcard | Yes | Maybe | Maybe |
24. How Do You Apply Security Controls?
Security Controls Mapping and Sized by Budget
Security Management & GRC
Identity/Entity Security
Data Security
App Sec
Host
Network
Infrastructure Security
CSA Cloud Model
25. Need to Focus “Up The Stack”
CSA Cloud Model
Security Management & GRC
Identity/Entity Security
Data Security
App Sec
Host
Network
Infrastructure Security
Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud Forces a Change in How Security Controls Are Evaluated and Deployed
26. Data Centric Security = Agility!
CSA Cloud Model
Security Management & GRC
Identity/Entity Security
Data Security
App Sec
Host
Network
Infrastructure Security