Your SlideShare is downloading. ×
  • Like
  • Save
Regulatory compliant cloud computing rethinking web application architectures for the cloud by arshad noor, cto strong auth
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Regulatory compliant cloud computing rethinking web application architectures for the cloud by arshad noor, cto strong auth

  • 368 views
Published

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
368
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. A web-application architecture for Secure Cloud ComputingProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 1
  • 2. In the beginning... ● Your data-center ● Your mainframe or mini-computer Internal Internal Network Operations ● Your network ● Your Operations staff ● Your single-tiered, App CCN PIN monolithic applications DB KM OS Hardware Company PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 2
  • 3. The PC-LAN ● Your data-center ● Your PC server ● Your PC client Internal Internal Network Operations ● Your network ● Your firewall ● Your Operations staff DB KM App CCN PIN OS OS ● Your two-tiered, Hardware Hardware client-server applications Company PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 3
  • 4. The WWW ● Your data-center ● Your PC servers ● Your network ● Your firewall Internal Internal Network Operations ● Your Operations staff ● Your three-tiered, web applications DB KM AppSrv CCN PIN OS OS Hardware Hardware I Browser OS Hardware Company PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 4
  • 5. The Public Cloud ● Cloud Service Providers CSP CSP (CSP) data-center Network Operations ● CSPs hardware ● CSPs Hypervisor App CSPs Network CCN PIN ● DB KM ? ? ? ? OS ● CSPs Operations staff Hypervisor Hardware ● Unknown guests in VMs CSP Perimeter ● Your applications and data?Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 5
  • 6. EKM in the Public Cloud? CSP CSP Network Operations Internal Internal Network Operations App CCN PIN LAN HSM DB OS ? ? ? ? Hypervisor Company Perimeter Hardware CSP PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 6
  • 7. EKM with SaaS? SaaS Application Users SaaS SaaS Network Operations I Web Application EKMI VPN API ? ? ? ? ? Internal OS Operations Hardware Company Perimeter SaaS PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 7
  • 8. Whats missing? ● Methodology to use the Cloud without being vulnerable ● Controls to ensure that neither CSP nor attacker can compromise your dataProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 8
  • 9. The Paradigm Shift Regulatory Compliant Cloud Computing (RC3) Architecture to secure data in the Cloud with proof of compliance.Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 9
  • 10. RC3 Characteristics 1) Data-classification 2) Separate processing zones 3) Encryption Key Management InfrastructureProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 10
  • 11. RC3 Data Classification ● Class-1 – Sensitive and regulated data – SSN, CCN, ACH, Medical, etc. ● Class-2 – Sensitive but unregulated data – Application Credentials, Salaries, Sales figures, etc. ● Class-3 – Non-sensitive dataProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 11
  • 12. Data – Before RC3 Employee EID 12345 Class-1 data SSN 111-22-3333 Firstname John Lastname Doe HireDate 01/01/2011 Class-2 data Supervisor 23456 Salary 55000 Location 123 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 12
  • 13. Data – After RC3 Employee EID 12345 SSN 9999000000003912 Firstname 9999000000005126 Class-3 data Lastname 9999000000005127 HireDate 01/01/2011 Supervisor 23456 Salary 9999000000007184 Location 123 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 13
  • 14. Another way – After RC3 Employee EID 12345 RC3Data 9999000000001212 <EmployeeRC3Data> HireDate 01/01/2011 <SSN>111-22-3333</SSN> <Firstname>John</Firstname> Supervisor 23456 <Lastname>Doe</Lastname> <Salary>55000</Salary> Location 123 </EmployeeRC3Data> ,,,,Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 14
  • 15. Data – Before RC3 Bank Account AID 12345678 Firstname Jane Class-2 data Lastname Smith SSN 111-22-4444 Class-1 data BranchID 123 AccountType 1 DateOpened 02/02/2012 Balance 794.25 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 15
  • 16. Data – After RC3 Bank Account AID 9999000000023745 Firstname 9999000000071847 Lastname 9999000000071849 Class-3 data SSN 9999000000088764 BranchID 123 AccountType 1 DateOpened 02/02/2012 Balance 794.25 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 16
  • 17. Another way – After RC3 Bank Account AID 9999000000023745 RC3Data 9999000000026458 <BankAccountRC3Data> BranchID 123 <SSN>111-22-4444</SSN> AccountType 1 <Firstname>Jane</Firstname> <Lastname>Smith</Lastname> DateOpened 02/02/2012 </BankAccountRC3Data> Balance 794.25 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 17
  • 18. Data – Before RC3 Patient PID 1234567 SSN 111-222-5555 Firstname John Lastname Smith Class-2 data Gender M DateOfBirth 03/03/1953 Class-1 data BloodType O+ .... Blood Report PID 1234567 Class-2 data ReportDate 04/04/2012 RBC 5.1 Class-1 data WBC 7.5 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 18
  • 19. Data – After RC3 Patient PID 9999000000023745 SSN 9999000000057599 Firstname 9999000000045910 Lastname 9999000000045911 Gender M Class-3 data DateOfBirth 03/03/1953 BloodType O+ .... Blood Report PID 9999000000023745 ReportDate 04/04/2012 RBC 5.1 WBC 7.5 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 19
  • 20. Another way – After RC3 Patient PID 9999000000023745 RC3Data 9999000000079921 Gender M DateOfBirth 03/03/1953 <PatientRC3Data> BloodType O+ <SSN>111-22-5555</SSN> <Firstname>John</Firstname> .... <Lastname>Smith</Lastname> </PatientRC3Data> Blood Report PID 9999000000023745 ReportDate 04/04/2012 RBC 5.1 WBC 7.5 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 20
  • 21. Yet another way – After RC3 Patient PID 9999000000023745 RC3Data 9999000000079921 BloodType O+ .... <PatientRC3Data> <SSN>111-22-5555</SSN> <Firstname>John</Firstname> <Lastname>Smith</Lastname> <Gender>M</Gender> <DOB>03/03/1953</DOB> </PatientRC3Data> Blood Report PID 9999000000023745 ReportDate 04/04/2012 RBC 5.1 WBC 7.5 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 21
  • 22. RC3 Zones ● Regulated Zone (Secure Zone) – Class-1 and Class-2 data-processing & storage – Enterprise Key Management Infrastructure (EKMI) ● Cloud Zone (Public Zone) – Class-3 data-processing & storage – Can, optionally, store C1/C2 tokens (C3-equivalent) – NO CRYPTOGRAPHY – NO IDENTITY MANAGEMENT SYSTEM – NO INBOUND CONNECTION TO REGULATED ZONEProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 22
  • 23. WEB-APPLICATION MODELProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 23
  • 24. Basic web application Transaction Confirmation 2 Web Application Server Web-site Customer Details 1 Product Details Shipping Details Payment Details Company PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 24
  • 25. With Redirection Company Perimeter Transaction Confirmation 4 Web Application Server Customer Details Product Details Shipping Details 1 Payment Confirmation 3 2 Payment Details Payment Processor Payment Processor PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 25
  • 26. SECURE CLOUD COMPUTING FOR E-COMMERCE RC3 MODELProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 26
  • 27. E-COMMERCE - 1 Cloud Zone WebApp Web IAM 1 Application Authentication Credentials Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 27
  • 28. E-COMMERCE - 2 Cloud Zone WebApp 2 Session Token Web 2 Application Session Token Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 28
  • 29. E-COMMERCE - 3 Cloud Zone Customer ID Address Order Detail WebApp Session Token 3 Customer ID Address Order Detail Web Application Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 29
  • 30. E-COMMERCE - 4 Cloud Zone Customer ID Address Order Detail WebApp 4 Web Session Token Application Customer ID Name Credit Card Number Card Expiry Date Regulated Zone Card Verification Value Amount Phone E-mail address Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 30
  • 31. E-COMMERCE - 5 Cloud Zone Customer ID Address CCN Name Order Detail WebApp 5 CCN Web Application Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 31
  • 32. E-COMMERCE - 6 Cloud Zone Customer ID Address CCN Name Order Detail WebApp Token 6 Web Application Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 32
  • 33. E-COMMERCE - 7 Cloud Zone Customer ID Address CCN Name Order Detail WebApp Token 7 Token Web Application Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 33
  • 34. FULL TRANSACTION Cloud Zone Customer ID Address CCN Name Order Detail WebApp Token 7 Token Session Token 3 Customer ID 5 CCN Token 6 Address Order Detail 4 Web Session Token Application Customer ID Name Credit Card Number Card Expiry Date Regulated Zone Card Verification Value Amount Phone E-mail address Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 34
  • 35. HOW DO YOU TRANSITION TO RC3?Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 35
  • 36. RC3 in the Enterprise Public Zone Customer ID CCN Name Web Address Application Order Detail Token Token 7 Session Token 3 Customer ID 5 CCN Token 6 Address Order Detail Session Token Web Customer ID Name Application Credit Card Number Card Expiry Date Card Verification Value Amount Regulated Zone Phone E-mail address 4 Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 36
  • 37. RC3 in Private Clouds Cloud Zone o p e n ta c k s Customer ID CCN Name Address Order Detail WebApp Token Token 7 Session Token 3 Customer ID 5 CCN Token 6 Address Order Detail Session Token Web Customer ID Name Application Credit Card Number Card Expiry Date Card Verification Value Amount Regulated Zone Phone E-mail address 4 Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 37
  • 38. RC3 in Public Clouds Cloud Zone Customer ID Address CCN Name Order Detail WebApp Token 7 Token Session Token 3 Customer ID 5 CCN Token 6 Address Order Detail 4 Web Session Token Application Customer ID Name Credit Card Number Card Expiry Date Regulated Zone Card Verification Value Amount Phone E-mail address Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 38
  • 39. RC3 rules for the Cloud ● Do NOT store/use cryptographic keys in the Cloud ● Do NOT store/use plaintext sensitive data in the Cloud ● Do NOT store credentials to anything in the Cloud ● Do NOT use CSP-supplied cryptographic keys ● DO change your Server SSL keys very frequently ● DO consider digitally signing/verifying Cloud data in the Regulated Zone ● Assume the worst (that your applications and data are operating on the open internet) and design for itProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 39
  • 40. Resources ● Regulatory Compliant Cloud Computing (RC3) – http://www.ibm.com/developerworks/cloud/library/cl-regcloud/index.html – http://www.infoq.com/articles/regulatory-compliant-cloud-computing – http://bit.ly/rc3issa ● Cryptographic engine (enables RC3 applications) – http://www.cryptoengine.org ● CryptoCabinet (RC3 sample application) – http://www.cryptocabinet.orgProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 40
  • 41. RC3 Application Demo 1 5 Local PC 2 3 4 LDAP Corporate PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 41
  • 42. RC3 Case Study ● Document-management e-commerce company in US ● Serving financial, health-care and legal markets ● Private Cloud ● Millions of documents – Sizes ranging from a few kilobytes to gigabytes ● Needed PCI-DSS level security ● Needed automatic ramp-up/ramp-down capabilityProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 42
  • 43. RC3 Case Study Web Portal .... Corporate PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 43
  • 44. Questions? ● Contact Information – Arshad Noor – arshad.noor@strongauth.com – +1 (408) 331-2001Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 44