A web-application       architecture for   Secure Cloud ComputingProvable regulatory compliance!   StrongAuth, Inc. Propri...
In the beginning...                                       ●   Your data-center                                       ●   Y...
The PC-LAN                                       ●   Your data-center                                       ●   Your PC se...
The WWW                                            ●   Your data-center                                            ●   You...
The Public Cloud                                          ●   Cloud Service Providers         CSP               CSP       ...
EKM in the Public Cloud?                                              CSP                 CSP                             ...
EKM with SaaS?        SaaS Application Users           SaaS            SaaS                                        Network...
Whats missing?    ●   Methodology to use the Cloud without        being vulnerable    ●   Controls to ensure that neither ...
The Paradigm Shift                               Regulatory                             Compliant Cloud                   ...
RC3 Characteristics    1) Data-classification    2) Separate processing zones    3) Encryption Key Management Infrastructu...
RC3 Data Classification    ●   Class-1        –   Sensitive and regulated data        –   SSN, CCN, ACH, Medical, etc.    ...
Data – Before RC3   Employee   EID          12345               Class-1 data   SSN          111-22-3333   Firstname    Joh...
Data – After RC3                                  Employee                                  EID          12345            ...
Another way – After RC3                                      Employee                                      EID          12...
Data – Before RC3   Bank Account   AID            12345678   Firstname      Jane              Class-2 data   Lastname     ...
Data – After RC3                              Bank Account                              AID            9999000000023745   ...
Another way – After RC3                                     Bank Account                                     AID          ...
Data – Before RC3  Patient  PID            1234567  SSN            111-222-5555  Firstname      John  Lastname       Smith...
Data – After RC3                              Patient                              PID            9999000000023745        ...
Another way – After RC3                                    Patient                                    PID            99990...
Yet another way – After RC3                                Patient                                PID            999900000...
RC3 Zones    ●   Regulated Zone (Secure Zone)        –   Class-1 and Class-2 data-processing & storage        –   Enterpri...
WEB-APPLICATION MODELProvable regulatory compliance!   StrongAuth, Inc. Proprietary                                    Ver...
Basic web application                          Transaction                          Confirmation                          ...
With Redirection        Company Perimeter                                         Transaction                             ...
SECURE CLOUD COMPUTING               FOR E-COMMERCE                       RC3 MODELProvable regulatory compliance!    Stro...
E-COMMERCE - 1                                                   Cloud Zone                                               ...
E-COMMERCE - 2                                                   Cloud Zone                                               ...
E-COMMERCE - 3                                   Cloud Zone                                                        Custome...
E-COMMERCE - 4                                                            Cloud Zone                                      ...
E-COMMERCE - 5                                   Cloud Zone                                                  Customer ID  ...
E-COMMERCE - 6                                       Cloud Zone                                                      Custo...
E-COMMERCE - 7                                              Cloud Zone                                                    ...
FULL TRANSACTION                                                                 Cloud Zone                               ...
HOW DO YOU TRANSITION                   TO RC3?Provable regulatory compliance!   StrongAuth, Inc. Proprietary             ...
RC3 in the Enterprise                                                Public Zone                                          ...
RC3 in Private Clouds                                                  Cloud Zone                                         ...
RC3 in Public Clouds                                                      Cloud Zone                                      ...
RC3 rules for the Cloud  ●   Do NOT store/use cryptographic keys in the Cloud  ●   Do NOT store/use plaintext sensitive da...
Resources    ●   Regulatory Compliant Cloud Computing (RC3)        –   http://www.ibm.com/developerworks/cloud/library/cl-...
RC3 Application Demo        1                                         5      Local PC         2                           ...
RC3 Case Study    ●   Document-management e-commerce company in US    ●   Serving financial, health-care and legal markets...
RC3 Case Study              Web Portal                              ....                                      Corporate Pe...
Questions?    ●   Contact Information        –   Arshad Noor        –   arshad.noor@strongauth.com        –   +1 (408) 331...
Upcoming SlideShare
Loading in …5
×

Regulatory compliant cloud computing rethinking web application architectures for the cloud by arshad noor, cto strong auth

673 views
557 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
673
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Regulatory compliant cloud computing rethinking web application architectures for the cloud by arshad noor, cto strong auth

  1. 1. A web-application architecture for Secure Cloud ComputingProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 1
  2. 2. In the beginning... ● Your data-center ● Your mainframe or mini-computer Internal Internal Network Operations ● Your network ● Your Operations staff ● Your single-tiered, App CCN PIN monolithic applications DB KM OS Hardware Company PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 2
  3. 3. The PC-LAN ● Your data-center ● Your PC server ● Your PC client Internal Internal Network Operations ● Your network ● Your firewall ● Your Operations staff DB KM App CCN PIN OS OS ● Your two-tiered, Hardware Hardware client-server applications Company PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 3
  4. 4. The WWW ● Your data-center ● Your PC servers ● Your network ● Your firewall Internal Internal Network Operations ● Your Operations staff ● Your three-tiered, web applications DB KM AppSrv CCN PIN OS OS Hardware Hardware I Browser OS Hardware Company PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 4
  5. 5. The Public Cloud ● Cloud Service Providers CSP CSP (CSP) data-center Network Operations ● CSPs hardware ● CSPs Hypervisor App CSPs Network CCN PIN ● DB KM ? ? ? ? OS ● CSPs Operations staff Hypervisor Hardware ● Unknown guests in VMs CSP Perimeter ● Your applications and data?Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 5
  6. 6. EKM in the Public Cloud? CSP CSP Network Operations Internal Internal Network Operations App CCN PIN LAN HSM DB OS ? ? ? ? Hypervisor Company Perimeter Hardware CSP PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 6
  7. 7. EKM with SaaS? SaaS Application Users SaaS SaaS Network Operations I Web Application EKMI VPN API ? ? ? ? ? Internal OS Operations Hardware Company Perimeter SaaS PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 7
  8. 8. Whats missing? ● Methodology to use the Cloud without being vulnerable ● Controls to ensure that neither CSP nor attacker can compromise your dataProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 8
  9. 9. The Paradigm Shift Regulatory Compliant Cloud Computing (RC3) Architecture to secure data in the Cloud with proof of compliance.Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 9
  10. 10. RC3 Characteristics 1) Data-classification 2) Separate processing zones 3) Encryption Key Management InfrastructureProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 10
  11. 11. RC3 Data Classification ● Class-1 – Sensitive and regulated data – SSN, CCN, ACH, Medical, etc. ● Class-2 – Sensitive but unregulated data – Application Credentials, Salaries, Sales figures, etc. ● Class-3 – Non-sensitive dataProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 11
  12. 12. Data – Before RC3 Employee EID 12345 Class-1 data SSN 111-22-3333 Firstname John Lastname Doe HireDate 01/01/2011 Class-2 data Supervisor 23456 Salary 55000 Location 123 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 12
  13. 13. Data – After RC3 Employee EID 12345 SSN 9999000000003912 Firstname 9999000000005126 Class-3 data Lastname 9999000000005127 HireDate 01/01/2011 Supervisor 23456 Salary 9999000000007184 Location 123 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 13
  14. 14. Another way – After RC3 Employee EID 12345 RC3Data 9999000000001212 <EmployeeRC3Data> HireDate 01/01/2011 <SSN>111-22-3333</SSN> <Firstname>John</Firstname> Supervisor 23456 <Lastname>Doe</Lastname> <Salary>55000</Salary> Location 123 </EmployeeRC3Data> ,,,,Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 14
  15. 15. Data – Before RC3 Bank Account AID 12345678 Firstname Jane Class-2 data Lastname Smith SSN 111-22-4444 Class-1 data BranchID 123 AccountType 1 DateOpened 02/02/2012 Balance 794.25 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 15
  16. 16. Data – After RC3 Bank Account AID 9999000000023745 Firstname 9999000000071847 Lastname 9999000000071849 Class-3 data SSN 9999000000088764 BranchID 123 AccountType 1 DateOpened 02/02/2012 Balance 794.25 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 16
  17. 17. Another way – After RC3 Bank Account AID 9999000000023745 RC3Data 9999000000026458 <BankAccountRC3Data> BranchID 123 <SSN>111-22-4444</SSN> AccountType 1 <Firstname>Jane</Firstname> <Lastname>Smith</Lastname> DateOpened 02/02/2012 </BankAccountRC3Data> Balance 794.25 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 17
  18. 18. Data – Before RC3 Patient PID 1234567 SSN 111-222-5555 Firstname John Lastname Smith Class-2 data Gender M DateOfBirth 03/03/1953 Class-1 data BloodType O+ .... Blood Report PID 1234567 Class-2 data ReportDate 04/04/2012 RBC 5.1 Class-1 data WBC 7.5 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 18
  19. 19. Data – After RC3 Patient PID 9999000000023745 SSN 9999000000057599 Firstname 9999000000045910 Lastname 9999000000045911 Gender M Class-3 data DateOfBirth 03/03/1953 BloodType O+ .... Blood Report PID 9999000000023745 ReportDate 04/04/2012 RBC 5.1 WBC 7.5 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 19
  20. 20. Another way – After RC3 Patient PID 9999000000023745 RC3Data 9999000000079921 Gender M DateOfBirth 03/03/1953 <PatientRC3Data> BloodType O+ <SSN>111-22-5555</SSN> <Firstname>John</Firstname> .... <Lastname>Smith</Lastname> </PatientRC3Data> Blood Report PID 9999000000023745 ReportDate 04/04/2012 RBC 5.1 WBC 7.5 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 20
  21. 21. Yet another way – After RC3 Patient PID 9999000000023745 RC3Data 9999000000079921 BloodType O+ .... <PatientRC3Data> <SSN>111-22-5555</SSN> <Firstname>John</Firstname> <Lastname>Smith</Lastname> <Gender>M</Gender> <DOB>03/03/1953</DOB> </PatientRC3Data> Blood Report PID 9999000000023745 ReportDate 04/04/2012 RBC 5.1 WBC 7.5 ....Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 21
  22. 22. RC3 Zones ● Regulated Zone (Secure Zone) – Class-1 and Class-2 data-processing & storage – Enterprise Key Management Infrastructure (EKMI) ● Cloud Zone (Public Zone) – Class-3 data-processing & storage – Can, optionally, store C1/C2 tokens (C3-equivalent) – NO CRYPTOGRAPHY – NO IDENTITY MANAGEMENT SYSTEM – NO INBOUND CONNECTION TO REGULATED ZONEProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 22
  23. 23. WEB-APPLICATION MODELProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 23
  24. 24. Basic web application Transaction Confirmation 2 Web Application Server Web-site Customer Details 1 Product Details Shipping Details Payment Details Company PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 24
  25. 25. With Redirection Company Perimeter Transaction Confirmation 4 Web Application Server Customer Details Product Details Shipping Details 1 Payment Confirmation 3 2 Payment Details Payment Processor Payment Processor PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 25
  26. 26. SECURE CLOUD COMPUTING FOR E-COMMERCE RC3 MODELProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 26
  27. 27. E-COMMERCE - 1 Cloud Zone WebApp Web IAM 1 Application Authentication Credentials Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 27
  28. 28. E-COMMERCE - 2 Cloud Zone WebApp 2 Session Token Web 2 Application Session Token Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 28
  29. 29. E-COMMERCE - 3 Cloud Zone Customer ID Address Order Detail WebApp Session Token 3 Customer ID Address Order Detail Web Application Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 29
  30. 30. E-COMMERCE - 4 Cloud Zone Customer ID Address Order Detail WebApp 4 Web Session Token Application Customer ID Name Credit Card Number Card Expiry Date Regulated Zone Card Verification Value Amount Phone E-mail address Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 30
  31. 31. E-COMMERCE - 5 Cloud Zone Customer ID Address CCN Name Order Detail WebApp 5 CCN Web Application Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 31
  32. 32. E-COMMERCE - 6 Cloud Zone Customer ID Address CCN Name Order Detail WebApp Token 6 Web Application Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 32
  33. 33. E-COMMERCE - 7 Cloud Zone Customer ID Address CCN Name Order Detail WebApp Token 7 Token Web Application Regulated Zone Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 33
  34. 34. FULL TRANSACTION Cloud Zone Customer ID Address CCN Name Order Detail WebApp Token 7 Token Session Token 3 Customer ID 5 CCN Token 6 Address Order Detail 4 Web Session Token Application Customer ID Name Credit Card Number Card Expiry Date Regulated Zone Card Verification Value Amount Phone E-mail address Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 34
  35. 35. HOW DO YOU TRANSITION TO RC3?Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 35
  36. 36. RC3 in the Enterprise Public Zone Customer ID CCN Name Web Address Application Order Detail Token Token 7 Session Token 3 Customer ID 5 CCN Token 6 Address Order Detail Session Token Web Customer ID Name Application Credit Card Number Card Expiry Date Card Verification Value Amount Regulated Zone Phone E-mail address 4 Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 36
  37. 37. RC3 in Private Clouds Cloud Zone o p e n ta c k s Customer ID CCN Name Address Order Detail WebApp Token Token 7 Session Token 3 Customer ID 5 CCN Token 6 Address Order Detail Session Token Web Customer ID Name Application Credit Card Number Card Expiry Date Card Verification Value Amount Regulated Zone Phone E-mail address 4 Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 37
  38. 38. RC3 in Public Clouds Cloud Zone Customer ID Address CCN Name Order Detail WebApp Token 7 Token Session Token 3 Customer ID 5 CCN Token 6 Address Order Detail 4 Web Session Token Application Customer ID Name Credit Card Number Card Expiry Date Regulated Zone Card Verification Value Amount Phone E-mail address Company Perimeter or MSPProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 38
  39. 39. RC3 rules for the Cloud ● Do NOT store/use cryptographic keys in the Cloud ● Do NOT store/use plaintext sensitive data in the Cloud ● Do NOT store credentials to anything in the Cloud ● Do NOT use CSP-supplied cryptographic keys ● DO change your Server SSL keys very frequently ● DO consider digitally signing/verifying Cloud data in the Regulated Zone ● Assume the worst (that your applications and data are operating on the open internet) and design for itProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 39
  40. 40. Resources ● Regulatory Compliant Cloud Computing (RC3) – http://www.ibm.com/developerworks/cloud/library/cl-regcloud/index.html – http://www.infoq.com/articles/regulatory-compliant-cloud-computing – http://bit.ly/rc3issa ● Cryptographic engine (enables RC3 applications) – http://www.cryptoengine.org ● CryptoCabinet (RC3 sample application) – http://www.cryptocabinet.orgProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 40
  41. 41. RC3 Application Demo 1 5 Local PC 2 3 4 LDAP Corporate PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 41
  42. 42. RC3 Case Study ● Document-management e-commerce company in US ● Serving financial, health-care and legal markets ● Private Cloud ● Millions of documents – Sizes ranging from a few kilobytes to gigabytes ● Needed PCI-DSS level security ● Needed automatic ramp-up/ramp-down capabilityProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 42
  43. 43. RC3 Case Study Web Portal .... Corporate PerimeterProvable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 43
  44. 44. Questions? ● Contact Information – Arshad Noor – arshad.noor@strongauth.com – +1 (408) 331-2001Provable regulatory compliance! StrongAuth, Inc. Proprietary Version 1.2 – August 2012 44

×