Safe Net: Cloud Security Solutions

  1. February 2011. Ondrej Valent, Regional Channel Sales
  5. Cloud Security Solutions, February 2011: Customer Use Case Scenarios. © SafeNet Confidential and Proprietary
  6. Cloud Security Challenges
     • User ID and Access: secure authentication, authorization, logging
     • Data Co-Mingling: multi-tenant data mixing, leakage, ownership
     • Application Vulnerabilities: exposed vulnerabilities and response
     • Insecure Application APIs: application injection and tampering
     • Data Leakage: isolating data
     • Platform Vulnerabilities: exposed vulnerabilities and response
     • Insecure Platform APIs: instance manipulation and tampering
     • Data Location/Residency: geographic regulatory requirements
     • Hypervisor Vulnerabilities: virtualization vulnerabilities
     • Data Retention: secure deletion of data
     • Application & Service Hijacking: malicious application usage in cloud environments
     • Privileged Users: super-user abuse
     • Service Outage: availability
     • Malicious Insider: reconnaissance, manipulation, tampering
     • Logging & Forensics: incident response, liability limitation
     • Perimeter/Network Security: secure isolation and access
     • Physical Security: direct tampering and theft
     Fundamental trust and liability issues: data exposure in multi-tenant environments; separation of duties from cloud provider insiders; transfer of liability by cloud providers to data owners.
     Fundamental new cloud risks: new hypervisor technologies and architectures; trust and attestation must be redefined.
     Regulatory uncertainty in the cloud: regulations are likely to require strong controls in the cloud.
  7. Emergence of Encryption as Unifying Cloud Security Control
     • Encryption is a fundamental technology for realizing cloud security: it isolates data in multi-tenant environments, is recognized universally by analysts and experts as the underlying control for cloud data, and sets a high-water mark for demonstrating regulatory compliance adherence for data.
     • Encryption moves from a data center tactic to a strategic cloud solution: in the data center, physical controls, underlying trust in processes, and isolation mitigated some use of encryption; those trust factors don't exist in the cloud.
  8. SafeNet Trusted Cloud Fabric: Maintaining Trust and Control in Virtualized Environments
     Solution areas: Secure Virtual Storage; Secure Cloud Applications; Secure Virtual Machines; Secure Cloud-Based Identities and Transactions; Secure Access to SaaS; Secure Cloud-Based Communications; On-premise.
     Delivering on cloud security needs:
     • Control and visibility of users, data, applications, and systems when moving into virtualized environments
     • Proven security and compliance strategies, designed and trusted for the enterprise, carried into cloud deployments
     • Modular, flexible integration points to deploy in any combination of private, hybrid, or public cloud models: implement what you want, where you need it, when you need it
     By extending trust and control, SafeNet enables customers to seamlessly integrate any cloud model into their near-term and long-term technology and security strategies.
  9. Solving Today's Core Cloud Security Barriers with SafeNet Trusted Cloud Fabric
     Business goals (world-leading bank) and the matching SafeNet cloud solution:
     1. Controlling access to SaaS applications; federating identities: Secure Access to SaaS (SafeNet Multi-Factor Authentication)
     2. Achieving compliant isolation and separation of duties in multi-tenant environments: Secure Virtual Machines (SafeNet ProtectV Instance)
     3. Maintaining trust and control in virtual storage volumes: Secure Virtual Storage (SafeNet ProtectV Volume)
     4. Securing cloud applications without impacting performance; maintaining ownership of keys: Secure Cloud Applications (SafeNet DataSecure and ProtectApp)
     5. Secure digital signing and PKI in the cloud: Secure Cloud-Based Identities and Transactions (SafeNet HSM)
     6. Connecting securely to private clouds: Secure Cloud-Based Communications (SafeNet HSE)
  10. PROBLEM: Controlling Access to SaaS and Cloud Applications (keeping data secure when you don't own the system)
     Key points: Single Sign-On access, cloud or physical; federated identities; seamless integration; rapid provisioning.
     • Enforcing an authentication strategy in the cloud: multi-factor authentication is required for any apps, and is likely even more critical for cloud-based applications, given the lower level of trust and the invocation of additional regulatory requirements.
     • Authentication sprawl: separate authentication systems for each cloud provider are operationally unscalable and produce the typical user password/authentication fatigue and weak passwords.
     • Preserving flexibility: organizations are likely to use multiple cloud providers simultaneously, want rapid re-provisioning to try new services, and need to preserve options in a chaotic cloud market. The cloud market will consolidate: not if, but when.
  11. SOLUTION: Secure Access to SaaS: SafeNet Multi-Factor Authentication
     Protect access to cloud-based applications via centrally managed authentication. The user authenticates against the enterprise identity solution, which provides federated SSO to SaaS and cloud applications such as Google Apps.
     Security features:
     • Single authentication solution for both on-premise and cloud-based applications
     • Federate identities between the on-premise identity solution and cloud-based solutions using the SAML 2.0 protocol
     • Form-factor agnostic: support for hardware OTP tokens, software solutions and out-of-band authentication via SafeNet Authentication Manager (SAM)
     • Google Apps and ... are supported out-of-the-box
  12. PROBLEM: Securing Uncontrolled Virtual Instances (achieving compliant isolation and separation of duties in multi-tenant environments)
     Key points: data isolation; separation of duties; cloud compliance; pre-launch authentication; multi-tenant protection.
     • Unlimited copying of instances: instances could be copied without awareness, with no visibility into instance location and no audit trail. Copies can be used by competitors and malicious users, and enable unlimited brute-force attacks, since the attacker can return to the original copy for the next iteration of password guessing.
     • Unsecured container of confidential data: identical to a lost or stolen laptop, except the instance is often a server. The virtual nature of the instance makes the potential surface area much larger: not just a single entity lost, but a potentially unlimited number.
  13. SOLUTION: Secure Virtual Machines: SafeNet ProtectV Instance
     Control virtual machines in the cloud with secure instance encryption and authentication. Architecture: on-premise SafeNet DataSecure manages the encrypted ProtectV Instance virtual machines running on the cloud hypervisor / virtual server.
     DataSecure (supplemental security option): manages encrypted instances; security policy enforcement; lifecycle key management; access control.
     Security features:
     • FIPS-level pre-launch instance encryption
     • Secure login interface (HTTPS)
     • Password, one-time-password, and certificate-based authentication options
     • Event logging and activation notification
  14. PROBLEM: Maintain Trust & Control in Virtual Storage Volumes (loss of ownership in a shared storage environment)
     Key points: data isolation; cloud compliance; multi-tenant protection.
     • Issue of data leakage: requires trust in the meta-tagging or data isolation strategy of the cloud provider; risks from misconfiguration and cloud administrators; regulatory evidence of privacy and integrity controls is required.
     • Trust and control issues: if the cloud provider offers encryption, proper key handling is the question: NIST lifecycle compliance (strength, uniqueness, rotation, etc.), NIST-approved algorithms, administration trust, and separation of duties.
  15. SOLUTION: Secure Virtual Storage: SafeNet ProtectV Volume
     Maintain data privacy in shared storage environments with encrypted data isolation. Architecture: on-premise DataSecure; ProtectV Volume on the virtual server in front of the data storage.
     DataSecure (supplemental security option): manages encrypted instances; security policy enforcement; lifecycle key management; access control.
     Security features:
     • Multiple cloud storage options: ProtectV Volume for storage servers; NetApp storage support; ProtectFile customer-based encryption
     • FIPS 140-2 Level 2 security certified solution
     • Centralized policy and NIST 800-57 key lifecycle management
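Slides 13 and 15 both rest on the same idea: the key for an encrypted instance or volume is never stored with the copy, it is released by an on-premise key manager under a policy, and that policy follows the NIST SP 800-57 key lifecycle (the "strength, uniqueness, rotation" and "separation of duties" items of slide 14). The following is an added example, not DataSecure's code, of the core of such a policy engine: key states and allowed transitions from SP 800-57, a cryptoperiod after which a key may still decrypt but no longer encrypt, rotation that creates a new version and deactivates the old one, and a role split in which the custodian who administers keys can never fetch key material and the application that fetches material can never change key state. The role names, the 90-day cryptoperiod and the `label/vN` key-ID scheme are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

# Key states from NIST SP 800-57 Part 1, and the transitions allowed between them.
PRE_ACTIVATION, ACTIVE, SUSPENDED, DEACTIVATED, COMPROMISED, DESTROYED = (
    "pre-activation", "active", "suspended", "deactivated", "compromised", "destroyed")
ALLOWED_TRANSITIONS = {
    PRE_ACTIVATION: {ACTIVE, COMPROMISED, DESTROYED},
    ACTIVE: {SUSPENDED, DEACTIVATED, COMPROMISED},
    SUSPENDED: {ACTIVE, DEACTIVATED, COMPROMISED},
    DEACTIVATED: {COMPROMISED, DESTROYED},
    COMPROMISED: {DESTROYED},
    DESTROYED: set(),
}


@dataclass
class ManagedKey:
    key_id: str
    material: bytes
    state: str
    activated: datetime
    cryptoperiod: timedelta


class KeyManager:
    """Assumed roles: 'custodian' administers keys, 'application' uses them."""

    def __init__(self, cryptoperiod=timedelta(days=90)):
        self._keys = {}
        self._cryptoperiod = cryptoperiod
        self.audit = []  # append-only event log, the basis for "event logging" on slide 13

    def _require(self, principal, role):
        if principal.get("role") != role:
            self.audit.append(("denied", principal.get("name"), role))
            raise PermissionError("%s is not a %s" % (principal.get("name"), role))

    def create(self, principal, label, now):
        self._require(principal, "custodian")
        version = 1 + sum(1 for k in self._keys if k.startswith(label + "/"))
        key_id = "%s/v%d" % (label, version)
        # 256-bit key from the OS CSPRNG; a real deployment generates inside an HSM/appliance.
        self._keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32), ACTIVE, now, self._cryptoperiod)
        self.audit.append(("create", principal["name"], key_id))
        return key_id

    def transition(self, principal, key_id, new_state):
        self._require(principal, "custodian")
        key = self._keys[key_id]
        if new_state not in ALLOWED_TRANSITIONS[key.state]:
            raise ValueError("%s -> %s not allowed" % (key.state, new_state))
        key.state = new_state
        if new_state == DESTROYED:
            key.material = b""  # zeroise: a destroyed key must not be recoverable
        self.audit.append(("transition", principal["name"], key_id, new_state))

    def rotate(self, principal, label, now):
        """Deactivate the active version of `label` and create the next one."""
        self._require(principal, "custodian")
        for key in list(self._keys.values()):
            if key.key_id.startswith(label + "/") and key.state == ACTIVE:
                self.transition(principal, key.key_id, DEACTIVATED)
        return self.create(principal, label, now)

    def fetch(self, principal, key_id, purpose, now):
        """Release key material to an application. 'protect' (encrypt) only while
        active and inside the cryptoperiod; 'process' (decrypt) also for deactivated
        keys so old data stays readable; never for compromised or destroyed keys."""
        self._require(principal, "application")
        key = self._keys[key_id]
        in_period = now < key.activated + key.cryptoperiod
        if purpose == "protect":
            allowed = key.state == ACTIVE and in_period
        elif purpose == "process":
            allowed = key.state in (ACTIVE, DEACTIVATED)
        else:
            raise ValueError("unknown purpose %r" % purpose)
        self.audit.append(("fetch", principal["name"], key_id, purpose, allowed))
        if not allowed:
            raise PermissionError("key %s in state %s not usable for %s" % (key_id, key.state, purpose))
        return key.material
```

The point of the example for slide 12's threat is the `fetch` path: a copied instance image holds only ciphertext, and the only way to obtain the key is an authenticated request to the manager, which is logged and can be refused once the key is deactivated or marked compromised.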
  16. PROBLEM: Secure Cloud Applications Without Impacting Performance (maintain root of trust in multi-tenant cloud applications)
     Key points: maintain ownership of keys; virtually no performance degradation; achieves cloud efficiency gains; centralized control and management; transparent application integration.
     • A matter of trust: trust is transferred to the cloud provider; there is a lack of transparency in cloud security; SAS 70 is not useful.
     • Risk and liability: the cloud provider never accepts risk, and this is written into customer agreements. How do you assess risk? There is no established framework for assessing it.
     • Regulatory uncertainty: no regulation addresses cloud directly; auditors look for demonstrable security controls, a higher standard.
  17. SOLUTION: Secure Cloud Applications: SafeNet DataSecure and ProtectApp
     Enforce data protection in multi-tenant cloud-deployed applications. Architecture: on-premise DataSecure; in the cloud, ProtectApp in the application tier and ProtectDB in the database tier, with tokenization, local crypto and key caching.
     Security features:
     • Multiple cloud storage options: ProtectApp for cloud application-level encryption; ProtectDB for cloud database encryption; Tokenization Manager for cloud data tokenization
     • FIPS 140-2 Level security certified solution
     • Secure policy enforcement and NIST 800-57 key lifecycle management
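Tokenization is listed here and again on slide 22 as the way to "reduce audit scope": applications keep a surrogate value and only the vault can map it back to the real record. The following is an added example, not SafeNet's Tokenization Manager, of a vault-style tokenizer for card numbers. Design choices made for the illustration: tokens keep the length and the last four digits of the PAN so existing fields and receipts still work, the random body is generated from the OS CSPRNG, tokens are forced to fail the Luhn check so they can never be mistaken for a real card number, a keyed hash index lets the vault return the same token for a repeated PAN without storing the PAN in the index, and detokenization is restricted to an assumed "settlement" role. The PANs used are industry test numbers.

```python
import hmac
import hashlib
import secrets


def luhn_ok(digits):
    """Luhn checksum used by card brands; valid PANs pass it, tokens are made to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place the real PAN exists; everything else sees tokens."""

    def __init__(self, index_key):
        self._index_key = index_key   # secret for the keyed PAN index, held by the vault only
        self._pan_by_token = {}       # token -> PAN
        self._token_by_index = {}     # HMAC(PAN) -> token, makes tokenization idempotent

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that equals the PAN, passes Luhn, or is already issued.
            if token != pan and not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token, principal):
        """Only the assumed 'settlement' role may recover a PAN; every call is auditable."""
        if principal.get("role") != "settlement":
            raise PermissionError("%s may not detokenize" % principal.get("name"))
        return self._pan_by_token[token]


def mask(token):
    """Display form for tokens or PANs: keep only the last four digits."""
    return "*" * (len(token) - 4) + token[-4:]
```

Because the token body is random rather than derived from the PAN, a breach of the application database yields nothing reversible; the vault, not the application, becomes the system that has to meet the full PCI control set.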
  18. PROBLEM: Loss of Digital Ownership and Control (secure digital signing and PKI in the cloud)
     Key points: broad cloud-based platform integration; application and data separation; high-performing virtual transactions.
     • Proving you are you: where is the root of trust in digital signing and PKI when it's all virtual? The challenge of attesting to ownership in a virtual world is a current focus of virtualization research.
     • Maintaining keys in clouds: when your cloud provider handles keys, appropriate key material separation, proper lifecycle and policy handling, and privileged user abuse all become concerns.
     • The cryptography and entropy problem: it is difficult to get true randomness in a highly replicated and automated cloud, and flaws in cryptographic functions have huge consequences: the September 2010 .NET encrypted cookie problem affects 25% of Internet servers.
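The entropy point above is easy to state and easy to underestimate, so here is an added example (not from the SafeNet deck) that simulates the failure and shows the two defender-side responses. A golden image whose user-space PRNG was seeded at build time is cloned; because a snapshot copies PRNG state verbatim, every clone emits the same "random" session token. The mitigations shown are to draw security-relevant values from the OS CSPRNG only after first boot of each instance, and to audit the fleet for duplicated tokens, keys or identifiers, which is how this class of defect is usually detected. The `GoldenImage` class is a simulation of a template, not a real image format.

```python
import copy
import random
import secrets


class GoldenImage:
    """Simulates a VM template whose user-space PRNG was seeded when the image was built."""

    def __init__(self, build_seed):
        self.prng = random.Random(build_seed)  # state baked into the snapshot

    def clone(self):
        # A snapshot copies memory, and with it the PRNG state, bit for bit.
        return copy.deepcopy(self)

    def session_token(self):
        # Unsafe: a non-cryptographic PRNG whose state is shared by every clone.
        return "%032x" % self.prng.getrandbits(128)


def tokens_from_clones(n_clones, build_seed=12345):
    """Boot n clones of one image and collect the first token each one produces."""
    image = GoldenImage(build_seed)
    return [image.clone().session_token() for _ in range(n_clones)]


def fresh_token():
    """Correct: draw from the OS CSPRNG at run time on each instance, never from
    state that existed before the clone. On a VM the kernel pool should be fed by
    a virtual RNG device such as virtio-rng (an assumption about the platform)."""
    return secrets.token_hex(16)


def find_duplicates(values):
    """Fleet audit: any token, key fingerprint or host key seen more than once."""
    seen, dupes = set(), set()
    for v in values:
        if v in seen:
            dupes.add(v)
        seen.add(v)
    return dupes
```

The same audit applied to SSH host keys, TLS private keys or database salts across a fleet is a cheap control that catches images which generated secrets before they were cloned.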
  19. SOLUTION: Secure Cloud-Based Identities and Transactions: SafeNet Hardware Security Options
     Establish digital ownership and root of trust in virtual environments. Deployment models: private, public and hybrid clouds anchored to an on-premise Hardware Security Module.
     Security features:
     • Anchored root of trust for digital identities and transactions
     • FIPS 140-2 Level 2 security certified solution
     • Multi-host partitioning, 20 to 100 per HSM
     • Virtual platform support (Xen / Hyper-V / ESXi)
     • 3rd-party partner application support and integration guides on virtual platforms
     • Broad cloud-based platform integration; application and data separation; high-performing virtual transactions
  20. PROBLEM: Large Sensitive Data Transfers (sending sensitive data in cloud bursting and storage)
     Key points: data redundancy; real-time data transmission; continuous, encrypted data transmission.
     • High-capacity, highly sensitive data: transferring very sensitive data across trust boundaries (data center to private cloud), including entire servers and bulk storage; may invoke encryption requirements (PCI).
     • Need for speed and efficiency: multi-gigabit links; low-latency requirements; VMotion and similar technologies; streaming media and VoIP protocols.
  21. SOLUTION: Secure Cloud-Based Communications: SafeNet High Speed Encryptors
     Transfer encrypted data communications at high speed from the enterprise (on-premise) to the private cloud.
     Security features:
     • Multi-gigabit Layer 2 low-latency encryption
     • Best-in-class FIPS 140-2 Level 3 security certification
     • Central policy management and seamless integration
     • Data redundancy; real-time data transmission; continuous, encrypted data transmission
  22. SafeNet Trusted Cloud Fabric: a practical blueprint for extending trust and control when moving users, data, systems, and applications to virtualized environments
     Solution areas: Secure Virtual Storage; Secure Cloud Applications; Secure Virtual Machines; Secure Cloud-Based Identities and Transactions; Secure Access to SaaS; Secure Cloud-Based Communications; On-premise.
     1. Strong authentication for cloud services: SafeNet Authentication Manager; SafeNet token, software, and mobile authentication
     2. Secure virtual machines: SafeNet ProtectV Instance; add DataSecure for lifecycle key management
     3. Secure virtual storage: SafeNet ProtectV Volume; add DataSecure for key management and ProtectFile for unstructured data protection
     4. Securing cloud application data: SafeNet DataSecure, ProtectApp and ProtectDB; add Tokenization Manager to reduce audit scope
     5. Trust anchor for cloud identities and transactions: SafeNet Hardware Security Modules
     6. Secure cloud communications: SafeNet High Speed Encryptors