Decentralized cloud an industrial reality with higher resilience by jean-pa...
Regulatory compliant cloud computing rethinking web application architectures for the cloud by arshad noor, cto strong auth
1. A web-application
architecture for
Secure Cloud Computing
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 1
2. In the beginning...
● Your data-center
● Your mainframe or
mini-computer
Internal Internal
Network Operations ● Your network
● Your Operations staff
● Your single-tiered,
App
CCN
PIN
monolithic applications
DB KM
OS
Hardware
Company Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 2
3. The PC-LAN
● Your data-center
● Your PC server
● Your PC client
Internal Internal
Network Operations ● Your network
● Your firewall
● Your Operations staff
DB KM App
CCN
PIN
OS OS ● Your two-tiered,
Hardware Hardware
client-server
applications
Company Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 3
4. The WWW
● Your data-center
● Your PC servers
● Your network
● Your firewall
Internal Internal
Network Operations ● Your Operations staff
● Your three-tiered, web
applications
DB KM AppSrv
CCN
PIN
OS OS
Hardware Hardware
I Browser
OS
Hardware
Company Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 4
5. The Public Cloud
● Cloud Service Provider's
CSP CSP
(CSP) data-center
Network Operations
● CSP's hardware
● CSP's Hypervisor
App
CSP's Network
CCN
PIN ●
DB KM ? ? ? ?
OS ● CSP's Operations staff
Hypervisor
Hardware ● Unknown guests in VMs
CSP Perimeter ● Your applications and
data?
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 5
6. EKM in the Public Cloud?
CSP CSP
Network Operations
Internal Internal
Network Operations
App
CCN
PIN
LAN HSM
DB
OS
? ? ? ?
Hypervisor
Company Perimeter
Hardware
CSP Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 6
7. EKM with SaaS?
SaaS Application Users SaaS SaaS
Network Operations
I
Web Application
EKMI VPN
API ? ? ? ? ?
Internal OS
Operations
Hardware
Company Perimeter SaaS Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 7
8. What's missing?
● Methodology to use the Cloud without
being vulnerable
● Controls to ensure that neither CSP nor
attacker can compromise your data
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 8
9. The Paradigm Shift
Regulatory
Compliant Cloud
Computing (RC3)
Architecture to secure
data in the Cloud with
proof of compliance.
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 9
10. RC3 Characteristics
1) Data-classification
2) Separate processing zones
3) Encryption Key Management Infrastructure
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 10
11. RC3 Data Classification
● Class-1
– Sensitive and regulated data
– SSN, CCN, ACH, Medical, etc.
● Class-2
– Sensitive but unregulated data
– Application Credentials, Salaries, Sales figures, etc.
● Class-3
– Non-sensitive data
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 11
12. Data – Before RC3
Employee
EID 12345 Class-1 data
SSN 111-22-3333
Firstname John
Lastname Doe
HireDate 01/01/2011 Class-2 data
Supervisor 23456
Salary 55000
Location 123
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 12
13. Data – After RC3
Employee
EID 12345
SSN 9999000000003912
Firstname 9999000000005126
Class-3 data Lastname 9999000000005127
HireDate 01/01/2011
Supervisor 23456
Salary 9999000000007184
Location 123
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 13
14. Another way – After RC3
Employee
EID 12345
RC3Data 9999000000001212
<EmployeeRC3Data> HireDate 01/01/2011
<SSN>111-22-3333</SSN>
<Firstname>John</Firstname> Supervisor 23456
<Lastname>Doe</Lastname>
<Salary>55000</Salary> Location 123
</EmployeeRC3Data> ,,,,
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 14
15. Data – Before RC3
Bank Account
AID 12345678
Firstname Jane Class-2 data
Lastname Smith
SSN 111-22-4444 Class-1 data
BranchID 123
AccountType 1
DateOpened 02/02/2012
Balance 794.25
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 15
16. Data – After RC3
Bank Account
AID 9999000000023745
Firstname 9999000000071847
Lastname 9999000000071849
Class-3 data SSN 9999000000088764
BranchID 123
AccountType 1
DateOpened 02/02/2012
Balance 794.25
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 16
17. Another way – After RC3
Bank Account
AID 9999000000023745
RC3Data 9999000000026458
<BankAccountRC3Data> BranchID 123
<SSN>111-22-4444</SSN> AccountType 1
<Firstname>Jane</Firstname>
<Lastname>Smith</Lastname> DateOpened 02/02/2012
</BankAccountRC3Data>
Balance 794.25
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 17
18. Data – Before RC3
Patient
PID 1234567
SSN 111-222-5555
Firstname John
Lastname Smith
Class-2 data
Gender M
DateOfBirth 03/03/1953
Class-1 data
BloodType O+
....
Blood Report
PID 1234567 Class-2 data
ReportDate 04/04/2012
RBC 5.1 Class-1 data
WBC 7.5
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 18
19. Data – After RC3
Patient
PID 9999000000023745
SSN 9999000000057599
Firstname 9999000000045910
Lastname 9999000000045911
Gender M
Class-3 data DateOfBirth 03/03/1953
BloodType O+
....
Blood Report
PID 9999000000023745
ReportDate 04/04/2012
RBC 5.1
WBC 7.5
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 19
20. Another way – After RC3
Patient
PID 9999000000023745
RC3Data 9999000000079921
Gender M
DateOfBirth 03/03/1953
<PatientRC3Data> BloodType O+
<SSN>111-22-5555</SSN>
<Firstname>John</Firstname> ....
<Lastname>Smith</Lastname>
</PatientRC3Data>
Blood Report
PID 9999000000023745
ReportDate 04/04/2012
RBC 5.1
WBC 7.5
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 20
21. Yet another way – After RC3
Patient
PID 9999000000023745
RC3Data 9999000000079921
BloodType O+
....
<PatientRC3Data>
<SSN>111-22-5555</SSN>
<Firstname>John</Firstname>
<Lastname>Smith</Lastname>
<Gender>M</Gender>
<DOB>03/03/1953</DOB>
</PatientRC3Data>
Blood Report
PID 9999000000023745
ReportDate 04/04/2012
RBC 5.1
WBC 7.5
....
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 21
22. RC3 Zones
● Regulated Zone (Secure Zone)
– Class-1 and Class-2 data-processing & storage
– Enterprise Key Management Infrastructure (EKMI)
● Cloud Zone (Public Zone)
– Class-3 data-processing & storage
– Can, optionally, store C1/C2 tokens (C3-equivalent)
– NO CRYPTOGRAPHY
– NO IDENTITY MANAGEMENT SYSTEM
– NO INBOUND CONNECTION TO REGULATED ZONE
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 22
24. Basic web application
Transaction
Confirmation
2
Web
Application
Server
Web-site
Customer Details
1 Product Details
Shipping Details
Payment Details
Company Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 24
25. With Redirection
Company Perimeter
Transaction
Confirmation 4
Web
Application
Server
Customer Details
Product Details
Shipping Details
1
Payment
Confirmation 3
2 Payment Details
Payment
Processor
Payment Processor Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 25
26. SECURE CLOUD COMPUTING
FOR E-COMMERCE
RC3 MODEL
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 26
27. E-COMMERCE - 1
Cloud Zone
WebApp
Web
IAM 1
Application
Authentication
Credentials
Regulated Zone
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 27
28. E-COMMERCE - 2
Cloud Zone
WebApp
2
Session Token
Web
2
Application
Session Token
Regulated Zone
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 28
29. E-COMMERCE - 3
Cloud Zone
Customer ID
Address
Order Detail
WebApp
Session Token
3 Customer ID
Address
Order Detail
Web
Application
Regulated Zone
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 29
30. E-COMMERCE - 4
Cloud Zone
Customer ID
Address
Order Detail
WebApp
4
Web
Session Token
Application Customer ID
Name
Credit Card Number
Card Expiry Date
Regulated Zone Card Verification Value
Amount
Phone
E-mail address
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 30
31. E-COMMERCE - 5
Cloud Zone
Customer ID
Address
CCN Name Order Detail
WebApp
5 CCN
Web
Application
Regulated Zone
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 31
32. E-COMMERCE - 6
Cloud Zone
Customer ID
Address
CCN Name Order Detail
WebApp
Token 6
Web
Application
Regulated Zone
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 32
33. E-COMMERCE - 7
Cloud Zone
Customer ID
Address
CCN Name Order Detail
WebApp Token
7
Token
Web
Application
Regulated Zone
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 33
34. FULL TRANSACTION
Cloud Zone
Customer ID
Address
CCN Name Order Detail
WebApp Token
7
Token
Session Token
3 Customer ID
5 CCN Token 6 Address
Order Detail
4
Web
Session Token
Application Customer ID
Name
Credit Card Number
Card Expiry Date
Regulated Zone Card Verification Value
Amount
Phone
E-mail address
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 34
35. HOW DO YOU TRANSITION
TO RC3?
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 35
36. RC3 in the Enterprise
Public Zone
Customer ID
CCN Name Web Address
Application Order Detail
Token
Token
7
Session Token
3 Customer ID
5 CCN Token 6 Address
Order Detail
Session Token
Web Customer ID
Name
Application Credit Card Number
Card Expiry Date
Card Verification Value
Amount
Regulated Zone Phone
E-mail address 4
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 36
37. RC3 in Private Clouds
Cloud Zone
o p e n ta c k
s Customer ID
CCN Name Address
Order Detail
WebApp Token
Token
7
Session Token
3 Customer ID
5 CCN Token 6 Address
Order Detail
Session Token
Web Customer ID
Name
Application Credit Card Number
Card Expiry Date
Card Verification Value
Amount
Regulated Zone Phone
E-mail address 4
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 37
38. RC3 in Public Clouds
Cloud Zone
Customer ID
Address
CCN Name Order Detail
WebApp Token
7
Token
Session Token
3 Customer ID
5 CCN Token 6 Address
Order Detail
4
Web
Session Token
Application Customer ID
Name
Credit Card Number
Card Expiry Date
Regulated Zone Card Verification Value
Amount
Phone
E-mail address
Company Perimeter or MSP
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 38
39. RC3 rules for the Cloud
● Do NOT store/use cryptographic keys in the Cloud
● Do NOT store/use plaintext sensitive data in the Cloud
● Do NOT store credentials to anything in the Cloud
● Do NOT use CSP-supplied cryptographic keys
● DO change your Server SSL keys very frequently
● DO consider digitally signing/verifying Cloud data in
the Regulated Zone
● Assume the worst (that your applications and data are
operating on the open internet) and design for it
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 39
41. RC3 Application Demo
1
5
Local PC 2
3
4
LDAP
Corporate Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 41
42. RC3 Case Study
● Document-management e-commerce company in US
● Serving financial, health-care and legal markets
● Private Cloud
● Millions of documents
– Sizes ranging from a few kilobytes to gigabytes
● Needed PCI-DSS level security
● Needed automatic ramp-up/ramp-down capability
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 42
43. RC3 Case Study
Web Portal
....
Corporate Perimeter
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 43
44. Questions?
● Contact Information
– Arshad Noor
– arshad.noor@strongauth.com
– +1 (408) 331-2001
Provable regulatory compliance! StrongAuth, Inc. Proprietary
Version 1.2 – August 2012 44