

www.thalesesecurity.com

THALES ENABLES CONTROL AND PROTECTION OF CLOUD STORAGE

• Add comprehensive security to the cost savings, agility, and flexibility of cloud computing
• Ensure compliance with data protection requirements
• Move your data and workloads across cloud providers as your business needs change
• Identify attacks faster with data access logging to industry-leading SIEM applications
• Secure your sensitive data with keys that you control and that are not accessible to the cloud service provider
• Limit access to cloud data only to specific, authorized users, devices and processes

For many enterprises the debate about leveraging cloud computing has been settled, as the improvements in agility, cost savings, and time to market make the choice obvious. As with all repositories of sensitive data, however, security is a top consideration as organizations decide to what extent, and for which applications and data, they should use the cloud. This leads to such questions as:

• Are you confident in the security of your critical data, regardless of where it resides in the cloud environment?
• Can you provide verifiable evidence to auditors that data is maintained in compliance with data protection mandates?
• In the instance of a breach, how can you be sure the key used to encrypt your data isn’t compromised?
• What happens if the cloud provider is compelled by a subpoena to expose your data to investigators?

While your cloud service provider may promote its own security capabilities, answering these questions – and ensuring that your data is protected – is ultimately your responsibility.


CLOUD DATA SECURITY AND CONTROL


ADVANCED DATA ENCRYPTION FOR THE CLOUD

Enterprises are widely deploying data-at-rest encryption on server data and endpoints. Meanwhile, customers and providers of cloud services increasingly use encryption to meet their confidentiality, data integrity and accountability requirements. To be truly effective, however, your cloud encryption strategy must be backed by strong key management processes that account for and protect keys over their entire lifecycle.

When determining where to maintain your encryption keys you’ll need to consider such factors as:

• Applicable data protection mandates such as PCI-DSS, GDPR and others
• The type and value of the data being protected
• Your overall risk profile

These considerations will help guide whether you store your keys on premises, with the cloud provider, or some combination thereof.

CLOUD SECURITY APPROACHES

To fully and confidently capitalize on the power of the cloud, you need the assurance and easy verification that your data – and encryption keys if your data is encrypted – are kept under your control using the highest levels of security. This requires key management, authentication, and encryption tools that can scale with your business applications and needs, including protecting keys separately from your data – a common requirement of data protection regulations and mandates.

Cloud security methods vary based on whether you are using a cloud service provider’s infrastructure or platform as a service offering (IaaS or PaaS), or using other cloud services such as a Managed Service Provider (MSP) or Software as a Service provider (SaaS).

For any of the categories, critical questions to ask include:

• Is the provider offering encryption?
• If so, can I manage encryption keys for my data?
• If the provider does not offer encryption, can I bring my encryption to the cloud?

BRING YOUR OWN KEY

If your IaaS, PaaS, SaaS or other provider offers encryption, then, to alleviate the concern about unauthorized access to encryption keys, as well as potential compliance violations, organizations can utilize a bring your own key (BYOK) approach. With BYOK, you generate, protect, wrap and export the keys used to encrypt the data that resides in the cloud environment, strengthening the security of your keys while ensuring separation of the keys and the data. Depending on the cloud provider’s BYOK model, your key will either reside securely in the provider’s nShield HSM or will be used for the specified purpose and then discarded.
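The generate / wrap / export / discard cycle described above, as an added illustration that is not Thales, nShield or any cloud provider's code. It assumes a provider that publishes an RSA public wrapping key for key import and accepts RSA-OAEP with SHA-256 (the kind of wrapping algorithm cloud key-import services use); the customer's key comes from crypto/rand where the brochure's scenario would use an on-premises HSM, and the provider side is simulated in the same process so the exchange can be run end to end. The validity window models the "used for the specified purpose and then discarded" behaviour: once it passes, the material is zeroed and refused.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// ProviderImportKey stands in for the wrapping key pair a cloud KMS issues for
// key import. Assumption: the provider publishes only the public half; the
// private half never leaves the provider's HSM.
type ProviderImportKey struct {
	priv *rsa.PrivateKey
}

// NewProviderImportKey generates the provider's RSA wrapping key pair.
func NewProviderImportKey() (*ProviderImportKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ProviderImportKey{priv: priv}, nil
}

// Public returns the half the customer receives for wrapping.
func (p *ProviderImportKey) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// GenerateCustomerKey produces the 256-bit key on the customer's side
// (an on-premises HSM in the brochure's scenario; crypto/rand stands in here).
func GenerateCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapKey seals the customer key under the provider's public wrapping key with
// RSA-OAEP/SHA-256, so the exported blob is useless to anyone but the import endpoint.
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// ImportedKey is the provider-side record: plaintext material plus the expiry
// after which the provider discards it.
type ImportedKey struct {
	material []byte
	ValidTo  time.Time
}

// UnwrapAndImport is the provider side: recover the key material from the
// wrapped blob and attach the agreed validity window.
func (p *ProviderImportKey) UnwrapAndImport(blob []byte, validTo time.Time) (*ImportedKey, error) {
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, blob, nil)
	if err != nil {
		return nil, err
	}
	return &ImportedKey{material: material, ValidTo: validTo}, nil
}

// Material hands back the key while it is valid. Once the window has passed,
// the material is zeroed and dropped, and every later request is refused.
func (k *ImportedKey) Material(now time.Time) ([]byte, error) {
	if !now.Before(k.ValidTo) {
		for i := range k.material {
			k.material[i] = 0
		}
		k.material = nil
		return nil, errors.New("imported key material has expired and was discarded")
	}
	if k.material == nil {
		return nil, errors.New("imported key material was already discarded")
	}
	return k.material, nil
}

// RunBYOK drives the whole exchange: the customer generates and wraps, the
// provider unwraps and imports, and the key is gone after its validity period.
func RunBYOK() (recovered bool, discarded bool, err error) {
	provider, err := NewProviderImportKey()
	if err != nil {
		return false, false, err
	}
	customerKey, err := GenerateCustomerKey()
	if err != nil {
		return false, false, err
	}
	blob, err := WrapKey(provider.Public(), customerKey) // this blob is what leaves the premises
	if err != nil {
		return false, false, err
	}
	now := time.Now()
	imported, err := provider.UnwrapAndImport(blob, now.Add(24*time.Hour))
	if err != nil {
		return false, false, err
	}
	got, err := imported.Material(now)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(got, customerKey)
	_, err = imported.Material(now.Add(48 * time.Hour))
	discarded = err != nil
	return recovered, discarded, nil
}

func main() {
	recovered, discarded, err := RunBYOK()
	fmt.Printf("provider recovered key: %v, discarded after expiry: %v, err: %v\n", recovered, discarded, err)
}
```

The point to check in a real deployment is the boundary this models: the plaintext key exists only inside the customer's HSM and, after import, inside the provider's, and the only artefact that crosses the network is the OAEP-wrapped blob.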

BYOK SOLUTIONS FOR PUBLIC CLOUD PROVIDERS

nShield BYOK for Amazon Web Services

As an Amazon Web Services (AWS) customer, you can use your own keys with the AWS Key Management Service (KMS). With nShield BYOK, your nShield HSM generates, stores, and manages the keys you count on to secure your sensitive cloud-hosted applications, databases and bulk storage. After a pre-determined period, your keys in the cloud will be destroyed.

nShield BYOK for Google Cloud Platform

Thales nShield HSMs let you bring your own keys, known in Google Cloud Platform (GCP) as “Customer-supplied Encryption Keys (CSEK),” to the GCP Cloud Key Management Service (KMS). With nShield BYOK for Google Cloud Platform, your on-premises nShield HSM generates, stores, wraps and exports keys to GCP on your behalf. After a pre-determined time period, your keys in the cloud will be destroyed.

nShield BYOK for Microsoft Azure

When used with Microsoft Azure Key Vault, your Thales nShield HSM lets you create, manage and bring your own keys to Microsoft Azure from your own premises. Our BYOK deployment package provides everything you need to safely generate and transfer your own keys to the Microsoft Azure cloud.


BRING YOUR OWN ENCRYPTION

Vormetric Transparent Encryption for AWS, Google Cloud Platform and Microsoft Azure

With Vormetric Transparent Encryption, your organization can make use of the flexibility and scalability available from the cloud services provider, while safeguarding intellectual property without a noticeable degradation in performance. Vormetric Transparent Encryption encrypts data within your cloud instances, provides policy-based data access controls and integrated key management, and delivers detailed Security Intelligence information about data access.

Vormetric Transparent Encryption deployment options vary by public cloud provider:

• You can install Vormetric Transparent Encryption Agents on any supported virtual operating system provided by the public cloud provider, and then manage all agents from a DSM deployed on your premises or in any cloud.
• AWS: A licensed configuration of both the Vormetric Data Security Manager and Transparent Encryption Agents is available in the AWS Marketplace, or Thales can deploy Data Security Manager instances into your account based on a separate license purchase.
• Azure: You can instantiate a Vormetric Data Security Manager from the Microsoft Azure Marketplace.
• GCP: Bring your Transparent Encryption Agents to GCP.

Vormetric Cloud Encryption Gateway for AWS

Part of a cloud security strategy is also ensuring that data is encrypted before it even leaves the enterprise and that the keys are maintained separately from the data.

Part of the Vormetric Data Security Platform, the Vormetric Cloud Encryption Gateway encrypts sensitive data before it is saved to Amazon Simple Storage Service (S3). Data never leaves the enterprise unencrypted or unaccounted for, while the encryption keys remain securely on the customer premises.
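The "encrypt before it leaves, keep the keys at home" property of the gateway, as an added example that is not Vormetric or Thales code and does not reproduce the product's format. It uses envelope encryption: a fresh per-object data key encrypts the payload with AES-256-GCM, that data key is then wrapped under a key-encryption key (KEK) that stays on the premises, and only the ciphertext plus the wrapped data key are handed to object storage. The object name is bound into both ciphertexts as additional authenticated data, so a stored object cannot be silently moved under another name. The KEK here is a random 32-byte value (assumption standing in for a key held in the DSM or an HSM), the object name and record are constructed sample data, and the object store is simulated by a struct rather than a real S3 call.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is what the gateway hands to the cloud store. Everything in
// it is safe to keep off-premises: the data key appears only in wrapped form.
type EncryptedObject struct {
	Name       string // object path, also bound into both ciphertexts as AAD
	Ciphertext []byte // nonce || AES-GCM ciphertext || tag
	WrappedDEK []byte // per-object data key sealed under the on-premises KEK
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce, prefixing the nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any change to the ciphertext or the AAD.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// NewKEK stands in for the key-encryption key held on the customer's premises
// (assumption: a DSM or HSM would hold it in a real deployment).
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return kek, nil
}

// GatewayEncrypt runs on-premises: a fresh data key per object encrypts the
// payload, then the data key is wrapped under the KEK. The KEK never leaves.
func GatewayEncrypt(kek []byte, name string, plaintext []byte) (*EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Name: name, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// GatewayDecrypt unwraps the data key with the on-premises KEK, then decrypts.
func GatewayDecrypt(kek []byte, obj *EncryptedObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK, []byte(obj.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, obj.Ciphertext, []byte(obj.Name))
}

func main() {
	kek, _ := NewKEK()
	record := []byte("customer_id=1001,card_last4=4242,balance=1500.00") // constructed sample
	obj, err := GatewayEncrypt(kek, "records/2017/04/acct-1001.csv", record)
	if err != nil {
		panic(err)
	}
	leaks := bytes.Contains(obj.Ciphertext, []byte("4242"))
	back, err := GatewayDecrypt(kek, obj)
	fmt.Printf("plaintext visible in stored object: %v, roundtrip ok: %v\n",
		leaks, err == nil && bytes.Equal(back, record))
}
```

Two details carry the security argument: a compromise of the storage account yields only ciphertext and wrapped keys that are useless without the KEK, and because each object has its own data key, rotating or revoking the KEK re-wraps small key blobs rather than re-encrypting every object.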

SOLUTIONS FOR SOFTWARE AS A SERVICE PROVIDERS

Vormetric KMaaS for Salesforce Shield

Vormetric Key Management as a Service (KMaaS) integrates with Salesforce Shield’s BYOK feature and allows Salesforce customers to generate and maintain their encryption keys on premises, providing complete control over their encryption keys and helping ensure compliance with data protection and data residency requirements.

Thales is continuing to develop relationships with other SaaS providers to encrypt sensitive data and enable customers to bring their own keys to enhance regulatory compliance.

SOLUTIONS FOR MANAGED SERVICE PROVIDERS

Vormetric Transparent Encryption Services

Many Managed Service, IaaS, PaaS and Hosting providers offer Vormetric Transparent Encryption services. Some offer each customer access to their domain of the multi-tenant Vormetric Data Security Manager (DSM); others provide a completely managed encryption service. Others, such as co-location providers, enable their customers to bring their own encryption to their cages. In these environments, customers typically retain their Vormetric DSM on their own premises and manage Transparent Encryption Agents encrypting data in the cloud.

nShield Hosted Services

Thales partners with numerous Managed Service Providers that offer hosted PKI and private cloud services underpinned by nShield HSMs. The nShield offers MSPs’ customers FIPS 140-2 Level 3 protection for their most sensitive root and CA private keys, as well as a secure runtime environment. The nShield’s remote management capabilities and support for high transaction volumes provide MSPs a competitive advantage over other alternatives.

SOLUTIONS FOR CONTAINERS

Vormetric Transparent Encryption for Docker

The Vormetric Transparent Encryption Docker Extension enables enterprises deploying production applications to Docker environments in the cloud to safely use sensitive and regulated data. Data encryption, access control and data access audit logging protect information stored within Docker containers, and on external storage accessed by Docker. Policies allow easy isolation of data on a container-by-container basis, preventing cross-container exposure. To meet compliance and best practice requirements, encryption keys and policies can be safely managed remotely, from the enterprise’s data center.

More detailed information about all Thales cloud security offerings is available at www.thalesesecurity.com/cloud-security

About Thales e-Security

Thales e-Security + Vormetric have combined to form the leading global data protection and digital trust management company. Together, we enable companies to compete confidently and quickly by securing data at-rest, in-motion, and in-use to effectively deliver secure and compliant solutions with the highest levels of management, speed and trust across physical, virtual, and cloud environments. By deploying our leading solutions and services, targeted attacks are thwarted and sensitive data risk exposure is reduced with the least business disruption and at the lowest life cycle cost.

Thales e-Security and Vormetric are part of Thales Group. www.thales-esecurity.com.

© Thales - April 2017 • PLB6248

Americas – Thales e-Security Inc. 900 South Pine Island Road, Suite 710, Plantation, FL 33324 USA • Tel:+1 888 744 4976 or +1 954 888 6200 • Fax:+1 954 888 6211 • E-mail: [email protected] Pacific – Thales Transport & Security (HK) Lt, Unit 4101-3, 41/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong • Tel:+852 2815 8633 • Fax:+852 2815 8141 • E-mail: [email protected], Middle East, Africa – Meadow View House, Long Crendon, Aylesbury, Buckinghamshire HP18 9EQ • Tel:+44 (0)1844 201800 • Fax:+44 (0)1844 208550 • E-mail: [email protected]


About Thales e-Security

Thales e-Security is the leader in advanced data security solutions and services that deliver trust wherever information is created, shared or stored. We ensure that the data belonging to companies and government entities is both secure and trusted in any environment – on-premises, in the cloud, in data centers or big data environments – without sacrificing business agility. Security doesn’t just reduce risk, it’s an enabler of the digital initiatives that now permeate our daily lives – digital money, e-identities, healthcare, connected cars and, with the internet of things (IoT), even household devices. Thales provides everything an organization needs to protect and manage its data, identities and intellectual property and meet regulatory compliance – through encryption, advanced key management, tokenization, privileged user control and high assurance solutions. Security professionals around the globe rely on Thales to confidently accelerate their organization’s digital transformation. Thales e-Security is part of Thales Group.