Welcome to the SafeNet Executive Day! - Gemalto · 2013-06-10


Page 1

Welcome to the SafeNet Executive Day!

New Horizons of Information Security

Page 2

Data protection in the age of Cloud and Virtualization

Rami Shalom, VP, DEC Product Management, SafeNet

Page 3

State of Data Security

Security professionals believe they will suffer a breach.

*Based on a SafeNet Survey of 230 security professionals.

Page 4

State of Data Security

Organizations continue to rely on the same technologies.

*Based on a SafeNet Survey of 230 security professionals.

Page 5

State of Data Security

Doubt in the security industry's ability to detect and prevent breaches.

*Based on a SafeNet Survey of 230 security professionals.

Page 6

State of Data Security

Recognition that if perimeters failed, high value data would not be safe.

*Based on a SafeNet Survey of 230 security professionals.

Page 7

Cloud migration has a lot to do with it…

Page 8

Loss of Control Creates New Security and Compliance Concerns

[wrt Virtualization, Forrester] "The insider threat elevates privileged user management to a whole new level: 'I'll see your domain admin and raise you one virtualization admin account.'"

Page 9

Cloud - Starting Point

My Datacentre

• My Facility
• My machines
• My admins
• My control
• My responsibility
• My accountability

Workloads shown: Finance Compliant, Customer Regulated Data, Development

Page 10

Direction

Page 11

Value

Financial: 70% reduction in IT infrastructure spend (VMware)

Quality: Automation reduces the volume of incidents by 27%, and event and incident handling time by 40% (VMware)

Agility: Provisioning in minutes (from weeks!)

Page 12

Destination

Our Datacentre
• Our facility
• Our machines
• Our admins
• Our control
• Our responsibility
• My accountability

Their Cloud
• Their facility
• Their machines
• Their admins
• Their control
• Their responsibility
• My accountability

Workloads shown on both sides: Finance Compliant, Customer Regulated Data, Development

Page 13

Cloud Adoption and Security Concerns: Creating the Perfect Storm

Cloud adoption is nascent but soaring because of its ROI potential: IaaS alone grows from $2.4B to $6.8B in 3 years.

Security concerns are the overwhelming #1 concern for moving to the cloud.

Source: 451 Group, August 2012 report

Page 14

Who Said?

"Despite the acknowledged benefits of cloud computing, wide scale deployment of cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed."

Article 29 Data Protection Working Party, Opinion 05/2012 on Cloud Computing, adopted July 1, 2012. It is an independent European advisory body on data protection and privacy; its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.

Page 15

The risk.

Page 16

Securing The Traditional Infrastructure

Involves securing:

• Datacenter Facilities (Locked doors, alarms, surveillance cameras)

• Physical Network (Firewalls, Routers, VPNs, IDS & IPS)

• Physical Storage (Separate networks, wipe drives)

• Physical Servers (OS updates, disable services, antivirus, enable logging)

• Applications (Apply security patches, run with minimal system privileges)

• Users/Administrators (Directory Services, logging, force password resets, enable two-factor authentication)

Page 17

Virtualization Introduces Additional Components to the Datacenter

• Datacenter Facilities
• Physical Networks
• Virtual Networks
• Physical Storage
• Virtual Storage
• Physical Servers
• Hypervisor
• Virtual Machines
• Applications
• Users/Administrators
• Virtual Administrators

Page 18

Virtualization Vulnerabilities

Page 19

Securing the Virtualization Layer

Layers: Virtual Networks, Virtual Storage, Hypervisor, Virtual Machines (VM), Virtual Administrators

• Management Isolation: Jumpbox, indirect access
• Administrator Isolation: Domain admins, protect root
• Virtual Machine Isolation: Protect multiple VMs per host
• Hypervisor Hardening: Follow hardening guide, apply security updates, host firewall
• Storage Isolation: Restrict access, enable CHAP for iSCSI, separate network/VLAN
• Network Isolation: Separate vMotion, FT, storage, mgmt and VM traffic; disable promiscuous mode; VM traffic may not reach the physical network, so logical controls are needed

Page 20

Additional Challenges of Data Center Consolidation

Diagram: six VMs spread across a physical server with a restrictive security policy and a physical server with a permissive security policy.

A restricted workload can move from a secure physical server to an insecure one without the security admin's knowledge!

Traditional physical security policies do not translate well to a virtual environment. VMs are more dynamic than physical servers. How can they be secured without creating air gaps and lowering our ROI?

Multiple copies of the VM exist that can be instantiated without anyone's knowledge if removed from the environment.

Revoking access to sensitive data in the event of a breach is a far more difficult problem on VMs than on physical servers.
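As an added example that is not part of the deck, the following Python turns the drift this slide warns about into a detection check: it rates each host's security policy, classifies each VM, and flags any migration event that lands a regulated VM on a permissive host. The host names, VM names, classifications and the vMotion-style log format are all constructed for the example.

```python
"""Flag restricted workloads that land on permissive hosts (added example, not
from the SafeNet deck). The host policy ratings, VM data classifications and
migration log lines are constructed to model the slide's scenario: a regulated
VM moved off a restrictive host without the security admin knowing."""
import re
from dataclasses import dataclass

# Constructed inventory: how restrictive each physical host's security policy is.
HOST_POLICY = {"esx-restricted-01": "restrictive", "esx-restricted-02": "restrictive",
               "esx-general-01": "permissive"}
# Constructed data classification of each VM, and the weakest host policy it may run on.
VM_CLASS = {"fin-db-01": "regulated", "dev-web-03": "development"}
REQUIRED = {"regulated": "restrictive", "development": "permissive"}
RANK = {"restrictive": 2, "permissive": 1}
# Constructed migration-event format (vMotion-style, not any vendor's real log format).
LOG_RE = re.compile(r"^(?P<ts>\S+) MIGRATE vm=(?P<vm>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")

@dataclass(frozen=True)
class Violation:
    ts: str
    vm: str
    dst: str
    required: str
    actual: str

def parse_event(line):
    """Return the migration fields, or None for lines that are not migrations."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_violations(lines, host_policy=HOST_POLICY, vm_class=VM_CLASS):
    """Fail closed: an unknown VM counts as regulated, an unknown host as permissive."""
    found = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        need = REQUIRED[vm_class.get(ev["vm"], "regulated")]
        have = host_policy.get(ev["dst"], "permissive")
        if RANK[have] < RANK[need]:
            found.append(Violation(ev["ts"], ev["vm"], ev["dst"], need, have))
    return found
SAMPLE_LOG = [  # constructed events; only the third and fourth are violations
    "2013-06-10T09:01:12Z MIGRATE vm=fin-db-01 src=esx-restricted-01 dst=esx-restricted-02",
    "2013-06-10T09:05:40Z MIGRATE vm=dev-web-03 src=esx-general-01 dst=esx-restricted-01",
    "2013-06-10T09:07:03Z MIGRATE vm=fin-db-01 src=esx-restricted-02 dst=esx-general-01",
    "2013-06-10T09:08:00Z MIGRATE vm=hr-app-07 src=esx-restricted-01 dst=esx-new-09",
    "2013-06-10T09:09:00Z HEARTBEAT host=esx-general-01",
]
```

The fourth event shows the fail-closed rule at work: a VM and host that are missing from the inventory are treated as regulated and permissive respectively, so the move is reported rather than silently accepted.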

Page 21

And then, there's the data itself!

How secure is my data in a virtualized world?

• VMs are easy to copy (and steal).
• Virtual data objects are easy to move.
• Cloud introduces a new class of privileged users and administrators (server, storage, backup, and application), all operating independently.
• VMs have multiple instances, snapshots and backups of data.
• Ability to shred data if it is at risk or when switching providers.

Diagram: four APP/OS stacks on a Hypervisor (Compute Layer), with Storage, Backup and Snapshots below.

Page 22

Who Secures the Cloud?

Page 23

Challenges in Virtual Datacenters & Clouds

Data Protection: prevent leaks or unauthorized access
• Are all my data instances secure?
• How will encryption affect my virtualization solution?
• Can I assure only authorized access?
• Can I "pull the plug" on data at risk of exposure?

Control: set effective access policies
• Who is accessing my data?
• Can I enforce an effective access control policy?
• Can I present a trusted audit trail?

Visibility: where is your data and what is it doing?
• Where are all my data instances?
• Can I trace every legitimate copy/instantiation?
• Can I trace unauthorized copying?

Page 24

Control versus Accountability?

"An organization cannot outsource accountability. Ever." - Cloud Security Alliance

"…outsourcing maintenance of controls is not the same as outsourcing responsibility for the data overall." - PCI DSS Cloud Computing Guidelines v2

"…Regarding third-party or public clouds, clients should consider that while they can outsource the day-to-day operational management of the data environment, they retain responsibility for the data they put in the cloud." - PCI DSS Cloud Computing Guidelines v2

Page 25

The solution.

Page 26

State of Data Protection: Protect What Matters, Where it Matters

Page 27

WHERE IS YOUR DATA? WHERE ARE YOUR KEYS?

Diagram: data locations (Virtual Machines, File Servers, Databases, Site-to-site Data in Motion, Applications, SaaS Apps) mapped onto five protection areas: 1 Live Data, 2 Stored Data, 3 Virtualized Data, 4 Key Management and Root of Trust, 5 Access.

Warning
• Pockets of Encryption
• Operational Inefficiencies
• Audit Deficiencies & Failures
• Sensitive Data Exposure

Protecting What Matters, Where it Matters

Page 28

SafeNet Solutions for Virtualized Architectures

Diagram: virtual machines (Application on Guest OS) on a Hypervisor, across Compute (Virtual Compute, CPU), Storage (Virtual Storage, NAS / SAN) and Network (Virtual Network, Physical Network) layers plus Management. SafeNet controls shown: Root-of-trust and trusted crypto, Database-As-A-Service, Isolation of virtual machines, Strong Authentication, Storage Encryption.

Page 29

ProtectV: Maintain Control of Your Data Through Your Virtualization and Cloud Migration

Diagram: ProtectV Manager alongside encrypted VMs.

ProtectV enables VM encryption to:

• Isolate Virtual Machines and Storage
• Authorize server launches with StartGuard
• Track key access to all copies of your data
• Revoke key access after a breach
• No need for special discovery of sensitive data
• All data is encrypted, even in archive (ex: snapshots, backups & clones)
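An added example, not ProtectV's code, modelling the revocation claim above: each volume gets its own data key wrapped by a tenant key that only the key manager holds, and snapshots, backups and clones are plain copies of the ciphertext, so revoking the tenant key at the manager makes every copy unreadable without touching the copies themselves. The key manager, the envelope layout and the HMAC-based toy keystream are assumptions standing in for real key-management hardware and a real cipher.

```python
"""Key revocation that reaches every copy of an encrypted VM volume (added example,
not SafeNet's ProtectV code). The KeyManager, the envelope scheme (per-volume DEK
wrapped by a tenant KEK) and the sample volumes are constructed; the HMAC-SHA256
keystream is a toy stand-in for a real AEAD cipher and gives no integrity."""
import hashlib, hmac, os

def keystream_xor(key, nonce, data):
    """Toy CTR-style cipher: XOR data with HMAC-SHA256(key, nonce||counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class KeyManager:
    """Holds tenant KEKs; callers only ever receive wrap/unwrap results, never the KEK."""
    def __init__(self):
        self._keks, self.access_log = {}, []   # access_log is the audit trail of key use
    def create_kek(self, kek_id):
        self._keks[kek_id] = os.urandom(32)
    def wrap(self, kek_id, dek):
        nonce = os.urandom(16)
        return nonce + keystream_xor(self._keks[kek_id], nonce, dek)
    def unwrap(self, kek_id, wrapped):
        self.access_log.append(("unwrap", kek_id))
        if kek_id not in self._keks:
            raise PermissionError(f"key access revoked for {kek_id}")
        return keystream_xor(self._keks[kek_id], wrapped[:16], wrapped[16:])
    def revoke(self, kek_id):
        self._keks.pop(kek_id, None)           # copies stay on disk; only the key is gone

def encrypt_volume(km, kek_id, plaintext):
    """Envelope encryption: a fresh DEK per volume, wrapped by the tenant's KEK."""
    dek, nonce = os.urandom(32), os.urandom(16)
    return {"kek": kek_id, "wrapped_dek": km.wrap(kek_id, dek),
            "nonce": nonce, "data": keystream_xor(dek, nonce, plaintext)}

def decrypt_volume(km, vol):
    dek = km.unwrap(vol["kek"], vol["wrapped_dek"])
    return keystream_xor(dek, vol["nonce"], vol["data"])

def readable_copies(km, copies):
    """Count the copies (live, snapshot, backup, clone) that still decrypt."""
    def ok(vol):
        try:
            return decrypt_volume(km, vol) is not None
        except PermissionError:
            return False
    return sum(ok(vol) for vol in copies)
```

Because a snapshot or backup carries the wrapped DEK rather than the KEK, every copy has to go back to the key manager to be read, which is what makes the revocation and the audit trail cover archived copies too.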

Page 30

StorageSecure: Isolate Data in Multi-tenant NAS Environments

Diagram: a Storage Head serving Isolated Data Shares for Health Solutions, Pharmaceutical Solutions, Patient Relationship and Medical-Surgical.

• Encryption-enabled separation of data in shared virtual environments
• Separation of inter- and intra-departmental data
• Protect data belonging to security-sensitive departments
• Enables hosting multiple customers on the same HW

Page 31

KeySecure: SafeNet Key Management

Diagram: KeySecure with a Hardware Security Module (HSM) serving Applications, Virtual Machines, Backup Media and Storage.

• Heterogeneous
• Open standards-based
• Physical or virtual
• High assurance

Page 32

Why Customers Choose SafeNet

• Comprehensive Information Lifecycle Protection: More ways to protect data than any other vendor, in Databases, Applications, File Servers, Mainframes, Desktops, and more.
• Trusted by Largest Organizations for Critical Data: Proven track record of protecting critical data and transactions: trillions of dollars in bank transfers, stored streaming videos, and from M1 tanks to Air Force One.
• Confidence in the Most Certified Solutions: SafeNet has more FIPS 140-2 and Common Criteria certifications than any vendor, giving peace of mind to our customers.
• High Performance for High Volume Deployment: For the largest enterprise deployments, dedicated hardware and optimized software scale to millions of protected records and trillions of transactions.

Page 33

Thank you