A SecurityPractitioner’sGuide to the CloudMaintain Trust and Control in Virtualized Environments with SafeNet’s Trusted Cloud Fabric

TRUSTED CLOUDFABRIC

A Security Practitioner’s Guide to the Cloud Whitepaper 2

Executive Summary- To fully capitalize on the strategic potential of the cloud, enterprises will need to address a key challenge: security. SafeNet enables enterprises to overcome this challenge with a comprehensive set of flexible and modular security solutions – called the SafeNet Trusted Cloud Fabric. From authenticating in SaaS environments to ensuring compliance in the cloud, these practical solutions are ready today and can be adopted when and where they are needed.

IntroductionToday, over 60% of enterprises, both large and small, plan to evaluate or pilot some type of cloud-enabled offerings within the next 18 months1. For many applications, such as sales force automation, project management, and marketing automation, SaaS-based delivery has become the de facto standard. Yet for many enterprises, initial cloud initiatives represent a virtual drop in the bucket in terms of what is ultimately possible.

Take, for instance, the case of a large multi-national retailer that looks to migrate its virtual machines from internally sourced to cloud-based resources during the holiday season. Given that 70% of its retail business is conducted during this four-week period, the company stands to substantially reduce its IT operational expense through the less-demanding months of the year—and save millions in the process.

It is with this type of strategic initiative that enterprises will begin to realize the full value of the cloud’s elasticity and cost benefits. However, for these visions to become a reality, a significant challenge needs to be addressed: guaranteeing security, trust, and control in the cloud. What precautions do cloud providers have in place to guard against breaches? How can businesses ensure sensitive data isn’t inadvertently co-mingling with another client’s records in a virtualized, multi-tenant environment? How do businesses ensure and demonstrate compliance of their cloud deployments?

Enterprises pursuing a host of cloud initiatives today are wrestling with these issues, and, as the strategic value of cloud initiatives increases, so too does the security imperative. These heightened security demands will spawn significant effort and investment from enterprises and the security vendors that serve them. That’s why Forrester estimates cloud security will grow into a $1.5 billion market in the next five years2.

Encryption: A Fundamental Control for the CloudAs outlined above, before they can migrate strategic services and assets to the cloud, organizations need to be able to migrate to cloud services, while retaining the requisite security controls. Consequently, encryption is increasingly being recognized by security experts and industry analysts as a fundamental control for organizations moving to

1 Gartner, “Hype Cycle for Cloud Computing, 2010”, David Mitchell Smith, July 27, 2010 2 Forrester, “Security And The Cloud: Looking At The Opportunity Beyond The Obstacle”, Jonathan Penn with

Heidi Shey, Christopher Mines, Chétina Muteba, October 20, 2010

Maintain Trust and Control in Virtualized Environments with SafeNet’s Trusted Cloud Fabric.

A Security Practitioner’s Guide to the Cloud

“Forrester fully expects to see the emergence of highly secure and trusted cloud services over the next five years, during which time cloud security will grow into a $1.5 billion market and will shift from being an inhibitor to an enabler of cloud services adoption.”

—Forrester Research

A Security Practitioner’s Guide to the Cloud Whitepaper 3

the cloud. When implemented correctly, along with associated secure key and policy management approaches, encryption enables organizations to isolate data and associated policies—particularly in shared, multi-tenant environments. With these controls, organizations can move to the cloud without making any compromises in their security posture or their compliance status.

While encryption has been a critical security component within the traditional data center, its strategic importance grows significantly in the cloud. In the past, physical controls, inherent physical isolation, and the underlying levels of trust in the traditional data center mitigated some potential needs for encryption. In the cloud, those physical barriers and trust factors dissolve completely, making encryption a significantly more strategic and critical control moving forward.

The Solution: SafeNet’s Trusted Cloud FabricSafeNet delivers the industry’s most complete cloud fabric for virtualized environments, enabling enterprises to ensure trust throughout the lifecycle of enterprise data. The SafeNet Trusted Cloud Fabric enables enterprises to…

• Ensure security and compliance in the cloud. The SafeNet Trusted Cloud Fabric represents a complete ecosystem of security solutions, weaving together persistent protection, elastic encryption, anchored identity, and secured communication. With these capabilities, SafeNet enables customers to retain complete control over how data is isolated, protected, and shared—even in multi-tenant cloud environments.

• Take a practical migration path to the cloud. SafeNet offers a modular architecture that gives organizations the flexibility to migrate to the cloud in the most effective and efficient manner, and according to their specific timeframes, business objectives, and security policies. SafeNet’s Trusted Cloud Fabric enables businesses to tackle their most pressing security challenges, both in the near term and in the long term—whether they’re looking to secure access to SaaS applications, encrypt storage in the cloud, protect the communication links between private and public clouds, or address a host of other objectives.

• Fully leverage the benefits of the cloud. The SafeNet Trusted Cloud Fabric features high performance solutions built specifically to support virtualized environments. In addition, SafeNet’s comprehensive solutions enable centralized governance and management of sensitive data, applications, and systems across the data center and the cloud. As a result, security teams can enjoy optimized administrative efficiency, while businesses fully embrace cloud opportunities.

The Elements of the Trusted Cloud FabricWhen it comes to enterprise cloud initiatives, one size, strategy, or technology does not fit all. Many enterprises will take disparate, multi-pronged approaches to the cloud, and will need modular solutions that offer flexible integration points across public, private, and hybrid clouds. SafeNet delivers a complete array of solutions, equipping enterprises with the capabilities they need, when they need them—regardless of where they are in their cloud adoption strategies. SafeNet offers these cloud-based solutions:

• Secure access for SaaS

• Secure cloud-based identities and transactions

• Secure virtual instances

• Secure cloud-based storage

• Secure cloud application data

• Secure cloud connections

The SafeNet Trusted Cloud

Fabric is an extension

of SafeNet Information

Lifecycle Protection, a

comprehensive framework

for securing data throughout

the information lifecycle. By

extending trust and control

when moving users, data,

systems, and applications

to virtualized environments,

SafeNet enables customers

to seamlessly integrate

any cloud model into their

near-term and long-term

technology and security

strategies.

SafeNet Information Lifecycle Protection

A Security Practitioner’s Guide to the Cloud Whitepaper 4

When organizations migrate data that is sensitive or regulated by mandates into these environments, they can confront several tough questions: How do you keep information isolated and secure in remote, multi-tenant environments, where many traditional security controls can’t be employed? How do you protect against unlimited copying of virtual instances? How do you gain the fundamental visibility required to understand how virtual instances are being used? How do you enforce the separation of duties and granular controls needed to mitigate the threat of cloud administrators abusing their super-user privileges?

To address these issues, organizations need to safeguard virtual instances and the sensitive assets they contain. Organizations need to retain the requisite security controls to ensure only authorized users access the sensitive data held in virtual instances at any given time. For these reasons, encryption is increasingly being recognized as one of the fundamental security controls for organizations migrating to the cloud. Through encryption, and associated secure key and policy management, organizations can safeguard stakeholder trust when adopting cloud offerings

Secure Access for SaaSMulti-factor authentication—whether through the use of one-time password (OTP) tokens, certificates, USB tokens, or smart cards—has grown increasingly critical as organizations look to secure remote users’ access to corporate systems. As enterprises move increasingly strategic business services to the cloud, security teams will need to leverage centralized mechanisms that accommodate both traditional remote access scenarios and cloud deployments. The Solution With SafeNet Authentication Manager, customers can leverage a unified authentication infrastructure for both their on-premise and cloud-based services—providing a centralized, comprehensive way to manage all access policies. When users try to access one of the enterprise’s cloud services, for example a SaaS service like Salesforce.com or GoogleApps, they will authenticate using their existing SafeNet authentication mechanisms, such as smart cards, USB tokens, or OTP via the user’s mobile phone. The Benefits SafeNet’s comprehensive authentication solutions make it easy for enterprises to maximize authentication security for SaaS applications. SafeNet solutions offer an unparalleled array of advantages for enterprises moving to the cloud:

• Comprehensive platform. All SafeNet solutions that can all be managed through

•Stay in control. Bring private data center security and control to public and private clouds.

•Eliminate compromise. Boost security without compromising the elasticity, scalability, or flexibility of cloud deployments.

•Keep it simple. Get integrated, centralized management, administration, and policy enforcement of all domains—including internal data center and private, public, and hybrid clouds.

•Make it persistent. Wrap protection around sensitive information throughout its lifecycle, wherever it resides.

The Benefits of the Trusted Cloud Fabric

Secure Access to SaaSSecure Cloud-Based

Communications

Secure Virtual MachinesSecure Cloud-Based

Identities and Transactions

Secure Virtual Storage Secure Cloud Applications

On-premise

A Security Practitioner’s Guide to the Cloud Whitepaper 5

SafeNet Authentication Manager, a central management server that enables identity federation, access controls, and strong authentication to both on-premise and SaaS applications.

• Deployment and form factor flexibility. SafeNet offers the broadest authentication portfolio, including hardware tokens, software authentication, one-time password solutions, and more, ensuring organizations have the solutions tailored to their specific security and business objectives.

• Advanced reporting. SafeNet authentication platforms offer extensive reporting capabilities that streamline compliance with a host of security regulations and policies.

Secured Identities and TransactionsThe virtualized nature of the cloud removes many of the physical workflow and perimeter-based control points that helped secure sensitive information in traditional in-house deployments. In order to adopt cloud services, while ensuring the requisite levels of trust and security, enterprises must take a data-centric approach to security. This entails employing cryptographic operations, such as data encryption and digital signatures, to ensure the confidentiality and integrity of data and business processes. At the same time, the use of cryptography can’t jeopardize the performance and reliability of cloud resources.

The SolutionSafeNet offers the most advanced and secure network-based HSMs, which are ideally suited to the demands of virtual and cloud infrastructures. SafeNet HSMs, including SafeNet Luna SA, offer an unparalleled combination of features—including central key and policy management, robust encryption support, flexible integration, and more—that form the basis of a secure cloud platform. In addition, SafeNet is the only HSM solution provider to protect keys in hardware, ensuring that the cryptographic keys, paramount to securing your application and sensitive information, never leave the confines of the hardware appliance. Finally, SafeNet offers HSMs that feature FIPS- and Common Criteria-certified storage of cryptographic keys.

Google Apps

User authenticatesusing enterpriseidentity

Salesforce.com

SaaS Apps

SafeNet AuthenticationManager (SAM)

Federated SSOto the cloud

Cloud Applications

A Security Practitioner’s Guide to the Cloud Whitepaper 6

The BenefitsBy employing SafeNet HSMs for their cloud environments, enterprises can realize a range of significant benefits:

• Maximize security. SafeNet enables organizations to retain effective control through group-based policies, robust user access controls, and central key and policy management of remote systems. Armed with the comprehensive, advanced capabilities of SafeNet’s HSMs, organizations can efficiently leverage the many benefits of cloud services and stay compliant with all pertinent regulatory mandates and security policies.

• Reduce administrative costs and overhead. Combining the security benefits of hardware security modules with the cloud delivery model, security implementations can be far less expensive than traditional in-house deployments, putting state-of-the-art security capabilities within reach of even small- and medium-sized businesses for the first time.

• Realize long term scalability and flexibility. Each SafeNet HSM can support up to 100 clients and 20 partitions, enabling organizations to maximize the return on their investment, while enjoying maximum scalability and flexibility to accommodate changing business and technical requirements.

Secured Virtual Instances Today, enterprises are increasingly moving servers from traditional dedicated data centers to shared, virtualized infrastructures, whether based in public or private clouds. Given that these virtual servers often house the applications and databases that contain sensitive corporate information—including personnel records, intellectual property, customer information, and more—the lost or theft of these virtual assets can be disastrous.

In order to meet their regulatory or internal risk management policies, enterprises must address a host of challenges posed by virtualized servers and all the instances they contain, including controlling privileged administrator access, guarding against potential unlimited copying, overcoming the lack of visibility and auditability, and mitigating the exposure of raw data. To address these challenges and safeguard the sensitive information held in virtual servers, organizations must go beyond simple user access controls and actively secure virtual servers.

The SolutionIn order to mitigate the risk virtual servers can pose to sensitive data, SafeNet offers ProtectV Instance, which enables organizations to encrypt and secure entire contents of

Hardware Security Module

Public

Private

Hybrid

On-premise

A Security Practitioner’s Guide to the Cloud Whitepaper 7

virtual servers, protecting these assets from theft or exposure. With ProtectV Instance, data contained on the drive is secured, even offline and during instance activation. ProtectV Instance provides a critical separation of duties for control of virtual servers and adds the critical visibility needed to audit cloud-based servers.

The BenefitsBy leveraging full disk encryption for virtual servers in the cloud, enterprises can maintain ownership and control of their sensitive data—and so safeguard against the damage of unauthorized theft or manipulation. Even if a drive is replicated, a virtual analog of a lost laptop, security teams can still rest assured that their sensitive data won’t be exposed to unauthorized access. With ProtectV Instance, organizations can maximize the benefits of their private and public cloud deployments, including infrastructure as a service (IaaS), without compromising security.

Secured Cloud-based StorageFor many organizations, the prospect of leveraging elastic, pay-as-you-go services for housing their exponentially expanding volumes of files and digital assets represents a significant opportunity. For many organizations however, particularly those who must meet regulatory mandates, security risks posed by keeping information in multi-tenant cloud storage servers can make the cloud a nonstarter.

The SolutionWith ProtectV Volume, security teams can encrypt entire storage volumes in cloud deployments, ensuring cloud data is isolated and secured—even in shared, multi-tenant cloud storage services. Given its seamless integration, ProtectV Volume can be deployed in a broad range of cloud storage environments, regardless of the vendor or underlying

storage technology.

The BenefitsWith SafeNet, enterprises can efficiently leverage many of the benefits of cloud services, while retaining effective security controls. With SafeNet solutions, organizations can leverage the cloud for applications that would have previously been off limits from a security standpoint. With SafeNet, enterprises can realize a range of benefits:

• Boost user productivity. Through its transparent, seamless security enforcement, SafeNet solutions enable authorized users to enjoy more consistent and reliable access in a manner that is seamless and transparent, which can help optimize productivity.

Hypervisor

Virtual Machines

On-premiseProtectV™Instance

Virtual Server

SafeNet DataSecure® (Supplemental Security Option):• Manages encrypted instances• Lifecycle key management

• Security policy enforcement• Access control

A Security Practitioner’s Guide to the Cloud Whitepaper 8

• Lower costs. By enabling comprehensive, cohesive security policy enforcement in the cloud, SafeNet solutions enable organizations to move more business services into the cloud, and so more fully enjoy the cost savings these models deliver. In addition, by centralizing and streamlining security administration and enforcement, SafeNet solutions deliver significant cost reductions.

• Increase business agility. Inherently, cloud offerings enable organizations to scale or contract much more quickly and cost effectively than if they were relying on internally hosted infrastructures. Through its support of dynamic cloud environments, SafeNet solutions provide organizations with an unparalleled ability to take advantage of the cloud’s flexibility to more quickly adapt to changing requirements.

Secured Cloud Application Data For virtually any enterprise, safeguarding the trust of consumers is essential. While migrating applications to SaaS and PaaS enables dramatic cost savings for the organization as well as ubiquitous access for users, this move means critical customer data ultimately resides in an environment not owned or controlled by the organization. Without active protection of the data entering the application, the potential risks associated with this loss of control and trust are severe.

In order to satisfy both the economic benefits and security requirements of cloud-based applications, organizations must satisfy several core requirements:

• Transparent application integration. Organizations must have the ability to encrypt data in their own application development environment, with simple integration that doesn’t require them to be cryptography experts.

• Centralized control and management. Controlling data must be centralized to minimize operational costs and provide the capabilities required for auditing and separating administrative duties.

• Flexible and agile deployment. Given that organizations will use multiple cloud providers, and change service providers over time, organizations need capabilities that enable flexible data protection controls when migrating to different vendors.

The SolutionIn order to maintain security and business continuity while moving into the cloud, businesses can deploy DataSecure on premise and configure and provision ProtectApp to secure virtualized applications that interact with such sensitive data as credit cards, personally identifiable information, and more. ProtectApp is available in a wide variety of development platforms to enable transparent integration, while the centralized control

SafeNet DataSecure® (Supplemental Security Option):• Manages file protection• Lifecycle key management

• Security policy enforcement• Access control

On-premise Data

Storage

Virtual Server

ProtectV™Volume

A Security Practitioner’s Guide to the Cloud Whitepaper 9

via DataSecure provides the flexibility to work with multiple cloud providers. The on-premise DataSecure platform is anchored as the root of trust for policy enforcement and lifecycle key management.

In the cloud, ProtectApp handles encryption and key caching locally to deliver optimal performance. Because the data is protected as it is generated and stored on databases in the cloud and the keys are kept with the application server, enterprises can ensure sensitive data remains secure and demonstrate compliance with relevant mandates.

The BenefitsWith SafeNet, organizations can utilize SaaS and PaaS for their applications, while also protecting their own customers’ data. In addition, the flexibility of the solution enables the deployment of these protections with minimal operational overhead and maximum agility to work with multiple cloud providers.

Secured Cloud CommunicationsWhether an organization is moving aggressively or tentatively into cloud-based services, the reality is that just about every enterprise will have a hybrid mix of services—including on-premise, private cloud, and public cloud—in place at any given time. As a result, an organization’s sensitive assets will often need to be transported across a wide area network (WAN) as data and processing are shared across these geographically distributed deployments. To build a trusted hybrid multi-site infrastructure, enterprises need to employ encryption to secure the transport of data across their WANs, while at the same time, ensuring high-speed, low-latency communications between these distributed sites.

The Solution Today, SafeNet offers advanced layer 2 encryption solutions that enable organizations to secure WAN communications—while eliminating the challenges and obstacles presented by traditional IPsec encryption approaches. SafeNet Ethernet Encryptors provide the administrative efficiency and optimized performance and bandwidth utilization that make it ideally suited to an enterprise’s private cloud environment.

The BenefitsWith SafeNet Ethernet Encryptors, organizations can ensure trusted communications across all their cloud-based and internally hosted sites, and so gain a range of benefits:

• Boost user productivity. Through its high performance and reliability, SafeNet enables authorized users to quickly and securely transfer communications, media, and other data from the enterprise to the cloud—optimizing productivity.

• Lower costs. By eliminating costly overhead for expensive transport pipes and providing full throughput, SafeNet offers immediate cost savings in the cloud and across the

On-premise

DataSecure®

ProtectDB ProtectApp

Database Application

Local cryptoand key caching

Tokenization

A Security Practitioner’s Guide to the Cloud Whitepaper 10

Contact Us: For all office locations and contact information, please visit www.safenet-inc.comFollow Us: www.safenet-inc.com/connected

©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-02.17.11

enterprise. In addition, as cloud models evolve, businesses can easily add new devices into their existing cloud environment. By centralizing and streamlining security administration, management, and enforcement, SafeNet delivers significant cost reductions.

• Increase business agility. Inherently, cloud offerings enable organizations to scale or contract much more quickly and cost effectively than if they were relying on internally hosted network infrastructures. Through its support of dynamic cloud environments, SafeNet provides organizations with an unparalleled ability to take advantage of the

cloud’s flexibility to more quickly adapt to changing requirements.

SafeNet Trusted Cloud FabricSafeNet delivers the industry’s most complete cloud fabric for virtualized environments, enabling enterprises to ensure trust throughout the lifecycle of enterprise data. The SafeNet Trusted Cloud Fabric™ represents a complete ecosystem that weaves together persistent protection, elastic encryption, anchored identity, and secured communication. With these capabilities, SafeNet brings trust to customers by delivering ownership and control over how data is isolated, protected, and shared—even in multi-tenant cloud environments. An extension of SafeNet Information Lifecycle Protection, the SafeNet Trusted Cloud Fabric™ enables customers to seamlessly integrate any cloud model into their near-term and long-term security strategies.

About SafeNet, Inc.Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their

information security needs to SafeNet.

On-premise

High Speed Encryptor

Private