Upload
amazon-web-services
View
1.171
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
Insert Your Name
Insert Your Title
Insert Date
Cloud Compliance 101:
No PhD Required
Cloud Computing forces the Data Governance Issue
Mike SmartSolutions Marketing Director
@rmsmart007 - twitter
June 2011
Agenda
Cloud Adoption –
on the move…
The Compliance
Problem
What the Regulations
Say (or Don’t)
Bringing Predictive
Focus
Solving the Problem
Questions and
Answers
2
Cloud delivery models – all at once!
Public CloudCommunity
& Hybrid Clouds
Private Cloud
Traditional
Data Center
Virtualizated
Enterprise
Global Cloud Adoption – Moving fast…
4
* Gartner July 2010 – Cloud Hype Cycle
Market Growth in Cloud Computing
Over 60% of enterprises plan to evaluate or pilot
some type of cloud-enabled offerings within the
next 18 months. However, enterprises continue to
delay cloud adoption due to concerns surrounding
data security, privacy and compliance
(Gartner Hype Cycle for Cloud Computing, 2010, David
Mitchell Smith, July 27, 2010)
SMB spending on cloud
computing will approach
$100 billion by 2014
(AMI Partners, August 2010)
Server revenue in the public
cloud category will grow
from $582 million in 2009 to
$718 million in 2014; Server
revenue for the private cloud
market will grow from $7.3
billion to $11.8 billion
(IDC, May 2010)
EMEA & Cloud – Growth Starting 2011…
USA
Europe
EMEA
APAC
Americas
Source: 451Group
Source: 451Group
UK’s Cloud Guidance & Governance
7
Government ICT Strategy - March 2011
Cloud Computing Security – December 2010
It is good practice to encrypt the data prior to it being transferred to
the online services company. This should render the data useless to any
hackers and snoopers without the key, regardless of the jurisdiction
it is in or who is processing it. Modern techniques increasingly allow
processing operations to be carried out whilst maintaining the security
and integrity of the data.
2. The government Cloud (g-Cloud) - Rationalizing the government ICT estate,
using cloud computing to increase capability and security, reduce costs and
accelerate deployment speeds.
3. The Data Centre Strategy - Rationalizing data centers to reduce costs while
increasing resilience and capability.
4. The government applications Store (g-aS) - Enabling faster procurement, greater
innovation, higher speed to deliver outcomes and reduced costs.
5. Shared services, moving systems to the government Cloud - Continually moving
to shared services delivered through the government Cloud for common activities.
Cloud
Direction
Set…
http://www.cabinetoffice.gov.uk/content/government-ict-strategy
Trust is THE issue!
8
IT Security is stopping projects. Compliance/Audit has tons of
questions. Cloud growth IS being limited. All the birds are dead.
IT Security Group: The
cloud isn’t secure. I don’t
trust Providers. I don’t know
how to secure that thing!
Compliance Audit
Group: Show me your
security. Prove
compliance in Clouds.
Convince me!
Cloud Security Challenges
Fundamental Trust & Liability Issues
• Data exposure in multi-tenant
environments
• Separation of duties from cloud
provider insiders
• Transfer of liability by cloud
providers to data owners
Fundamental New Cloud Risks
• New hypervisor technologies
and architectures
• Redefine trust and attestation
in cloud environments
Regulatory Uncertainty in the Cloud
• Regulations likely to require
strong controls in the cloud
User ID and Access: Secure Authentication, Authorization, Logging
Data Co-Mingling: Multi-tenant data mixing, leakage, ownership
Application Vulnerabilities: Exposed vulnerabilities and response
Insecure Application APIs: Application injection and tampering
Data Leakage: Isolating data
Platform Vulnerabilities: Exposed vulnerabilities and response
Insecure Platform APIs: Instance manipulation and tampering
Data Location/ Residency: Geographic regulatory requirements
Hypervisor Vulnerabilities: Virtualization vulnerabilities
Data Retention: Secure deletion of data
Application & Service Hijacking: Malicious application usage
Privileged Users: Super-user abuse
Service Outage: Availability
Malicious Insider: Reconnaissance, manipulation, tampering
Logging & Forensics: Incident response, liability limitation
Perimeter/ Network Security: Secure isolation and access
Physical Security: Direct tampering and theft
Trust & Hypervisors Challenge Us to Do BetterAnd encryption hits trust and isolation head-on
Physical Security
Network Security
Hypervisor Vulnerability Management
Instance Isolation
Instance Authentication/ Authorization
Telemetry & Reporting
Patch Management
App/DB/File Data Protection
Vulnerability Management
Authentication/Authorization
Scan & Report
VLANs, Firewalls, IPS, NAC,
etc.
Patch process, newslists, patch
management
App/DB/File Encryption,
DAM/FAM, Process, etc.
Code review/scan, newlists,
developer ed., QA, etc.
MFA, IAM integration,
entitlement management
Pen-test, Web scanning, etc.
New Technology Ground• Centered around Hypervisors
• Or the associated trust boundary
• Encryption the single greatest way to
address isolation/ trust
• Will also include building controls into
CSP/Hypervisor tools
SAS 70
ISO
27001
CSA Controls
Matrix/
Assessment
Questions
CloudAudit
Etc.
G
A
P
Regulations Will Impact Cloud
Many regulations
11
That often overlap
The Truth- You Are On Your Own for Now
Bad News: Confusing Regulatory Landscape• Shared responsibility model- but demarcation is gray
• SAS 70 inadequate for common use in evaluating cloud providers
• Formal transfer of liability highly likely written into your cloud
contract
• You will have to have a detailed architecture and API conversation
to assess your responsibility
Good News: Everyone Trying to Solve the Problem• XaaS know this, working hard to alleviate
• Cloud Security Alliance has Mapping Document
So where do we go from here???
Focus on First Principles
• Spirit and intent of regulations
• Thoughtful data handling
Sprinkled with the “New” Cloud Issues
• These are where regulations will focus
• Will be around the new area we discussed before:
• Trust and Ownership
• Hypervisors
• Disclosure and Visibility
13
First Principles and Cloud Challenges
14
Principle Tru
st/
Ow
ners
hip
Hyp
erv
iso
r
Dis
clo
su
re/V
isib
ilit
y
Issues
Limit use of <sensitive data> XBig issue in SaaS, in your control for the most
part in IaaS and PaaS
Use secure development practices X Issue in SaaS and PaaS
Control access to <sensitive data> X X XIssues in all cases. Issues of user identification,
authorization rights, privileged cloud user
Encrypt <sensitive data> in transitX
X Most likely already addressed, but customer to
cloud, intracloud communication can be an issue
Optional <sensitive data> encrypt at rest X XHuge issue in data sitting in the cloud, across all
platforms.
Keep <sensitive data> confidential X X XMain issue is guaranteeing the “trust” in data
when you don’t “trust” the cloud.
Keep the integrity of <sensitive data> X X XMain issue is guaranteeing the “trust” in data
when you don’t “trust” the cloud.
Enforce separation of duties of
<sensitive data> access and
administrationX X X
Fundemenal issue of cloud employee and cloud
administrator access. Extends to both physical
and logical security. Invokes separation of duties
issues around all controls.
Report and audit your controls for X Can you prove it to your auditor.
Emergence of Encryption as a Unifying Cloud
Security Control
Encryption is a fundamental
technology for realizing cloud
security• Isolate data in multi-tenant environments
• Recognized universally by analysts and experts
and underlying control for cloud data
• Sets a high-water mark for demonstrating
regulatory compliance adherence for data
Moves from Data Center tactic to
Cloud strategic solution• Physical controls, underlying trust in processes, and
isolation mitigated some use of encryption
• Mitigating trust factors that don’t exist in the cloud.
How Encryption Solves Main Pain Points
16
Principle Tru
st/
Ow
ners
hip
Hyp
erv
iso
r
Dis
clo
su
re/V
isib
ilit
y
Issues
Limit use of <sensitive data> XBig issue in SaaS, in your control for the most
part in IaaS and PaaS
Use secure development practices X Issue in SaaS and PaaS
Control access to <sensitive data> X X XIssues in all cases. Issues of user identification,
authorization rights, privileged cloud user
Encrypt <sensitive data> in transit X Most likely already addressed, but customer to
cloud, intracloud communication can be an issue
Optional <sensitive data> encrypt at rest X XHuge issue in data sitting in the cloud, across all
platforms.
Keep <sensitive data> confidential X X XMain issue is guaranteeing the “trust” in data
when you don’t “trust” the cloud.
Keep the integrity of <sensitive data> X X XMain issue is guaranteeing the “trust” in data
when you don’t “trust” the cloud.
Enforce separation of duties of
<sensitive data> access and
administrationX X X
Fundemenal issue of cloud employee and cloud
administrator access. Extends to both physical
and logical security. Invokes separation of duties
issues around all controls.
Report and audit your controls for X Can you prove it to your auditor.
Encryption enables authentication and authorization layer.
Encryption directly addresses many regulator requirements. Shows
high standard of care.
Encryption inherently provides for integrity controls.
Encryption fundamentally isolates your data from other tenants in a
share cloud environment, shields from unauthorized data breach.
Encryption can add additional authentication and authorization layer
for users and administrators. Customer owned encryption definitively
shows separation from cloud.
Encryption Key ownership is tangible proof to data ownership.
Encrypt/Decrypt actions become easy log and audit proofs.
Encryption- Additional Upside
17
“Lawful Order” to Cloud Provider for Data
Issue: Cloud provider may turn over your data when another member of the cloud is
under criminal investigation. Your data is now viewable to law enforcement.
Resolution: Encrypted data unviewable by law enforcement. Law enforcement would
have to work through legal channels, under which you have guaranteed rights, to get
you to turn over decryption keys.
Destruction of Cloud Data
Issue: Is data in the cloud ever destroyed? Are you sure?
Resolution: Encryption makes data unusable in the cloud. “Key shredding” virtually
makes encrypted cloud data unrecoverable
Physical Location Issues of Cloud Data
Issue: Is cloud data now in new physical locations requiring new regulatory insight, or
violates existing regulatory law?
Resolution: Encrypted data can be moved anywhere in the cloud, but controlled
decryption with proper key release policy can define what localities may use data.
SafeNet Trusted Cloud FabricMaintaining Trust and Control in Virtualized Environments
SafeNet Offering – on AWS
19
SafeNet ProtectV™ and Data Secure, server- and storage-based encryption,
and application/database encryption, customers can now protect compliance-
impacted data stored and used in cloud environments.
ProtectV™Instance enables organizations to encrypt and secure
the entire contents of virtual servers, protecting these assets from
theft or exposure.
ProtectV™Volume enables enterprises to secure entire virtual
volumes in the cloud containing their data such as files or folders.
Delivers:
• Data Isolation
• Separation of Duties
• Cloud Compliance
• Pre-Launch Authentication
• Multi-tenant Protection
Data Secure with ProtectApp and ProtectDB enables
enterprises to encrypt and prove control over data in applications
hosted in the cloud.
SafeNet ProtectV in Amazon AWS
20
Amazon
EC2
Amazon
EBS
Protected Customer AMI
SafeNet ProtectV:
• Encrypted Volume
• Pre-Launch Authentication
• Policy + Key Management
• Protected EBS Volumes
SafeNet ProtectV in Amazon AWS!
21
Amazon
EC2 (& VPC)
Amazon
EBS
#1 Select SafeNet AMIs• EC2 and VPC
• 4 Public Images
• Windows 2003/2008, 32/64 bit
• Linux April/May
• (enable SSL Port 443 access)
#2 Set Encryption Options• RDP Local Management Console
• Encrypt Local Instance
• Encrypt Attached Storage Volumes
• Set Encryption Level (AES 256)
• Set Secure Pre-Launch Authentication
#3 Pre-Launch Authentication• Standard SSL Web Browser Session
• Secures at Pre-Boot Level
• Authenticate Instance for Launch
ProtectV and Scaling in Large EnvironmentsProtectV and ProtectV Manager
22
Cloud APIs
• Authentication Automation
• Activation/ Snapshot
Centralized
Management
SafeNet ProtectV Manager• Provides centralized management• Supports either customer premise or cloud deployments• Manages and coordinates ProtectV Security• Fully meshed encrypted volumes (enables transparent access)•Open APIs to cloud management, customer provisioning, reporting
SafeNet KeySecure (on Premise)•Centralizes key management for persistence and flexibility• Secure key creation and storage• Key discovery• Snapshot re-keying• Key archiving and shredding
23
Additional Resources
“Penn said that encryption is one of the best ways to secure corporate data in the cloud, but “it has to be encryption that the company controls.”
“One of the vendors that offers encryption-based cloud security products to companies and government organizations is Maryland-based SafeNet.”
“One of the biggest issues our customers are running across is around the concept of trust in the cloud”, said Dean Ocampo, solutions strategy director at SafeNet. “There isn’t a lot of insight among customers in understanding what cloud providers are doing from a security perspective”, he told Infosecurity.
SafeNet Makes Formal Foray into Cloud Security Market with Launch of Trusted Cloud Fabric.” “SafeNet, which has been around since 1993, formally made the jump today from on-premise security to cloud security with the introduction of a new framework designed to extend their established offerings into the cloud. Additionally, they have extended and refined some of their existing services to fit into the public cloud realm via Amazon Web Services.”
Cloud Security Alliance
Excellent
Vendor Neutral
SafeNet Website
www.safenet-inc.com/cloudsecurity
Videos
White Papers
Additional Resources
Insert Your Name
Insert Your Title
Insert Date
Questions?
Cloud Compliance 101: No PhD Required
Mike SmartSolutions Marketing Director
@rmsmart007 - twitter
June 2011