7b security in the software defined data center ugo...data ownership and governance in an untrusted...


Post on 16-Jul-2020


Page 1: 7b security in the software defined data center Ugo...Data ownership and governance in an untrusted environment Lawful surrender of data Shredding data capability if data at risk or

Agenda

• Business and Compliance Challenges

• ProtectV - Data Protection in the Cloud

• What does ProtectV look like in the cloud?

• How is ProtectV architected?

Page 2

What’s Wrong With This Picture?

“Future investment will be in the direction of virtualization-aware security solutions that overcome the challenges of scale, application mobility, and cloud-readiness.”

Forrester

PCI DSS Cloud Computing Guidelines, 6.1.1 Risk Management, p. 22

« [...] In traditional environments, the physical location of sensitive data can be restricted to dedicated systems, facilitating the identification and implementation of effective risk-mitigation controls. However, the advent of new technologies requires a reevaluation of traditional risk strategies. For example, data in cloud environments is no longer tied to a physical system or location, reducing the effectiveness of traditional security mechanisms to protect data from risk.»

Page 3

Data Security Gaps Remain

How secure is my data in a virtualized world?

VMs introduce a new class of privileged users and administrators - server, storage, backup, and application - all operating independently.

[Diagram labels: Storage; Hypervisor; Hardware Layer; Backup; Snapshots; App/OS virtual machines; E-commerce; App server; DR Site]

VMs are easy to copy (and steal).

VMs are easy to move.

VMs have multiple snapshots and backups of data.

And what about your DR site?

Page 4

Data Security Gaps Remain

How secure is my data in a virtualized world?

PCI DSS Cloud Computing Guidelines, 6.4 Data Security Considerations, p. 25

«[...] the client may not know the location of their data, or the data may exist in one or more of several locations at any particular time. Additionally, a client may have little or no visibility into the controls protecting their stored data. This can make validation of data security and access controls for a specific data set particularly challenging»

«Cardholder data stored in memory could also be written to disk for recovery or high availability purposes (for example, in the case of virtual machine suspension or snapshot). Such stored data may easily be “forgotten” and so not protected by data security controls.»

Page 5

Cloud Migration

[Diagram labels: E-commerce; App server; Payment info or other sensitive data; Cloud/Virtual Administrators (can manage VMs) (can manage virtual disks); Internal Admins; Users]

Data ownership and governance in an untrusted environment

Lawful surrender of data

Shredding data capability if data at risk or switch providers

VMs introduce a new class of privileged users and administrators—server, storage, backup, and application—all operating independently.

PCI DSS Cloud Computing Guidelines, 6.4.6 Data Security Considerations, p. 27

« [...] Clients may choose to ensure that all data is encrypted with strong cryptography to reduce the risk to any residual data left behind on CSP systems»

Page 6

Just ask the market…

• “In the future, you will encrypt data — both in motion and at rest — by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals.”

• “Over the next few years, expect to see the adoption of other ways to protect and control data... The most promising technology is the use of encryption for intellectual property.”

• “Encryption is becoming a fundamental technology for protecting data in the cloud.”

• “As a general rule, cybercriminals cannot sell encrypted data in the open markets on the invisible Internet; encrypted data has no value, thus destroying malicious actors’ primary incentive to steal it.”

PCI DSS Cloud Computing Guidelines, 6.4.5 Data Encryption and Cryptographic Key Management, p. 26

«Strong data-level encryption should be enforced on all sensitive or potentially sensitive data stored in a public cloud.»

Page 7

But Not So Fast… YOU FORGOT YOUR KEYS…

• Encryption is the only time-proven, trusted, compliant way to control access to, and protect, high-value data.

• BUT as they say… Encryption is easy; managing it and making it work at scale is hard.

“As the use of encryption grows and various solutions are deployed, key management becomes exponentially critical and complex. Mismanagement of keys can expose an organization to unnecessary risk.”

says:

PCI DSS Cloud Computing Guidelines, 6.4.5 Data Encryption and Cryptographic Key Management, p. 26

«[...] it is recommended that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located. At a minimum, key-management servers should be located in a separate network segment and protected with separate access credentials.»

Page 8

ProtectV - Data Protection for the Cloud

ProtectV is the industry’s first comprehensive high-assurance solution for securing both virtual infrastructure and data.

This gives you the freedom to migrate to virtual and cloud environments while maintaining full ownership, compliance and control of data.

Page 9

ProtectV: Secures the Entire VM Lifecycle

Lifecycle stages: 1. Provision; 2. Start; 3. Daily Operations; 4. Snapshot; 5. Delete

• Every time that you provision VMs, ProtectV makes it efficient, fast, and automated

• You must be authenticated and authorized to launch a VM

• All data and VMs are encrypted

• Every time you delete a cryptographic key, it “digitally shreds” the data, rendering all copies of VMs inaccessible

• Every copy of VM in storage or backup is encrypted

Page 10

Deployment Scenario: Public Cloud

[Diagram labels: Public Cloud; ProtectV Manager (HA); Trusted on-premise location; ProtectV Client; KeySecure (HA)]

Page 11

Enterprise Key Manager: KeySecure

• Centralizes key management for security, persistence and flexibility (FIPS 140-2 level 3 validation in progress)

• Secure key creation and storage

- not only for ProtectV

+ storage protection (NetApp / iSCSI, NFS, CIFS)

+ tape encryption

+ data encryption in applications

+ database or file encryption (DataSecure)

• Key archiving and shredding

• Virtual appliance available as an option

Page 12

PCI DSS Virtualization Guidelines

• p. 32 Do not virtualize critical resources used in the generation of cryptographic keys

• 4.1.4 Implement defense in depth […] consider how security can be applied to protect each technical layer, including but not limited to […] VMs, […] application, and data layers.

With SafeNet key management and key vaulting infrastructure, not only VMs but also applications and data layers can be protected

Page 13

Crypto Foundation to Address Compliances for Virtual Resources

PCI DSS 3.4, 3.6, 8.2, 8.4, 10.5, …

• 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data […]

• 8.2 In addition to assigning a unique ID, employ [... strong authentication ...] methods to authenticate all users

• 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.

• 10.5 Secure audit trails so they cannot be altered.

• 3.1.1.b, 3.3, 4.2, 6.4.3/4, 6.5.3, …

PCI DSS Virtualization Guidelines

• p. 32 Do not virtualize critical resources used in the generation of cryptographic keys

• 4.1.4 Implement defense in depth […] consider how security can be applied to protect each technical layer, including but not limited to […] VMs, […] application, and data layers.

Beyond PCI DSS

• Article 22, paragraph 6, Legislative Decree (d.lgs.) 196/03: protection of judicial and health data

• Art. 98, Legislative Decree (d.lgs.) 30/05: Industrial Property Code

• SOX, HIPAA, …

Page 14

Roles – segregation of duties

[Diagram labels: KeySecure (HA); ProtectV Manager (HA); ProtectV Clients; HTTPS; SSL; Secure Channel; Key Manager Admins; ProtectV Admins; VM Users; VM Admins]

Page 15

ProtectV Delivers

Visibility and proof of data governance

• Unified management – at-a-glance dashboard view and central audit point

• On-premise key management audit for encryption key usage

Ownership and control of your data

• Pre-launch user authorization to access a VM

• Encryption based separation of duties across virtual and physical environments

• Unified HW based FIPS 140-2 level 3 compliant key management to ensure VM and data ownership

Complete VM encryption

• Encryption of entire VM

• Encryption of associated storage volumes (mapped drives), VM instances (snapshots, backups) and locations (DR sites etc.)

• Even the entire OS partition is protected

Page 16

Thank you!

Page 17

Lunch time