7b security in the software defined data center ugo...data ownership and governance in an untrusted...
TRANSCRIPT
Agenda
• Business and Compliance Challenges
• ProtectV - Data Protection in the Cloud
• What does ProtectV look like in the cloud?
• How is ProtectV architected?
What’s Wrong With This Picture?
“Future investment will be in the direction of virtualization-aware security solutions that overcome the challenges of scale, application mobility, and cloud-readiness.”
Forrester
PCI DSS Cloud Computing Guidelines, 6.1.1 Risk Management, p. 22
«[...] In traditional environments, the physical location of sensitive data can be restricted to dedicated systems, facilitating the identification and implementation of effective risk-mitigation controls. However, the advent of new technologies requires a reevaluation of traditional risk strategies. For example, data in cloud environments is no longer tied to a physical system or location, reducing the effectiveness of traditional security mechanisms to protect data from risk.»
Data Security Gaps Remain
How secure is my data in a virtualized world?
VMs introduce a new class of privileged users and administrators - server, storage, backup, and application - all operating independently.
[Diagram: hardware layer, hypervisor and storage, with backups and snapshots, hosting many App/OS virtual machines]
VMs are easy to copy (and steal).
VMs are easy to move.
VMs have multiple snapshots and backups of data.
[Diagram: e-commerce app server replicated to a DR site]
And what about your DR site?
PCI DSS Cloud Computing Guidelines, 6.4 Data Security Considerations, p. 25
«[...] the client may not know the location of their data, or the data may exist in one or more of several locations at any particular time. Additionally, a client may have little or no visibility into the controls protecting their stored data. This can make validation of data security and access controls for a specific data set particularly challenging»
«Cardholder data stored in memory could also be written to disk for recovery or high availability purposes (for example, in the case of virtual machine suspension or snapshot). Such stored data may easily be “forgotten” and so not protected by data security controls.»
Cloud Migration
[Diagram: e-commerce app server holding payment info or other sensitive data, migrated to a cloud/virtual environment; cloud/virtual administrators can manage VMs and virtual disks, alongside internal admins and users]
Data ownership and governance in an untrusted environment
Lawful surrender of data
Shredding data capability if data at risk or switch providers
VMs introduce a new class of privileged users and administrators—server, storage, backup, and application—all operating independently.
PCI DSS Cloud Computing Guidelines, 6.4.6 Data Security Considerations, p. 27
«[...] Clients may choose to ensure that all data is encrypted with strong cryptography to reduce the risk to any residual data left behind on CSP systems»
Just ask the market…
• “In the future, you will encrypt data — both in motion and at rest — by default. This data-centric approach to security is a much more effective way to keep up with determined cybercriminals.”
• “Over the next few years, expect to see the adoption of other ways to protect and control data... The most promising technology is the use of encryption for intellectual property.”
• “Encryption is becoming a fundamental technology for protecting data in the cloud.”
• “As a general rule, cybercriminals cannot sell encrypted data in the open markets on the invisible Internet; encrypted data has no value, thus destroying malicious actors’ primary incentive to steal it.”
PCI DSS Cloud Computing Guidelines, 6.4.5 Data Encryption and Cryptographic Key
Management, p. 26
«Strong data-level encryption should be enforced on all sensitive or potentially sensitive data stored in a public cloud.»
But Not So Fast… You Forgot Your Keys…
• Encryption is the only time-proven, trusted, compliant way to control access to, and protect, high-value data.
• BUT, as they say, encryption is easy; managing it and making it work at scale is hard.
“As the use of encryption grows and various solutions are deployed, key management becomes exponentially critical and complex. Mismanagement of keys can expose an organization to unnecessary risk.”
PCI DSS Cloud Computing Guidelines, 6.4.5 Data Encryption and Cryptographic Key Management, p. 26
«[...] it is recommended that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located. At a minimum, key-management servers should be located in a separate network segment and protected with separate access credentials.»
ProtectV - Data Protection for the Cloud
ProtectV is the industry’s first comprehensive
high-assurance solution for securing both
virtual infrastructure and data.
This gives you the freedom to migrate to virtual and cloud
environments while maintaining full ownership, compliance and
control of data.
ProtectV: Secures the Entire VM Lifecycle
1. Provision: every time that you provision VMs, ProtectV makes it efficient, fast, and automated.
2. Start: you must be authenticated and authorized to launch a VM.
3. Daily operations: all data and VMs are encrypted.
4. Snapshot: every copy of a VM in storage or backup is encrypted.
5. Delete: every time you delete a cryptographic key, it “digitally shreds” the data, rendering all copies of VMs inaccessible.
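As an added example (not code from the presentation, and not SafeNet's product code), the following Python models the two points made above: keys stored and managed independently from the cloud service (PCI DSS 6.4.5) and lifecycle steps 2, 4 and 5 (pre-launch authorization, encrypted snapshots, key deletion as digital shredding). The key manager class, principals, key identifiers and sample volume contents are hypothetical and constructed for the example; HMAC-SHA256 in counter mode stands in for AES so the code runs on the standard library alone.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC subkeys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a standard-library stand-in for AES-CTR/XTS."""
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key or a tampered blob raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class KeyManager:
    """Hypothetical on-premise key manager. It holds key-encryption keys (KEKs),
    never sees volume data, and its own access list decides who may unwrap."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}
        self._grants: dict[str, set[str]] = {}
        self.audit: list[tuple[str, str, str]] = []  # (principal, kek_id, outcome)

    def create_kek(self, kek_id: str, authorized: set[str]) -> None:
        self._keks[kek_id] = secrets.token_bytes(32)
        self._grants[kek_id] = set(authorized)

    def wrap(self, kek_id: str, data_key: bytes) -> bytes:
        return seal(self._keks[kek_id], data_key)

    def unwrap(self, kek_id: str, wrapped: bytes, principal: str) -> bytes:
        """Pre-launch authorization: a VM cannot boot unless this call succeeds."""
        if kek_id not in self._keks:
            self.audit.append((principal, kek_id, "shredded"))
            raise KeyError(f"{kek_id} has been shredded")
        if principal not in self._grants[kek_id]:
            self.audit.append((principal, kek_id, "denied"))
            raise PermissionError(f"{principal} is not authorized for {kek_id}")
        self.audit.append((principal, kek_id, "granted"))
        return unseal(self._keks[kek_id], wrapped)

    def shred(self, kek_id: str) -> None:
        """Crypto-shredding: destroying the KEK makes every copy of the volume,
        including snapshots and backups still held by the provider, unreadable."""
        del self._keks[kek_id]
        del self._grants[kek_id]


def encrypt_volume(km: KeyManager, kek_id: str, plaintext: bytes) -> dict:
    """Envelope encryption on the cloud side: one fresh data key per volume, wrapped
    by a KEK that never leaves the key manager. Both parts are stored in the cloud."""
    dek = secrets.token_bytes(32)
    return {"wrapped_dek": km.wrap(kek_id, dek), "ciphertext": seal(dek, plaintext)}


def boot_vm(km: KeyManager, kek_id: str, volume: dict, principal: str) -> bytes:
    dek = km.unwrap(kek_id, volume["wrapped_dek"], principal)
    return unseal(dek, volume["ciphertext"])


def demo() -> dict:
    """Provision, start, snapshot, delete; returns what each party could read."""
    km = KeyManager()
    km.create_kek("vm-ecommerce", authorized={"alice@vm-users"})
    data = b"constructed sample: cardholder records of the e-commerce app server"
    volume = encrypt_volume(km, "vm-ecommerce", data)
    snapshot = dict(volume)  # the provider's snapshot/backup is a byte-for-byte copy
    outcome = {"authorized_boot": boot_vm(km, "vm-ecommerce", volume, "alice@vm-users") == data}
    try:  # a cloud admin holds the bytes (and the wrapped key) but not the KEK
        boot_vm(km, "vm-ecommerce", snapshot, "mallory@cloud-admins")
        outcome["cloud_admin_boot"] = "readable"
    except PermissionError:
        outcome["cloud_admin_boot"] = "denied"
    km.shred("vm-ecommerce")
    try:  # even the legitimate user cannot recover the snapshot once the KEK is gone
        boot_vm(km, "vm-ecommerce", snapshot, "alice@vm-users")
        outcome["snapshot_after_shred"] = "readable"
    except KeyError:
        outcome["snapshot_after_shred"] = "unreadable"
    outcome["audit_entries"] = len(km.audit)
    return outcome
```

Calling `demo()` walks the lifecycle: the authorized user boots the volume, the cloud administrator who copied the snapshot is refused at the key manager, and after `shred()` the snapshot is unreadable for everyone. The wrapped data key is deliberately stored next to the ciphertext in the cloud: possession of both is worthless without the KEK, which is why the key manager must sit on a separate network segment with its own credentials.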
Deployment Scenario: Public Cloud
[Diagram: a public cloud and a trusted on-premise location, showing the ProtectV Client, ProtectV Manager (HA) and KeySecure (HA)]
Enterprise Key Manager: KeySecure
• Centralizes key management for security, persistence and flexibility (FIPS 140-2 level 3 validation in progress)
• Secure key creation and storage, not only for ProtectV:
  + storage protection (NetApp / iSCSI, NFS, CIFS)
  + tape encryption
  + data encryption in applications
  + database or file encryption (DataSecure)
• Key archiving and shredding
• Virtual appliance available as an option
PCI DSS Virtualization Guidelines
• p. 32 Do not virtualize critical resources used in the generation of cryptographic keys
• 4.1.4 Implement defense in depth […] consider how security can be applied to protect each technical layer, including but not limited to […] VMs, […] application, and data layers.
With SafeNet key management
and key vaulting infrastructure,
not only VMs but also
applications and data layers can
be protected
Crypto Foundation to Address Compliance for Virtual Resources
PCI DSS 3.4, 3.6, 8.2, 8.4, 10.5, …
• 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data […]
• 8.2 In addition to assigning a unique ID, employ [... strong authentication ...] methods to authenticate all users
• 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
• 10.5 Secure audit trails so they cannot be altered.
• 3.1.1.b, 3.3, 4.2, 6.4.3/4, 6.5.3, …
PCI DSS Virtualization Guidelines
• p. 32 Do not virtualize critical resources used in the generation of cryptographic keys
• 4.1.4 Implement defense in depth […] consider how security can be applied to protect each technical layer, including but not limited to […] VMs, […] application, and data layers.
Beyond PCI DSS
• Article 22, paragraph 6 of Legislative Decree 196/03 (protection of judicial and health data)
• Art. 98 of Legislative Decree 30/05 (Industrial Property Code)
• SOX, HIPAA, …
Roles – segregation of duties
[Diagram: Key Manager Admins administer KeySecure (HA); ProtectV Admins administer ProtectV Manager (HA); VM Admins and VM Users work with the ProtectV Clients; the components are linked over HTTPS, SSL and a secure channel]
ProtectV Delivers
Visibility and proof of data governance
• Unified management – at-a-glance dashboard view and central audit point
• On-premise key management audit for encryption key usage
Ownership and control of your data
• Pre-launch user authorization to access a VM
• Encryption-based separation of duties across virtual and physical environments
• Unified HW-based FIPS 140-2 level 3 compliant key management to ensure VM and data ownership
Complete VM encryption
• Encryption of entire VM
• Encryption of associated storage volumes (mapped drives), VM instances (snapshots, backups) and locations (DR sites etc.)
• Even the entire OS partition is protected
Thank you!
Lunch time