Ariel Dan Co-Founder, Executive VP

Cloud compliance and data security issues Identifying and dealing with security risks in IaaS clouds

• About Porticor

• Cloud compliance and data security issues

• Use cases

Agenda

2

About Porticor

Gila

d P

aran

n-N

issa

ny • CEO, Founder

• G.ho.st Cloud OS

• SAP CTO – SMB solutions

• TopTier – Portal & Web Navigator

Yaro

n S

hef

fer • CTO, Co-founder

• Security guru

• Check Point

• Co-chair: IETF ipsecme A

riel

Dan

• EVP Sales & Marketing, co-founder

• Websense

• Enterprise Sales - New York and New Jersey

• EMEA channel sales

• Port Authority DLP

Executive team

4

Porticor

Founded 2010, Tel Aviv, Israel

Problem we solve

Maintaining trust, control and confidentiality while using cloud infrastructure

Solution

Porticor® Virtual Private Data™ system

Up in minutes, works in most clouds: AWS, VMware, IBM

Only key management solution that is truly safe in the cloud, due to unique technology

Porticor Overview

5

The “Swiss Banker” metaphor Customer has a key, “Banker” has a key

Master key with Homomorphic key encryption

Patented Key-splitting and Homomorphic Key Encryption

6

Approaches to Cloud Key Management - A Challenge

7

Cloud provider

User account

Database server/s

Key Management SaaS vendor

key management server in the datacenter • Expensive: hardware, licenses,

operational overhead, etc… • There’s a tension between security and

performance

key management in a cloud hosted by a security vendor • Problematic: puts your encryption keys in somebody

else’s hands

Cloud Compliance and Security Issues

“IT security is a bit like cleaning the toilets - When you get it right nobody notices or bothers to phone you to congratulate on a job well done, but when it goes wrong everyone is up to their neck in brown stuff.”

Stephen Bonner, Partner at KPMG

9

1. How do I maintain control?

2. While leveraging cloud advantages

3. And keeping “cloudy” costs

Top cloud security concerns

10

When data is stored

•Insiders steal content

•Human error – content exposed

•Malicious Disk snap-shots

•Cloud Providers can read data

•Civil lawsuits, EU Data Dir., USA Patriot Act

•…

When data is in use

•Administrators of VMs may be malicious

•Cloud employees may achieve access to VMs

•Memory snap-shots

•…

Security Encryption requirements

•Encryption of data and all related keys

•Segmentation and compartmentalization

•Splitting secrets as in e.g. PCI

Robustness requirements

•Ensuring a breach in one place (e.g. a single application server) does not expose the entire system

•Ensuring (clear text) data and keys stay in certain geographies

Compliance and

regulation

Security & Compliance Concerns

11

PCI DSS Cloud Computing Guidelines

12

Cloud Security is a Shared Responsibility

13

Use Cases

App1 AppN

Region1US

Region specific KMS

App1 AppN

Region2 EU

Region specific KMS

App1 AppN

Region3 APAC

Region specific KMS

KMS

HSM

DC ATL

KMS

HSM

DC LHR

KMS

HSM

DC SING

Use case 1: A Large Global ISV

15

Challenge

•A large ISV would like to deploy its software globally across the US, EU, and APAC. Compliance needs to be maintained per region specific legislation

•Sensitive information must be encrypted

•Encryption keys must be owned and maintained by the ISV (not the cloud provider or security vendor)

•Reduce cost of solution

How Porticor was used

•Physical HSMs removed

•Segregation and separation through encryption

•Split-knowledge using split-key management

Result

•Regulatory compliance achieved while costs reduced significantly. Per region presence no longer requires a physical data center next to each cloud location.

ISV global AWS deployment - multiple continents

Use case 2: Cloud Disaster Recovery

17

Challenge

• Maintain PCI compliance

• Reduce DR costs significantly

• Maintain control over the encryption keys

How Porticor was used

• Virtual appliance on premise and on DRaaS cloud

• Split-Key Management as a Service

• The encryption key is in the sole possession of the end customer (not the DR provider)

Result

• Cost reduced dramatically using DRaaS

• PCI maintained by keeping the encryption keys with the end user

Cloud Disaster Recovery

• Updated HIPAA Omnibus rules put more liability on ISVs’ as “Business Associates”

• There is a lively discussion on whether cloud providers should be defined as business associates and sign "BAAs"

• “…only breaches involving unsecured PHI are required to be reported, and encryption is the only way to secure such data…”

Healthcare - Background

19

Use case 3: Healthcare ISV

20

Challenge

• Maintain HIPAA compliance

• Automate the key management and encryption process

• Distribute keys to end users

How Porticor was used

• API Integration for encryption keys creation, revocation, etc…

• Tokens creation and distribution directly to end users

• A cluster of Porticor Virtual Appliances for full redundancy

Result

• Fully integrated with ISV’s workflow

• PHI data is always encrypted - and the patient and Doctor maintain control through personal tokens

Healthcare ISV

Questions?

Ariel Dan, Phone: 718.407.0003 Email: ariel@porticor.com Skype: ariel.porticor