cloud compliance and data security issues -...
TRANSCRIPT
Ariel Dan Co-Founder, Executive VP
Cloud compliance and data security issues Identifying and dealing with security risks in IaaS clouds
• About Porticor
• Cloud compliance and data security issues
• Use cases
Agenda
2
About Porticor
Gila
d P
aran
n-N
issa
ny • CEO, Founder
• G.ho.st Cloud OS
• SAP CTO – SMB solutions
• TopTier – Portal & Web Navigator
Yaro
n S
hef
fer • CTO, Co-founder
• Security guru
• Check Point
• Co-chair: IETF ipsecme A
riel
Dan
• EVP Sales & Marketing, co-founder
• Websense
• Enterprise Sales - New York and New Jersey
• EMEA channel sales
• Port Authority DLP
Executive team
4
Porticor
Founded 2010, Tel Aviv, Israel
Problem we solve
Maintaining trust, control and confidentiality while using cloud infrastructure
Solution
Porticor® Virtual Private Data™ system
Up in minutes, works in most clouds: AWS, VMware, IBM
Only key management solution that is truly safe in the cloud, due to unique technology
Porticor Overview
5
The “Swiss Banker” metaphor Customer has a key, “Banker” has a key
Master key with Homomorphic key encryption
Patented Key-splitting and Homomorphic Key Encryption
6
Approaches to Cloud Key Management - A Challenge
7
Cloud provider
User account
Database server/s
Key Management SaaS vendor
key management server in the datacenter • Expensive: hardware, licenses,
operational overhead, etc… • There’s a tension between security and
performance
key management in a cloud hosted by a security vendor • Problematic: puts your encryption keys in somebody
else’s hands
Cloud Compliance and Security Issues
“IT security is a bit like cleaning the toilets - When you get it right nobody notices or bothers to phone you to congratulate on a job well done, but when it goes wrong everyone is up to their neck in brown stuff.”
Stephen Bonner, Partner at KPMG
9
1. How do I maintain control?
2. While leveraging cloud advantages
3. And keeping “cloudy” costs
Top cloud security concerns
10
When data is stored
•Insiders steal content
•Human error – content exposed
•Malicious Disk snap-shots
•Cloud Providers can read data
•Civil lawsuits, EU Data Dir., USA Patriot Act
•…
When data is in use
•Administrators of VMs may be malicious
•Cloud employees may achieve access to VMs
•Memory snap-shots
•…
Security Encryption requirements
•Encryption of data and all related keys
•Segmentation and compartmentalization
•Splitting secrets as in e.g. PCI
Robustness requirements
•Ensuring a breach in one place (e.g. a single application server) does not expose the entire system
•Ensuring (clear text) data and keys stay in certain geographies
Compliance and
regulation
Security & Compliance Concerns
11
PCI DSS Cloud Computing Guidelines
12
Cloud Security is a Shared Responsibility
13
Use Cases
App1 AppN
Region1US
Region specific KMS
App1 AppN
Region2 EU
Region specific KMS
App1 AppN
Region3 APAC
Region specific KMS
KMS
HSM
DC ATL
KMS
HSM
DC LHR
KMS
HSM
DC SING
Use case 1: A Large Global ISV
15
Challenge
•A large ISV would like to deploy its software globally across the US, EU, and APAC. Compliance needs to be maintained per region specific legislation
•Sensitive information must be encrypted
•Encryption keys must be owned and maintained by the ISV (not the cloud provider or security vendor)
•Reduce cost of solution
How Porticor was used
•Physical HSMs removed
•Segregation and separation through encryption
•Split-knowledge using split-key management
Result
•Regulatory compliance achieved while costs reduced significantly. Per region presence no longer requires a physical data center next to each cloud location.
ISV global AWS deployment - multiple continents
Use case 2: Cloud Disaster Recovery
17
Challenge
• Maintain PCI compliance
• Reduce DR costs significantly
• Maintain control over the encryption keys
How Porticor was used
• Virtual appliance on premise and on DRaaS cloud
• Split-Key Management as a Service
• The encryption key is in the sole possession of the end customer (not the DR provider)
Result
• Cost reduced dramatically using DRaaS
• PCI maintained by keeping the encryption keys with the end user
Cloud Disaster Recovery
• Updated HIPAA Omnibus rules put more liability on ISVs’ as “Business Associates”
• There is a lively discussion on whether cloud providers should be defined as business associates and sign "BAAs"
• “…only breaches involving unsecured PHI are required to be reported, and encryption is the only way to secure such data…”
Healthcare - Background
19
Use case 3: Healthcare ISV
20
Challenge
• Maintain HIPAA compliance
• Automate the key management and encryption process
• Distribute keys to end users
How Porticor was used
• API Integration for encryption keys creation, revocation, etc…
• Tokens creation and distribution directly to end users
• A cluster of Porticor Virtual Appliances for full redundancy
Result
• Fully integrated with ISV’s workflow
• PHI data is always encrypted - and the patient and Doctor maintain control through personal tokens
Healthcare ISV
Questions?
Ariel Dan, Phone: 718.407.0003 Email: [email protected] Skype: ariel.porticor