Securing Sensitive Data within Amazon Web Services EC2 and EBS
Challenges and Solutions to Protecting Data within the AWS Cloud
Vormetric, Inc., N. 1st Street, San Jose, CA (offices: United States, United Kingdom, South Korea)
In this white paper, we'll cover the specific problems around data protection when using servers within Amazon Web Services (AWS) environments. This includes problems specific to the environment, the motivations that drive the need for this data protection, and recent changes in the cyber threats that highlight the need for this protection. We'll next examine the core elements of a data protection solution for AWS implementations, and then review how Vormetric's Data Firewall for AWS delivers a complete solution to the problem.

The Need for EC2 and EBS Data Protection

AWS dominates the market for cloud-based virtual infrastructure services. It tops all measures: dollar volume, compute capacity available, services offered and number of customers. With a keen understanding of what developers, SaaS and IT organizations want, it has pioneered new markets and continued to keep a commanding lead on the competition. AWS offerings epitomize flexibility, offering an almost dizzying array of services and service types for providing cloud-based infrastructure to organizations. By far the most popular service set, however, is to run server instances within Amazon's Elastic Compute Cloud (EC2) and to store persistent data associated with those servers using Amazon's Elastic Block Store (EBS).

Amazon's Security Focus: Management, Network and Identity

Amazon offers layered security within its management and network environment, but doesn't lock down data accessible through EC2 and EBS. Amazon's customized Xen hypervisor isolates instances within its network, a hardened host management plane provides administration, multi-factor cloud administrator authentication is available, management actions are logged and audited, and a mandatory inbound network firewall protects hosted systems.
Amazon will even allow you to limit access to instances based on its Identity and Access Management (IAM) service, use of its Virtual Private Cloud (VPC), or your own internal Directory Service. However, within your AWS instances the responsibility for the protection of the data is yours. EBS storage data is usually directly linked to instances within AWS, appearing as a volume within the local system environment. EBS protection from AWS focuses on access control (with IAM) and on features that ensure availability, not on specific protections for data stored within the EBS volume.

Drivers for Data Protection within AWS Environments

Whether an organization is the newest startup building a new scalable virtual infrastructure for a SaaS application, or an established enterprise that wants to take advantage of the business flexibility and economic benefits of using AWS, the fundamental drivers for securing the data that will power your organization are common:

- Compliance with industry and government regulations
- Protection from data breach disclosure requirements
- Intellectual property (IP) protection

"...in the end, customers are responsible. Customers will always be responsible in the public cloud for their applications and their data."
Kyle Hilgendorf, Principal Research Analyst, Gartner. Blog: Cloud Security Configurations: Who is Responsible? April 2, 2013
Compliance with industry and government regulations is a core driver. Regulations such as PCI-DSS, US HIPAA/HITECH and South Korea's PIPA require specific data access controls and protections governing privileged users' access to protected data, separation of duties, and auditing, and in some cases also include the requirement to encrypt data. Failing a compliance audit can be daunting and can result in the loss of certification followed by loss of business.

Protection from data breach disclosure and remediation requirements is next. Data breach laws worldwide, such as the UK Data Protection Act, the EU Data Protection Directive and US federal and state data protection laws, raise the bar in data security, imposing fines and notification requirements in the event of a data breach, and providing specific protections and safe harbor criteria for encrypted data. The types of data that require protection include most personally identifiable information: names, addresses, medical data, and more.

Most enterprises, and many government organizations, also have a substantial set of intellectual property in the form of planning documents, manufacturing methods, designs, user profiles, source code and other data. If publicly disclosed, or acquired by a business or government rival, this information can cause severe damage to organizations in the form of financial losses, loss of trust or even failure to protect national security interests (for public sector entities).

Expanded Threats to Data across both Enterprises and AWS

The last few years have seen a well-documented change in the threats organizations are encountering. For years, the vast majority of hackers were motivated by a desire for fame, recognition or support for a specific cause. Increasingly, hacking has turned into a mainstream criminal or government activity. Organized groups are looking for specific data sets that can lead to financial gain or national advantage.
Major financial institutions and businesses are direct targets for government entities on opposite ends of the ideological spectrum, the goal being to destabilize entire economies. Manufacturers have become prime targets, as their critical know-how, formulas, product plans and other information are sought. Criminal organizations target game sites to gain credential sets that can be used to compromise accounts within financial or other organizations. It's a different world from just a few years ago, and sensitive data is the target.

Threat vectors have also changed. Advanced Persistent Threats (APTs) are on every security organization's mind. Victims of these attacks don't even know that their perimeter security has been penetrated for an average of 243 days, they all have up-to-date antivirus software, and 100% of breaches involved stolen credentials (Mandiant 2013 Threat Landscape Report). In this sort of atmosphere, organizations are understandably reluctant to add another potential set of risks by putting critical infrastructure outside their perimeter in an AWS cloud environment.

"...sending 10 phishing e-mails approaches the point where most attackers would be able to slap a guaranteed sticker on getting a click."
Verizon Data Breach Report 2013, page 38, "The Inevitability of The Click"
Another threat vector is the privileged user. The risks that privileged users create have recently been highlighted by the disclosures of Edward Snowden: as a system administrator he had access to data that should never have been available to someone with his role within the organization. Hearing about this, organizations have to wonder: "If I place my data within AWS, won't even more privileged users (cloud administrators) have access to my data?"

In addition, AWS snapshots create another risk vector. Privileged users that have access to snapshots of EC2 instances that include critical data in local storage also have access to the information that they contain. As with other privileged accounts, if they are compromised, or used by a malicious insider, the data that snapshots contain creates another possible exposure point.

The result of this set of risks is that organizations need fundamental questions answered about securing their data when deploying to AWS:

- Is it possible to meet compliance requirements when using AWS?
- How can my organization maintain control of our sensitive data?
- Will use of AWS increase my risks and lead to a data breach?
- Even within my enterprise, privileged user control can be a problem. Will using AWS increase this risk?
- Advanced persistent threats (APTs): will using AWS increase my threat profile?
- How will I maintain and prove data residency in AWS?

Core Solution Elements

Answering these questions requires implementation of a data-centric security strategy for your AWS instances. A data-centric solution places the security controls and protections directly around the target: the data. Protections must reside at the file system level accessed by your EC2 instances, both local and in EBS. The solution should also protect data wherever it resides, including snapshots, backup location repositories and disaster recovery (DR) locations.

[Solution Diagram: Vormetric Data Security Manager with FS Agents and Volume Agents on client instances; secure vaulting of certificates and keys; access logs and agent logs; allow/block and encrypt/decrypt policy enforcement for user, process and application access attempts; key and encryption management, access policies and automated deployment.]

Integrated Encryption and Key Management.
Locking down data using strong, industry-standard algorithms is the first step. Integrated, centralized encryption key management should be seamless and simple and should offer options for securing your keys within your AWS implementation for deployment scenarios that match usage needs: all in the AWS cloud, or in a hybrid cloud implementation such as an AWS VPC (where compute assets reside both locally and in AWS). VPC implementations should offer key management either in the cloud or within your data center. Keys must be properly secured, stored separately from data, and never revealed, even to security administrators. This combination of strong encryption with integrated key management is required to meet base compliance requirements, provides a safe harbor from data breach disclosures, and is a best practice for protecting critical information.

Access Policies with Privileged User access controls to encrypted data.

When used with EC2 and EBS, Amazon's IAM service is focused on controlling network access to instances and is not focused on access to data accessible from within the AWS instance. To prevent exposure of data within instances to unauthorized users, there must be strong, centrally managed access control policies that strictly enforce when to decrypt data at the file system level. Users and groups for controlling data access should be linked to system users (as defined within the instance) and, if an Amazon VPC is used, should link to an organization's Directory Services solution. Access should be granted on a least-privilege basis, i.e. a person should only have access to what they need in order to perform assigned tasks. A trial period that audits data access should be available to make the process of setting policy simple. Policy controls should default to denying any user or process access to the sensitive data when there is no business need for that access.

Privileged users, such as system administrators or Linux root users, need access to file metadata and the capability to perform backups and other system management functions, but at the same time should not be able to access sensitive information. This should be accomplished by integrating these controls with encryption capabilities, allowing privileged users to perform systems management, updates and other standard functions without seeing protected database tables or other files in the clear (they only see the scrambled, encrypted information). Data should be decrypted only for authorized users and processes.

Especially for Linux systems, controls should be able to track how a user assumed a role. A root user in a Linux environment can escalate to become a database user. Solutions should be able to track the chain of privilege and identify this type of behavior, identifying users based on their original role and blocking access if that original role does not have authorization to access the data. Requirements for these types of controls on access to sensitive data are essential elements of many compliance regimes (PCI DSS, HIPAA/HITECH and others), as well as a best practice for preventing data breaches and protecting intellectual property.
Proper use allows for shared storage scenarios where each party can only see its own data: HR, Finance and R&D, for instance, sharing a server instance but never able to access data from other departments.

"I've been a systems engineer, systems administrator... when you're in positions of privileged access like a systems administrator for the intelligence community, you're exposed to a lot more information on a broader scale than the average employee."
Edward Snowden, former infrastructure analyst at the NSA, June 2013
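As an added example (not Vormetric's code), the following toy policy engine models the access rules just described: default deny, cleartext only for authorised user/process pairs, metadata and ciphertext only for privileged accounts, and resolution of the original login identity through a chain of escalations. All paths, accounts, processes and the escalation log are constructed.

```python
"""Added example (not Vormetric's code): a toy policy engine for the access
rules above. Default deny; cleartext only for authorised user/process pairs;
privileged accounts may handle metadata and ciphertext for system tasks; and a
session's escalation chain is followed back to the original login, so root
becoming 'oracle' is still judged as root's login. All names are constructed."""

# Constructed policy: protected path -> (user, process) pairs allowed cleartext.
POLICY = {
    "/data/finance/ledger.db": {("oracle", "oracle"), ("finapp", "java")},
    "/data/hr/payroll.csv": {("hr_etl", "python")},
    "/data/rnd/design.step": {("cad", "catia")},
}
# Privileged accounts: ls, cp and backups over ciphertext are fine, cleartext is not.
PRIVILEGED = {"root", "alice"}
# Operations that touch only file metadata or the encrypted bytes.
OPAQUE_OPS = {"metadata", "backup"}

# Constructed escalation events in session order: (session, from_user, to_user).
ESCALATIONS = [
    ("s1", "alice", "root"),     # sysadmin alice becomes root
    ("s1", "root", "oracle"),    # root then becomes the database owner
    ("s1", "root", "newdba"),    # root also creates a new account and switches to it
    ("s2", "oracle", "oracle"),  # the real database process: no escalation
]


def original_identity(session, current_user, escalations=ESCALATIONS):
    """Follow the session's escalation chain back to the login identity."""
    parent = {t: f for s, f, t in escalations if s == session and f != t}
    user, seen = current_user, set()
    while user in parent and user not in seen:  # guard against loops
        seen.add(user)
        user = parent[user]
    return user


def evaluate(session, current_user, process, path, operation):
    """Decide an access attempt against POLICY using the original identity."""
    if path not in POLICY:
        return "not protected"
    origin = original_identity(session, current_user)
    if operation == "read" and (origin, process) in POLICY[path]:
        return "allow cleartext"
    if origin in PRIVILEGED and operation in OPAQUE_OPS:
        return "allow ciphertext only"
    return "deny"  # least privilege: everything else is refused


def audit(session, current_user, process, path, operation):
    """Decision plus the record a detailed access log would carry."""
    decision = evaluate(session, current_user, process, path, operation)
    origin = original_identity(session, current_user)
    return decision, (f"session={session} user={current_user} origin={origin} "
                      f"proc={process} path={path} op={operation} decision={decision!r}")


if __name__ == "__main__":
    attempts = [
        ("s2", "oracle", "oracle", "/data/finance/ledger.db", "read"),   # database itself
        ("s1", "oracle", "oracle", "/data/finance/ledger.db", "read"),   # root posing as oracle
        ("s1", "newdba", "sqlplus", "/data/finance/ledger.db", "read"),  # root via new account
        ("s1", "root", "tar", "/data/hr/payroll.csv", "backup"),         # backup of ciphertext
        ("s3", "bob", "cat", "/data/rnd/design.step", "read"),           # unrelated user
    ]
    for attempt in attempts:
        print(audit(*attempt)[1])
```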
Policy-based access controls to encrypted data also solve the problems associated with snapshots, backup locations and DR implementations. For snapshots and backups, encrypted data within the image or backup file makes the data inaccessible until it is restored and the appropriate policy is applied. For DR, bringing up a DR location should be as simple as applying the same policy used at the source AWS instance to the data at the DR location.

Separation of Roles for Security and Systems Management.

Another key requirement for solving these problems is strict segregation of security management and systems management roles. Security roles for data protection should be separate from roles for network security (when staffing permits) and should only be able to make changes to policy around access to data. Furthermore, security roles should have no access to system instances within Amazon beyond data access policies. Systems management roles should have no visibility into security management, and no capability to effect changes to data access policies.

Security Intelligence: Detailed access logging and auditing.

Policy-based access controls to encrypted data solve many of the immediate problems of making sure that users have appropriate access to data, blocking access to data by privileged users, for instance. But at the same time, there are additional problems not addressed by simple policy-based control, for example when an APT compromises an account with privileges that allow access to data, or when a malicious insider's role includes sensitive data access. Identifying threats in these situations requires a two-stage approach: the first element is to make available detailed information about which users and processes are accessing data, and the second is to analyze data access patterns to identify unusual or anomalous activity. Solutions should include the capability to select data collection levels.
For instance, when collecting file system access information for a database table, accesses by the database process should be able to be excluded from logs (as these are always allowed and are not a useful pattern for analysis). Audit reports should be a base feature of a solution in this area. These reports should be able to meet the needs for reporting of access information as required by compliance auditors. Data collected should also include access to the security management infrastructure, enabling you to use this information to "watch the watcher" by getting detailed information about both attempted access to the security management infrastructure and the patterns of usage of your security administrators.

"Many organizations understand that data and system access is the first step to understanding and isolating potential data breaches due to malicious insiders or advanced threats. Splunk and Vormetric together can quickly and efficiently help businesses protect intellectual property and other data the business wishes to be kept private."
Bill Gaylord, SVP of Business Development, Splunk
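The two-stage approach described above (collect detailed access data, excluding always-allowed database-process accesses, then analyse access patterns against a baseline), as an added example that is not Vormetric's or Splunk's code; the log format, paths, users and baseline figures are constructed for this illustration.

```python
"""Added example (not Vormetric's or Splunk's code): the two-stage approach
described above, run over constructed access records. Stage 1 parses them,
drops always-allowed database-process accesses from the analysis set and raises
immediate alerts for denials and for any touch of the security-management
infrastructure. Stage 2 compares each user's pattern with a constructed weekly
baseline and flags deviations. Log format, paths, users, baseline: constructed."""

from collections import Counter, defaultdict
from datetime import datetime

# Constructed access records (key=value fields). 2013-06-08 is a Saturday.
LOG = """
2013-06-08T09:12:03Z user=oracle proc=oracle path=/data/finance/ledger.db op=read result=allow
2013-06-08T09:12:04Z user=oracle proc=oracle path=/data/finance/ledger.db op=read result=allow
2013-06-08T22:40:11Z user=root proc=cat path=/data/finance/ledger.db op=read result=deny
2013-06-08T23:01:45Z user=carol proc=cp path=/data/finance/ledger.db op=read result=allow
2013-06-08T23:02:10Z user=carol proc=cp path=/data/hr/payroll.csv op=read result=allow
2013-06-09T01:15:00Z user=carol proc=cp path=/data/rnd/design.step op=read result=allow
2013-06-09T01:16:30Z user=carol proc=cp path=/data/rnd/design2.step op=read result=allow
2013-06-10T10:00:00Z user=hr_etl proc=python path=/data/hr/payroll.csv op=read result=allow
2013-06-10T10:05:00Z user=bob proc=ssh path=/secmgmt/policy.db op=login result=deny
""".strip().splitlines()

# (user, process) pairs that are always allowed and carry no signal for analysis.
EXCLUDE = {("oracle", "oracle")}
SECMGMT_PREFIX = "/secmgmt/"
# Constructed weekly baseline: user -> {data class -> typical accesses per week}.
BASELINE = {"carol": {"hr": 2}, "hr_etl": {"hr": 40}}


def parse(line):
    """Turn one record into a dict with a datetime and a coarse data class."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    parts = rec["path"].split("/")
    rec["class"] = parts[2] if parts[1] == "data" else parts[1]
    return rec


def stage1_collect(lines):
    """Immediate alerts plus the allowed, non-excluded records to analyse."""
    alerts, records = [], []
    for rec in map(parse, lines):
        if rec["path"].startswith(SECMGMT_PREFIX):   # watch the watcher
            alerts.append(("secmgmt", rec["user"], rec["path"], rec["result"]))
        elif rec["result"] == "deny":
            alerts.append(("denied", rec["user"], rec["path"], rec["result"]))
        if rec["result"] == "allow" and (rec["user"], rec["proc"]) not in EXCLUDE:
            records.append(rec)
    return alerts, records


def top_user(totals):
    return max(totals, key=totals.get) if totals else None


def stage2_analyse(records, baseline, ratio=3):
    """Flag new data classes, volume spikes, weekend spread and top-user changes."""
    counts, weekend = defaultdict(Counter), defaultdict(set)
    for r in records:
        counts[r["user"]][r["class"]] += 1
        if r["ts"].weekday() >= 5:              # Saturday or Sunday
            weekend[r["user"]].add(r["class"])
    findings = []
    for user, per_class in counts.items():
        for cls, n in per_class.items():
            expected = baseline.get(user, {}).get(cls, 0)
            if expected == 0:
                findings.append(("new_class", user, cls, n))
            elif n > ratio * expected:
                findings.append(("volume", user, cls, n))
        if len(weekend[user]) >= 2:
            findings.append(("weekend_spread", user, sorted(weekend[user]), None))
    now_top = top_user({u: sum(c.values()) for u, c in counts.items()})
    base_top = top_user({u: sum(c.values()) for u, c in baseline.items()})
    if now_top != base_top:
        findings.append(("top_user_change", now_top, base_top, None))
    return findings


if __name__ == "__main__":
    alerts, records = stage1_collect(LOG)
    for item in alerts + stage2_analyse(records, BASELINE):
        print(item)
```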
Security Intelligence: SIEM Analysis, Alerts and Reports.

The second part of a Security Intelligence implementation for data access is being able to make use of the detailed information within access logs. One use of this information is immediate alerting on unauthorized data access. Log data collected should show when unauthorized users attempt to access either protected data or the security management infrastructure. Security Information and Event Management (SIEM) analysis of this data allows for monitoring and alerting when these events occur.

The second major use is usage pattern recognition for users and processes that are authorized for access to data. SIEM systems allow creation of both top-user information and baselines for typical usage. Both of these can result in alerts on a deviation from normal behavior. One example of anomaly detection and reporting is to monitor top-user access rates. When a privileged user who doesn't typically access financial information files begins to appear as a top user, this behavior change could indicate that an account has been compromised by an APT or that a malicious insider incident is in progress. Baseline patterns are another use case that should be addressed. Baselines capture typical access patterns over a period of time (typically a weekly or monthly period). This allows alerting based on unexpected behavior patterns. For example, if an account that typically accesses only certain classes of data at month end begins continuously accessing much more diverse data sets over multiple weekends, it may indicate a problem.

Integration Capabilities.

Beyond Directory Services integration, integration with policy control, deployment, governance, risk and compliance, and other tools is needed. Whether in an all-in-cloud implementation or an Amazon VPC/VPN hybrid model, integration capabilities are needed to work with the other infrastructure within your environment.
Web-based APIs and/or command line integration options that allow this integration are required to make the connection. In addition, integration capability should allow data protection solutions to dynamically adjust policy based on real-time threat analysis. This is a core requirement for SaaS providers as well, allowing them the flexibility they need to scale infrastructure with customer demand.

Multi-tenancy and Business Unit Segregation.

For SaaS organizations that are implementing their infrastructure within AWS, multi-tenancy is a core requirement, allowing them to segment data access and management by customer. This allows for the use of common underlying infrastructure without the risk of customers or
administrators mixing or contaminating data from one customer with another's. For enterprises that have a data-across-borders requirement or the need simply to isolate business units from each other (as frequently occurs for large multinational organizations as well as for defense and aerospace oriented enterprises), the capability to isolate management and data access allows the use of common applications and infrastructure without higher resource requirements.

Scalability and Performance.

Solutions should easily support environments within AWS from a small set of servers to large AWS infrastructures and hybrid solutions using Amazon VPC or elastic computing with on-premise resources. The performance of solutions should result in minimal changes to transaction times, and no changes to SLAs.

The Vormetric Data Firewall for AWS Environments

Available as a 30-day free trial via Vormetric.com (customers are responsible for their own AWS infrastructure charges), as a paid offering via the Amazon Web Services Marketplace, and under a Bring Your Own License (BYOL) model, the Vormetric Data Firewall for Amazon Web Services (AWS) provides a full solution to the core needs for data protection within AWS environments. The solution includes:

- Integrated Encryption and Key Management that enforces protection for data at the file system level within AWS instances, EC2 and EBS
- Access Policies with Privileged User access controls to encrypted data that decrypt data only for authorized users and processes, while allowing people with systems and cloud management roles to perform their work without exposure to sensitive data
- Separation of Roles for Security and Systems Management that supports best practices for security and systems management
- Source data for Security Intelligence, in the form of access data for encrypted information and the Vormetric Data Security management environment, delivered as SIEM-compatible logs. For customers just starting in this area, an off-the-shelf Splunkbase App is available to apply this intelligence data to create actionable reports and monitoring
- APIs and command line interfaces for integration with other infrastructure tools
- Multi-tenancy and business unit segregation support within the management infrastructure
- Highly scalable management infrastructure
- High performance operation that supports existing SLAs and operations

Transparent

The solution is transparent, enabling critical system processes to continue without exposing data. Using protections at the file system level, the solution allows administrators to see the metadata and file system structure, but reveals only encrypted data to those accounts. At the same time, processes and users that legitimately require access (such as a database process to a database table file) have access to unencrypted data (cleartext).

Strong

The Vormetric solution firewalls your data using a policy-driven approach, linked to LDAP and system accounts, to provide granular access to protected structured information (in databases) or unstructured data (in file systems) by process, user, time and other parameters. It even monitors and prevents access by tracking how users assume their roles. If a root user creates a new account with data access rights, and then escalates to log in as the new account, Vormetric will still associate actions performed by this new account with the root user and prevent access to cleartext data. As a result of these capabilities, privileged users can manage systems without risk of exposure to protected information.

Efficient

The Vormetric Data Firewall for AWS is a high performance, low overhead solution. The result is minimal changes to response times for operational processes.

Easy to Deploy

AWS deployments of the available 30-day Free Trial (available from Vormetric.com, AWS account required) and AWS Marketplace versions deploy in minutes; broader deployments across more extensive enterprise and cloud environments take days to weeks, not weeks to months.
Vormetric Data Firewall for AWS offerings and components

The solution has two core components: the Vormetric Data Firewall Data Security Manager and the Vormetric Data Firewall for AWS Client Systems. The Vormetric Data Firewall Data Security Manager (DSM) for AWS provides the secure management of encryption, keys, access controls, and integration across client systems within your AWS environment. This includes in-depth data access policy control, auditing/reporting, management, and integration with LDAP and other tools. The Vormetric File System agent is available for AWS CentOS bit and is ready for immediate connection and use with a Vormetric Data Firewall for AWS Data Security Manager.

Offerings available include a 30-day free trial version, a pay-by-the-hour AWS Marketplace offering and a Bring Your Own License (BYOL) available from Vormetric and its partners. The free trial version includes a single Data Security Manager and can support up to 5 Vormetric Data Firewall for AWS Client systems. Free trials can be upgraded to production systems. Similarly, the AWS Marketplace version includes a Vormetric DSM and licenses for up to 5 Vormetric AWS Client Systems. BYOL is more flexible, allowing for additional clients, more client system versions beyond CentOS, and extended deployment scenarios that include highly scalable deployments within AWS as well as hybrid deployment capabilities for managing keys and policy from VPC or on-premise locations.
AWS Deployment Models

Vormetric supports deployment models for all-in-the-cloud and extended enterprise scenarios with hybrid AWS and enterprise deployments. Each scenario includes the rich data protection solution set available from Vormetric. The AWS Marketplace version is available for immediate activation with a pay-as-you-go model that makes it easy to implement. Client software installs simply on CentOS clients, with up to 5 server client systems supported. SaaS and larger enterprise customers will typically deploy larger numbers of client instances within AWS, and may support multiple customers with independent infrastructure sets while managing data security centrally. Last, enterprise customers that wish to keep control of their keys locally within their enterprise, and manage data security for their AWS cloud instances together with their local private clouds, virtualized environments and physical servers, can use Amazon's VPC with a VPN link to AWS server instances.
Regardless of the deployment scenario, the Vormetric Data Firewall for AWS reduces risk, narrowing attack surfaces by taking a data-centric approach to security. This approach allows organizations to take advantage of the convenience, business flexibility and scalability of AWS environments while meeting compliance requirements beyond what AWS can support without Vormetric's unique capabilities, safeguarding against data breaches, and protecting critical IP.

About Vormetric

Vormetric is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency, and Vormetric helps over 1200 customers, including 17 of the Fortune 25 and many of the world's most security-conscious government organizations, to meet compliance requirements and protect what matters: their sensitive data, from both internal and external threats. The company's scalable solution suite protects any file, any database and any application, anywhere it resides, with a high performance, market-leading data firewall that incorporates application-transparent encryption, privileged user access controls, automation and security intelligence.

Copyright 2013 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Vormetric.