Encryption, Key Management, and Consolidation in Today s Data Center

Transcription

1 Encryption, Key Management, and Consolidation in Today s Data Center Unlocking the Potential of Data Center Consolidation whitepaper Executive Summary Today, organizations leadership teams are striving to meet their competitive demands for agility and innovation, while wringing the most value from their IT expenditures. Consequently, these executives continue to pursue data center consolidation by reducing the number of physical data center sites, expanding the use of virtualization, and adopting cloud initiatives. At the same time, these trends are playing out in the midst of an ever-changing, ever-more dangerous threat landscape. Insiders continue to inflict damage, and in virtualized and cloud environments, more privileged users can gain access sensitive data. In addition, external attacks and attackers are increasingly sophisticated. In this evolving environment, data protection strategies become increasingly critical, and ever more challenging. How are organizations contending with these demands? This paper draws on an extensive survey to provide a look at how organizations worldwide are adapting their security to today s environments. The paper reveals how organizations are prioritizing multi-layer data protection approaches, such as encryption and centralized key management, in order to establish critical security controls that address today s security realities. Many organizations are reducing the number of physical sites, and moving to an increasingly hybrid mix of physical, virtualized, and cloud infrastructures. This shift presents fundamental implications for the security teams. Introduction: The Dynamic Nature of IT and Security As business leaders look to maintain their organizations competitive advantage, they continue to embrace such advancements as big data, mobility and cloud-based-services. In the process, management continues to evaluate whether their IT infrastructure can support these changing dynamics, and ultimately further their efforts to make their organizations more efficient, agile, scalable, and cost effective. These assessments are fueling a move to consolidate data centers with many organizations reducing the number of physical sites, and moving to an increasingly hybrid mix of physical, virtualized, and cloud infrastructures. This shift presents fundamental implications for the security teams who must adapt to these new realities. These groups have to support more data, more storage, more locations, more access points, and more system administrators while at the same time contending with an ever more dangerous threat landscape. Today, organizations have to contend with increasingly sophisticated, well-funded cyber criminals, and with the continued specter of devastating data breaches maliciously or inadvertently caused by administrators and internal staff. 1

2 Key Takeaways Encryption and key management will unlock the potential of consolidation and cloud Significant obstacles remain for organizations looking to do data center consolidation, including large demands and small staff Those who can combine cloud with security and compliance will win Traditional perimeter technologies continue to be proven fallible and are no longer an adequate defense for protecting against a security breach. The fact is that data today is being stored across a hybrid IT landscape including on premise, on mobile devices, and in the cloud. Further, organizations are growing increasingly reliant on the offerings of external service providers. These new realities mean that security teams must focus on protecting the data itself, wherever it resides. While traditional perimeter security defenses were adequate in the past, that isn t the case any longer. Encryption and key management are the most secure controls for protecting data across the infrastructure stack including in applications, databases, files, storage systems, networks, virtual machines, and cloud environments while also addressing compliance demands for data ownership, data residency, accountability, and insider access to sensitive data. More than ever, encryption represents a critical capability to ensure privileged users are limited to need-to-know access and that data is rendered unreadable in the event of a security breach: administrators can just delete the decryption keys and the data is worthless to attackers. By deploying encryption and centralized key management strategies, organizations can retain control over their sensitive data, whether that data resides in traditional physical data centers, virtualized environments, or with cloud service providers. Given the increasingly vital role of encryption, and the hybrid nature of the IT infrastructure, SafeNet recently undertook an extensive survey that provided an in-depth inquiry into the current encryption and key management market, including drivers, technologies, and approaches. In addition, in order to provide some context on the environments in which encryption is being employed, the survey examined the status of organizations data center consolidation initiatives. Data center consolidation was considered both in terms of a reduction in data center sites and the movement of physical data center assets to virtualized environments, the latter of which is the more critical trend when evaluating the implications on both data protection and compliance, and through which consolidation is typically realized. This paper offers a detailed look at the survey s findings, outlining some of the most important results and some of their key implications for security teams in enterprises, as well as service and cloud providers. The following section highlights the survey s key findings, and subsequent sections offer more details on each of these areas. Key Takeaways Following are some of the key takeaways that the survey results provide: Encryption and key management will unlock the potential of consolidation and cloud. Data center consolidation was a high priority for many respondents, but the survey also indicated that there is a significant gap between that objective and current realities. In addition, concerns connected to the traditional data center remain, including the potential loss of cryptographic keys. Of those survey respondents who view consolidation as important, 62% said their biggest worry was losing control of cryptographic keys. There is a clear indication in the survey that current security concerns, like more effective and secure management of cryptographic keys, are a critical prerequisite to data center consolidation and cloud migration. Why we re not there yet. In spite of the fact that 73% of survey participants recognized that management efficiency and cost saving were key advantages of data center consolidation and virtualization, they are still delaying decisions on consolidation projects citing technical difficulties at an astounding 53%. However, this may not be surprising considering that 56.7% cited having less than five employees managing encryption projects globally within their organization. This may also explain why, while a different study found that two-thirds of workloads running on x86 servers are now virtualized 1, only one-fifth of respondents indicated they are currently doing any encryption in their virtual environments. It is not that the business benefits are not there, 1 ServerWatch, Taking Stock of the State of the Server Virtualization Market, Paul Rubens, August 5, 213, 2

3 Key Statistics When sourcing business applications, 74% of respondents are looking for solutions that support compliance and security Only one-fifth of respondents are currently encrypting data in virtualized environments About three-quarters of respondents said data center consolidation is either very or quite important, but less than one-quarter have actually done anything about it Around three-quarters of respondents store at least some encryption keys in software or encryption is really that challenging, it is that the staffing is not in place to support the consolidation project. Those who can combine cloud with security and compliance will win. Success in the cloud requires a focus on security, including addressing baseline security controls, such as identity and access management (IAM), anti-virus, and so on. Further, specific controls like encryption and key management are even more important for demonstrating adherence to many different compliance mandates, especially in virtualized and cloud environments. For example, the Payment Card Industry Data Security Standard (PCI DSS) has very stringent guidelines when it comes to encrypting credit card data in physical, virtual, and cloud environments. There are also standards bodies, like the Cloud Security Alliance, who have an established set of guidelines and best practices, although not mandated, to further outline these security protocols. Keys to Unlock the Potential of Consolidation and Cloud The Takeaways Survey respondents voiced a broad and strong consensus around the importance and benefits of data center consolidation. 74% viewed it as important. Over three-quarters cite the benefit of fewer locations to manage, and around one-quarter feel that centralized key management How important is data center consolidation to your organization? Very important Quite important Not currently important is a benefit of consolidation. While there s this clear consensus as to the importance and benefits of consolidation, there s also clear consensus that not many have done it. In fact, only a quarter have completed a consolidation effort. So why hasn t it happened? A survey report jointly produced by the Cloud Security Alliance and ISACA provided some insight into the critical nature of security in this arena. The survey looked into the barriers to cloud adoption, polling both users and service providers on factors that had a negative influence on cloud adoption and innovation. Of the 11 highest-rated categories, the top three were related to security: information security, data ownership/custodian responsibilities, and regulatory compliance 2. The SafeNet survey concurs with these findings and provides some further details for examining the security obstacles. The survey makes clear that employing encryption, and guarding against the potential loss of cryptographic keys, are critical prerequisites to consolidation. The results illustrate that challenges in addressing these requirements may be a contributing factor to the slower progress in consolidation efforts, including moving workloads from physical machines to virtualized systems. 2 Cloud Security Alliance and ISACA Cloud Computing Market Maturity: Study Results, page 18 3

4 For some AWS customers who have migrated much of their infrastructure to AWS, HSM [hardware security modules] appliances are the last remaining devices in their data centers. 3 Furthermore, for many organizations, even if virtual machines or services are running in the cloud, for security and compliance reasons, encryption keys continue to be held within the enterprise data center. For example, consider the following statement from an Amazon Web Services (AWS) product manager: For some AWS customers who have migrated much of their infrastructure to AWS, HSM [hardware security modules] appliances are the last remaining devices in their data centers. 3 Where do you secure your cryptographic keys? Software Hardware Software and hardware I don t know 73.6% of respondants have at least some cryptographic keys in software which in effect is the IT security equivalent of leaving house keys stored under the front door mat. The results infer that key management is critical to consolidation and cloud initiatives and something that organizations need to get right before they migrate potentially sensitive applications and data to virtualized infrastructures (or quickly address if they have already done this migration). Almost three-quarters of respondents, 73.6%, have at least some cryptographic keys in software which in effect is the IT security equivalent of leaving house keys stored under the front door mat. Only 8.3% are securing keys solely in hardware, which is less than half as many respondents as those who said they didn t know where keys were stored, which was the answer of 18% of respondents. These realities are further exacerbated by management approaches in place. Currently, 45.6% don t manage cryptographic keys centrally, which sets the stage for inefficiency, overlapping efforts, inconsistent policy enforcement, difficulty in auditing, and more. By supporting customers in these security efforts, service providers and cloud vendors will be able to accelerate adoption of their cloud computing, storage, and application services. The Implications Encrypted data is only as secure and available as the keys used to encrypt it. For instance, when keys are stored in servers, they are susceptible to compromise and loss, which exposes sensitive encrypted data to those same risks. To address these gaps, organizations will increasingly need to leverage purpose-built key management platforms that offer robust security and availability. These purpose-built platforms allow users to store and manage keys in hardware, where they are more protected and controlled. By leveraging hardware for key management and storage, along with built-in granular security controls and separation of duties, users have full control over their encryption service, and further assurance that sensitive data and keys won t be exposed to administrators or other tenants within a multi-tenant infrastructure. In addition to bolstering the security of keys, security teams must also ensure they are adopting key management approaches that align with today s dynamic, virtualized data center and cloud-based environments. As a result, organizations will be able to fully leverage the flexibility and economic advantages of virtualization while maximizing their security and consistently adhering to compliance mandates. 3 Amazon Web Services, AWS CloudHSM Use Cases (Part One of the AWS CloudHSM Series), AWS-CloudHSM-Series 4

5 Why We re Not There Yet The Takeaways The survey results offer some clear indications that for all the potential benefits respondents see when they look to consolidation, they also are quite clear on the obstacles to getting to a place where they can fully capitalize on the opportunities. In a word, it s security that stands in the way. This is true of implementing encryption in the emerging consolidated and virtualized data center. While by most accounts the majority of server workloads are running in virtualized server environments, only 2.6% are doing encryption in virtualized environments. To provide some context into security challenges, it s important to understand some common themes prevalent among respondents: Almost 4% cited PCI DSS as an important area of focus. Rigorous Mandates Apply A significant percentage are either regulated or in some way concerned about stringent security mandates. Almost 4% cited PCI DSS as an important area of focus. In addition, almost half of respondents were concerned with government validations, with 29.7% looking to align with the United States Federal Information Processing Standard (FIPS), Level 14-2, and 19.4% focused on Common Criteria, Level 4. Which of these compliance mandates/security validations matter to your organization? (select all that apply) % FIPS 14-2 Common Criteria Level 4 PCI DSS P2PE I don t know Given the significant percentages of respondents that are concerned with PCI DSS, FIPS, and Common Criteria, it is clear that for most organizations today, robust security mechanisms are a requirement. These standards specify the need for strong encryption and key management best practices. For example, they mandate secure protocols are used, and that cryptographic keys are managed, audited, and logged in a highly secure fashion. These requirements don t go away when organizations move to cloud and virtualized environments. Small Teams Have Big Demands Respondents were asked how many departments had encryption requirements. 17.9% had over ten departments requiring encryption. On the other end of the spectrum, 41.3% had to support encryption for one to three departments, and 16.2% had between four and six groups to support. 5

6 How many different departments within your organization require some form of encryption for their applications, databases, and so on? I don t know 27.5% have more than 1 applications that require encryption. The survey also looked at the number of business applications that required encryption. The biggest category of responses fell between one and five applications, which netted a 39.8% response. However, 27.5% have more than 1 applications that require encryption. In total, over 42% have more than five applications that have a demand for encryption. How many business applications do you have that require encryption? More than 1 I don t know Several survey questions explored the breadth and nature of today s encryption deployments. When it comes to the type of encryption in use, by far, the highest response was for endpoints such as laptops, tablets, smartphones, and so on which netted over a 7% response. Web and other applications, databases, file servers, and identity-based authentication were the other categories that were chosen by at least 4% of respondents. Currently, only 2.6% are doing encryption in their virtual infrastructures. 6

7 How are you currently using encryption today? % Endpoints eg laptops, tablets, smartphones File servers Databases Web and other applications Financial applciations Storage Virtual infrastructure External IT (eg cloud, partner, outsourcing) Identity based authentication Electronic signatures (eg edocs) None I don t know More than half of respondents are using between one and three different encryption tools. Given the breadth of encryption deployments in place, it is not surprising to see that it is exceedingly common for organizations to have several different encryption solutions in use. More than half of respondents are using between one and three different tools. 14.1% are using between four and six different platforms. This creates a huge headache for the IT teams tasked with managing all the encryption keys associated with these different point solutions. How many different encryption solutions does your organziation currently use? I don t know 58.2% indicated that globally they have less than five people involved with encryption management. While encryption teams have to support many forms of encryption, many applications, and many tools, there s one thing there isn t a lot of: staff members. When it comes to staffing levels, a significant percentage of respondents are managing encryption with relatively small teams. Well over half, 58.2%, indicated that globally they have less than five people involved with encryption management. How many people are involved in the management of your encryption, globally? < >5 7

8 The Implications In short, those responsible for encryption have significant security and compliance requirements, a lot of implementations to support, and few resources to make it all happen. The following section looks at these security and compliance requirements in more detail. Those Who Can Combine Cloud with Security and Compliance Will Win 71% look for compliance and security when sourcing business applications. 71.4% also cited ease of use. The Takeaways Sourcing New Applications: Security and Compliance are Key The survey looked at the topic of sourcing new applications, and the criteria brought to bear in solution selection. Survey respondents made clear that, as decision makers seek to bring on new business applications, security and compliance play a crucial role in the sourcing decision. In fact, 71% look for compliance and security when sourcing business applications. Many also cited ease of use, which received a 71.4% response, and fast time to market received 46.8%. What do you look for when sourcing new business applications? % Fast time to market Compliance and security Ease of use Cloud-based Encryption Services a Potential Solution? Half the respondents viewed cloud-based encryption solutions as a viable option for supporting the encryption needs of multiple business applications. The reality for most IT organizations is that there are broad demands for multi-layer encryption. Data and applications need to be protected across a hybrid environment, and there needs to be multiple solutions employed to address all the security and technical demands of the business. At the same time, organizations operate in cost-constrained environments, with limited staff and resources available to support security and compliance efforts. The more organizations can centralize, streamline, and separate encryption administration, the better they ll be able to address security and compliance demands. For service providers and cloud vendors, these findings point to a clear opportunity. 71% of respondents view security and compliance to be of highest importance when sourcing business applications. One clear insight as to why is that, of that group, 59% are currently struggling with auditing their current data center estates. Therefore, it is incumbent upon cloud vendors and service providers to deliver solutions that have seamlessly integrated security capabilities within their services and solutions so they can make it practical for customers to retain the security and controls they need. For offerings like encryption as a service to be a viable option for organizations, legitimate demands for control, particularly control over cryptographic keys, will need to be addressed, which is vital in ensuring compliance. To address these mandates, service providers and cloud vendors will need to begin prioritizing encryption at multiple levels, including storage, database, file, virtual workload, and application. Further, they need to deliver unified key management platforms that enforce separation of duties in multi-tenant environments. By doing so, these organizations will enable customers to more fully leverage the advantages of the cloud, while retaining the controls they need to ensure adherence with security policies and compliance mandates. 8

9 With multi-layer encryption and centralized key management, organizations can accelerate their cloud, virtualization, and consolidation initiatives, while retaining the controls they need to protect sensitive data, adhere to internal security policies, and comply with regulatory and government mandates. Conclusion In recent years, the data center, and the very way IT services are delivered, has undergone some fundamental changes and the pace of those changes only continues to accelerate. As organizations move to the cloud and virtualized environments, many cost benefits are being realized, but critical security and compliance requirements grow more pressing. To support data center consolidation initiatives, organizations will need to adopt new approaches and encryption technologies that support today s dynamic data centers and service provider environments. With multi-layer encryption and centralized key management, organizations can accelerate their cloud, virtualization, and consolidation initiatives, while retaining the controls they need to protect sensitive data, adhere to internal security policies, and comply with regulatory and government mandates. The service providers and cloud vendors that can deliver solutions that further these objectives will be able to capitalize on significant market opportunities. In particular, the management of cryptographic keys will be a key enabler to unlocking the potential of consolidation initiatives. While the move to the cloud enables clients to offload a lot of efforts, ultimately, enterprises will continue to be responsible for the data entrusted to them. It is through key management that organizations will be able to more fully leverage the cloud while meeting their security and compliance commitments. About the Survey This white paper draws from a survey that SafeNet conducted in Fall 213. The survey polled more than 58 individuals. Respondents were comprised of security and IT executives from a range of industries, including financial services, healthcare, technology, media, consumer packaged goods, retail, and more. Survey respondents had a truly global makeup, with more than 5 countries represented. 9

10 About SafeNet Data Protection Solutions SafeNet data protection solutions provide multi-layer encryption with centralized key management and storage. SafeNet delivers the comprehensive encryption platforms that enable security professionals to safeguard sensitive data in data centers, virtualized data centers, and private and public clouds. SafeNet enables customers to encrypt sensitive data at the storage, file, virtual instance, database, and application layer, while managing encryption security policies and encryption keys centrally. In addition, SafeNet supports format-preserving tokenization for a wide variety of data types. Through this multi-layer approach, SafeNet enables organizations to: Separate administration of systems and applications from the data stored or processed within these infrastructure layers, ensuring privileged users can t see sensitive data. Take advantage of lower-cost operational models, while consistently enforcing security policies. Centralize encryption management across physical, virtual, and public cloud environments, and efficiently deliver detailed logs and compliance reporting for internal and external auditors. Employ key vaulting and secure cryptographic resources, both in data center and multitenant environments, in order to retain full ownership and control of their encryption service. With these capabilities, organizations can institute a defense-in-depth strategy that delivers high levels of security for sensitive data, regardless of where it resides even if there s been a breach of other controls. About SafeNet Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet s data-centric approach focuses on the protection of high value information throughout its lifecycle, from the data center to the cloud. More than 25, customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments. Contact Us: For all office locations and contact information, please visit Follow Us: SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN) 17Dec213 1