Keep Your Data Secure in the Cloud Using encryption to ensure your online data is protected from compromise

Transcription

1 Protection as a Priority TM Keep Your Data Secure in the Cloud to ensure your online data is protected from compromise Abstract The headlines have been dominated lately with massive data breaches exposing sensitive personal information and account data on millions upon millions of customers. Such breaches may cause some IT admins to question the wisdom of storing data in the cloud, sensitive or not, and leave organizations wondering whether cloud data storage is worth it. Cloud computing provides an array of benefits for companies of all sizes, but it also introduces some new and unique challenges when it comes to data protection. Trusting your data to be stored in the cloud requires extra diligence to ensure it is protected and that any applicable compliance requirements are met. This white paper will discuss the benefits of data storage in the cloud, and how Zecurion Zserver Storage can help ensure that your data in the cloud is protected from exposure or compromise.

2 Benefits of Cloud Storage Storing data locally in your own data center has a number of limitations. Storage capacity and redundancy are limited by the server and drive space available in the data center. Increasing capacity to meet demand is costly and time-consuming. If demand falls off, you are left with wasted capacity sitting idle. In the event of a hardware failure or power outage in the data center, your data will be unavailable, and could possibly end up corrupted or permanently damaged. In the event of a catastrophe, any backup data stored locally could be wiped out along with the production data, which would be devastating for most companies. Leveraging cloud data storage addresses these issues and provides a scalable, reliable, cost- effective storage solution. Benefits vary from vendor to vendor and depend on the service level you negotiate, but here are some of the primary benefits of storing data in the cloud: Scalability. Cloud computing allows you to quickly and easily scale capacity, either increasing or decreasing available storage space to meet current demands. That means you will be able to handle unexpected spikes in capacity needs without having to over-invest in hardware that will spend most of the time idle. Redundancy. Cloud storage providers generally provide multiple sites that are geographically separate, but with mirrored copies of all data. Hardware failures, power outages, or natural disasters affecting a site will be transparent to you because your data will still be accessible from the alternate sites. Hardware Upgrades. Hardware changes so rapidly that your data center investment can be bordering on obsolescence when you have barely implemented it. A third-party vendor dedicated to providing hosted online storage will invest in hardware and infrastructure upgrades over time so you get the benefit of newer technology without having to constantly re-invest in new hardware. Disaster Recovery / Business Continuity. Storing data in the cloud also means that it is being stored offsite. In the event of a catastrophe or natural disaster impacting the local office, the data itself will still be protected and available online. Business will be able to continue almost seamlessly from alternate locations, and the data will be immediately available once normal operations resume at the primary office facility. Cost. Considering what you get, scalable, redundant storage that also doubles as a disaster recovery and business continuity solution, the cost of cloud storage is typically quite reasonable. Consider as well that, by engaging a third-party host for your data, you don t have to hire personnel to manage data storage in-house, with their associated salaries and Park Ave South 11th floor New York, NY

3 benefits, and that, with the economies of scale offered by a cloud storage provider, adding additional space is a fraction of the investment that would be required for new hardware, and the power and cooling necessary to accomplish the same thing in an internal data center It s Still Your Data Regardless of where you store your data, it is still your data. Whether it is stored in a local data center, or hosted in the cloud, it is your responsibility to ensure that sensitive data is protected from unauthorized access and data breaches. With compliance mandates like SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach- Bliley Act), and more, most organization fall under at least once requirement governing the protection of data. Personally identifiable information (PII) like employees or customers Social Security numbers, birth dates, driver s license numbers, account details, and other similar information is particularly sensitive. Confidential company details like financial projections, trade secrets, or proprietary business practices should also be protected from unauthorized access. Storing unencrypted data in the cloud is an invitation for a data breach. It would be very easy for a configuration error to expose the data, and an attacker that manages to get past the network defenses would have complete access to your sensitive information. Encrypting the data is a start, but it is also important that you encrypt your own data, and control the encryption keys. Some online data storage providers encrypt data, but maintain control of the encryption keys. That means your data may be protected from view by other parties, but there is nothing preventing data center personnel from accessing or viewing the data, and you have to trust that the provider is capable of securely managing the keys. There are many reports and anecdotal stories of sensitive or confidential data being exposed on second hand hardware. Computer systems that are sold, or thrown away often contain information that should be erased before disposal. Better yet, the sensitive data should be encrypted in the first place, in which case protecting the data is as simple as removing the encryption key Park Ave South 11th floor New York, NY

4 Protecting Your Data with Zecurion Encrypting sensitive files to prevent unauthorized access is an ideal method of protecting the data. One of the issues, organizations and IT administrators have with encryption, though, is that encryption solutions are often cumbersome to implement and maintain. IT administrators are overloaded with responsibilities as it is, and need security tools that simplify rather than complicate their duties. Ideally, cloud storage providers would offer some form of encryption or data protection tools for their customers, but they rarely do. Even in situations where a cloud storage provider does encrypt data, if the provider manages the encryption keys, the data may still be at risk, and the data protection may not meet data security compliance standards. Fortunately, you can seamlessly, and transparently encrypt and protect your own data with Zserver Suite. Zserver Storage transparently encrypts data in real-time as it is written to storage media, even in the cloud, and decrypts it when the data is read back. This allows the data to always be stored in an encrypted format ensuring that it is not accessible by unauthorized personnel and/or a system that does not hold the correct encryption key. Implemented properly, Zserver Storage can be an effective tool for encrypting sensitive corporate data stored in the cloud as well. Using Zserver Storage in the Cloud Each of the cloud-based servers used for processing sensitive data as a part of the standard environment, and normal daily operations, must have Zserver Storage installed on it. A separate, dedicated server ideally a local server not in the cloud data center, must be allocated to function as the Zserver EKMS (Enterprise Key Management Server). The Zserver EKMS stores all encryption keys which are used to encrypt and decrypt the data by the Zserver Storage software on the cloud-based servers. Each of the cloud-based servers with Zserver Storage installed must be registered within the Zserver EKMS in order to be able to connect to the EKMS and load encryption keys from it. After that, all of the cloud-based servers running Zserver Storage will be able to automatically load the necessary encryption keys from EKMS and to open encrypted disks. Only servers that are registered in EKMS by the admin are able to load the encryption keys. In addition, all traffic to and Park Ave South 11th floor New York, NY

5 from EKMS is encrypted so the keys are securely transported to or from EKMS, and when they are stored on EKMS. Servers running Zserver Storage, and registered in the EKMS, automatically perform encryption of the data on specified partitions. In case the server with access to sensitive data needs to be restarted, it will automatically reconnect to the Zserver EKMS, load the necessary encryption keys, and open the encrypted partitions to people with authorized access to those servers. Access to encrypted data will not be possible by unauthorized users or applications. Even if the physical hard drive or storage media are lost or stolen, the Zecurion encryption will prevent unauthorized access to all encrypted data. Zecurion Zserver Storage server encryption is only available for Windows 2000 SP4, Windows Server 2003 SP1, and Windows Server 2008 platforms. The Zecurion encrypted servers and the Zserver EKMS must be part of the same Windows domain, or at least within domains with an established trust relationship. In the event of a server restart, whether intentional or unexpected, the Zecurion encrypted server must be able to connect to the Zserver EKMS to authenticate the encryption keys and resume access to protected data Park Ave South 11th floor New York, NY

6 Manage Encryption Keys with EKMS Encryption of data is by far the most secure way of protecting information available today. It offers unparalleled security, if implemented correctly. Until recently, this protection came with significant overhead of the encryption keys administration and management. This is because encryption keys are not easily replaced or recovered. In fact, data encrypted with a strong algorithm and a long enough key are virtually unbreakable and irrecoverable if the key is lost. On the other hand, any disclosure of the key to an unauthorized party or a system can easily result in costly data breaches. Therefore, it is imperative for an enterprise to fully understand the encryption key management life cycle before committing to a solution. Centralized Secure Encryption Key Repository Safekeeping of encryption keys is facilitated by centralized repository encrypted by a master key. A master key can be generated using encryption key quorum (recommended). This provides enhanced security of keys used to encrypt company s data. EKMS extends roll-based granular access management to both the repository and the keys themselves, allowing segregation of duties, such as generating keys, accessing key particulars, loading keys from EKMS, other administrative tasks. Encryption Key Quorum The Zserver Enterprise Key Management Server (EKMS) is built by data encryption experts with deep knowledge and understanding of the data encryption complexity and key management challenges organizations are facing today. EKMS was designed on the premise that no single entity should be granted sole possession of an encryption key. This is implemented by means of encryption key quorums. An encryption key quorum is a minimum required number of two or more key fragments to assemble the encryption key. For example, an organization can safely generate a high number of key fragments (up to 75) and set the quorum to 2 fragments. This will enable the organization to provide each system administrator with a single key fragment, requiring at least two administrators to load the encryption key. This process effectively eliminates dependence on any single staff member, while abolishing the need to reencrypt data when a key fragment is lost or an employee leaves the organization. Key fragments are stored on smart cards or other secure storage media. Auto-Loading Encryption Keys Server maintenance often requires servers to be taken offline and restarted. This causes encryption keys to offload from memory. While working with several servers may not impose significant administrative overhead, when operating with hundreds or more, manually loading the keys is much more challenging. EKMS allows streamlining these tasks by automatically loading corresponding encryption keys when servers are brought back online. EKMS ensures server integrity by validating each server s certificate prior to loading the key, avoiding any network conflicts or changes in hardware Park Ave South 11th floor New York, NY

7 Managing Cloud Security Security in the cloud is a major obstacle that prevents many organizations from employing this computing services delivery model and taking advantage of available cost savings. By outsourcing all or some parts of its IT functions (or infrastructure), an organization often relinquishes the ownership and/or control over its informational assets to a third-party provider. This is a tremendous risk for many businesses, as they struggle to assess their cost savings against potential damages from data breaches or losses. Using locally-hosted EKMS, or smartcards to store encryption keys, organizations can safely encrypt data stored in the cloud while maintaining control over the keys needed to decrypt it. Summary There are a variety of operational and financial benefits to embracing cloud data storage, but those benefits come with some unique risks as well. Using Zecurion Zserver Storage to encrypt data, and storing the encryption keys locally with EKMS or on a smartcard enables organizations to take advantage of cloud data storage while ensuring that sensitive data will not be exposed or compromised Park Ave South 11th floor New York, NY

8 About Zecurion Zecurion is a leading global provider of security protection of corporate information from internal threats, emphasizing reliable and transparent backup encryption, server storage security, security as well as control of peripheral devices in corporate networks with clear, easy-to-use administrative interfaces and tools. Zecurion s unique forensic capabilities are unmatched, providing an additional layer of risk management through the shadowing and storage of communications transactions for future auditing. Zecurion s solutions are successfully protecting the internal assets and intellectual property for more than 10,000 companies worldwide. Zgate, Zlock, Zserver, and Zdiscovery have been recognized for technology and security protection. Zecurion is led by an executive team experienced in developing security software and deployment across the enterprise. With over a decade of experience in developing encryption-based security solutions, Zecurion allows IT departments to efficiently protect corporate information from internal threats, as well as from loss or theft of backup storage media. As organizations realize the operational and financial benefits of cloud computing and transition data storage from internal resources to cloud-based data storage services, Zecurion provides an effective, intuitive, and cost-effective solution for encrypting and protecting sensitive data no matter where it resides Park Ave South 11th floor New York, NY