VORMETRIC CLOUD ENCRYPTION GATEWAY Enabling Security and Compliance of Sensitive Data in Cloud Storage

Transcription

1 VORMETRIC CLOUD ENCRYPTION GATEWAY Enabling Security and Compliance of Sensitive Data in Cloud Storage Vormetric, Inc N. 1st Street, San Jose, CA United States: United Kingdom: South Korea:

2 TABLE OF CONTENTS INTRODUCTION... 2 Proliferating Data Repositories... 2 Increasing Security Threats... 3 Intensifying Compliance Mandates... 3 THE MANDATE: MOVE DATA TO CLOUD STORAGE SECURELY... 3 CLOUD STORAGE SECURITY: THE CHALLENGES... 4 THE SOLUTION: SECURING SENSITIVE DATA IN CLOUD STORAGE... 4 VORMETRIC CLOUD ENCRYPTION GATEWAY: KEY FEATURES... 5 VORMETRIC CLOUD ENCRYPTION GATEWAY: BENEFITS... 6 DEPLOYMENT SCENARIOS... 7 Amazon S Box... 8 PART OF THE VORMETRIC DATA SECURITY PLATFORM... 9 CONCLUSION... 10

3 Page 2 Increasingly, sensitive and strategic corporate data is finding its way into cloud storage environments. At the same time, data breaches continue to grow more prevalent and costly. This paper offers an in-depth description of the challenges confronting IT teams as they look to keep sensitive data secure in corporate cloud deployments. In addition, the paper offers an introduction to the Vormetric Cloud Encryption Gateway. The paper reveals how Vormetric delivers a single platform that enables security teams to safeguard sensitive data across their cloud and on-premises environments, while centrally managing policies and keys. INTRODUCTION: THE DAUNTING CHALLENGES FOR TODAY S IT AND SECURITY TEAMS PROLIFERATING DATA REPOSITORIES For today s IT organizations, rapid, substantive change continues to occur. If there s one thing that remains constant amidst all this change it is this: there s more. IT teams have to contend with these facts: There s more data. On everything from user devices to backend archives, capacity continues to grow, and data volumes keep expanding to fill this capacity. To support big data initiatives, IT organizations continue to aggregate data from more sources, which leads to exponential increases in the volumes of data that must be managed. There are more user devices, applications, and systems. These expanding data volumes, coupled with the proliferation of bring-your-own-device initiatives and the ubiquity of mobile applications, all mean that there are more devices and infrastructure that IT teams have to support. There are more computing models, locations, and facilities. Beyond the data center, organizations are relying on a number of cloud services, whether delivered via infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS) models, or a combination thereof. At the same time, there are increasing numbers of remote, externally distributed environments and servers, including remote offices, externally hosted Sensitive Data is Dispersing and Growing environments, disaster recovery and backup sites, and more. Becoming harder to secure Physical Virtual Outsourced Enterprise Data Centers Private, Public, Hybrid Clouds IaaS, PaaS, SaaS Sources Nodes Analytics Remote Servers Big Data Figure 1: Sensitive data is dispersing and growing, which makes it increasingly difficult to secure sensitive assets and maintain compliance

4 Page 3 INCREASING SECURITY THREATS It is within this context of proliferation that the task of IT security, already tough, grows increasingly daunting. Given all the increasing volumes and locations of data outlined above, the simple reality is this: Sensitive data can show up in more locations and be exposed to more threats. And today, the threats are significant. Costly attacks waged by well-funded and sophisticated nation-states and cyber-criminal organizations are growing increasingly frequent. Further, business and technical leaders are increasingly cognizant of the threats posed by insiders. The 2015 Vormetric Insider Threat Report found that 89% of executives felt their organizations were more at risk from insider attacks. Given the risks being posed from inside and outside the organization, and the dramatically expanding locations that house sensitive data, it should come as no surprise that devastating breaches continue to occur. The Vormetric report revealed that 40% of organizations experienced a breach or failed audit. 1 INTENSIFYING COMPLIANCE MANDATES For many organizations, the need to strengthen security and mitigate the risk of these breaches and threats is being intensified by regulatory and privacy mandates. Given their forced disclosure rules, many mandates can contribute to dramatically escalating brand damage when sensitive data is compromised. Further, the mandates themselves continue to grow more stringent and complex. For example, compared to version 2.0, 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) has 27% more rules. Further, it will require 188 more work days to comply with the new standard. 2 Those organizations being tasked with complying with the Health Insurance Portability and Accountability Act (HIPAA) are facing similarly intensifying scrutiny and pressure. In the wake of breaches, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has issued fines ranging from $800,000 to $4.2 million. 3 Further, starting in 2015, hundreds of healthcare organizations may be the subject of random audits by the OCR. THE MANDATE: MOVE DATA TO CLOUD STORAGE SECURELY As the prior sections make clear, there s more data, more places it can be exposed, more sophisticated attackers trying to get at that data, and steeper costs if it should be compromised. To contend with these realities, organizations must expand their safeguards across larger data sets and more environments. This is particularly true of cloud implementations, which represent an increasingly large and strategic portion of the IT computing landscape and a critical area of vulnerability if the appropriate defenses aren t employed. The 2015 Vormetric Insider Threat Report, Cloud and Big Data Edition, illustrates how strategic the cloud has become in this regard. According to the report: 80% of enterprises now use cloud-based services and infrastructure. 54% of global organizations are hosting sensitive data in the cloud. 83% of U.S. respondents are very or extremely concerned with the threat levels posed by cloud storage environments. When queried about the location that raised the most security concerns, 46% cited the cloud, making it the highest-ranked category. 4 1 Vormetric, 2015 Vormetric Insider Threat Report: Trends and Future Directions in Data Security, 2 Gartner, What's Changing and How to Respond to PCI v3.0, 20 August 2014, Avivah Litan, Rajpreet Kaur 3 SearchHealthIT, As HIPAA audits loom, most docs remain unprepared, Shaun Sutner, January 2015, 4 Vormetric, 2015 Vormetric Insider Threat Report: Trends and Future Directions in Data Security,

5 Page 4 CLOUD STORAGE SECURITY: THE CHALLENGES Now, most corporate users and business groups are highly reliant upon cloud storage offerings like Box and Amazon Simple Storage Service (Amazon S3). These services have been proven to help businesses enhance collaboration, flexibility, cost efficiency, and data availability. Given this increasing reliance, cloud storage environments continue to house more sensitive and strategic assets. As a result, it is increasingly vital that organizations employ strong safeguards in these environments. This isn t a requirement that IT leadership can ignore. It is important to recognize that this move to cloud storage has happened and will happen with or without IT s involvement. If there isn t a company-sanctioned cloud storage service, employees will use their own and in the process create a new set of risks for enterprise data. However, while the need for strong security in cloud environments is critical, addressing this requirement can present security and compliance teams with a number of specific challenges: Limited visibility and control. Given the multi-tenant, externally hosted nature of these cloud services, security teams and the auditors they work with fundamentally lack visibility into the nature of security mechanisms in place, making it difficult to track and demonstrate compliance. In addition, sensitive files may be copied, downloaded, and uploaded by employees without any controls or logging of these activities. In the event of a breach, security teams may lack the intelligence they need to do proper forensics. Privileged user exposure. In cloud storage environments, administrators within the cloud service provider organization may be able to access or manipulate sensitive client data. Vulnerability to government subpoenas. News reports have made it clear that government agencies are increasingly using subpoenas of service providers, including cloud providers, to further criminal investigations. For organizations storing their data in the cloud, this can mean that corporate data may be handed over to agencies, potentially without executives ever knowing, let alone providing their consent. In recent years, data-at-rest encryption has emerged as an increasingly fundamental requirement and this is particularly true for cloud storage environments. By encrypting sensitive assets, security teams can begin to establish the vital controls needed to guard against unauthorized access to sensitive files. Further, encryption can help establish the visibility IT teams need to track and demonstrate compliance with security policies and regulatory mandates. Because of these and other attributes, the use of encryption has spread within many organizations. However, in recent years, many IT teams have employed encryption in a more tactical, isolated fashion, for example, with one tool used to encrypt data in one vendor s database, another tool used to encrypt data in a specific application, and so on. Given the rapidly escalating demands outlined above, these piecemeal approaches are growing increasingly untenable. THE SOLUTION: SECURING SENSITIVE DATA IN CLOUD STORAGE Vormetric offers robust solutions that enable organizations to contend with both proliferating data and security threats. The company s data-at-rest solutions help customers secure their most sensitive assets against the most critical risks, including advanced persistent threat (APT) attacks and abuse by privileged users. The Vormetric Data Security Platform delivers capabilities for transparent file-level encryption, tokenization, application-layer encryption, integrated key management, and security intelligence. All these capabilities are delivered through a centralized, uniformly managed platform that offers unparalleled administrative efficiency and cost effectiveness.

6 Page 5 With the Vormetric Data Security Platform, organizations can secure data no matter where it resides, including across data centers and in virtualized, big data, and cloud environments. The Vormetric Data Security Platform features the Vormetric Cloud Encryption Gateway, a solution that enables organizations to safeguard sensitive data in cloud storage environments. With the, organizations can encrypt files in cloud storage, without having to add another point tool that compounds the complexity IT teams have to contend with. The is delivered as a virtual appliance that can be deployed in the cloud or in the customer s data center. The solution encrypts sensitive data before it is saved to the cloud storage environment, enabling security teams to establish the visibility and control they need around sensitive assets. Like other Vormetric encryption offerings, the solution relies on the Vormetric Data Security Manager for key and policy management. As a result, customers never need to relinquish control of cryptographic keys to the provider and data never leaves the enterprise premises unencrypted or unaccounted for. Security Intelligence DSM Personal Computers Mobile Devices Vormetric Cloud Encryption Gateway Servers Enterprise Premise Cloud Storage and other SaaS Figure 2: The offers capabilities for encrypting and controlling data in Box, Amazon S3, and, in the future, additional cloud storage and SaaS environments THE VORMETRIC CLOUD ENCRYPTION GATEWAY: KEY FEATURES With the, organizations can leverage a strong set of capabilities: Robust, persistent controls. When the solution is implemented, sensitive data may be copied, shared, and distributed in an array of environments, but security teams can keep localized control over policies and keys. As a result, they can enforce policies and track data access, even as sensitive data is saved and distributed in cloud storage environments. On-premises key management. By leveraging this solution, customers can ensure that their security team retains control over cryptographic keys at all times. The keys can be retained on premise, ensuring they ll never be accessible by the cloud provider. Further, keys can be stored in a FIPS level 3-certified hardware appliance. Detailed visibility and auditability. The gives administrators detailed visibility into data access, access attempts, and more. In the event of a breach or audit, detailed forensics data can be provided. In addition, the solution features dashboards that offer intuitive insights into usage of the cloud storage application.

7 Page 6 Agile performance. Through its virtualized appliance architecture, the offers elastic scaling that enables IT teams to efficiently accommodate changing performance and scalability demands. Intelligent risk detection. The can automatically scan cloud environments and discover unencrypted files that violate security policies. As a result, security teams can effectively mitigate the exposure associated with having users intentionally or unintentionally circumvent policies. Transparent, efficient implementation. The significantly streamlines the process of implementing and managing security. IT teams don t need to modify applications or workflows when deploying the solution. In addition, in Amazon S3 environments, security teams can leverage their Active Directory implementation to more efficiently manage user and group access policies. Flexible service extensibility. The solution is built on an extensible architecture that features Vormetric Security Blades. Blades for Amazon S3 and Box were made available in the first product release. In the future, Vormetric and its partners will deliver additional blades for a range of other cloud storage environments and SaaS solutions. S3 Cloud Storage Provider SaaS Provider Figure 3: By adding Vormetric Security Blades, customers can easily expand the services supported by the THE VORMETRIC CLOUD ENCRYPTION GATEWAY: BENEFITS Organizations can realize the following benefits with the : Boost operational efficiency. With the Vormetric Data Security Platform, IT organizations can establish strong, centralized controls over encryption keys and policies for a range of environments, including cloud storage, other cloud deployments, big data environments, and across the enterprise. As a result, they can address their proliferating data volumes and escalating security threats and compliance demands, with optimal efficiency. Strengthen security and compliance controls. The enables security organizations to establish strong, persistent controls around sensitive data. The solution provides the capabilities needed to ensure sensitive data isn t exposed through unauthorized usage, copying, or sharing; government subpoena; or the cloud provider s privileged users. With these capabilities, IT organizations can track and demonstrate compliance with relevant security policies and regulatory mandates.

8 Page 7 Leverage cloud environments more broadly. With the, security concerns don t have to keep limiting an organization s use of cloud storage. Instead, businesses can more broadly adopt cloud storage environments, and harness all the benefits they offer, without introducing risk. The solution helps IT teams become business enablers, supporting the business as it seeks to rely on cloud storage environments for a broader set of users and use cases, including those that entail the management of sensitive and regulated data. Maximize cost efficiency. Existing Vormetric customers can leverage their investments and expertise in the Vormetric Data Security Platform to extend encryption into cloud storage environments. New customers can leverage a single platform to secure data across their data centers, remote locations, big data analytics, and a range of cloud services. DEPLOYMENT SCENARIOS AMAZON S3 The encrypts sensitive assets before they leave the enterprise and are saved to Amazon S3. The solution then decrypts these assets on the enterprise premises when they are retrieved by authorized users. Files used in storage, backups, archives, disaster recovery, and other areas can be transmitted to the gateway, where they are encrypted. Transactions are logged and the secured data is passed on to Amazon S3. The keys and policies associated with accessing this data remain in the customer facility. This prevents hackers, Amazon Web Services (AWS) administrators, and other unauthorized users from gaining access to sensitive data stored in Amazon S3. DSM Keys API/Browser Unstructured data (files, archives, backups) Transparently encrypted Transparently decrypted Vormetric Cloud Encryption Gateway Data is ALWAYS encrypted on S3 Encrypted data (files, archives, backups) Enterprise Figure 4: Files destined for Amazon S3 are encrypted on premises and encryption keys never leave the control of the enterprise With the, security teams can begin encrypting data in existing applications that are written to Amazon S3 API specifications, without making any code changes. The gateway only processes data manipulation API calls, such as GET, PUT, and POST. Other commands are passed through without any changes. In addition, the features a cloud storage monitoring capability. With this feature, organizations can ensure that, even if a user bypasses the encryption gateway and saves a file to an Amazon S3 repository, the solution can automatically identify this unencrypted file, and transparently encrypt it. Through this capability, security teams can more effectively and efficiently ensure policies are consistently enforced on all files in a specific repository.

9 Page 8 BOX The protects user data stored in the Box Enterprise File Synchronization and Sharing (EFSS) service. With the solution, security teams can ensure that their organization s data is always encrypted when it resides in Box, and control access to that data at all times. With the solution, sensitive data never leaves the customer premise unencrypted. Further, the encryption keys are always in the customer s facility and under the security team s control. This prevents hackers, Box administrators, and other unauthorized users from gaining access to sensitive data stored in Box. When the is implemented, users create files as they normally would. Then, when they save or transfer their files to Box, data can be directed to the gateway. The gateway then transparently encrypts the data and logs the transaction. With this solution, employees can more efficiently and securely collaborate with other employees as well as a range of external colleagues and vendors. When an authorized user, whether the original author or someone the author has designated as a recipient, attempts to access the file, it is transparently decrypted as it passes through the gateway. This enables secure collaboration, while providing an audit trail that is useful in demonstrating data security compliance to auditors. Using the s cloud storage monitoring feature, security administrators can automatically ensure that all files residing in a secure folder are encrypted, even if some files were originally saved to the folder in an unencrypted format. Enterprise User data DSM API/Browser Keys Transparently encrypted & decrypted Transparently encrypted & decrypted Home Vormetric Cloud Encryption Gateway Data is ALWAYS encrypted on Box Figure 5: Files destined for Box are encrypted on premises and encryption keys never leave the control of the enterprise security team By implementing the, enterprise IT teams can provide an environment for secure file sharing, collaboration, and back up, without having to change applications or the user experience. In Box environments, the gateway only processes content-focused API calls. Other calls are passed through the gateway without any changes. If organizations have existing applications that are written to Box API specifications, they can use the to start encrypting data from these applications, without having to make any code changes.

10 Page 9 PART OF THE VORMETRIC DATA SECURITY PLATFORM The is part of the Vormetric Data Security Platform. Today, some of the largest and most security-conscious organizations in the world rely on the Vormetric Data Security Platform for securing sensitive and regulated data in databases and files. The Vormetric Data Security Platform offers a flexible set of technologies that can address a range of security and compliance use cases. Vormetric solutions can secure data across a range of environments, including cloud environments, big data analytics platforms, and physical and virtual servers. In addition to the, the Vormetric Data Security Platform features solutions for transparent encryption, tokenization with dynamic data masking, application-layer encryption, key management, privileged user access control, and security intelligence log collection. With this platform s comprehensive, unified capabilities, IT teams can efficiently scale to address their expanding security and compliance requirements, while significantly reducing total cost of ownership (TCO). As outlined above, can secure sensitive data in Amazon S3 and Box, and, in the future, a range of additional cloud storage and SaaS environments. In addition, Vormetric offers solutions that can secure sensitive data in these cloud environments: IaaS. Most commonly, Vormetric Transparent Encryption is deployed to protect sensitive data in IaaS environments. This product features an agent that runs in the file system to provide high-performance encryption and least-privileged access controls for files, directories, and volumes. Access policies and cryptographic keys are managed through the Vormetric Data Security Manager, which can run on premises or in the cloud. PaaS. Vormetric Tokenization with Dynamic Data Masking is the primary product used to protect sensitive data in PaaS environments. This product makes it easy for application developers to use format-preserving tokenization to protect sensitive fields in databases. The solution enables compliance with PCI DSS and other regulations, while minimizing disruption and administrative overhead. With the solution, security teams can tokenize and de-tokenize data on-premises and ensure that sensitive data never leaves the enterprise. To learn more, please visit User Premises Vormetric Transparent Encryption DSM Vormetric Tokenization Vormetric Cloud Encryption Gateway Infrastructure as a Service (laas) Platform as a Service (PaaS) Software as a Service (SaaS) You Manage Managed by Provider Application Data Runtime Middleware O/S Virtualization Serves Storage Networking You Manage Managed by Provider Application Data Runtime Middleware O/S Virtualization Serves Storage Networking Managed by Provider Application Data Runtime Middleware O/S Virtualization Serves Storage Networking Encryption Keys Vormetric Transparent Encryption Agent Figure 6: Vormetric Data Security Platform delivers comprehensive security and on-premises key management across various cloud models

11 Page 10 CONCLUSION The utilization of cloud storage continues to grow increasingly common and strategic. As a result, more and more sensitive data is ultimately residing in these environments. To comply with security policies and regulatory mandates, these sensitive assets must be encrypted. IT organizations need to address this demand and enable secure cloud storage, or employees will circumvent policies and leverage their own cloud services. With the, organizations can meet this demand, while minimizing the cost and operational effort required to secure sensitive assets, both across cloud environments and across the enterprise. ABOUT VORMETRIC Vormetric (@Vormetric) is the industry leader in data security solutions that span physical, virtual and cloud environments. Data is the new currency and Vormetric helps over 1,500 customers, including 17 of the Fortune 30 and many of the world s most security conscious government organizations, to meet compliance requirements and protect what matters their sensitive data from both internal and external threats. The company s scalable Vormetric Data Security Platform protects any file, any database and any application anywhere it resides with a high performance, market-leading data security platform that incorporates application transparent encryption, privileged user access controls, automation and security intelligence. For more information, please visit:

12 GLOBAL HEADQUARTERS 2545 N. 1ST STREET, SAN JOSE, CA TEL: FAX: EMEA HEADQUARTERS 200 Brook Drive Green Park, Reading, RG2 6UB United Kingdom Tel: Fax: APAC HEADQUARTERS 27F, Trade Tower, Samsung-dong, Gangnam-gu, Seoul. ( ) Tel: Copyright 2015 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Vormetric