CloudLink CypherX - A Defendection

Transcription

1 Introduction Enterprises and governments most valuable commodities are their data. Sensitive information is the lifeblood of enterprises everywhere, but it is also coveted by those of malicious intent that want to acquire it for profit, business advantage, hacktivism or espionage. As the growth of digital assets increases, so has the need to control and secure these assets, both from a compliance and a competitive stand-point. AFORE CloudLink CypherX is a defense in depth software solution that protects data in cloud based applications, VDI, and virtual applications from malicious cloud administrators, and protects data from malicious insiders, malware and advanced persistent threats (APTs) in enterprise environments. CypherX defeats malware and APTs by creating secure virtual containers around trusted applications. Within these containers the data is persistently encrypted so that, even if a virtual machine in the cloud, or an on-premise PC or server is comprised, critical enterprise data are continuously protected by CypherX s security envelope. This protection remains with the data at all times, wherever they go. Only trusted users on trusted machines, running trusted applications, can decrypt the data. CypherX runs on Microsoft Windows operating systems and is application agnostic. It consists of a security controller and agents that are deployed within VDI, virtual machines, PCs and servers. The security controller allows administrators to define policies based on objects within Microsoft Active Directory (AD). The security policies and encryption keys remain under the sole control of the security controller and the master encryption keys never leave the security controller. Challenges Traditional Security Measures Insufficient for Advanced Cyber Threats Today s Information Systems (IS) face increasingly advanced and persistent cyber threats. Numerous security breaches have proven that it is not sufficient to rely on existing perimeter-based security solutions and detection based anti-virus solutions. A recent study found that, on average, zero-day attacks escape detection for ten months. Within these ten months, businesses suffer loss of intellectual property and/or customer information and damage to their brands, as a result. Things are now at the point where, from an information security standpoint, businesses must assume they have been compromised and implement effective countermeasures to protect their business assets against malware embedded inside their trusted infrastructure. Data-centric protection has become increasingly important. Increasing Adoption of Cloud Computing Traditionally, enterprise computing infrastructure has been highly centralized, making it easy to control and secure data. However, computing resources are now increasingly decentralized and boundaries around them have begun to blur. Enterprises are spending more and more money deploying security solutions that provide less and less control over their most sensitive information. More and more, enterprises are adopting cloud computing services to reduce IT cost and increase business agility. Significant numbers of applications and large amounts of data reside in clouds that are managed and secured by external Cloud Service Providers (CSPs). The loss of physical security, new threats posed by multi-tenancy - particularly within multi-tenant virtual application server farms - and the relinquishing of administrative control to third party administrators are just some of the reasons why new Page 1 of 7

2 security measures are needed to ensure that digital assets remain under enterprise control and remain secure against new and emerging threats to virtual and cloud based environments. Mobility of Enterprise End User Computing The widespread adoption of sophisticated mobile devices has driven the need to deploy virtual end-user workloads that are easily accessible from anywhere; i.e. virtual desktops and virtual applications. Such solutions offer enterprises significant cost savings while giving their employees the speed, flexibility and mobility required in today s competitive markets. As a result, data must be agile and mobile. New paradigms in data control and security are needed in order to successfully transition into the mobile and cloud computing era. End Users are the Weakest Links Data breaches stem from a variety of sources, but most happen behind the firewall. This may be due to malicious intent or accidental usage on the part of employees and IT personnel. Traditionally, enterprises have used a combination of systems and solutions to restrict end-users privileges. Technologies such as full disk encryption or perimeter security were used to prevent data breaches relating to data remanence, loss of devices and usage of removable storage devices such as flash disks. Disabling USB devices, limiting end-user experience in browsers and clients, and the enforcement of desktop physical security are all strategies that may have been sufficiently successful within traditional IS infrastructures, but have proven overly oppressive to end-users and, more importantly, highly ineffective in an increasingly mobile and decentralized world. The ability to keep data secure and under enterprise control while giving users the flexibility they need to remain productive has proven elusive because of security and compliance requirements. Data encryption seemed to be the solution, but current implementations have proven less than effective at securing and controlling data. Until now The Right Encryption for Data Protection Facing all the challenges mentioned above, enterprises must adopt a defense in depth security approach to protect their data, whether on-premise behind a firewall, or in the cloud. Encryption of sensitive data is the cornerstone of security in the new era of wide open, widely distributed computing. Most current encryption solutions fall into one of three well-known categories: full disk, volume-based or filebased. All of these mechanisms suffer from the same weakness: encryption is not persistent and can be easily stripped off through everyday usage. Data leakage, whether malicious or unintentional, comes from common sources including attachments, simple file copies to targets that do not support encryption, and file storage within web services such as Dropbox. Even simple actions such as copying and pasting from one application to another using the clipboard can easily circumvent data encryption, intentionally or not. It should be noted that a significant level of data leakage occurs accidently because the end-user is unaware that his or her actions circumvent enterprise security mechanisms. This common weakness stems from the fact that all applications are treated equally. If a user has access rights to data then all applications, including malware, executed by that user have access to that data. To solve this problem, CloudLink CypherX introduces security policies that control access to encrypted data on a per application basis. This gives only specific (i.e. trusted) applications the ability to access the data while all other applications cannot, providing enterprise customers true fire-and-forget data security. Once encrypted, data can only be accessed by a trusted user running a trusted application on a trusted machine. CloudLink CypherX provides total control and encryption of data that TRULY persists beyond the enterprise perimeter. Page 2 of 7

3 The CloudLink CypherX Solution CloudLink CypherX is a new approach designed to give enterprises a tool to secure and control their data within enterprise and virtualized cloud environments. CloudLink CypherX creates secure virtual containers for trusted applications and persistently encrypts the applications data. The data are protected by a unique trust domain which is the combination of a trusted user, a trusted application and a trusted machine. Only trusted users can decrypt and process the data on trusted machines running trusted applications. Data remains secure during its entire life cycle, with policy preventing it from being saved unencrypted. Control of cryptographic keys and user/application/machine policy remains in the hands of the enterprise, regardless of workload deployment. Through application-level policies, CloudLink CypherX allows enterprise data owners or security administrators to control and secure their digital assets. In case of malware and APTs, an attacker may impersonate a trusted user by stealing his or her credentials and infiltrating the enterprise network to access critical business assets. However, the attacker can only exfiltrate encrypted data from the trusted domain to an external entity. The violation of any one of the three trust conditions (machine, application and user) results in the inability to decrypt the data. Common data leakage stems from a variety of everyday sources, such as removable storage devices, attachments or even clipboard operations. In an increasingly open and mobile computing world, it is easy for accidental leakage to occur, making theft even easier for a malicious agent. CloudLink CypherX curtails data leakage by enforcing application level policies that ensure that data emitted by trusted applications are only accessible by trusted applications under trusted conditions. For example, one common source of data leakage is the system clipboard (a method for copying and pasting used in most operating systems). Without CloudLink CypherX, nothing prevents an employee from copying and pasting data from one application to the next. It is trivial for someone of ill intent to issue a select * query to a database and then copy and paste the results to a web mail application. CloudLink CypherX restricts copy/paste operations to applications of equal or higher trust. Another way for enterprises to lose control of their digital assets is through attachments. Solutions such as Microsoft Exchange offer IT administrators some security capabilities when it comes to file attachments, but now that many enterprises are beginning to adopt diverse cloud based services such as Google Gmail to fill their corporate needs, it has become more difficult to control the flow of data through . CloudLink CypherX ensures that digital assets are encrypted at the file level and that the files remain encrypted in their secure containers regardless of location, i.e. even when sent as attachments through web-based services such as Gmail. CloudLink CX s application-level policy enforcement and file-level encryption uniquely enable it to control and secure data in widely distributed unprotected environments. Encrypted data may leave the enterprise perimeter, but only a trusted user running a trusted application on a trusted machine will be able to access that data. CloudLink CypherX is so powerful that sensitive digital assets can be stored on a public share without risk. CloudLink CypherX consists of two distinct parts. The Security Controller that is hosted within the enterprise, giving the enterprise total control over policies and cryptographic keys, and the CloudLink CypherX Client that is hosted as an agent within a physical machine, virtual machine or bundled within a virtual application package such as Microsoft App-V, VMware ThinApp or Citrix XenApp. The Security Controller The Security Controller is a virtual appliance that is deployed within the enterprise in order to ensure that policy and key control remain squarely in the hands of the data owner. The primary role of the controller is to securely aggregate and deploy security policies to all trusted clients, as well as manage cryptographic keys, including Page 3 of 7

4 securing and storing keys in an external key manager such as RSA Data Protection Manager. Strong role-based separation of duties ensures that only security administrators are able to make policy changes within CloudLink CypherX. Policy is managed using the Security Controller s web-based management interface and leverages objects defined in Active Directory. Schema changes are not required since the policies leverage existing objects such as users, groups and machine accounts. Moreover, enterprises can deploy more than one controller for failover purposes, geographical distribution, as well as providing easy scalability as the number of CloudLink CypherX clients rise. The CloudLink CypherX Client The CloudLink CypherX client is a Microsoft Windows based agent that can be deployed as an operating system service to control an entire physical or virtual machine. The client can also be bundled as a component of a virtual application package, such as those created by App-V or ThinApp, and used to control and secure all digital assets within the package. As a centrally deployed agent within a machine, CloudLink CypherX provides policy enforcement and encryption for all applications that are executed on that machine. For example, cloud based VDI can be secured by CloudLink CypherX. The CloudLink CypherX client is hypervisor-agnostic, meaning that it can be hosted within any virtual machine on any hypervisor. It allows for the migration of a virtual machine running in one hosted environment to a different hosted environment without any risk of compromising security or compliance. Enterprises can deploy virtual machines, such as virtual desktops, within hosted multi-tenant environments while maintaining the same high level of control and security over their digital assets. As a bundled component within a virtual application package, CloudLink CypherX provides control and security of all assets within the package. Control and security of digital assets follow the virtual application wherever it is deployed. Enterprises are able to safely deploy such applications into any hosted environment, including multitenant virtual application farms. All communications between the CloudLink CypherX Client and the Security Controller occur within an SSL tunnel, regardless of the underlying infrastructure. CloudLink CypherX Core Features Application-Level Granularity of Policies CloudLink CypherX introduces the concept of applications as securable objects, empowering administrators to define policies enforced against specific applications. This approach to control and security ensures that sensitive data can only be accessed by a trusted user, running a trusted application on a trusted machine. Strong access controls and encryption are enforced on any and all data that an application can emit, whether by writing data to a file, exchanging data using the system clipboard or using other channels for data exchange. Persistent Encryption Because of its application-level policy enforcement capabilities, CloudLink CypherX is able to provide truly persistent file encryption that follows the file wherever it goes, including when a file leaves the perimeter of the controlled environment. Encrypted files remain encrypted even when they are sent through as attachments, Page 4 of 7

5 stored in Dropbox, backed-up, replicated or copied to a mobile device. Regardless of where it goes, the file s data will ALWAYS REMAIN SECURE. This feature allows IT administrators to move workloads to any virtual infrastructure, including public clouds, without fear that sensitive enterprise data will fall into the wrong hands. This enables secure and compliant enduser computing in wide open, widely distributed virtual infrastructures, including multi-tenant infrastructures. Hosted services such as Dropbox and Windows Live Sync can now be leveraged freely without risk to security or compliance. Trust Levels A hierarchy of trust levels allows security administrators to carefully control who can access data and from where based on clear policies defined within Active Directory groups. Any changes made to group membership - for example, when a new employee is added to Active Directory, when an existing employee moves from one group to another or when someone leaves the company - are automatically reflected in CloudLink CypherX policy. Ease of Use The CloudLink CypherX client is totally transparent to end-users. Encryption and decryption are done automatically based on security policy. The end-user is able to continue working just as they did before, without any restrictions, giving them the level of flexibility and openness they need in order to be productive in an increasingly mobile and distributed computing world. Policy management is done through the Security Controller s intuitive web-based interface and uses existing Active Directory objects, keeping policy management complexity to a minimum. A clear separation of roles is enforced between IT administrators and security administrators as the management interface requires the administrative user to be a member of the CloudLink CypherX Security Administrators group. Moreover, initial deployment of the CloudLink CypherX client is automatic and controlled by well-established Microsoft Windows policies. Policy and Keys in Data Owner Control Data owners retain control over all policies and cryptographic keys, no matter where the applications are deployed and where the data reside, in-house or in a cloud. This gives enterprise customers much greater control over their digital assets and helps them reduce the technical and administrative complexities required to meet their regulatory compliance targets. All policies are hosted and managed within the enterprise domain as are the one or more security controllers. Policies and the master cryptographic keys remain under the control of data owners at all times. Performance Leveraging accelerated AES 256 cryptographic operations, CloudLink CypherX only encrypts data accessed by trusted applications. Other data, such as system files, remain in plaintext and cause no impact on performance when accessed. CloudLink CypherX keeps the need for encryption and decryption operations to an Page 5 of 7

6 absolute minimum and provides equal or better performance when compared with full disk or volume-based encryption solutions. Scalability Because of its encryption efficiency and agent-based approach, CloudLink CypherX does not suffer the scalability challenges encountered by solutions that attempt to centralize encryption and policy enforcement for multiple workloads. The ability to easily deploy more than one controller across a geographically disperse topology allows the enterprise to manage failover scenarios as well as easily deal with any sort of scalability issues pertaining to policy deployment and key management. Tamper Proof Auditing All events generated by the CloudLink CypherX agent as well as all of the events generated by policy changes within the management interface are digitally signed and sequentially numbered so that any attempt at tampering is automatically detected and prevented. As such, CloudLink CypherX is able to generate a highly detailed, very granular and tamper proof audit trail that meets or exceeds legal forensic requirements. CloudLink CypherX Protection vs. Threats From the proliferation of mobile devices such as laptops and tablets, to the emergence of cloud based services, securing against threats demands a new level of sophistication. This applies both for old threat vectors that are experiencing renewed popularity, and new advanced threats. Insider Threats The insider accounts for three quarters of all data leakage in an enterprise. This encompasses both malicious and accidental data leakage vectors. Traditional perimeter security solutions deployed in enterprises to guard against data leakage and threats are becoming less compelling as the workplace grows increasingly decentralized across mobile devices such as laptops and tablets and across telecommuting boundaries and cloud services boundaries. Whether sensitive data escape because of accidental consequences or because of malicious intent, CloudLink CypherX enables IT administrators to deploy fire and forget security across a wide open and widely distributed infrastructure, both physical and virtual, in order to protect sensitive data against threats. No matter where it goes, no matter where it is stored, sensitive information will always be persistently encrypted and CloudLink CypherX will ensure that it can only be accessed by a trusted user, running a trusted application, on a trusted machine, three things that IT administrators can control. Malware Although malware isn t a new threat, the proliferation and creation of new malware threats is accelerating at such a pace that anti-virus and anti-malware software is starting to have a hard time keeping up. Although many antimalware and anti-virus software developers claim to have zero-day protection, there is always a delay between when malware is detected to the time inoculation against the malware is published. CloudLink CypherX s security mechanism offers zero-second protection against malware and viruses. Should malicious binaries find their way inside a computer system protected by CloudLink CypherX, they would only be able to read sensitive data in encrypted form, which is useless to criminal elements. Even custom-made exotic malware designed for a specific target would be powerless against CloudLink CypherX. Advanced Persistent Threats Advanced Persistent Threat (APT) refers to an effort by an actor, such as a corporation, foreign government or significant criminal syndicate, with both the capability and the intent, to persistently and effectively target a specific entity for the purposes of espionage, sabotage, competitive advantage or financial gain. Traditional security solutions such as perimeter protection have proven woefully inadequate against such sophisticated and Page 6 of 7

7 prolonged attacks. CloudLink CypherX provides enterprise customers effective counter-measures because of its sophisticated application as a securable object, or application lock-down approach which allows it to deal effectively with unknown binaries and malicious insiders. Moreover, CloudLink CypherX remains effective beyond the perimeter of the enterprise, extending continuous data protection to cloud computing deployments such as virtual desktops, virtual applications and virtual servers. Even data placed in cloud storage are kept encrypted and safe. Use Cases CloudLink CypherX is an application agnostic data protection technology which is specially designed to protect enterprise digital assets, whether on premise or in cloud, from advanced and persistent cyber threats. Securing SaaS Application Data Many ISVs look to adopt the Software as a Service (SaaS) business model in order to reduce front-end data center investment and on-going operation costs. They often host their software applications in external cloud environments managed by IaaS providers. In this environment, the SaaS application data may reside in an infrastructure shared by multiple tenants and accessed and managed by the IaaS administrators. For regulatory compliance (HIPAA, PCI DSS, etc.), SaaS providers must be able to demonstrate to their customers that their data are secure. CloudLink CypherX gives SaaS providers THE tool to persistently encrypt all files in the cloud and maintain control of encryption keys and access policies. This solution guards SaaS applications from external malware and APTs, malicious cloud administrators and other tenants. Securing VDIs and Virtual Applications Traditional endpoint encryption solutions, such as full disk encryption, do not work in VDI and virtual application environments because the infrastructure is hosted on servers in the cloud. The enterprise data generated by VDI that resides in a multi-tenant cloud is subject to significantly higher risk than data located within the enterprise physical boundary. With CloudLink CypherX, enterprise security administrators can set policies to secure those trusted virtual applications or applications within a VDI instance in order to persistently encrypt data and prevent data leakage. Protecting Intellectual Property and Sensitive Business Data There continue to be numerous high profile intellectual property loss incidents, such as source code leakage from high tech companies, as well as theft of business documents and other sensitive information, due to malware and APT attacks. CloudLink CypherX effectively secures sensitive business data and intellectual property, protecting them from these threats. For example, software development tools can be designated as trusted applications. All source code generated in development environment is automatically encrypted. In the event that the development environment is compromised, e.g. source code is copied on a USB drive, the code remains encrypted and cannot be read outside the trusted application. Conclusion Enterprises deploying hosted virtual apps need cryptographic protection of data beyond the policy-based perimeter protection that is available today. CloudLink CypherX delivers application-level, granular, persistent, easy to-use and scalable data encryption for protection of application data in multi-tenant cloud environments. CloudLink CypherX is the best-in-class solution for controlling and securing digital assets within virtual workloads in the cloud. It enables simpler, faster and more cost-effective compliance management, bridging the gap between on-site computing resources and cloud based digital assets. Page 7 of 7