ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

Transcription

1 VISIBILITY DATA GOVERNANCE SYSTEM OS PARTITION UNIFIED MANAGEMENT CENTRAL AUDIT POINT ACCESS MONITORING ENCRYPTION STORAGE VOLUME POLICY ENFORCEMENT ProtectV SECURITY SNAPSHOT (backup) DATA PROTECTION PROOF OF COMPLIANCE CONTROL KEYS IN HARDWARE ROLE-BASED ACCESS MGMT DIGITAL SHREDDING ProtectV Securing Sensitive Data in Virtual and Cloud Environments whitepaper Features Function Benefits Addressing Requirements for Securing Sensitive Data in Virtual Environments Data Isolation Separation of Duties Cloud Compliance Pre-launch Authentication Multi-tenant Protection Executive Summary Virtual environments and cloud deployment scenarios can present a host of security gaps and challenges, but the adoption of these approaches continues to pick up speed and grow increasingly pervasive. This paper looks at the challenges of safeguarding sensitive assets in virtual datacenters and in private and public cloud deployments. In addition, it reveals how SafeNet ProtectV delivers the critical capabilities security teams need to effectively and persistently meet their governance, compliance, and data protection mandates in these environments. Introduction: The Pervasiveness of Virtualization and Cloud Adoption Whether IT and security teams are embracing the prospect, lukewarm on the idea, or adamantly opposed, business decision makers are driving the move to virtualization and the cloud. Incented by the opportunities for boosting agility and cost efficiency, organizations are quickly and pervasively embarking on virtualization and cloud initiatives. Today, 39.4% of servers are virtual. By 2018, 86% of all workloads are expected to be running in virtual machines. Plus, by the end of the year, the cloud market is expected to grow to $60 billion. The Challenge: Addressing Security Gaps in Virtual and Cloud Environments In spite of their widespread adoption, virtualization technologies and cloud services continue to present some significant challenges for the security teams tasked with safeguarding sensitive data. Following are a few of the more pressing obstacles: Increased data volumes and mobility. In virtual environments, workloads, data repositories, and sensitive data are highly mobile, and frequently being shifted to different virtual and physical resources. In these environments, it is easier than ever to move and copy sensitive data. For example, virtual machines are often routinely backed up, according to proper retention policies. However, given the volume of virtual machines running and the persistent backups of these resources, the locations of sensitive data can increase substantially. Consider that if one virtual machine is backed up every hour, there would be 24 copies of that virtual machine created on a daily basis. This explosive growth in virtual machines and their associated backups all ultimately result in sensitive data residing in many more locations than in years past. This proliferation presents security teams with inherent challenges, increasing the complexity and effort required to secure sensitive assets. ProtectV Whitepaper 1

2 Digital shredding. Exacerbating matters is the uncertainty that can surround data destruction and retention. With the volume of virtual machine snapshots ending up in physical media, it grows increasingly difficult to determine with certainty whether all instances of a sensitive repository are completely and permanently removed from all potential locations. Administrative exposure. Another potential challenge is posed by the changing dynamics of administration in virtual environments. Compared to prior computing models, cloud and virtualization ultimately introduce more privileged users and a new class of administrators. Typically, teams of administrators focused on servers, storage, backups, and applications will have some level of access in virtual environments, and quite often security policies and administrative functions are handled independently by each group. Security teams need to have the visibility and control to ensure sensitive assets aren t exposed to unauthorized access. Unlike traditional environments, establishing and retaining these controls presents a host of unprecedented challenges. Security Requirements in Virtual and Cloud Environments The challenges above are fundamentally at odds with the objectives and responsibilities of enterprise security teams. As with traditional computing environments, security teams need to have the visibility and control to ensure sensitive assets aren t exposed to unauthorized access. Unlike traditional environments, establishing and retaining these controls presents a host of unprecedented challenges whether you re running applications on virtualization technologies in your own datacenter, in private or virtual private clouds, or in public clouds. In these environments, security teams have to be able to realize the following objectives: Data governance. Security administrators have to overcome the inherently limited visibility of dynamic, virtual environments. They need to be able to identify, track, and control where instances containing sensitive assets reside at any given time. They need to be able to track each virtual machine s replication and to monitor each event associated with these instances. Finally, they have to be able to track and guard against unauthorized copying of a virtual resource. Data compliance. Compliance initiatives remain a critical requirement. To ensure their organizations sustain their compliance status, security administrators have to be able to enforce adequate controls of specific data assets. They need to be able to definitively track access to sensitive data, enforce proper access controls, and present a trusted audit trail that can provide complete details on all access events. Data protection. Minimizing the risks of breaches and data loss is a fundamental requirement in virtual environments. To realize these objectives, security administrators have to be able to ensure that all data instances are secure and only accessed by authorized users. Further, in the event of some risk being detected, whether a potential vulnerability or known breach, security administrators need to be able to apply effective security measures in order to mitigate and minimize the exposure. SafeNet ProtectV: Delivering Unparalleled Security to Virtual and Cloud Environments Today, SafeNet offers solutions that enable organizations to leverage the business benefits of virtualization and cloud services, while meeting their governance, compliance, and data protection requirements. With SafeNet ProtectV, organizations can encrypt and secure entire virtual machines, protecting these assets from theft or exposure. Further, with ProtectV, security teams can encrypt virtual storage, ensuring cloud data is isolated and secured even in shared, multi-tenant cloud environments used for application hosting, data storage, or disaster recovery. ProtectV can be deployed in public cloud (Amazon EC2), private cloud (Amazon VPC), and virtual datacenter (VMware vcenter) environments. ProtectV Whitepaper 2

3 With ProtectV, organizations enjoy these advantages: Leverage the deepest, most comprehensive visibility of virtual environments in order to enable effective governance. Ensure the highest levels of compliance with all relevant policies and regulatory mandates. Apply maximum security and protection to sensitive data assets in virtual environments. ProtectV: Key Capabilities Comprehensive Security Featuring support for robust encryption algorithms, including FIPS-approved AES 256 and 3DES, ProtectV enables organizations to apply strong protection to their sensitive assets. ProtectV is the only solution available today that enables organizations to encrypt the entire virtual machine, including virtual machine partitions and operating system partitions, delivering the most comprehensive levels of security. ProtectV addresses the key requirements needed to secure virtual datacenters and cloud environments: Data isolation. With ProtectV, security teams can logically separate the volumes and virtual instances that hold sensitive data from other areas in the environment. In addition, this solution enables organizations to implement safeguards against potential hackers who might breach cloud hypervisors, and from the cloud super-users who administer the virtual environment. Separation of duties. ProtectV enables security teams to separate administrative responsibilities for specific instances and volumes from the cloud super-users who control the larger virtual environment. The solution offers controls for ensuring that any one administrator can t abuse his or her privileges. For example, using approaches like M-of-N separation, organizations can require that multiple administrators must always conduct such critical administrative tasks as policy changes and key export. Cloud compliance. ProtectV offers the core confidentiality and integrity controls that are key requirements for ensuring compliance with regulatory mandates, including version 2.0 of the Payment Card Industry Data Security Standard (PCI DSS), which includes rules on safeguarding payment data in virtual environments. Strong pre-launch access authentication. Featuring password-based protection at the user level, ProtectV enables authentication controls over which resources can be accessed, when, and by whom. When a virtual machine launches, only authorized users can access the OS partition. With alternative encryption approaches, unauthorized users can launch virtual machines and access whatever is stored in the system partition. Multi-tenant protection. With ProtectV s comprehensive, robust capabilities, organizations can ensure that, even in shared, multi-tenant cloud environments, administrators gain the visibility and controls they need to safeguard sensitive assets. With these comprehensive capabilities, organizations can apply consistent, effective security measures across the entire virtual machine lifecycle, including provisioning, starting, operation, snapshots, and deletion. Central, Secure Key Management ProtectV is fully integrated with SafeNet KeySecure, a solution that simplifies the management of encryption keys while ensuring keys are secure and always available to authorized users. KeySecure automates the backup and distribution of encryption keys across an enterprise. Based on a hardened security appliance, KeySecure safeguards keys against theft, tampering, and unexpected system failures. Using the solution s management console, administrators can simultaneously manage multiple appliances, including disk and tape storage encryption platforms from NetApp, Quantum, and SafeNet, and SAN switches from Brocade. ProtectV Whitepaper 3

4 Advantages of KeySecure Centralized management of encryption keys and policies, delivering a central root of trust. Comprehensive key management for a number of encryption solutions, including those for storage, tape libraries, databases, SAN switches, applications, tokenization, and more. Easy integration with third-party appliances through support for the Key Management Interoperability Protocol (KMIP). Secure storage of encryption keys, offering a robust hardware security module (HSM) that is FIPS level 3 certified. Improved safeguards against insider threats, compliance with PCI and other mandates through granular, role-based authorization and secure authentication. Lifecycle management of keys that offers full audit trails on all cryptographic key activities. Secure digital shredding through the deletion of the cryptographic keys needed to decrypt sensitive assets. Fast, Flexible Deployment and Efficient Administration ProtectV offers a range of features that help security teams enjoy fast, flexible deployment and administrative and operational efficiency in the long term: Flexible deployment and integration. Whether your business applications are running in public clouds, private clouds, or virtual datacenters, ProtectV can be conveniently and effectively deployed to support your security objectives. Further, the solution offers flexible APIs that enable automation and integration with virtual server provisioning systems. In addition, the solution provides command-line interfaces for scripting and bulk operations. Fast deployment. ProtectV speeds deployment, for example enabling administrators to use pre-defined images to deploy encryption on new platforms. Intuitive administration. With ProtectV, administrators can work with an easy-to-use console or through their cloud provider s native interface. As a result, tasks such as policy updates, users and role assignments, monitoring, and event management are fast and efficient. Efficient administration. With ProtectV, administrators can centrally manage encryption of all virtual machines, across their cloud or virtual environments. ProtectV: Product Components The ProtectV solution is comprised of these components: ProtectV Client. ProtectV Clients are installed on each virtual machine that is to be encrypted. This component encrypts every bit as it s written onto disk. In addition, it offers a pre-launch authentication layer that protects the operating system from unauthorized access at the time the system first initiates. ProtectV Manager. ProtectV Manager runs on a protected and hardened virtual machine. ProtectV Manager offers a central platform for managing policies, administration, and audits. This component is designed to enable API-based automation, and it can scale to protect virtual machines. KeySecure. KeySecure is a hardware-based key management platform that enables secure, central management of cryptographic keys. Deployed on the customer s premise, KeySecure enables complete and continuous ownership of cryptographic keys across their lifecycle. ProtectV: Deployment Scenario - Virtualized Data Center KeySecure Virtualized Data Center ProtectV Manager ProtectV Client Trusted On-premise Location ProtectV Whitepaper 4

5 ProtectV: Deployment Scenario - Public Cloud KeySecure Public Cloud ProtectV Manager ProtectV Client Trusted On-premise Location Conclusion As the use of virtualization platforms and cloud services continues to grow more widespread, so can the associated security risks. With SafeNet ProtectV, organizations can fully leverage the business benefits of virtualization and cloud offerings, while ensuring optimal security of their sensitive data assets. With SafeNet ProtectV, organizations can fully leverage the business benefits of virtualization and cloud offerings, while ensuring optimal security of their sensitive data assets. SafeNet Data Protection Virtual and cloud security solutions, like all enterprise security, need to be managed in a layered approach to the information protection lifecycle that combines encryption, access policies, key management, content security, and authentication. These layers need to be integrated into a flexible framework that allows the organization to adapt to the risk it faces. Wherever data resides, SafeNet offers persistent, secured storage for structured and unstructured data. SafeNet provides a practical framework for delivering the trust, security, and compliance enterprises demand when moving data, applications and systems to the virtual environments and the cloud. About SafeNet Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet s data-centric approach focuses on the protection of high value information throughout its lifecycle, from the datacenter to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments. Contact Us: For all office locations and contact information, please visit Follow Us: SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN) ProtectV Whitepaper 5