Cloud Data Security
Sol Cates, CSO
@solcates
scates@vormetric.com
Agenda
  The Cloud: securing your data in someone else's house
  Explore IT's Dirty Little Secret
  Why is Data so Vulnerable?
  A bit about Vormetric
  Q and A
Slide No: 2 Copyright 2014 Vormetric, Inc. Proprietary and Confidential. All rights reserved.
Where's the Perimeter? IT is Being Challenged To Embrace The Cloud
  By 2018, 25% of corporate data traffic will bypass traditional perimeter security defenses, up from 4% today.
  Public cloud growth is 5X that of the IT industry as a whole.
  Gartner, November 2013
Cloud Heightens The Need to Protect Data: Private, Public, and Hybrid Cloud
Data is Increasingly More Difficult to Protect
  Data Centers: Physical, Virtual, Outsourced
  Clouds: Private, Public, Hybrid; Multiple vendors
  Big Data: Sources, Nodes, Results
  Physical Servers: Local offices and retail locations, Labs
  Data at stake: Trial Analysis, Research, PHI, Credit Cards, HR Files, Finance Files, Customer Stats, Contracts, Call Records, Customer Records, Plans, Source Code
2015 Vormetric Insider Threat Report
  818 respondents, 100% IT decision makers
  Regions: US, UK, Germany, Japan, ASEAN
  Enterprises: $200M+ (US); $100M+ (UK, Germany, Japan, ASEAN)
  Verticals: Retail, Healthcare, Financial Services, Other Enterprise
  Polling by Harris; analysis and reporting by Ovum
Evolving Threats: Insider Threats Have Changed
  Traditional insiders, in the past: company employees with knowledge-required access
  Today we must add: IT personnel, contractors, service provider employees
  Compromise of insider accounts: hackers actively target insider accounts with access to data, regardless of location
  Porous perimeters: Cloud/SaaS, Big Data
Sensitive Data at Risk: Organizations feel more vulnerable than ever
  93% of organizations feel vulnerable to insiders
  55% name privileged users as the most dangerous insider
  54% plan to increase spending next year
  50% say preventing a data breach is the top business priority
  Source: 2015 Vormetric Insider Threat Report, Global Edition
Why start protecting your data?
  Data is exploding: Volume, Variety, Velocity
  Reasons for encryption are multiplying: Regulations (PCI, HIPAA, breach disclosure), Contractual obligation, Risk reduction, Breaches
  FACT: Data can't protect itself
New Frontier, Pioneers, and Challenges
  Many types of clouds: IaaS, SaaS, PaaS, BPaaS, etc.
  Many providers: some large fish, and lots of little fish. What's their security philosophy? A great resource is CSA's STAR program and Cloud Controls Matrix (CCM): https://cloudsecurityalliance.org
  Who's responsible for the data? 99.99% of the time the customer owns the data, but who is tasked with protecting it?
Understanding Cloud Architectures (figure: CSA reference model stack; source: Cloud Security Alliance)
  IaaS (Infrastructure as a Service): Facilities, Hardware, Abstraction, Core Connectivity & Delivery, APIs
  PaaS (Platform as a Service): the IaaS layers plus Integration & Middleware, APIs
  SaaS (Software as a Service): the PaaS layers plus Data, Metadata, Content, Applications, APIs, Presentation Platform, Presentation Modality
Encryption has moved From a Tax to a Business Enabler
  Cloud is a business enabler
  Security remains the #1 concern as data moves outside the perimeter
  The cost of encryption is no longer a tax on the business; it is now viewed as an enabler of cost savings and competitive advantage
  Top Security Concerns With Cloud Computing (March 2014):
    Data Privacy and Security 41%
    Access and Control 35%
    Auditing and Compliance 32%
    Control of Data 26%
    Security Models/Toolsets 18%
    Contractual/Legal Issues 15%
    Internal Issues 11%
    Network Connection Security 10%
    Geographical Coverage 4%
  Q. What are the top cloud computing-related security problems that affect your organization? Please describe up to three. N=94.
Top IT Spending Priorities: Compliance Is Last for the First Time
  Preventing a data breach incident 50%
  Protection of critical IP 44%
  Protection of finances and other assets 41%
  Fulfilling requirements from customers, partners and prospects 32%
  Fulfilling compliance requirements and passing audits 32%
Top Ten Security Challenges for Big Data & Cloud Environments
  1. Secure computations in distributed programming frameworks
  2. Security best practices for non-relational data stores
  3. Secure data storage and transaction logs
  4. End-point input validation/filtering
  5. Real-time security/compliance monitoring
  6. Scalable and composable privacy-preserving data mining and analytics
  7. Cryptographically enforced access control and secure communication
  8. Granular access control
  9. Granular audits
  10. Data provenance
Security for Big Data & Cloud Environments
  Should provide protection for big data repositories and the data contained in them. Security strategies for big data include:
    Sensitive data discovery and classification
    Data access and change controls
    Real-time data activity monitoring and auditing
    Data protection (such as masking or encryption)
    Data loss prevention
    Vulnerability management
    Compliance management
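The first and fourth strategies on this slide, discovery/classification and masking, are the ones most easily shown in code. The following is an added example, not from the deck and not Vormetric's product code: it finds card numbers (Luhn-checked, so an order number of the same length is not flagged) and e-mail addresses in a constructed customer record, classifies the record from what it contains, and then applies dynamic masking, meaning the stored record is never altered and each caller role sees only what its policy allows. The patterns, the roles in MASK_POLICY and the SAMPLE record are all assumptions made for illustration.

```python
"""Added example (not from the deck): sensitive data discovery, classification
and dynamic data masking over a constructed customer record. Patterns, roles
and the sample record are assumptions made for illustration."""
import re

# Card numbers: 13-19 digits, optionally separated by spaces or dashes; the
# match must start and end on a digit so separators are never swallowed.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def discover(text: str):
    """Return (kind, start, end) for each sensitive field found, in text order."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(("PAN", m.start(), m.end()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("EMAIL", m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def classify(text: str) -> str:
    """Coarse classification driven by the most sensitive field present."""
    kinds = {kind for kind, _, _ in discover(text)}
    if "PAN" in kinds:
        return "restricted"
    if "EMAIL" in kinds:
        return "confidential"
    return "internal"


# Constructed masking policy: how much of each field a given role may see.
MASK_POLICY = {
    "payments": {"PAN": "full",  "EMAIL": "full"},
    "support":  {"PAN": "last4", "EMAIL": "full"},
    "analyst":  {"PAN": "none",  "EMAIL": "domain"},
}


def mask_pan(value: str, level: str) -> str:
    """Mask digits in place so the field keeps its length and separators."""
    if level == "full":
        return value
    n_digits = sum(ch.isdigit() for ch in value)
    first_visible = n_digits - 4 if level == "last4" else n_digits
    out, seen = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(ch if seen >= first_visible else "*")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def mask_email(value: str, level: str) -> str:
    """Show the whole address, only its domain, or nothing."""
    if level == "full":
        return value
    if level == "domain":
        return "***@" + value.split("@", 1)[1]
    return "***"


def render(text: str, role: str) -> str:
    """Dynamic masking: the stored record is unchanged; the view depends on the role."""
    policy = MASK_POLICY[role]
    out = text
    # Replace from the end so earlier offsets stay valid.
    for kind, start, end in reversed(discover(text)):
        level = policy.get(kind, "none")
        field = out[start:end]
        masked = mask_pan(field, level) if kind == "PAN" else mask_email(field, level)
        out = out[:start] + masked + out[end:]
    return out


# Constructed sample record; the second digit run is an order id that fails Luhn.
SAMPLE = ("Customer jane.doe@example.com paid with card 4111 1111 1111 1111, "
          "order 1234 5678 9012 3456")

if __name__ == "__main__":
    print(classify(SAMPLE))
    for role in MASK_POLICY:
        print(f"{role:9s} {render(SAMPLE, role)}")
```

The policy lookup in render is the point of the "dynamic" in dynamic data masking: the same stored record yields a full card number for the payments role, the last four digits for support, and a fully masked field plus a domain-only address for an analyst, without any copy of the data being rewritten.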
IT's Dirty Little Secret
Information Technology's Dirty Little Secret
  For years, super users have been managing our servers, their configurations, and data.
  Super users have 100% access to all data in the systems they manage.
  It only takes 1 compromised or rogue user to cause havoc.
Establishing Some Terms
  Privileged User: employees who use data and systems as part of their jobs; executives who have more access than they should; administrators who are the governors of the systems
  Super User: an account that leverages the ring-0 privilege. Examples: root, administrator, SYSTEM
  Ring-0: the privilege level at which the kernel runs, with complete access to all resources. http://en.wikipedia.org/wiki/protection_ring
What is the issue?
  Superusers control the system, packages, patches, and data permissions.
  By its nature, the superuser has full access to any data the system can access.
  If a superuser is compromised or goes rogue, the impact can be severe: they can destroy, steal, and manipulate data.
Traditional Controls for Super Users
  Monitoring: OS-level auditing, keystroke logging, etc.
  Privileged Account Management: check out an account with a single-use password
  Policy-based elevation: tools that allow a user to elevate to the superuser on a per-command basis (sudo, PowerBroker, etc.). They are good for saying who can do what as root, but they do not control what root can do.
  None of these controls stop the superuser; they only govern how one becomes the superuser.
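The distinction this slide draws, "who can become root" versus "what root can do", is easier to see with the two layers side by side. The following is an added example, not from the deck and not the product's code: a sudoers-style check that decides who may elevate, a plain Unix DAC check showing that once the effective uid is 0 the file mode bits no longer protect anything, and a small first-match policy on a guarded path that is evaluated on every read regardless of uid, returning cleartext, ciphertext (so a backup tool can still copy the encrypted bytes) or deny. The users, paths, SUDOERS table and PAYROLL_GP rules are constructed assumptions for illustration.

```python
"""Added example (not from the Vormetric deck): a toy model of sudo-style
elevation (who becomes root) beside a data-layer policy (what any identity,
root included, may do with protected files). All users, paths and rules are
constructed assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List

# --- Layer 1: elevation control (sudo-like). Only answers "who may become root?"
SUDOERS = {"alice": {"ALL"}, "bob": {"/usr/bin/systemctl"}}  # constructed table


def may_elevate(user: str, command: str) -> bool:
    """sudoers-style check: may this user run this command as root?"""
    allowed = SUDOERS.get(user, set())
    return "ALL" in allowed or command in allowed


def dac_allows_read(effective_uid: int, owner_uid: int, mode: int) -> bool:
    """Classic Unix discretionary access control. Once a user has elevated,
    effective_uid == 0 and the mode bits no longer matter: root bypasses them
    (CAP_DAC_OVERRIDE on Linux). This is the gap the slide describes."""
    if effective_uid == 0:
        return True
    if effective_uid == owner_uid:
        return bool(mode & 0o400)
    return bool(mode & 0o004)


# --- Layer 2: data-layer access policy, evaluated on every open of a guarded
# path regardless of uid. Effects: "cleartext" (decrypt for the caller),
# "ciphertext" (serve the encrypted bytes, e.g. for backups) or "deny".
@dataclass(frozen=True)
class Rule:
    user: str      # "*" matches any user
    process: str   # "*" matches any binary
    action: str    # "read" or "write"
    effect: str    # "cleartext" | "ciphertext" | "deny"


@dataclass
class GuardPoint:
    path_prefix: str
    rules: List[Rule] = field(default_factory=list)  # first match wins


def evaluate(gp: GuardPoint, user: str, process: str, action: str) -> str:
    """Return the effect of the first matching rule; default deny."""
    for r in gp.rules:
        if r.user in ("*", user) and r.process in ("*", process) and r.action == action:
            return r.effect
    return "deny"


def read_file(gp: GuardPoint, user: str, process: str, plaintext: str) -> str:
    """Simulate a read of a file under the guard point."""
    effect = evaluate(gp, user, process, "read")
    if effect == "cleartext":
        return plaintext
    if effect == "ciphertext":
        return "<ciphertext>"  # stand-in for the encrypted on-disk bytes
    raise PermissionError(f"{user} via {process} denied on {gp.path_prefix}")


# Constructed policy: only the payroll daemon sees cleartext; the backup tool
# (any user, root included) gets ciphertext; everything else is denied.
PAYROLL_GP = GuardPoint("/data/payroll", [
    Rule("payroll", "/opt/payroll/bin/payrolld", "read", "cleartext"),
    Rule("*", "/usr/bin/tar", "read", "ciphertext"),
])


def superuser_view() -> Dict[str, str]:
    """What root sees after a successful elevation through the sudo-like layer."""
    assert may_elevate("alice", "/bin/cat")    # layer 1 lets alice become root
    assert dac_allows_read(0, 1001, 0o600)     # mode bits no longer protect the file
    return {
        "cat_as_root": evaluate(PAYROLL_GP, "root", "/bin/cat", "read"),      # deny
        "tar_as_root": evaluate(PAYROLL_GP, "root", "/usr/bin/tar", "read"),  # ciphertext
        "payroll_app": evaluate(PAYROLL_GP, "payroll",
                                "/opt/payroll/bin/payrolld", "read"),         # cleartext
    }


if __name__ == "__main__":
    print(superuser_view())
```

Note that nothing in the first layer changes the outcome of the second: alice passes the sudoers check and, as uid 0, passes every mode-bit check, yet `cat` as root on the guarded path is still denied and `tar` as root only ever sees ciphertext. That separation is what lets the backup and patching duties of an administrator continue while the cleartext stays with the application identity.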
Vormetric
World-Class Brands Rely on the Vormetric Data Security Platform
  Global customers: over 1,700 customers; 17 of the Fortune 30
  Cloud service providers trust Vormetric: Cloud, Managed Services
  Most security-conscious brands: largest financial institutions, largest retail companies, major manufacturers, government agencies, cloud service providers
  OEM partners: IBM, Symantec
  "With Vormetric, people have no idea it's even running. Vormetric Encryption also saved us at least nine months of application rewrite effort, and its installation was one of the easiest we've ever experienced." Karl Mudra, CIO, Delta Dental of Missouri
Vormetric Data Security Platform: solves inefficiencies of point product solutions
  Best Encryption; Best Security & Compliance; Virtualized Environments
Vormetric Data Security Platform: solves inefficiencies of point product solutions (platform diagram)
  Vormetric Transparent Encryption: file and volume level encryption, access control, audit logs
  Vormetric Application Encryption and Tokenization with Dynamic Data Masking: field level data encryption; field preserving tokenization with dynamic data masking
  Vormetric Cloud Encryption Gateway: S3 and Box encryption, control, audit trails
  Vormetric Security Intelligence: Splunk, HP ArcSight, IBM QRadar, LogRhythm, Intel Security ESM, FireEye TAP
  Vormetric Key Management: KMIP compliant; Oracle and SQL Server TDE; certificate storage
  Vormetric Data Security Manager: key and policy manager
  Data and environments shown: structured databases, unstructured files, applications, big data; PaaS, IaaS, SaaS
Controlling and Securing Data in the Cloud
  DSM in the cloud or on the customer premise (diagram: Vormetric Data Security Manager in the enterprise data center environment, with policies & logs and keys exchanged over a VPN link with VMs on virtual or physical servers)
  Enforce separation of provider and enterprise responsibilities
  Extensible to multiple cloud providers and traditional servers
  Pay as you grow; deploy licenses on demand
  Customer is always the custodian of policies and keys
Vormetric Cloud Partners
  Cloud, Managed Services
  Proven deployments
  Bring your own license available for any IaaS cloud offering
  Integrated service offerings may be available
Questions?
Sol Cates, CSO
@solcates
scates@vormetric.com