Securing Cloud Computing
Szabolcs Gyorfi, Sales Manager CEE, CIS & MEA
Gemalto: Security To Be Free
More than just a company tag line, it is why we exist: to communicate, shop, travel, bank and work in ways that are convenient, enjoyable and secure.
Gemalto's Secure Personal Devices are in the hands of billions of individuals worldwide
- 1.5 billion secure devices produced and personalized in 2009
- 200 million citizens received a Gemalto-produced e-passport
- 500 million people carry a Gemalto-produced credit card
- 400 mobile operators connecting 2 billion subscribers
- 30 years of experience designing and producing secure personal devices
Global Leadership Position
Top producer of:
- SIM cards and UICC (1)
- Over-The-Air platforms (2)
- Chip payment cards (4)
- Chip-based corporate security solutions (1)
- e-passports (3)
Innovation leadership examples:
- First to market with IP-based UICC for LTE
- Ezio optical reader for online banking
Sources: (1) Frost & Sullivan; (2) Gemalto; (3) Keesing Journal of Identity; (4) The Nilson Report
Defining the Cloud
The IDC report "Securing Identities is Key to Success in the Cloud" (June 2010) breaks cloud computing down into three archetypes or models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
- SaaS: third-party cloud providers deliver a full application service to end users.
- PaaS: uses a cloud-based infrastructure to deliver customer-based applications.
- IaaS: enables businesses to deliver their own services by providing them with cloud-based equipment.
Market Drivers & Challenges
- Compliance with regulations and standards: Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act, European Data Protection Directive, ...
- Cloud services are growing.
- Convenience is key to cloud service adoption: identity management is painful for organizations and users; single sign-on eliminates passwords across cloud services.
- Secure access is a strong factor.
- Cost.
- Identity theft and phishing attacks are more relevant in the cloud world.
- A static password is not secure, as cyber criminals are getting smarter, faster and more tenacious about getting at your data.
- High TCO for complex password policies.
The weakest link
When you move to the cloud, there may no longer be a PC under the desk, but the user is still the weakest link in the chain. Most people have terrible habits when it comes to passwords: they use the same passwords everywhere, and some write them on sticky notes and put them on their monitor. You can have a software provider with the best security on the market, but if one employee happens to choose a bad password that can be guessed in a social engineering attack, it can be catastrophic.
Security and convenience: can we have both?
(Dilbert cartoons)
"Providers of cloud computing resources are not focused on security in the cloud. Rather, their priority is delivering the features their customers want such as low cost solutions with fast deployment that improves customer service and increases the efficiency of the IT function. As a result, providers in our study conclude that they cannot warrant or provide complete assurance that their products or services are sufficiently secure."
Ponemon Institute, 2009 study
Security is a Balancing Act
Security must balance strength against usability.
Protiva Confirm: Secure & Convenient Cloud Services Enabler
- Bringing ADAPTABLE TRUST to cloud services: strong authentication ensures secure access to online services with multiple authentication methods (password, OTP, PKI).
- Bringing CONVENIENCE to cloud services: identity federation / SSO.
- Bringing ADVANCED SERVICES to cloud services: digital signature service, post-issuance.
No longer need to choose between SECURITY & CONVENIENCE.
Adaptable Trust (diagram): authentication strength from Password to OTP to PKI, across form factors .NET, TPC, cards and display card.
Protiva SA Server: The Heart of Protiva Strong Authentication Service
- Validation server supporting OTP authentication
- Standards-based technology: tokens (OATH event-based or time-based); mobile app (time-based with time stamping)
- Web-based administrator interface for user management
- User self-care portal for registration and password backup
- Easily integrates with existing infrastructure, with established integrations with leading infrastructure technology:
  - Databases: MySQL, MS SQL, Oracle, IBM DB2, etc.
  - User data repository: Microsoft AD, Novell eDirectory, Sun ONE, OpenLDAP, etc.
  - Authentication service: HTTP/HTTPS, SOAP, SAML 2.0, XML, RADIUS, Microsoft IAS/NPS, etc.
5/15/2012
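As an added example (not Gemalto's or Protiva's code), the following shows how a validation server checks the two OATH token types listed above, event-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238), including the look-ahead window and clock-drift tolerance such a server needs so that a token pressed a few times offline or a slightly skewed phone clock does not lock the user out. The secret and expected codes are the published RFC test vectors, not values from the presentation.

```python
# Added example: server-side OATH OTP validation (RFC 4226 HOTP and
# RFC 6238 TOTP). Not Gemalto/Protiva code; the secret below is the
# RFC test-vector secret, not a real token seed.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(now / step)."""
    return hotp(secret, now // step, digits)


def validate_event_otp(secret: bytes, stored_counter: int, code: str,
                       look_ahead: int = 10):
    """Event-based check with a look-ahead window: a token pressed a few
    times without logging in runs ahead of the server's counter.
    Returns the new server counter on success (matched counter + 1, so
    the same code can never be replayed) or None on failure."""
    for c in range(stored_counter, stored_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def validate_time_otp(secret: bytes, code: str, now: int, step: int = 30,
                      drift: int = 1) -> bool:
    """Time-based check tolerating +/- `drift` steps of clock skew."""
    for c in range(now // step - drift, now // step + drift + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 / 6238 test-vector secret
    print("HOTP counter 0:", hotp(seed, 0))
    print("TOTP at t=59:", totp(seed, 59))
    print("event check, look-ahead:", validate_event_otp(seed, 0, hotp(seed, 2)))
```

The server must persist the counter returned by validate_event_otp; a stored counter that does not advance is what turns a one-time password into a reusable one.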
User On-Boarding: Mobile OTP
1. User downloads and activates the mobile OTP application.
2. Authentication server URL is sent to the user by email.
3. User enters the numeric validation code.
4. User establishes a personal PIN.
5. Mobile OTP application is activated.
Platform for next secure token generation
Building Value Together
- ID-000 (SIM-sized) smart card reader
- Micro SDHC card interface: versatility of smart card and MicroSD; easy to assemble
- USB High Speed with HID / CCID switch: full exposure of the smart card in CCID mode; zero footprint in HID mode
- AES-256 encryption: data can be encrypted
- CD-ROM emulation: autorun of applications stored on the MicroSD
(Diagram: USB 2.0, MicroSD flash, ID-000 smart card)
Personalization services: graphical, packaging, smart card and flash insertion (MOQ: 1000 units)
Flash memory partitioning
- SD partitions: Public (X:), Read Only (Y:), Private (Z:)
- PKI smart card: digital signature, PKI certificate
- Controller firmware: integrator key, Secure Drive PIN, mass storage, HID / CCID
Use case: secure browsing
Wherever you go! Whatever you do! Your browser is protected from permanent infections.
- Using a Secure Browser stored in the read-only partition, malware cannot permanently infect your browser (your browser's integrity is maintained).
- Using a Secure Browser, the server certificates of your corporate trusted websites are stored in your browser and compared to the website you are trying to reach; if it is a phishing website, your browser refuses it.
- The list of accessible URLs can be restricted.
USB Shell Pro Token v1
Secure Browsing example
- Mode: HID
- Portable Firefox (in the RO partition)
- Firefox ProCon add-on
- Portable PKCS#11 for TPC IM CC
(Diagram: RO partition: Firefox)
Data Leakage Protection example
- Mode: CCID
- Microsoft BitLocker on the computer
- Encryption of the public partition is done using the smart card
(Diagram: Public: encrypted partition)
Fulfillment: End-User-Initiated Fulfillment
Fulfillment process:
1. Order: a two-factor authentication (2FA) credential or token is ordered by the end user.
2. Receive: the 2FA credential or token is shipped or made available to the end user.
3. Use: the user can start using strong 2FA to protect access to cloud resources.
Thank You