Data Protection: From PKI to Virtualization & Cloud

Similar documents
ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

Cloud Security Case Study Amazon Web Services. Ugo Piazzalunga Technical Manager, IT Security

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

SERENA SOFTWARE Serena Service Manager Security

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

FileCloud Security FAQ

HIPAA Privacy & Security White Paper

Tableau Online Security in the Cloud

Securing sensitive data at Rest ProtectFile, ProtectDb and ProtectV. Nadav Elkabets Presale Consultant

Ensuring the Security of Your Company s Data & Identities. a best practices guide

Cloud Computing Governance & Security. Security Risks in the Cloud

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

A Strategic Approach to Enterprise Key Management

Security Issues in Cloud Computing

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Cloud Security:Threats & Mitgations

CRYPTOGRAPHY AS A SERVICE

Addressing Cloud Computing Security Considerations

MySQL Security: Best Practices

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Security Virtual Infrastructure - Cloud

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Key Management Best Practices

Compliance for the Road Ahead

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

White Paper How Noah Mobile uses Microsoft Azure Core Services

A8.1 Asset Management Responsibility for assets: To identify organisational assets and define appropriate protection responsibilities.

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Top 10 Cloud Risks That Will Keep You Awake at Night

Cloud security architecture

BANKING SECURITY and COMPLIANCE

PICO Compliance Audit - A Quick Guide to Virtualization

Applying Cryptography as a Service to Mobile Applications

Cloud Computing: Legal Risks and Best Practices

Why can you trust Google?

Cloud Security Who do you trust?

PRIVACY, SECURITY AND THE VOLLY SERVICE

Intel Enhanced Data Security Assessment Form

Chapter 10. Cloud Security Mechanisms

Alliance Key Manager Solution Brief

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Making Data Security The Foundation Of Your Virtualization Infrastructure

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

How To Protect Your Cloud Computing Resources From Attack

Securing Virtual Desktop Infrastructures with Strong Authentication

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Security Overview Enterprise-Class Secure Mobile File Sharing

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Using BroadSAFE TM Technology 07/18/05

Security Architecture Whitepaper

Complying with PCI Data Security

Hands on, field experiences with BYOD. BYOD Seminar

Supplier Information Security Addendum for GE Restricted Data

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

How To Protect Your Cloud From Attack

American International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2

Savitribai Phule Pune University

PLATFORM ENCRYPTlON ARCHlTECTURE. How to protect sensitive data without locking up business functionality.

SENSE Security overview 2014

ProjectManager.com Security White Paper

Our Key Security Features Are:

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

SECURITY INFRASTRUCTURE Standards and implementation practices for protecting the privacy and security of shared genomic and clinical data

John Essner, CISO Office of Information Technology State of New Jersey

Sync Security and Privacy Brief

Data Protection Act Bring your own device (BYOD)

Thick Client Application Security

Healthcare Compliance Solutions

e-authentication guidelines for esign- Online Electronic Signature Service

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Anatomy of a Cloud Computing Data Breach

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Security Controls for the Autodesk 360 Managed Services

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Alliance Key Manager Cloud HSM Frequently Asked Questions

Transcription:

Data Protection: From PKI to Virtualization & Cloud Raymond Yeung CISSP, CISA Senior Regional Director, HK/TW, ASEAN & A/NZ SafeNet Inc.

Agenda What is PKI? And Value? Traditional PKI Usage Cloud Security Challenge Solutions 2

Symmetric Encryption 1 key Symmetric Key Plain text 3%$hd @(987k Plain text One key used for both encryption and decryption Problem: How to get the one encryption key to both users.and make sure no one else gets a copy Problem: nc2 keys are needed for n users n =100 users, 4950 keys are needed n = 200 users, 19,900 keys are needed n = 300 users, 4,455,100 keys are needed 3

Asymmetric Encryption 2 keys Plain text Public Key 3%$hd @(987k Private Key Plain text Public key - Publish public key in directories etc. Private key - Keep private key close to your chest Encrypt with Public key Decrypt with Private key 4

Digital Signatures Doc Compute HASH Private Key Encrypt (*&^k *((898f digital signature original document Public Key Decrypt Decrypted HASH Compute HASH Compare Digital signature is a private key encryption of a HASH e.g. SHA-256 To test a document s authenticity Decrypt the signature Compare that to a computed HASH of the original document A digital signature has no effect on the original document 5

What is a digital identity? An asymmetric key pair assigned to a particular individual Implemented using a digital certificate Contains information about you name etc. plus your public key Certificate is digitally signed by a trusted source e.g. Hongkong Post, VeriSign It s like issuing a digital passport John Smith Private Key John Smith Public Key Certified & Signed by: How do you use your digital identity? Use your private key to digitally sign documents Others verify your signature with the public key on your certificate 6

What is a PKI? (Public Key Infrastructure) System to deploy and manage digital identities Issue digital identities Revoke digital identities Publish public keys via directories John Smith John Smith John Smith John Smith Certified by: Certified by: Certified by: 7

Value of PKI Create Digital Identity for User/Application/Device/Server in eworld to achieve John Smith Certified by: CA Web Server Certified by: CA Software Certified by: CA Confidentiality Data Encryption Integrity - Digital Signature Authentication Digital Signature Authorization - Certificate Non-repudiation - Digital Signature + Certificate 8

Traditional PKI Usage Customer Facing website like Online Banking, Secure Websites SSL Certificate in Web Server End User Certificate in USB-Token or Smart Card Critical Application in Gov SSL Certificate in Web Server Application Certificate in Critical Application Cross Border Identity Verification Electronic Passport Inter-bank financial transactions Server Application for Cross Border financial transaction Enterprise security solution 9

Virtualization & Cloud Mania Dense Virtualization Cloud Transition 39.4% of all servers virtualized Average enterprise has 470 virtual servers and 200 are mission critical By 2018, 86% of workloads will be running in virtual machines 60% of organizations with virtualization have private or public cloud computing in pilot or production 70% have VDI in pilot/production While IT is being pushed towards virtualization 10

Virtualized Infrastructure Physical Infrastructure Where s my Virtual Infrastructure? Full Control, Audit, etc. No Control Virtual Infrastructure My Data Center All Elements Visible No Visibility 11

Data Security Gaps Remain How secure is my data in a virtualized world? App OS VMs are easy to move. VMs are easy to copy (and steal). App OS App OS App OS App OS Hypervisor Hardware Layer App OS App OS VMs introduces a new class of privileged users and administrators - server, storage, backup, and application - all operating independently. Storage VMs have multiple snapshots and backups of data. Snapshots Backup 12

Contractual Reality Complete Transfer of Liability or Vague Language Amazon Web Services Customer Agreement Section 7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications. Salesforce Master Subscription Agreement 8.3. Protection of Your Data. Without limiting the above, We shall maintain appropriate administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Your Data. We shall not (a) modify Your Data, (b) disclose Your Data except as compelled by law in accordance with Section 8.4 (Compelled Disclosure) or as expressly permitted in writing by You, or (c) access Your Data except to provide the Services or prevent or address service or technical problems, or at Your request in connection with customer support matters. http://www.salesforce.com/company/msa.jsp http://aws.amazon.com/agreement/

Cloud Security Challenges User ID and Access: Secure Authentication, Authorization, Logging Data Co-Mingling: Multi-tenant data mixing, leakage, ownership Application Vulnerabilities: Exposed vulnerabilities and response Insecure Application APIs: Application injection and tampering Data Leakage: Isolating data Platform Vulnerabilities: Exposed vulnerabilities and response Insecure Platform APIs: Instance manipulation and tampering Data Location/ Residency: Geographic regulatory requirements Hypervisor Vulnerabilities: Virtualization vulnerabilities Data Retention: Secure deletion of data Application & Service Hijacking: Malicious application usage Privileged Users: Super-user abuse Service Outage: Availability Malicious Insider: Reconnaissance, manipulation, tampering Fundamental Trust & Liability Issues Data exposure in multi-tenant environments Separation of duties from cloud provider insiders Transfer of liability by cloud providers to data owners Fundamental New Cloud Risks New hypervisor technologies and architectures Redefine trust and attestation in cloud environments Regulatory Uncertainty in the Cloud Regulations likely to require strong controls in the cloud Logging & Forensics: Incident response, liability limitation Perimeter/ Network Security: Secure isolation and access Physical Security: Direct tampering and theft

PROBLEM Controlling Access to SaaS and Cloud Applications Keeping data secure when you don t own the system Enforcing Authentication Strategy in the Cloud Multi-Factor authentication required for any apps Cloud or Physical Likely even more critical for cloud-based applications Lower level of trust, invocation of additional regulatory requirements Authentication Sprawl Separate authentication systems for each cloud provider Operationally un-scalable Typical user password/authentication fatigue and weak passwords Preserving Flexibility Likely to use multiple cloud providers simultaneously Desire rapid re-provisioning to try new services Preserve options in chaotic cloud market The cloud market will consolidate- not if, but when KEY POINTS Single Sign On Access Federated Identities Seamless Integration Rapid Provisioning 15

SOLUTION Secure Access to SaaS: PKI-based Authentication Protect access to cloud-based applications via centrally managed authentication SaaS Apps Cloud Applications Salesforce.com Federated SSO to the cloud Goggle Apps Security Features Single authentication solution for both onpremise and cloud based applications User authenticates using enterprise identity Federate identities between on-premise solution to cloud based solutions using SAML 2.0 protocol PKI based Authentication to reduce the hassle for remembering password Google Apps and salesforce.com are supported out-of-the-box Authentication Manager 16

PROBLEM Securing Uncontrolled Virtual Instances Achieving compliant isolation and separation of duties in multi-tenant environments Unlimited Copying of Instances Instances could be copied without awareness No visibility to instance location, no audit trail Instances used by competitors and malicious users Enables unlimited brute force attacking Return to original copy for next iteration of password guessing Unsecured Container of Confidential Data Identical to lost or stolen laptop, except the instance is often a server Virtual nature of makes the potential surface area much larger Not just a single entity lost, potentially unlimited number KEY POINTS Data Isolation Separation of Duties Cloud Compliance Pre-Launch Authentication Multi-Tenant Protection 17

SOLUTION Secure Virtual Machines: Secure Instance (ProtectV ) Control virtual machines in the cloud with secure instance encryption and authentication Virtual Machines On-premise ProtectV TM Instance Hypervisor Virtual Server Secure Data Management (Supplemental Security Option): Manages encrypted instances Security policy enforcement Lifecycle key management Access control Security Features FIPS level pre-launch instance encryption Secure login interface (HTTPS) Certificate based authentication options Event logging and activation notification 18

PROBLEM Maintain Trust & Control in Virtual Storage Volumes Loss of ownership in a shared storage environments Issue of Data Leakage Requires trust in meta-tagging or data isolation strategy of cloud provider Risks from mis-configuration and cloud administrators Regulatory evidence of privacy and integrity controls Trust and Control Issues If cloud provider offers encryption: Proper Key Handling NIST Lifecycle compliance Strength, uniqueness, rotation, etc. NIST approved algorithms Administration trust Separation of Duties KEY POINTS Data Isolation Cloud Compliance Multi-Tenant Protection 19

SOLUTION Secure Virtual Storage: Secure Volume for Storage Servers Maintain data privacy in shared storage environments with encrypted data isolation On-premise Data ProtectV TM Volume Storage Virtual Server Secure Data Management (Supplemental Security Option): Manages encrypted instances Security policy enforcement Lifecycle key management Access control Security Features Multiple cloud storage options: Secure volume for storage servers Common network storage support Customer-based file encryption FIPS 140-2 Level 2 Security Certified Solution Centralized Policy and NIST 800-57 Key Lifecycle Management 20

PROBLEM Loss of Digital Ownership and Control Secure Digital Signing and PKI in the Cloud Proving you are you Where is root of trust in Digital Signing and PKI when it s all virtual? The challenge of attesting to ownership in a virtual world Maintaining Keys in clouds When your cloud provider handles keys Appropriate key material Proper lifecycle and policy handling Privileged user abuse The Cryptography and Entropy Problem Difficult to get true randomness in highly replicated and automated cloud Flaws in cryptographic functions have huge consequences KEY POINTS Broad cloud-based platform integration Application and data separation High performing virtual transactions 21

SOLUTION Secure Cloud-Based Identities and Transactions: Hardware Security Modules (HSM) Establish digital ownership and root of trust in virtual environments Private On-premise Public Hybrid Hardware Security Module Security Features Anchored root of trust for digital identities and transactions FIPS 140-2 Level 2 security Certified Solution Multi-host partitioning 20 100 per HSM Virtual platform support (Xen/Hyper-V/ESX-i) 3 rd party partner application support, and integration guides on virtual platforms Broad cloud-based platform integration Application and data separation High performing virtual transactions 22

Thank You! SafeNet Inc. www.safenet-inc.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information