Cloud Security Case Study Amazon Web Services Ugo Piazzalunga Technical Manager, IT Security ugo.piazzalunga@safenet-inc.com
Agenda 1. Amazon Web Services challenge 2. Virtual Instances and Virtual Storage Protection 3. AWS Data Security - User Experience 4. Scalability, Management, Key Security 5. SafeNet Trusted Cloud Fabric 2
The challenge help customers meet compliance requirements including PCI DSS, SOX, HIPAA, EU data privacy dir. IN THE CLOUD 3
The Problem of Protecting Cloud Data Unique challenges to protecting data Virtual Instances Entire servers, applications, databases, etc. virtualized Unsecured container of sensitive data Susceptible to unlimited copying Exposed to uncontrolled brute force attacks Data in the Cloud Will live in multi-tenant environments Will be exposed to cloud admins Will be highly mobile/copyable Exposed to co-resident lawful order surrender Suffer from data destruction and retention uncertainty Virtual Storage Data leakage exposure to physical and logical storage breach Accessible to cloud administrators Risk of data disclosure from misconfiguration or unanticipated changes in privacy terms Cloud offered encryption suffers from separation of duties 4
Smarter Compliance and Security Attaching and enforcing control directly on Data DATA RBAC Perimeter Attacker RBAC Encryption DATA Perimeter solutions apply security around data Solutions fundamentally can t solve data protection Provides diminishing returns on investment Constantly being breached and failing audits Doesn t apply well in the cloud Data encryption attaches security directly on data Protection follows the data Solves separation of duties Solves multi-tenant data isolation (internal department and cloud) Can reduce overall audit scope Delivers granular audit records Directly addresses breach and leakage projects Limit scope of breaches Adheres to safe harbor provisions in most disclosure laws 5
SafeNet Virtual Instance and Storage Protection SafeNet ProtectV server- and storage-based encryption, customers can now protect compliance-impacted data stored on virtual machines and storage volumes running on both cloud and virtualized data centers. ProtectV Instance enables organizations to encrypt and secure the entire contents of virtual servers, protecting these assets from theft or exposure. ProtectV Volume enables enterprises to secure entire virtual volumes in the cloud containing their data such as files or folders. ProtectV Manager enables enterprises to deploy cloud security in large scale, enabling the elasticity and agility of security for the cloud. Delivers: Data isolation Separation of duties Large scale deployment Cloud compliance Pre-launch authentication Multi-tenant protection 6
SafeNet ProtectV on Instances ProtectV Protection Entire instance encrypted, protecting OS Attached volumes encrypted Encrypt all data written to disk OS does not boot without authentication Central Key Management for strong control Resists brute-force attacks on keys Supports AWS and other hypervisors (e.g. VMware) Encrypted Instance AES 256 Pre-Launch Authentication Policy + Key Management Cloud/ Virtual Servers Cloud/ Virtual Storage Protected Volumes 7
Ok, It s Go Time! ProtectV for AWS Experience 3 Steps to Getting Started Today Step 1: Step 2: Sign up for your FREE TRIAL http://www2.safenet-inc.com/aws/register.asp Select AMIs you can choose from 4 AMIs with SafeNet s ProtectV software for Windows preinstalled: 32-bit Windows Server 2008 AMI ID: ami-e85ead81 64-bit Windows Server 2008 AMI ID: ami-d45eadbd 32-bit Windows Server 2003 AMI ID: ami-2e57a447 64-bit Windows Server 2003 AMI ID: ami-3257a45b Step 3: Activate AMI encryption. Here you ll set up the prelaunch environment (username password/authentication credentials). The encryption will run transparently so customers can continue running their machines during the encryption process. It is estimated to take 45 minutes to 1.5 hours to encrypt 30GB. 8
ProtectV and Scaling in AWS Managing ProtectV instances across the cloud Centralized Management Cloud APIs and Web Services Authentication Automation Bulk operations SafeNet KeySecure(on Premise) Centralizes key management for persistence and flexibility Secure key creation and storage Key archiving and shredding Easy integration with ProtectV Manager SafeNet ProtectV Manager Provides centralized management Supports either customer premise or cloud deployments Open APIs to cloud management Manages and coordinates ProtectV Security 9
ProtectV Manager Key benefits and features Integrated Management and Dashboard Centrally manage configuration and policy for all ProtectV deployments Central dashboard for status and events Performance Optimized for Cloud Deployments In-cloud location for rapid encryption management Low latency key management Rapid discovery and initialization Key and policy initialization for new images Cloud Management Integration Fully exposed APIs for cloud management automation Enables rapid provisioning and elastic scalability SOAP and CLI interfaces Full set of published actions: startprotectinstance, getvolume, activateinstance, getvolumestatus, adduser, deleteuser, assignrole, protectvulmes, etc. Interface with external syslog logging systems Continual operations ProtectV Manager high availability Policy and Control Management Fine grain control of user access to ProtectV protected systems Integrates with customer controlled key management and trust anchoring SafeNet KeySecure 10
ProtectV Key Management Maximizing security and operational effectiveness Enforces Maximum Security Granular AAA tied to keys Adheres to strongest established crypto algorithms Overcomes inherent weakness of password-based keys FIPS 140-2 Level 3 (in process) Delivers Maximum Operational Agility Enables dispersed ProtectV deployments Cross availability zones, data centers, cloud providers Prevents data loss No more lost keys Supports key lifecycle through Enterprise Key Management Coordinates across encryption solutions- databases, storage, cloud, etc. Accessible and available for storage and tape archiving Key Management Options Part of ProtectV Manager KeySecure solution for large scale deployments and high root of trust requirements Hardware Security Management for maximum secure key storage SafeNet KeySecure 11
Solving Today s Core Cloud Security Barriers with SafeNet Trusted Cloud Fabric Business Goals SafeNet Cloud Solution 1 Controlling 2 Achieving Access to SaaS Applications; Federating Identities Compliant Isolation and Separation of Duties in Multi- Tenant Environments Secure Access to SaaS: SafeNet Multi-Factor Authentication Secure Virtual Machines: SafeNet ProtectV Instance 3 Maintaining Trust & Control in Virtual Storage Volumes 4 Secure Cloud Applications Without Impacting Performance; Maintain Ownership of Keys Secure Virtual Storage: SafeNet ProtectV Volume and StorageSecure Secure Cloud Applications: SafeNet DataSecure, KeySecure, and ProtectApp 5 Secure 6 Connect Digital Signing and PKI in the Cloud Securely to Private Clouds Secure Cloud-Based Identities and Transactions: SafeNet HSM Secure Cloud-Based Communications: SafeNet HSE 12
Resources: SafeNet http://safenet-inc.com/cloudsecurity Videos White Papers Blog: http://data-protection.safenet-inc.com/ www.cloudsecurityalliance.org Regulatory Mapping Document Threat Document Guidance Document 13
14