THE DATA PROTECTION COMPANY

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

Whitepaper

Executive Summary

Long an important security measure, encryption has emerged as a critical component of ensuring compliance in virtualized data centers and cloud environments. However, for encryption to be implemented effectively, efficiently, and securely in these emerging environments, several fundamental requirements must be met. This paper provides an overview of these requirements.

Introduction

Organizations around the world, of every type and size, from smaller start-ups to the Fortune 50 and from local municipalities to the largest government agencies, are growing increasingly reliant upon virtualized data centers and cloud services. While the economics and flexibility afforded by these models are unassailable, so too are the fundamental security ramifications. While relying on a cloud provider frees an organization's internal teams to focus on more strategic endeavors, it also raises fundamental questions and concerns regarding control, ownership, and compliance.

While virtualization can enable greater infrastructure utilization and agility, the dynamic nature of these environments can pose significant security challenges. For example, the contents of virtual machines can be much easier to copy and steal than assets on physical servers. Further, snapshots and backups can proliferate rapidly and, if unsecured, can be harvested for sensitive data. In cloud and virtualized environments, additional tiers of administrators with high-level access and controls can upend many of the security checks and balances that security teams employed in the past. Finally, while already stretched security teams try to contend with these new realities, they cannot turn their backs on the old ones; traditional security responsibilities still need to be met.
For all these reasons, encryption, long a critical requirement for many organizations and use cases, grows even more essential. With encryption, organizations can maintain control over who can access which data, even when that data resides in dynamic virtual environments or externally hosted cloud platforms. When security teams look to leverage encryption in the cloud and virtual data center, there are several critical requirements they must meet if they are to be truly effective in addressing their policies and objectives. The following sections offer an overview of these requirements.
Requirement #1: Comprehensive Encryption

To effectively safeguard sensitive data in cloud and virtual environments, security teams need to employ comprehensive, multi-layered encryption. By doing so, organizations gain holistic security that guards against a range of potential threats. The following are some of the key capabilities that comprise a comprehensive encryption approach:

System partition-level encryption. Virtual machines (VMs) are vulnerable not just to online attacks but to offline attacks as well. To provide the full range of protection, organizations need to leverage comprehensive encryption. This requires encrypting not just the storage volume but also the system partition, which is where the operating system (OS), applications, cached data, page files, and more reside. Consequently, it is critical to ensure that policies for access and encryption are enforced at the system partition level.

Pre-launch authentication and boot volume protection. Organizations need to ensure they have capabilities for pre-launch authentication and boot volume protection. This is essential to ensuring that only VM owners have control over VM access. Employing authentication at the user level enables control over which resources can be accessed, when, and by whom. Therefore, when a VM launches, only authorized users can access the OS partition. Without these protections, unauthorized users could launch virtual machines and access whatever is stored in the system and other partitions.

Key management. Any time encryption is employed, effective key management is a critical requirement. In encrypted environments, keys effectively are a proxy for the data they protect. If keys are compromised, so is the data. If keys are lost, stolen, or unavailable, so is the data. Toward that end, organizations need to ensure cryptographic keys are available and secure at all times. (See Requirement #2 for more on this requirement.)
Requirement #2: Secure Cryptographic Keys

When organizations deploy encryption in virtualized and cloud environments, key management represents a critical task, and it is one that must be sustained over the long term. The following are some essential approaches to ensuring these keys remain secure:

Central key storage. By centralizing keys in a secure, purpose-built repository, security teams can more effectively govern their usage and ensure policies are applied more consistently.

Lifecycle management. To manage keys effectively, security teams need to be able to manage keys efficiently according to internal policies and mandates. This necessitates capabilities for managing keys throughout their lifecycle, including creation, rotation, backup, and deletion.

High assurance. Keys need to be stored in a fashion that ensures they will be available when needed. This is essential to ensuring that business-critical transactions and processes can continue as required. Key repositories should deliver responsive performance, fault tolerance, and replication and failover to ensure keys are continuously available. While hardware-based key management can offer the most rigorous security controls, for those that choose to manage keys in a fully virtualized environment, keys should be stored in an encrypted format and reside within an encrypted, hardened, and tamper-resistant virtual appliance.

Standards support. Whenever possible, look to leverage key management platforms that are compliant with the OASIS Key Management Interoperability Protocol (KMIP). By doing so, organizations can begin to centralize key management across multiple encryption platforms, including those from multiple vendors, which provides a range of benefits. For example, organizations can further reduce the number of locations housing cryptographic keys, which is more secure and more efficient from an administrative standpoint. Further, organizations can realize these benefits while fully leveraging their existing investments in encryption platforms.
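The key management points of Requirements #1 and #2 (keys as a proxy for the data, keys stored only in encrypted form, rotation without disruption), shown as an added example that is not part of this whitepaper or of any SafeNet product: a volume image is sealed under its own data key (DEK), the DEK is stored only wrapped under a repository key-encryption key (KEK), and rotating the KEK re-wraps the DEK without rewriting the volume. The function names, the 12-byte nonce-prefix layout, and AES-256-GCM as the wrapping cipher are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes draws keys and nonces from the OS CSPRNG; with no entropy it stops rather than continue.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// aead returns AES-256-GCM for a 32-byte key; any other key length is a programmer error here.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
// seal prepends a fresh 12-byte nonce; open reverses it and fails authentication under a wrong key.
func seal(key, pt []byte) []byte {
	nonce := randBytes(12)
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("sealed blob too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}
// EncryptVolume seals a partition image under a fresh data key (DEK); the DEK is returned wrapped under the KEK.
func EncryptVolume(kek, image []byte) (ciphertext, wrappedDEK []byte) {
	dek := randBytes(32)
	return seal(dek, image), seal(kek, dek)
}
// RotateKEK re-wraps the DEK under the new KEK; the volume ciphertext is never rewritten.
func RotateKEK(oldKEK, newKEK, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(oldKEK, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return seal(newKEK, dek), nil
}
```

Without the current KEK the wrapped DEK cannot be opened, so the volume is unreadable; losing the repository key is losing the data, which is why backup and replication of the repository matter as much as the encryption itself.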
Requirement #3: Central Security and Policy Management

Traditionally, organizations have run into significant challenges when managing encryption in a disparate fashion, for example, employing one vendor's platform for encrypting data in databases, another platform for storage encryption, and so on. When multiple platforms are deployed, it grows increasingly complex and time consuming to ensure that policies are consistently enforced across each of these areas. These challenges are only exacerbated when organizations migrate into virtualized and cloud environments. Consequently, it is critical to employ encryption in a coordinated, enterprise-wide fashion. For example, look to employ an enterprise encryption platform that provides the flexibility to encrypt both virtual servers and physical platforms and to apply policies to them centrally and consistently.

Requirement #4: Deliver High Performance

Organizations need to ensure that, when employing encryption, they are not negating the scalability and performance advantages of virtualized and cloud computing models. Thus, decision makers need to select platforms that deliver high performance and the capacity to scale as demand dictates. In VMware environments, look for platforms that support Advanced Encryption Standard New Instructions (AES-NI), which enables significantly faster performance of applications running AES encryption. Encryption platforms should be architected to run in a redundant fashion so that, in the event of any system failure, a backup system can continue to support the required workload. Further, the platform should be set up for remote backup and synchronization in order to support disaster recovery objectives.

Requirement #5: Flexible, Easy Integration

If encryption is too complex or time consuming to implement, it simply will not be practical to deploy, whether in a physical data center or in dynamic virtualized and cloud environments. Leverage encryption platforms that provide open and flexible APIs that enable automation and integration with virtual server provisioning systems. In cloud environments, look for offerings that provide an administrative console or APIs that enable seamless integration with the cloud provider's user interface, supporting such tasks as policy updates, user and role assignments, and event management. Also, look for a single platform that can support both cloud and virtual environments. Finally, look to leverage encryption platforms from vendors that are focused on security and that have proven support infrastructure suitable for demanding, large-scale enterprise encryption deployments.

Requirement #6: Enforce Governance and Compliance Controls

When migrating into the cloud and virtualized data center, all relevant compliance mandates and policies must still be adhered to. To ensure compliance mandates are met, the following are a few of the most critical requirements:

Proof of ownership. Fundamentally, the lines of responsibility between cloud provider and customer must be clearly delineated, but, ultimately, the customer needs to have complete ownership of critical assets at all times. This holds true whether it is an organization working with a third-party cloud provider or a department working with an IT organization running a private cloud or virtualized data center.

Single audit point. The more an organization has a central, secure means for tracking all activities surrounding encryption, the better it will be able to furnish evidence for compliance auditors, not to mention monitor security status and follow up in the case of a breach.
Complete auditability. When it comes to encrypted information, every authorization event and access attempt must be tracked. Under many mandates, it is vital that any access to encrypted data or administrative functions can be attributed to a specific individual or individuals who are held accountable.

Granular administrative controls. Organizations must be able to separate administrative duties in order to comply with mandates such as the Payment Card Industry Data Security Standard (PCI DSS). Within virtual and cloud environments, one implication of this is that the super user administrators responsible for the cloud or virtual infrastructure cannot have unhindered privileges or unfettered access to data. On a practical level, if an administrator can access data housed on a VM without first authenticating to the VM, an organization cannot enforce or demonstrate separation of duties.

Conclusion

For almost every advantage of cloud and virtual computing, there is also an associated security risk. By addressing the requirements outlined in this paper, organizations can move forward more aggressively with their cloud and virtualization initiatives without jeopardizing the security of their sensitive data or the solidity of their compliance status.

About SafeNet ProtectV and SafeNet KeySecure

Today, SafeNet enables organizations to leverage the business benefits of virtualization and cloud services while helping to meet their governance, compliance, and data protection requirements. With SafeNet ProtectV, organizations can encrypt and secure entire virtual machines and physical servers, enabling consistent security policy enforcement across the organization so that sensitive assets are protected from theft or exposure. ProtectV can be deployed in public clouds, private clouds, virtual data centers, and on physical servers inside the data center.
The solution is efficiently deployed in highly dynamic virtual and cloud environments, so organizations can retain complete control over keys and sensitive assets while embracing the opportunities provided by virtualization and cloud delivery models. ProtectV is a virtual server-based solution, which enables it to adapt on the fly to the fluidity of virtual and cloud environments. At the same time, ProtectV is seamlessly integrated with SafeNet KeySecure, a high availability, appliance-based key management solution that provides a hardened root of trust within the customer's premises. ProtectV addresses all the key requirements for effectively employing encryption in cloud and virtualized environments:

Comprehensive encryption. ProtectV delivers full VM encryption with pre-launch authentication that features protection at the user level. This enables security teams to apply authentication controls over which resources can be accessed, when, and by whom. When a VM launches, only authorized users can access the OS partition. Featuring support for robust encryption algorithms, including FIPS-approved AES 256 and 3DES, ProtectV enables organizations to apply strong protection to their sensitive assets.

Secure key management. Through its integration with KeySecure, ProtectV enables organizations to leverage a hardened appliance for securing keys, policies, and cryptographic processing. KeySecure simplifies the management of encryption keys while ensuring keys are secure and always available to authorized users. KeySecure automates the backup and distribution of keys across an enterprise; it safeguards keys against theft, tampering, and unexpected system failures, providing centralized management of encryption keys and policies. The solution supports lifecycle management of keys and offers full audit trails on all cryptographic key activities.

Central security and policy management. Using the solution's management console and/or APIs, administrators can simultaneously manage encryption in multiple environments.
Through its integration with KeySecure, ProtectV enables unified management of encryption keys and policies. Through KeySecure's KMIP support, organizations can centrally manage a number of encryption solutions, including those for storage, tape libraries, SAN switches, applications, and more.

High performance and scalability. ProtectV and KeySecure offer support for replication and failover, which enables organizations to ensure the availability and scalability of critical keys and cryptographic processing. Further, with this scalability, organizations can leverage KeySecure across any number of data centers, cloud deployments, encryption implementations, and regions. Through its support for AES-NI, ProtectV delivers maximum throughput and responsiveness.

Flexible, easy integration. ProtectV offers complete support for automated, highly dynamic virtual environments, which is vital both to ensuring critical security mechanisms are consistently enforced and to streamlining security administration. ProtectV features APIs that enable flexible integration in cloud and virtual environments. With these APIs, organizations can configure a range of commands, including setting or retrieving cloud credentials, listing the virtual machines secured, starting or stopping virtual machines, and more. Through its integration with KeySecure and other SafeNet security solutions, ProtectV can efficiently support expanded cryptographic services. Consequently, the solution represents an investment that can be leveraged over the long term, even as infrastructures, business objectives, and security requirements evolve.

Effective governance and controls. ProtectV provides audit trails for all security operations, so organizations can ensure compliance with relevant policies and mandates and efficiently demonstrate compliance to auditors. With this solution, organizations can realize granular controls over data access. For example, even if some administrators require privileges for moving or managing virtual machines, security teams can still enforce policies so that those administrators cannot actually decrypt and access the sensitive data held on those virtual machines. With ProtectV, security teams can control whether a virtual machine can be launched and by whom.

About SafeNet

Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNet's data-centric approach focuses on the protection of high-value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com

Follow Us: www.safenet-inc.com/connected

2013 SafeNet, Inc. All rights reserved. SafeNet and the SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-03.08.2013