Privacy in Public: How Organizations Can Securely Manage Sensitive Assets in the Cloud

November 25, 2011

Keith Hale

Director Northern EMEA

SafeNet, Inc.

#1 Inhibitor to Cloud Adoption is SECURITY
  • “…Worldwide demand for cloud computing services will reach $222.5 billion by the year 2015.” —Global Industry Analysts
  • “IDC predicts public cloud computing services alone will grow to $72.9 billion in 2015, up from $21.5 billion in 2010.” —


Cloud Security Challenges
  • User ID and Access: secure authentication, authorization, logging
  • Data Co-Mingling: multi-tenant data mixing, leakage, ownership
  • Application Vulnerabilities: exposed vulnerabilities and response
  • Insecure Application APIs: application injection and tampering
  • Data Leakage: isolating data
  • Platform Vulnerabilities: exposed vulnerabilities and response
  • Insecure Platform APIs: instance manipulation and tampering
  • Data Location/Residency: geographic regulatory requirements
  • Hypervisor Vulnerabilities: virtualization vulnerabilities
  • Data Retention: secure deletion of data
  • Application & Service Hijacking: malicious application usage
  • Privileged Users: super-user abuse
  • Service Outage: availability
  • Malicious Insider: reconnaissance, manipulation, tampering
  • Logging & Forensics: incident response, liability limitation
  • Perimeter/Network Security: secure isolation and access
  • Physical Security: direct tampering and theft

  • Fundamental Trust & Liability Issues
    • Data exposure in multi-tenancy
    • Separation of duties
    • Transfer of liability by cloud providers to data owners
  • Fundamental New Cloud Risks
    • New hypervisor technologies
    • Redefine trust and attestation
  • Regulatory Uncertainty in the Cloud
    • Regulations likely to require strong controls in the cloud
Data Mandates Extend to The Cloud. Period.
  • Externally Mandated
    • Governmental, regional, industry trade groups
    • Defines penalties and best practices
    • Increasingly force uncomfortable public disclosures
  • Internally Mandated
    • Core intellectual property
    • Safe harbor risk mitigation
    • Insider abuse concerns
    • Crusader abuse (WikiLeaks)
  • Overlapping Mandates
    • Globalization of business
    • International nature of the Internet
    • Nearly a guarantee
Key Considerations for Adopting Cloud
  • What worked for the data center doesn’t necessarily translate into the cloud
  • Re-evaluate your security framework and architectures
Private Cloud vs Public Cloud

Slide graphic: a security scale running from Low Danger to High Danger (labelled Very Risky / Pretty Risky / Low Danger), positioning private and public cloud along it.

  • Private Cloud
    • Secure Management
    • Hypervisor choice
    • Self-service Provisioning
    • Centralized Policies
    • CapEx
  • Public Cloud
    • Cloud Provider Owns Infrastructure
    • Burst to Cloud On-demand
    • Elastic, Pay-as-You-Go
    • Utility Pricing
    • OpEx
The Cloud Changes All Security Assumptions
The perimeter-based security model dissolves
  • Data Protection Assumed a Fixed Perimeter
    • Organization owns physical access
    • Organization owns OS stack
    • Organization owns application stack
  • Traditional Security Controls Centered Around Perimeter Fortification
    • Established standards for process and physical controls
    • Controlled perimeter VLANs, firewalls, IPS for the OS stack
    • Controlled patch management, code review, host security for the application stack
  • BUT the Perimeter Does Not Exist in the Cloud
    • Physical, switch fabric, OS, application stack, etc. are owned by the cloud provider
    • Applications and data are created and deleted dynamically
    • No visibility into cloud security controls
    • No standards of due care for cloud providers

Slide diagram: Cloud Owned Infrastructure.

Driving Clarity in Shared Responsibility
IaaS draws a clean and clear line of demarcation

Slide diagram: a layered stack with the demarcation line between the provider's layers and the customer's.
  • IaaS Responsibility: Power & HVAC; Hardware & Networking; Abstraction Layer & Hypervisor; Virtualization APIs
  • Your Responsibility: Data Engine & Platform APIs; Application Engine; Application Presentation & APIs
The right-hand column labels three “as a Service” tiers; the tier names are truncated in the transcript.
Using the Uniqueness of IaaS to Focus PCI Efforts

Focusing on the Right Issues
  • Some new controls may be needed: take a close look at Section 3.4
  • Some controls remain the same, including PCI
    • Scan & Report: pen-test, web scanning, etc.
    • MFA, IAM integration, entitlement management
    • Vulnerability Management: code review/scan, developer education, QA, etc.
    • App/DB/File Data Protection: app/DB/file encryption, DAM/FAM, process, etc.
    • Patch Management: patch process, news lists, patch management
    • Telemetry & Reporting
  • Isolation and Control Area: centered around demarcation and the associated trust boundary
    • Instance Authentication/Authorization
    • Instance Isolation

Emergence of Encryption as a Unifying Cloud Security Control

  • “Strong encryption with key management is one of the core mechanisms that Cloud Computing systems should use to protect data. While encryption itself doesn’t necessarily prevent data loss, safe harbor provisions in laws and regulations treat lost encrypted data as not lost at all. The encryption provides resource protection while key management enables access to protected resources.”
  • - Cloud Security Alliance, “Security Guidance for Critical Areas of Focus in Cloud Computing”
  • Encryption is a fundamental technology for realizing cloud security
    • Isolates data in multi-tenant environments
    • Recognized universally by analysts and experts as the underlying control for cloud data
    • Sets a high-water mark for demonstrating regulatory compliance for data
  • Moves from a data center tactic to a strategic cloud solution
    • In the data center, physical controls, underlying trust in processes, and isolation reduced the need for encryption
    • Those mitigating trust factors don’t exist in the cloud
  • “Companies are looking to protect data in the cloud through encryption keys and robust key management. This enables companies to secure data from breaches as well as prevent the cloud provider from accessing the information if they decide to end their relationship with the cloud provider.”
  • - Frost and Sullivan, Michael Suby
  • “Encryption is one of the best ways to secure corporate data in the cloud, but it has to be encryption that the company controls.”
  • - Forrester Research, Jonathan Penn
Examples of Cloud Use Cases
  • Strong Authentication for SaaS Applications
  • Protecting Customer Data in the Cloud
  • Taking Cloud-based Data Out of Compliance Scope

Use Case 1: Authentication Manager

Business Challenges
  • Security! Critical business info is now outside the data center but is protected only with a username and password
  • Management Headaches! IT has to manage provisioning and access controls for on-premise and SaaS applications
  • Usability! Employees need to remember multiple credentials to access several applications
Deployment: Extend Secure Access to the Cloud with an Authentication Manager and achieve:
  • Security: secure access for on-premise and SaaS applications
  • IT Friendly: centrally manage all secure access from one authentication server
  • Employee Friendly: provide easy logon for employees with SSO

Slide diagram: the user authenticates using their enterprise identity against the Authentication Manager, which then grants access to cloud applications (SaaS apps, Google Apps).

Use Case 2: Protecting Customer Data in the Cloud

Business Challenges

Slide diagram: companies are moving customer information into the cloud, but it needs to stay safe!

Possible Deployment Scenario
  • Deploy the encryption device on-premise in the traditional datacenter.
  • Deploy the DB encryption connector and the application encryption connector in the cloud.

Customers get the same level of security in the cloud and the data remains compliant.

Slide diagram: encryption device on-premise; App Connector and DB Connector in the cloud, with local crypto and key caching.

Use Case 3: Taking Cloud-based Data Out of Compliance Scope

Business Challenges
  • Organizations have to show compliance even if their data is in the cloud.
  • Many cloud-based applications just store sensitive information but don’t process it.
  • Encryption is one option for protecting sensitive data, but it keeps the servers handling sensitive data within compliance scope.
  • How can organizations capitalize on the business benefits of cloud-based deployment and take the applications that just store information out of scope?

Tokenization:
  • Replacement of sensitive data with data of a similar size that is not sensitive (a “token”)
  • 1-to-1 mapping of tokens to sensitive data
  • Customization of token formats
  • Systems with tokens are taken out of scope of compliance audits such as PCI
  • Data protection is “transparent”: no changes to database tables or file layouts
  • No application changes for systems that don’t deal with the original data

Slide diagram: token servers inside a Protected Zone sit between the applications and the stored data; the two sample values 7654 3219 8765 4321 and 1234 5678 9123 4567 appear on both sides of the token servers, illustrating the 1-to-1 mapping between a sensitive value and its token.
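The tokenization properties listed above (same-size non-sensitive token, 1-to-1 mapping, customizable format, no schema change for consumers) are easiest to see in code. The following is an added example, not SafeNet code and not taken from the slides: an in-memory stand-in for the on-premise token vault. The class name `TokenVault`, the HMAC-indexed lookup, and the `keep_last` format option are assumptions of this example; the sample card number is the one shown on the slide, with the spaces removed.

```python
"""Added example (not from the slides): a minimal tokenization vault."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical token vault. Lives on-premise, inside the protected zone;
    the cloud-side systems only ever see the tokens it hands out."""

    DIGITS = "0123456789"

    def __init__(self, lookup_key: bytes, keep_last: int = 4) -> None:
        # The vault is indexed by HMAC(sensitive value) so the plaintext is
        # never used as a dictionary key; reverse lookups go token -> value.
        self._lookup_key = lookup_key
        self._keep_last = keep_last            # format option: preserve trailing digits
        self._by_fingerprint: dict[str, str] = {}   # HMAC(value) -> token
        self._by_token: dict[str, str] = {}         # token -> value (the sensitive side)

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._lookup_key, value.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, value: str) -> str:
        # Same length and character class as the input so it fits the existing
        # column; the trailing digits are kept for display/matching if requested.
        head_len = len(value) - self._keep_last
        head = "".join(secrets.choice(self.DIGITS) for _ in range(head_len))
        return head + value[-self._keep_last:] if self._keep_last else head

    def tokenize(self, value: str) -> str:
        """Return the token for `value`, creating one if it is new (1-to-1)."""
        if not value.isdigit():
            raise ValueError("this example vault only handles numeric values")
        if self._keep_last >= len(value):
            raise ValueError("keep_last must leave at least one digit to randomize")
        fp = self._fingerprint(value)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]    # same input -> same token
        while True:
            token = self._new_token(value)
            # A token must never equal the value it replaces and must be unused,
            # otherwise the mapping would not be one-to-one.
            if token != value and token not in self._by_token:
                break
        self._by_fingerprint[fp] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only callers inside the protected zone should reach this."""
        return self._by_token[token]           # KeyError for an unknown token


def cloud_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the cloud-hosted application stores: the token has the same width as
    the original, so the table layout is unchanged and the sensitive value
    never leaves the protected zone."""
    return {"customer": customer, "pan_token": vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32), keep_last=4)
    sample_pan = "1234567891234567"           # sample value from the slide
    record = cloud_record(vault, "constructed-customer", sample_pan)
    print("stored in the cloud:", record)
    print("resolved on-premise:", vault.detokenize(record["pan_token"]))
```

Because the mapping is random rather than derived from the value, an attacker who obtains the cloud database learns nothing about the original numbers without the vault; the format-preserving token is what lets the downstream systems that only store the value stay unchanged and outside the audit boundary.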

Possible Deployment Scenario
  • Deploy the encryption device and the token vault on-premise in the traditional datacenter.
  • Deploy the Tokenization Service in the cloud or on-premise to serve tokenization requests.
  • Virtual application servers and databases serving business needs remain in the cloud.

Slide diagram: encryption device on-premise.

The Problem of Protecting Cloud Data
Unique challenges to protecting data
  • Virtual Instances
    • Entire servers, applications, databases, etc. virtualized
    • Unsecured container of sensitive data
    • Susceptible to unlimited copying
    • Exposed to uncontrolled brute force attacks
  • Data in the Cloud
    • Isolation: will live in multi-tenant environments
    • Ownership: will be highly mobile/copyable and exposed to co-resident lawful order surrender
    • Privileged users: will be exposed to cloud admins
  • Virtual Storage
    • Data leakage exposure to physical and logical storage breach
    • Accessible to cloud administrators
    • Risk of data disclosure from misconfiguration or unanticipated changes in privacy terms
    • Cloud-offered encryption suffers from separation-of-duties and audit-level encryption problems
ProtectV – Protection of Data in the Cloud
Managing ProtectV instances across the cloud
  • Cloud APIs and Web Services
    • Authentication automation
    • Bulk operations
  • SafeNet ProtectV Manager
    • Provides centralized management
    • Supports either customer-premise or cloud deployments
    • Manages and coordinates ProtectV security
    • Open APIs to cloud management
  • SafeNet KeySecure (on premise)
    • Centralizes key management for persistence and flexibility
    • Secure key creation and storage
    • Key archiving and shredding
    • Easy integration with ProtectV Manager
SafeNet Data Protection Product Portfolio
  • Strong Authentication: offering the broadest range of authenticators, from smart cards and tokens to mobile phone authentication, all managed from a single platform
  • Data Encryption and Control: SafeNet’s DataSecure, a universal platform delivering intelligent data protection and control for information assets
  • High-Speed Network Encryption: SafeNet high-speed network encryptors combine the highest performance with a unified management platform
  • Offering the most secure and easiest-to-integrate technology for securing PKI identities and transactions