Welcome to the SafeNet Executive Day! (Gemalto, 2013-06-10)
New Horizons in Information Security
Data protection in the age of Cloud and Virtualization
Rami Shalom, VP, DEC Product Management, SafeNet
State of Data Security
• Security professionals believe they will suffer a breach.
• Organizations continue to rely on the same technologies.
• Doubt in security industry's ability to detect and prevent breaches.
• Recognition that if perimeters failed, high value data would not be safe.
*Based on a SafeNet Survey of 230 security professionals.
Cloud migration has a lot to do with it…
Loss of Control Creates New Security and Compliance Concerns
[wrt Virtualization, Forrester] The insider threat elevates privileged user management to a whole new level: "I'll see your domain admin and raise you one virtualization admin account."
My Datacentre
• My Facility
• My machines
• My admins
• My control
• My responsibility
• My accountability
(workload boxes: Finance, Compliant, Customer Regulated Data, Development)
Cloud - Starting Point, Direction, Destination
• Financial: 70% Reduction in IT Infrastructure spend (VMware)
• Quality: Automation reduces the volume of incidents by 27%, and event and incident handling time by 40% (VMware)
• Agility: Provisioning in minutes (from weeks!)
(chart: Value on the vertical axis; Starting Point -> Direction -> Destination)
© SafeNet Confidential and Proprietary
Our Datacentre
• Our facility
• Our machines
• Our admins
• Our control
• Our responsibility
• My accountability
Their Cloud
• Their facility
• Their machines
• Their admins
• Their control
• Their responsibility
• My accountability
(workload boxes on both sides: Finance, Compliant, Customer Regulated Data, Development)
Cloud Adoption and Security Concerns Creating the Perfect Storm
• Cloud adoption nascent but soaring because of ROI potential: IaaS alone $2.4B -> $6.8B in 3 years
• Security concerns are the overwhelming #1 concern for moving to the cloud.
451 Group, August 2012 report
Who Said?
"Despite the acknowledged benefits of cloud computing, wide scale deployment of cloud computing services can trigger a number of data protection risks, mainly a lack of control over personal data as well as insufficient information with regard to how, where and by whom the data is being processed/sub-processed."
ARTICLE 29 DATA PROTECTION WORKING PARTY, Opinion 05/2012 on Cloud Computing, Adopted July 1, 2012
It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.
The risk.
Securing The Traditional Infrastructure
Involves securing:
• Datacenter Facilities (Locked doors, alarms, surveillance cameras)
• Physical Network (Firewalls, Routers, VPNs, IDS & IPS)
• Physical Storage (Separate networks, wipe drives)
• Physical Servers (OS updates, disable services, antivirus, enable logging)
• Applications (Apply security patches, run with minimal system privileges)
• Users/Administrators (Directory Services, logging, force password resets, enable two-factor authentication)
Virtualization Introduces Additional Components to the Datacenter
Datacenter Facilities
Physical Networks
Virtual Networks
Physical Storage
Virtual Storage
Physical Servers
Hypervisor
Virtual Machines
Applications
Users/Administrators
Virtual Administrators
Virtualization Vulnerabilities
Securing the Virtualization Layer
(layers: Virtual Networks, Virtual Storage, Hypervisor, Virtual Machines (VM), Virtual Administrators)
• Management Isolation: Jumpbox, indirect access
• Administrator Isolation: Domain admins, protect root
• Virtual Machine Isolation: Protect multiple VMs per host
• Hypervisor Hardening: Follow hardening guide, apply security updates, host firewall
• Storage Isolation: Restrict access, enable CHAP for iSCSI, separate network/VLAN
• Network Isolation: Separate vMotion, FT, storage, mgmt and VM traffic; disable promiscuous mode; VM traffic may not reach the physical network, so logical controls are needed
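A small audit of the storage and network isolation items in this checklist, added here as an example that is not from the SafeNet deck: it runs over a constructed description of one host's port groups and iSCSI settings and reports promiscuous mode, VLANs shared between traffic classes, and CHAP being off. The inventory layout and field names are assumptions for the example, not a real hypervisor API or configuration export.

```python
# Added example (not from the SafeNet deck). The host inventory format below is
# an assumption for this example, not a real hypervisor API or config export.
from collections import defaultdict

# Constructed sample: a weakly configured host that breaks three checklist items.
SAMPLE_HOST = {
    "portgroups": [
        {"name": "Management", "role": "mgmt", "vlan": 10, "promiscuous": False},
        {"name": "vMotion", "role": "vmotion", "vlan": 10, "promiscuous": False},
        {"name": "FT", "role": "ft", "vlan": 20, "promiscuous": False},
        {"name": "iSCSI", "role": "storage", "vlan": 30, "promiscuous": False},
        {"name": "VM Network", "role": "vm", "vlan": 10, "promiscuous": True},
    ],
    # chap: "none", "unidirectional" or "bidirectional"
    "iscsi": {"enabled": True, "chap": "none"},
}


def audit_isolation(host):
    """Return the checklist violations found on one host (empty list = clean)."""
    findings = []
    roles_per_vlan = defaultdict(set)

    for pg in host["portgroups"]:
        roles_per_vlan[pg["vlan"]].add(pg["role"])
        if pg["promiscuous"]:
            # Promiscuous mode lets a guest see every frame on the virtual switch.
            findings.append(f"promiscuous mode enabled on port group '{pg['name']}'")

    for vlan, roles in sorted(roles_per_vlan.items()):
        if len(roles) > 1:
            # vMotion, FT, storage, management and VM traffic each need their own
            # VLAN; a shared VLAN lets one traffic class reach or observe another.
            findings.append(f"VLAN {vlan} shared by traffic classes {sorted(roles)}")

    if host["iscsi"]["enabled"] and host["iscsi"]["chap"] == "none":
        # Without CHAP the storage target does not authenticate initiators at all.
        findings.append("iSCSI enabled without CHAP authentication")

    return findings


if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_HOST):
        print("FAIL:", finding)
```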
Additional Challenges of Data Center Consolidation
(diagram: VMs moving between a physical server with a restrictive security policy and a physical server with a permissive security policy)
A restricted workload can move from a secure physical server to an unsecure one without the security admin's knowledge!
Traditional physical security policies do not translate well to a virtual environment. VMs are more dynamic than physical servers. How can they be secured without creating air gaps and lowering our ROI?
Multiple copies of the VM exist that can be instantiated without anyone's knowledge if removed from the environment.
Revoking access to sensitive data in the event of a breach is a far more difficult problem on VMs than on physical servers.
And then, there's the data itself!
How secure is my data in a virtualized world?
• VMs are easy to copy (and steal).
• Virtual data objects are easy to move.
• Cloud introduces a new class of privileged users and administrators (server, storage, backup, and application), all operating independently.
• VMs have multiple instances, snapshots and backups of data.
• Shredding data capability if data at risk or switch providers
(diagram: APP / OS stacks on a hypervisor in the compute layer, with storage, backup and snapshots below)
Who Secures the Cloud?
Challenges in Virtual Datacenters & Clouds
Data Protection: Prevent leaks or unauthorized access
• Are all my data instances secure?
• How will encryption affect my virtualization solution?
• Can I assure only authorized access?
• Can I "pull the plug" on data at risk of exposure?
Control: Set effective access policies
• Who is accessing my data?
• Can I enforce an effective access control policy?
• Can I present a trusted audit trail?
Visibility: Where is your data and what is it doing
• Where are all my data instances?
• Can I trace every legitimate copy/instantiation?
• Can I trace unauthorized copying?
Control versus Accountability?
"An organization cannot outsource accountability. Ever." - Cloud Security Alliance
"…outsourcing maintenance of controls is not the same as outsourcing responsibility for the data overall." - PCI DSS Cloud Computing Guidelines v2
"…Regarding third-party or public clouds, clients should consider that while they can outsource the day-to-day operational management of the data environment, they retain responsibility for the data they put in the cloud." - PCI DSS Cloud Computing Guidelines v2
The solution.
State of Data Protection: Protect What Matters, Where it Matters
WHERE IS YOUR DATA? WHERE ARE YOUR KEYS?
(diagram: 1 Live Data, 2 Stored Data, 3 Virtualized Data, 4 Key Management and Root of Trust, 5 Access; spanning Virtual Machines, File Servers, Databases, Site-to-site Data in Motion, Applications and SaaS Apps)
Warning
• Pockets of Encryption
• Operational Inefficiencies
• Audit Deficiencies & Failures
• Sensitive Data Exposure
Protecting What Matters, Where it Matters
SafeNet Solutions for Virtualized Architectures
(diagram: virtual machines, each an Application on a Guest OS, on a hypervisor across compute, storage and network: Virtual Compute (CPU), Virtual Storage (NAS / SAN), Virtual Network, Physical Network; SafeNet controls shown: Management, Root-of-trust and trusted crypto, Database-As-A-Service, Isolation of virtual machines, Strong Authentication, Storage Encryption)
ProtectV: Maintain Control of Your Data Through Your Virtualization and Cloud Migration
(diagram: ProtectV Manager with encrypted VMs)
ProtectV enables VM encryption to:
• Isolate Virtual Machines and Storage
• Authorize server launches with StartGuard
• Track key access to all copies of your data
• Revoke key access after a breach
• No need for special discovery of sensitive data
• All data is encrypted, even in archive (ex: snapshots, backups & clones)
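To make the key-custody idea behind these bullets concrete, an added example that is not SafeNet's code: one data key, held only by a separate key manager, protects the live disk and every byte-identical snapshot, backup and clone; each key release is logged against the copy it served, and revoking the key after a breach makes all copies unreadable at once without finding them. The HMAC-SHA256 keystream is a standard-library stand-in for a real disk cipher such as AES-XTS, and the KeyManager class and function names are this example's own.

```python
# Added example, not SafeNet code. The HMAC-SHA256 counter-mode keystream is a
# standard-library stand-in for a real disk cipher such as AES-XTS; the key
# manager and client names are this example's own.
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC(key, nonce || counter) blocks; symmetric, so it decrypts too."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class KeyManager:
    """Stand-in for the external key manager / root of trust that holds VM keys."""

    def __init__(self):
        self.keys, self.revoked, self.audit = {}, set(), []

    def create_key(self, key_id: str) -> None:
        self.keys[key_id] = os.urandom(32)

    def release(self, key_id: str, requester: str, copy: str) -> bytes:
        # Every release is recorded against the copy it was requested for, which is
        # what lets key access be tracked across live disks, snapshots and backups.
        self.audit.append((key_id, requester, copy))
        if key_id in self.revoked:
            raise PermissionError(f"key {key_id} has been revoked")
        return self.keys[key_id]

    def revoke(self, key_id: str) -> None:
        # Destroying the key is the "shred": every copy of the ciphertext becomes
        # unreadable without locating or wiping each snapshot, backup or clone.
        self.revoked.add(key_id)
        self.keys.pop(key_id, None)


def encrypt_copy(km: KeyManager, key_id: str, copy: str, plaintext: bytes):
    nonce = os.urandom(16)
    return nonce, keystream_xor(km.release(key_id, "vm-client", copy), nonce, plaintext)


def decrypt_copy(km: KeyManager, key_id: str, copy: str, blob) -> bytes:
    nonce, ciphertext = blob
    return keystream_xor(km.release(key_id, "vm-client", copy), nonce, ciphertext)
```

Snapshots and backups in this model are byte copies of the same ciphertext, so they never need re-encryption and all fall under the same revocation.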
StorageSecure: Isolate Data in Multi-tenant NAS Environments
(diagram: storage head with isolated data shares for Health Solutions, Pharmaceutical Solutions, Patient Relationship and Medical-Surgical)
• Encryption-enabled separation of data in shared virtual environments
• Separation of inter and intra departmental data
• Protect data belonging to security sensitive departments
• Enables hosting multiple customers on the same HW
KeySecure: SafeNet Key Management
(diagram: KeySecure shown with a Hardware Security Module (HSM), serving Applications, Virtual Machines, Backup Media and Storage)
• Heterogeneous
• Open standards-based
• Physical or virtual
• High assurance
Why Customers Choose SafeNet
• Comprehensive Information Lifecycle Protection: More ways to protect data than any other vendor, in Databases, Applications, File Servers, Mainframes, Desktops, and more.
• Trusted by Largest Organizations for Critical Data: Proven track record of protecting critical data and transactions, from trillions of dollars in bank transfers and stored streaming videos to M1 tanks and Air Force One.
• Confidence in the Most Certified Solutions: SafeNet has more FIPS 140-2 and Common Criteria certifications than any vendor, giving peace of mind to our customers.
• High Performance for High Volume Deployment: For the largest enterprise deployments, dedicated hardware and optimized software scales to millions of protected records and trillions of transactions.
Thank you