Cloud compliance and data security issues -...
Transcript of Cloud compliance and data security issues -...
![Page 1: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/1.jpg)
Ariel Dan Co-Founder, Executive VP
Cloud compliance and data security issues Identifying and dealing with security risks in IaaS clouds
![Page 2: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/2.jpg)
• About Porticor
• Cloud compliance and data security issues
• Use cases
Agenda
2
![Page 3: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/3.jpg)
About Porticor
![Page 4: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/4.jpg)
Gila
d P
aran
n-N
issa
ny • CEO, Founder
• G.ho.st Cloud OS
• SAP CTO – SMB solutions
• TopTier – Portal & Web Navigator
Yaro
n S
hef
fer • CTO, Co-founder
• Security guru
• Check Point
• Co-chair: IETF ipsecme A
riel
Dan
• EVP Sales & Marketing, co-founder
• Websense
• Enterprise Sales - New York and New Jersey
• EMEA channel sales
• Port Authority DLP
Executive team
4
![Page 5: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/5.jpg)
Porticor
Founded 2010, Tel Aviv, Israel
Problem we solve
Maintaining trust, control and confidentiality while using cloud infrastructure
Solution
Porticor® Virtual Private Data™ system
Up in minutes, works in most clouds: AWS, VMware, IBM
Only key management solution that is truly safe in the cloud, due to unique technology
Porticor Overview
5
![Page 6: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/6.jpg)
The “Swiss Banker” metaphor Customer has a key, “Banker” has a key
Master key with Homomorphic key encryption
Patented Key-splitting and Homomorphic Key Encryption
6
![Page 7: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/7.jpg)
Approaches to Cloud Key Management - A Challenge
7
Cloud provider
User account
Database server/s
Key Management SaaS vendor
key management server in the datacenter • Expensive: hardware, licenses,
operational overhead, etc… • There’s a tension between security and
performance
key management in a cloud hosted by a security vendor • Problematic: puts your encryption keys in somebody
else’s hands
![Page 8: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/8.jpg)
Cloud Compliance and Security Issues
![Page 9: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/9.jpg)
“IT security is a bit like cleaning the toilets - When you get it right nobody notices or bothers to phone you to congratulate on a job well done, but when it goes wrong everyone is up to their neck in brown stuff.”
Stephen Bonner, Partner at KPMG
9
![Page 10: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/10.jpg)
1. How do I maintain control?
2. While leveraging cloud advantages
3. And keeping “cloudy” costs
Top cloud security concerns
10
![Page 11: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/11.jpg)
When data is stored
•Insiders steal content
•Human error – content exposed
•Malicious Disk snap-shots
•Cloud Providers can read data
•Civil lawsuits, EU Data Dir., USA Patriot Act
•…
When data is in use
•Administrators of VMs may be malicious
•Cloud employees may achieve access to VMs
•Memory snap-shots
•…
Security Encryption requirements
•Encryption of data and all related keys
•Segmentation and compartmentalization
•Splitting secrets as in e.g. PCI
Robustness requirements
•Ensuring a breach in one place (e.g. a single application server) does not expose the entire system
•Ensuring (clear text) data and keys stay in certain geographies
Compliance and
regulation
Security & Compliance Concerns
11
![Page 12: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/12.jpg)
PCI DSS Cloud Computing Guidelines
12
![Page 13: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/13.jpg)
Cloud Security is a Shared Responsibility
13
![Page 14: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/14.jpg)
Use Cases
![Page 15: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/15.jpg)
App1 AppN
Region1US
Region specific KMS
App1 AppN
Region2 EU
Region specific KMS
App1 AppN
Region3 APAC
Region specific KMS
KMS
HSM
DC ATL
KMS
HSM
DC LHR
KMS
HSM
DC SING
Use case 1: A Large Global ISV
15
![Page 16: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/16.jpg)
Challenge
•A large ISV would like to deploy its software globally across the US, EU, and APAC. Compliance needs to be maintained per region specific legislation
•Sensitive information must be encrypted
•Encryption keys must be owned and maintained by the ISV (not the cloud provider or security vendor)
•Reduce cost of solution
How Porticor was used
•Physical HSMs removed
•Segregation and separation through encryption
•Split-knowledge using split-key management
Result
•Regulatory compliance achieved while costs reduced significantly. Per region presence no longer requires a physical data center next to each cloud location.
ISV global AWS deployment - multiple continents
![Page 17: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/17.jpg)
Use case 2: Cloud Disaster Recovery
17
![Page 18: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/18.jpg)
Challenge
• Maintain PCI compliance
• Reduce DR costs significantly
• Maintain control over the encryption keys
How Porticor was used
• Virtual appliance on premise and on DRaaS cloud
• Split-Key Management as a Service
• The encryption key is in the sole possession of the end customer (not the DR provider)
Result
• Cost reduced dramatically using DRaaS
• PCI maintained by keeping the encryption keys with the end user
Cloud Disaster Recovery
![Page 19: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/19.jpg)
• Updated HIPAA Omnibus rules put more liability on ISVs’ as “Business Associates”
• There is a lively discussion on whether cloud providers should be defined as business associates and sign "BAAs"
• “…only breaches involving unsecured PHI are required to be reported, and encryption is the only way to secure such data…”
Healthcare - Background
19
![Page 20: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/20.jpg)
Use case 3: Healthcare ISV
20
![Page 21: Cloud compliance and data security issues - Meetupfiles.meetup.com/1304559/Porticor_cloud_compliance_NYC_meetup… · Cloud compliance and data security issues Identifying and dealing](https://reader033.fdocuments.in/reader033/viewer/2022060220/5f0705f47e708231d41ae9de/html5/thumbnails/21.jpg)
Challenge
• Maintain HIPAA compliance
• Automate the key management and encryption process
• Distribute keys to end users
How Porticor was used
• API Integration for encryption keys creation, revocation, etc…
• Tokens creation and distribution directly to end users
• A cluster of Porticor Virtual Appliances for full redundancy
Result
• Fully integrated with ISV’s workflow
• PHI data is always encrypted - and the patient and Doctor maintain control through personal tokens
Healthcare ISV