GDPR Compliance with HyTrust - cybers.eu · Geo-Tagging Processor level attestation with Intel TXT...

GDPR Compliance with HyTrust
Workload Security and Compliance – Taking the Pain Out of Government Mandated Security Response
Dan Gaddes – Principal Systems Engineer
© 2016 HyTrust, Inc.



Who is HyTrust

HyTrust Workload Security solutions mitigate the security and operational risks that organizations face when pursuing cloud and virtualization data center transformation.

Multi-Cloud Flexibility – over 750,000 workloads protected by HyTrust

• Founded in 2007
• Extensive virtualization and cloud security expertise
• 12 granted and pending patents
• Acquired HighCloud Security in 2013

[Logo panels: Customers; Technology Partners; Strategic & Financial Investors]


HyTrust Workload Security Use Cases
How are they related to GDPR?

• Eliminate privileged user misuse
• Halt data breaches on all clouds
• End audit and compliance suffering
• Remove costly infrastructure air gaps
• Avoid data sovereignty landmines
• Stop stupid and the accidental downtime

Critical areas affected by GDPR – increased risk with public or hybrid cloud environments:

1. Privileged account misuse
2. Data breach protection
3. Data sovereignty compliance


GDPR SCOPE


GDPR Executive Summary

What: New standard for data protection and privacy for the EU member states – replacing the previous Safe Harbor agreement (between the US and EU). Covers any company doing business in the EU or with an EU citizen.

When: Goes into “full” force on May 25, 2018. Different member states may add some variations or additional requirements.

Impact:

• Enforcement is backed by substantial fines, some based on 2%-4% of corporate revenue in EU.
• Allows EU citizens to challenge companies and shift burden onto the service providing company for proof/response to privacy and security.
• Affects a range of technology systems including data storage and collection, data encryption, and frameworks for privacy processes (through policy and privacy specialists).
• Still unclear with Britain leaving the EU – but most likely following GDPR will still be more stringent than any local guidelines.


Challenges

GDPR Requirement:

• Transparency
• Consent/Data Quality
• Security enforcement of Privacy
• Data breach readiness and response
• Right to be Forgotten (Art 17)
• Privacy policy and DPO

Summary Description:

• Opt-in by consumer; ability to get rid of data if consent is withdrawn
• Protecting data via encryption, secure data destruction, etc.
• 72 hours for breach notification; incident response plan
• Right to be Forgotten - Erasure (Art 17)

Migration to Public Cloud Increases Risk:

• Policy guarantees harder with 3rd party (i.e. cloud provider)
• Tracking data across many workloads and geographies with instant ability to “kill” data
• Proof of actions (of encryption and destruction) is required if challenged
• Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly
• All data must be deleted – retroactively and for all records

Note: there are numerous other areas of challenges – but these are the most technically challenging for cloud enabled organizations.


Technology Best Practices Response to GDPR (and applicable HyTrust Use Cases)

1. Automatic: Shift from alert and SIEM analysis to proactive, automatic security for both breach protection and privacy protection [Data Sov.]
2. Insiders: Ensure admin access to data on any cloud can be monitored and proof of compliance can be shown instantly (or instantly flag violations for prompt remediation) [PIM, Data Sov.]
3. Self-Regulating: Workload needs portable policy to protect and enforce compliance itself [Data Sov.]
4. Platform Agnostic: Implement a platform agnostic solution – which will work across any provider or workload type (virtual machine, SDDC, containers, etc.) [All use cases]
5. Instant Proof: Ensure proof of compliance is fast, easy, and multi-cloud ready [All use cases]


My Cloud Provider Says I Am Protected…

Microsoft, Amazon, and others have issued statements that their customers are protected and compliant already via their use of “model” contracts and other legal mechanisms.

However…

• And if provider fails – YOU are still responsible for data breach disclosure and remediation impact for your customers.
• ONLY workloads and data that reside on that provider can be considered as “provider” scope (private data centers, backup/DR sites, QA copies, etc. are still your issue).
• YOU are still responsible for the administrative actions of systems on that network.
• YOU are still responsible for the data, even if the provider is compliant.

Bottom line: Regardless of who is hosting your data, YOU are responsible for it. Be proactive and do not rely on the provider or specific technology to protect your data.


Detailed GDPR Mapping to HyTrust

Article 32 – Security of processing
• Text requirement summary: Appropriate level of security based on state of art. Including: encryption, regular tests of security effectiveness, ensure confidentiality, integrity of data.
• HyTrust / customer options: Implement policy based encryption for data protection (and evidence). Show compliance of human assets.

Article 24 – Responsibility of the controller
• Text requirement summary: Requires data controller to implement appropriate technical … measures to ensure and … demonstrate compliance.
• HyTrust / customer options: Forensic level logs that track workloads, administrative activities, and policy changes at the object level.

Article 25 – Data protection by design and default
• Text requirement summary: Data controllers must also implement data protection by default … implement appropriate technical … measures to [protect/address] the amount of data collected, extent of processing, and retention and accessibility of data.
• HyTrust / customer options: Through HyTrust BoundaryControl policies, the system is (by default) set to adhere to data boundaries and usage. Furthermore, encryption can be used to enforce this across any cloud provider.


The HyTrust Workload Security Platform

HyTrust CloudControl
• Automated Compliance
• Forensic Logging & Reporting
• Granular Role & Object Based Controls
• Secondary Workflows

HyTrust DataControl
• Multi-cloud Policy based Encryption
• Dynamic & Zero Touch Rekey
• Secure Boot Protection
• Hardware accelerated with Intel AES-NI

HyTrust BoundaryControl
• Soft-Tagging
• Geo-Tagging
• Processor level attestation with Intel TXT
• Boundary aware decryption


HyTrust CloudControl


HyTrust CloudControl Capabilities
The HyTrust CloudControl Solution

[Slide quadrants: What, Why, Who, How]

• Strong two-factor authentication
• Integrates with Active Directory, RSA SecurID, CA ArcotID, RADIUS and TACACS+, Smart Cards (PKI)
• Root password vaulting
• Log Viewer (new)
• Unified Access
• Role – Permissions Assessment Tool*
• Role-based access control (RBAC)
• Workload/SMART tagging
• Workflow escalations/secondary approvals
• 30+ preconfigured roles
• Forensic level logs
• Real-time alerts for sensitive or abnormal actions
• Built-in integration to SIEM tools (HP ArcSight, Splunk, RSA EnVision, McAfee ePolicy Orchestrator)

* coming in future releases


vSphere Architecture with HyTrust CloudControl

[Diagram labels: Enterprise Production Network; VMware Management Subnet; Cloud Orchestration; Administrators; Administrator Actions; vCenter; CloudControl Virtual Appliances (HA) with Policy Engine and Proxy]

• Flexible policy engine
• All actions are logged (including those denied by policy)
• Applies controls and monitors activity with NO change to the administrator's experience
• Not in-line with production network – NO impact on application availability or latency


Management Dashboards – Separation of Duties

[Chart: Admin distribution over time (range selector 1D, 1W, 1M, 3M, 6M, All); y-axis: Count; x-axis: 13–15 Sep. Navigator color indicates out of range / within range. Data point at 09/15/16 18:46:04: PowerAdmin: 5, ComputeAdmin: 1, ManagementAdmin: 5, NetworkAdmin: 3, StorageAdmin: 7, SuperAdmin: 1 (out of range)]

[Chart: Privileged User Distribution; total admins: 22; admin categories (based on privileges): PowerAdmin, Compute, Management, Network, Storage, SuperAdmin]

• How has privileged user access changed over time?
• Does the privileged user have more privileges than necessary to perform their jobs?


Logging Engine

Operation: Delete Hard Disk 3

vCenter Log Entry

CloudControl Log Entry


Policy Engine
Flexible Security Rules

• Custom Role Based Access Control (RBAC), including NSX
• Object Based Access Control through patented Smart Tagging

[Diagram labels: Identity; Objects; AD group membership; Custom Roles; Admin; Trust status; Protocol; Source IP; Label; Constraints; Role; Policy Engine]


Policy Engine - Secondary Approval Workflows

[Diagram labels: Administrator; Secondary Approval Administrators; CloudControl; Virtual Infrastructure; “Does not need secondary approval”; “NOT APPROVED”]


HyTrust DataControl


The HyTrust DataControl Solution

[Diagram labels: Orchestration; HyTrust Key Control and Policy Engine; Workload; Hypervisor; Hardware]

• Key Control – the key manager that ensures enforcement of policy via key management
• Policy Agent – ties policy to workload and executes encryption and decryption
• Policy Engine – ensures appropriate controls with context

HTDC provides deep protection
• Workload protection from boot to data with complete stack protection
• Portable policy travels with workload to ensure always on protection
• Connects with HyTrust BoundaryControl and HyTrust CloudControl for automated and workflow oriented security
• Hardware accelerated encryption via integration with Intel AES-NI

HTDC provides easy management
• Scalable, zero downtime re-key management and encryption
• Single interface regardless of where the workload runs
• Pre-integrated to KMIP client/server for easy extensibility

HTDC protects data everywhere
• On-premises and cloud ready – across all major cloud providers
• Hyper-Convergence ready – built into Nutanix, SimpliVity, others
• Storage ready – including SSD technology


HyTrust DataControl

• Highly available active/active multi-node cluster
• Nodes in separate geographical locations serving the regions
• On a single node failure, VM agents will heartbeat to the available node
• HyTrust DataControl works with Microsoft Azure + Hyper-V on premise and also AWS

[Diagram labels: Core Data Center; Core Data Center or Cloud; Data Center; Key Control Node; Domain Controllers; Agent; VMs]


HyTrust DataControl Policy Agent

Function: Holds security policy and checks for updates and execution from key manager.

Key capabilities:

→ Protects Data: Encryption at disk level
→ Protects Complete System: Encryption of boot, root, and swap partitions
→ Authorized Boot: Ensures boot up only on authorization
→ Heartbeat: Constantly validates policy – ensures always on protection
→ Zero Downtime: Dynamic rekey (with no downtime) ensures a higher level of security without ops downtime
→ Fast: Leverages AES-NI for fast, transparent encryption

Policy Agent: Agent does NOT need to alter operating system kernel. Based on environment – may load above or below file system.

[Diagram labels: Hypervisor; Storage Driver; VM/Physical Machine stack 1: Applications/Data, File System, Crypto File System Filter, Device Driver; VM/Physical Machine stack 2: Applications/Data, File System, Crypto Device Driver, Device Driver]


HyTrust DataControl Policy Agent
Deployment of Policy Agent

• Manual or unattended
• May be included in VM templates
• May leverage enterprise tools (such as SCCM)
• Monitoring through KeyControl Dashboard
• Full support for VM cloning, including VDI use cases

Steps:

1. DataControl Policy Agent Installation
   • 64-bit OS
   • Reboot required for Windows
2. HTDC Registration
   • Establish trust
3. Data Encryption

[Diagram labels: VM; PA; KeyControl]


HyTrust DataControl Dynamic Rekeying

Right-click, select “Add and Encrypt” and you’re done!

• Applications / databases continue while disk is being encrypted

Encryption / rekey status is shown in the GUI (or command line)

% encrypted


HyTrust Boundary Control


HyTrust Boundary Control

Software and hardware to enforce geo-fencing of workloads

• Trusted Compute Pools – Virtual Server Placement by Platform Integrity: Only allow certain virtual servers to run on a trusted hardware and software stack
• Geo-Fencing – Virtual Server Placement by Location: Only allow certain virtual servers to run on trusted hardware in a particular location
• Data Sovereignty – Virtual Server Decryption by Trust & Location: Only allow virtual servers to be decrypted on trusted hardware in a particular location

• Eliminates need for air gaps
• Automatic compliance to regulatory mandates

[Diagram label: PUBLIC CLOUD]


HyTrust Boundary Controls – Avoid Data Sovereignty Landmines

Automatically provision, configure, and enforce security controls for all things inside your defined logical boundaries – Intel TXT provides Hardware Root-of-Trust

• Define and create a logical boundary by geography, regulatory standard, department, etc.
• Assign tags to key assets
• Define policies and automate security control enforcement for your defined boundary

Example policies:

• Do not decrypt workload unless it is running on Host B
• Automatically encrypt workloads within the boundary

[Diagram labels: asset types Network, Storage, Workload, Host/Server; tags PCI, PII*, Finance, German]
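
The boundary rules on the two Boundary Control slides above (decrypt only on trusted hardware in a particular location; “Do not decrypt workload unless it is running on Host B”) come down to a key-release decision made by the key manager. The following is an added sketch of that decision, not HyTrust code: the Host and Boundary types, the tag-to-boundary table, the host names and the key are constructed for illustration, and the attestation verdict is taken as an input rather than verified here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    name: str
    trusted: Optional[bool]  # attestation verdict; None = no report received
    geo_tag: Optional[str]   # location tag reported with the attestation

@dataclass(frozen=True)
class Boundary:
    locations: frozenset = frozenset()  # empty = no location constraint
    hosts: frozenset = frozenset()      # empty = no host pinning

# Constructed tag-to-boundary table (tag names borrowed from the slide).
BOUNDARIES = {
    "PCI": Boundary(),
    "German": Boundary(locations=frozenset({"DE"})),
    "Finance": Boundary(hosts=frozenset({"Host B"})),
}

def violations(tags, host):
    """Reasons the host is outside the boundary for these tags (empty = inside)."""
    if host.trusted is not True:
        # Fail closed: without a good attestation nothing the host reports,
        # including its location tag, counts as evidence.
        return ["host not attested as trusted"]
    reasons = []
    for tag in sorted(tags):
        boundary = BOUNDARIES.get(tag)
        if boundary is None:
            reasons.append(f"{tag}: no boundary defined")  # unknown tag denies
        elif boundary.locations and host.geo_tag not in boundary.locations:
            reasons.append(f"{tag}: location {host.geo_tag} not allowed")
        elif boundary.hosts and host.name not in boundary.hosts:
            reasons.append(f"{tag}: host {host.name} not allowed")
    return reasons

def release_key(workload_id, tags, host, key_store, audit_log):
    """Return the data key only inside the boundary; log every decision,
    including denials, so the outcome can be shown later."""
    reasons = violations(tags, host)
    audit_log.append({"workload": workload_id, "host": host.name,
                      "allowed": not reasons, "reasons": reasons})
    return None if reasons else key_store[workload_id]

# Constructed sample data.
KEYS = {"vm-42": b"constructed-demo-key"}
HOST_A = Host("Host A", True, "DE")
HOST_B = Host("Host B", True, "DE")
HOST_C = Host("Host C", True, "US")   # trusted stack, wrong location
HOST_D = Host("Host D", None, "DE")   # claims DE but sent no attestation

if __name__ == "__main__":
    log = []
    for h in (HOST_A, HOST_C, HOST_D):
        key = release_key("vm-42", {"PCI", "German"}, h, KEYS, log)
        print(h.name, "key released" if key else "denied", log[-1]["reasons"])
```

Because the check sits at key release rather than at placement, a copy of the encrypted workload that ends up outside the boundary stays unreadable, and each denial leaves an audit record.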


Come see us at our booth to find out more and for a demonstration