QuestionofTrust_HowServiceProvidersCanAttractMores_WP_(EN)_web

A Question of Trust: How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper

1

Executive Summary

Offering an outsourced, elastic, pay-as-you-go computing infrastructure, cloud

computing services can deliver clear cut benefi ts to a host of companies. Today,

however, security concerns are a big barrier to many clients’ adoption of cloud

services. To boost market share and gain competitive distinction, cloud service

providers need to add the security infrastructure that safeguards clients’ sensitive

data and fosters trust. This white paper outlines the path cloud providers can take

to start building trust into cloud deployments, and details the approaches and

capabilities organizations need to make this transition a reality.

Introduction

As high as the rate of adoption for cloud-based services like SaaS has been, the surface has only been scratched in terms of the full business potential cloud service providers can realize. But to realize this potential, cloud providers must overcome a signifi cant obstacle—security.

Today, issues of risk, data privacy, and compliance are the chief inhibitors to most organizations’ adoption of cloud services. In fact, a Gartner report cited data location risk, data loss risk, and data security (privacy) risk as three of the top fi ve barriers to cloud-computing adoption. While security can be seen as an obstacle to the broad adoption of cloud computing, it can, in fact, be an enabler. By fi nding a way to effectively safeguard data in the cloud, cloud providers can begin to fully maximize the market potential of cloud offerings.

To get there, both enterprises and cloud providers will be going through a transition, one that can be viewed in terms of trust. As enterprises kick off their initial deployments, they’ll do so with a minimum of trust in their cloud provider’s infrastructures. Over time, that trust will be cemented by solutions and processes that lead to limited and, ultimately, compliant trust, making cloud security a true win/win for enterprises and providers alike.

A Question of Trust:

How Service Providers Can Attract

More Customers by Delivering True

Security in the Cloud by Russ Dietz WHITE PAPER


2

In the following pages, we’ll walk through this transition in more detail, and then show what this means for cloud providers in the months and years ahead. Then, the document will outline some of the specifi c areas cloud providers can target in their efforts to optimize the security and utility of their cloud initiatives. Finally, we’ll outline some of the most important capabilities organizations will need to support these efforts. (Note: In the following pages, unless otherwise specifi ed, when discussing the cloud, we will be referring to the public cloud. While private clouds present their own specifi c security challenges, given their internal deployments, the nature of security will more closely resemble those of current data center deployments. It is the public cloud, and the changing nature of the client and cloud service provider relationship, that are the focus of this document.)

Step 1: Minimal Trust

In spite of efforts by cloud providers to date, for most enterprises today, security in the cloud is viewed in a fairly straightforward way—don’t assume there is any. Organizations that have gone forward with cloud deployments have thus taken full ownership and responsibility for security. This can play out in several ways:

A business can segment its data into two classifi cations—sensitive and non-sensitive. • Non-sensitive data can be transferred into the cloud as is; for example, for disaster recovery or archival purposes. Sensitive data on the other hand will either be kept out of the cloud entirely or it will be protected, generally through encryption, before it is exposed to the cloud. Further, that information will stay secured through those mechanisms the entire time it resides in the cloud.

An organization may opt to use SaaS offerings but only for applications that do not involve • personally identifi able information (PII), or other types of data subject to regulation or privacy laws.

A business can migrate the processing of non-sensitive applications to the cloud. For • example, this can take the form of “cloud bursting,” an approach in which an organization will migrate an application to the cloud when the processing capacity of its corporate cloud or data center is exceeded. This can be a cost-effective way for organizations to handle seasonal or peak demands for processing. For example, a media company can adopt this approach for video streaming when its internal infrastructure hits capacity.

Each of these scenarios can present organizations with near term benefi ts—they enable an organization to quickly leverage many of the benefi ts and strengths of cloud computing, without compromising security or compliance. These scenarios represent the bulk of cloud deployments done to date.

Step 2. Limited Trust

In order for cloud providers to expand their addressable market, both in terms of clients and applications, they will need to support clients’ efforts to migrate their own security mechanisms to the cloud. This next step in the transition to a trusted cloud will inherently require more of an upfront investment than prior cloud approaches, and also require a deeper, more collaborative relationship between clients and providers.

As enterprises take their existing encryption solutions and run them in the cloud, they’ll retain full control over security ownership. From the service providers’ standpoint, these deployments will be structured similarly to traditional hosting provider models. Specifi c deployment approaches can include the following:

Deploying physical security systems in a virtual private cloud•

Running a virtual service within a hybrid, multi-tenant cloud environment•

Federating cloud user directories with internally-managed identity and access management • systems


3

Here, data protection can be conducted in the cloud, yet still within the enterprise’s control. As a result, by supporting these types of deployments, organizations will become more fully invested in cloud offerings and seek to take greater advantage of the cloud’s benefi ts, which will be a landmark phase in the maturity of the cloud computing market ..

Step 3. Compliant Trust

In this ultimate phase of the cloud’s evolution, cloud providers gain the controls they need to deliver trust as a service, so enterprises can specify security policies and have confi dence in the cloud provider’s infrastructure and capabilities for executing these policies. Here, the enterprise, as the information owner, still holds control over security, but more in a virtual, rather than operational, way.

In this scenario, the enterprise sets security policies and owns the core key materials, credentials, identities, and other elements that are used by the cloud providers to protect information, which gives them the fi nal say in how security is handled. The cloud provider will have the sophisticated security infrastructure in place to meet client’s security objectives, including robust encryption, secure key management, granular access controls, and more.

Enterprises can leverage the cloud and get the level of security needed to stay compliant with all pertinent regulatory mandates and security policies. As a result, almost any business service or application can subsequently be a potential candidate for migration to cloud services.

Four Key Areas for Implementing Cloud Security

As they make the move to supporting compliant trust, what capabilities will service providers require, and how will they differ from traditional approaches? The sections below outline some specifi c areas for applying security measures to cloud environments and the capabilities required to employ these measures. With these initiatives, service providers can begin to gain the control, visibility, and effi ciency they need to both ensure security and leverage the business benefi ts of cloud services.

Protected Infrastructure

Most cloud providers will have infrastructures comprised of a number of sites, all interconnected through a wide area network (WAN). Given the dynamic, processing-intensive environments they build, cloud providers typically require high performance, low latency, dedicated transmission circuits between these distributed sites. Cloud providers often turn to telecom carriers and other service providers for these circuits. While many assume an increase in security from a dedicated “private” circuit that isn’t shared by the entire world, the truth is that private only means dedicated switching or virtual circuit connections, which does not in any way guarantee data integrity or security.

To build a trusted infrastructure, service providers need to employ encryption to secure the transport of data across their WANs, while at the same time, ensuring high speed and low latency communications between these distributed sites. This requires encryption solutions that combine “wire-speed” performance with robust security capabilities, including tamper-resistant hardware and support for robust, industry-standard encryption algorithms. In addition, a secure, centralized solution is required to manage these disparate encryption platforms so users can effi ciently defi ne and distribute integrated policies.


4

Figure 1 To build a trusted infrastructure, service providers need to employ encryption to secure the transport of

data across their WANs, while at the same time, ensuring high speed and low latency communications between

these distributed sites.

Secure Access Controls

Ensuring that only authorized users gain access to cloud-based resources is an absolute requirement for cloud providers. Providers need to ensure proper access controls for users at client sites, and, just as importantly, for administrators within the service provider’s organization.

On the client side, providers need to support multi-factor authentication in much the same way as a secure organization requires multiple credentials (i.e., a key fob and a password) to enter highly restricted physical areas. By coupling multi-factor authentication at the user level with centralized security policy management, cloud providers can much more simply set up new users, and terminate access when an employee leaves or a threat arises.

Cloud providers multi-factor authentication mechanisms, such as tokens, need to be coordinated with the clients’ public key infrastructure (PKI); if not, the cloud service imposes too much additional overhead in terms of security administration to be useful for the client. Further, operational changes need to be transparent to end users if these services are to be optimal for client organizations.

On the cloud provider side, robust, token-based, multi-factor authentication is also required. This is a critical requirement if cloud providers are to meet SAS 70 requirements. By locking down the management console, cloud providers can ensure that services and sensitive client data won’t be compromised. In addition, it provides critical safeguards against internal attacks.

Driven by a need to use the

cloud’s elastic storage, without

exposing data to the cloud’s

vulnerabilities, enterprises can

perform secure storage in the

cloud, effectively using the cloud

for the backup, disaster recovery,

and archival of data.

Enterprise

CloudData Center B

CloudOps Center

CloudData Center A

Carrier Backbone

CloudVPC Center C


5

Figure 2 Robust, token-based, multi-factor authentication is a critical requirement if cloud providers are to meet

SAS 70 requirements. By locking down the management console, cloud providers can ensure that services and

sensitive client data won’t be compromised.

Data and ID Protection

Protecting client data and identities are also vital requirements. Further, these data protection mechanisms need to adhere to a host of regulations with which clients must comply. Inherent in this is an ability to isolate the processes and data of multiple tenants in virtualized cloud environments.

To achieve these objectives, service providers need a host of capabilities:

Hardware Security Modules (HSMs). Service providers need HSMs to protect their TLS/SSL • identities [more to add here?]. To meet many clients’ security requirements, these HSMs should be FIPS 140-2 Level 3 certifi ed.

Granular encryption. Cloud providers need to be able to selectively encrypt sensitive data • according to clients’ security requirements. This means being able to encrypt data at the column level in databases and to partition database security by different clients. This also requires fi le encryption so organizations can encrypt specifi c sensitive client fi les, including spreadsheets and documents.

Central, secure policy management. To effi ciently govern these security mechanisms, cloud • providers need to be able to centrally manage security policy, across disparate systems and regions. Further, given the vital nature of these administrative systems, the utmost security needs to be employed to ensure they are never compromised.

An effi cient cloud security

deployment scenario requires a

centralized, hardened security

appliance, which is used to

manage cryptographic keys,

access control, and other

security policies.

Certificate-Based (PKI)

Cloud Provider

OTP


WorkstationsCloud-provider

pin

pin


6

Figure 3 To effi ciently govern these security mechanisms, cloud providers need to be able to centrally manage

security policy across disparate systems and regions.

Virtual Encryption as a Service

To fully leverage their potential business opportunities, cloud providers need a way to take the unparalleled security offered by sophisticated, hardware-based encryption solutions, and virtualize those offerings. This enables the delivery of symmetric encryption, fi le encryption, secure key management, and a host of other capabilities and services within cloud environments.

When cloud providers deliver virtual encryption as a service, they can implement database, application, and fi le encryption—all managed through a single, virtual platform that combines cryptographic key management, policy management, and encryption processing. Because the platform is virtualized, it can be integrated cost-effectively and seamlessly within the cloud provider’s infrastructure. Further, by combining the security benefi ts of these technologies with the cloud delivery model, security implementations can be far less expensive (and much more attractive) than traditional in-house deployments, putting state-of-the-art security capabilities within reach of even small and medium businesses for the fi rst time—and dramatically expanding the service provider’s addressable market.

To deliver virtual encryption-as-a-service deployments, cloud providers will leverage a host of robust security mechanisms, including centralized key management, granular encryption, and access control within their infrastructures. To support virtual encryption as a service, many cloud customers will deploy multi-factor authentication tokens and token management systems in their environments, which can ensure the appropriate access controls are applied to security services and protected data.

By offering a means to

streamline end user access and

access control administration,

federated access initiatives can

help optimize security while

reducing corporate security

costs.

FIPS 140-2Level 3

ProtectFile

Enterprise A Enterprise B

FIPS 140Level Zone A Zone B


7

Figure 4 By providing virtual encryption as a service, smaller organizations can gain access to robust security

mechanisms that may have been cost prohibitive in the past.

SafeNet: Delivering the Trusted Cloud Platform

Introduction—Overview of SafeNet Cloud Solutions

With SafeNet’s security offerings, organizations can fully leverage the business benefi ts of cloud environments—while ensuring trust, compliance, and privacy. SafeNet offers intelligent, data-centric solutions that persistently protect data throughout the information lifecycle and evolve to support changing cloud delivery models—from today’s SaaS and private clouds to the evolving demands of hybrid and public clouds.

Cryptography as a Service

SafeNet offers a broad set of solutions that enable both enterprises and cloud providers to leverage cryptography as a service. SafeNet solutions offer the unparalleled combination of features—including central key and policy management, robust encryption support, fl exible integration, and more—that make cryptography as a service practical, effi cient, and secure.

SafeNet offers these security solutions:

Token management systems and multi-factor tokens that ensure stringent, granular end • user access controls

Hardware security modules, including the Luna SA product line, that enable centralized, • FIPS- and Common Criteria-certifi ed storage of cryptographic keys

DataSecure, which offers fi le, application, and database encryption—all managed through • a hardened appliance that centralizes encryption processing, keys, logging, auditing, and policy administration

Together, these solutions deliver the critical capabilities required for a robust, cost-effective, and secure cryptography-as-a-service implementation.

When cloud providers deliver

virtual encryption as a service,

they can implement database,

application, and fi le encryption—

all managed through a single,

virtual platform that combines

cryptographic key management,

policy management, and

encryption processing.

Cloud Provider



SMB


8

Figure 5 SafeNet’s HSMs and DataSecure products offer FIPS- and Common Criteria-certifi ed, hardware-based

protection of cryptographic keys and controls that help ensure regulatory compliance in cloud deployments.

Trusted Cloud Computing

While the benefi ts being offered by cloud providers today are undeniable, many potential customers continue to perceive that the dynamic nature of cloud computing can pose signifi cant risks. Today, someone can take an application instance running for one organization, then move it to another location, and run it for another organization—and that application could thus enable unauthorized users and processes to access sensitive data.

With SafeNet, you can control applications and services within the cloud environment, and providers can ensure their clients that applications only run on intended platforms for intended customers. SafeNet enables organizations to control the instances of the high-value virtual machines, ensuring they are only invoked in the right circumstances. SafeNet delivers the solutions that enable organizations to do rights management for virtual machines:

Software rights management solutions and tokens for authenticating virtual machines•

The ProtectFile fi le encryption solution, which enables pre-boot authentication of virtual • machines

DataSecure, which delivers central policy management of all fi le, application, and database • encryption processing

Figure6 SafeNet offers the products and capabilities enterprises need to control instances of virtual machines

running in the cloud, including where they are located and when they can be invoked, so they can safeguard trust in

their cloud deployments.

SafeNetHSMs

ProtectFileProtectAppProtectDB

DataSecure

Token MgmtSystem

MFATokens

HSM Client

Root of Trust

Cloud Storage

Cloud Database

Elastic Compute

Federated Key Mgmt& User Directories



MFA for End-Users

Enterprise Cloud Provider

DataSecureLuna SA

IaaS Provider

Enterprise

PaaS Provider

SRMTokens

eTokens

DataSecure

Two-Factor ActivationLicensing

SRMSRMTokens

Key-ManagementTwo-Factor Pre-Boot

ProtectFile

SRM

Software

OTP


APP

APP

Virtual ResourceAdministrators


9

Contact Us: For all offi ce locations and contact information, please visit www.safenet-inc.com

Follow Us: www.safenet-inc.com/connected

©2010 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-08.30.10

Conclusion

In terms of potential, the sky truly is the limit when it comes to the market opportunity cloud computing can offer. However, the full magnitude of this opportunity can only be realized when security is effi ciently, persistently, and effectively employed to safeguard sensitive data. With its sophisticated, data-centric security solutions, SafeNet enables cloud providers to offer the agility customers need to leverage cloud environments most effectively, without making any compromises in security, privacy, or compliance.

To Learn More about Cloud Security

To provide business and security leaders with more information on secure cloud computing, SafeNet has introduced a series of white board videos, webinars and white papers. These resources outline how cloud security is expected to evolve, and describe what organizations need to do to prepare for, and take advantage of, these changes. For more information, please visit www.safenet-inc.com/safecloud.

About SafeNet

Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies and in over 100 countries trust their information security needs to SafeNet.

QuestionofTrust_HowServiceProvidersCanAttractMores_WP_(EN)_web

Documents

Transcript of QuestionofTrust_HowServiceProvidersCanAttractMores_WP_(EN)_web