Data - Proact

Report
Axis of Encryption: Local, Cloud & Mobile
Securing Your Journey to the Cloud
Stephen Porter Alliance BDM
%
Enterprise
Control vs Responsibility?
Responsibility
Control
Servers
Virtualization &
Private Cloud
Public Cloud
IaaS
Gap
Public Cloud Public Cloud
PaaS
SaaS
Outside-in Perimeter Defense
Isn’t Enough…
Empowered
Employees
Advanced
Targeted
Threats
Re-Perimeterization
Virtualization, Cloud
Consumerization & Mobility
Source: Forrester
A New Model for Security –
Securing the Computing Chain
All environments should be considered un-trusted
Users
access app
Image
ensures
data is
always
encrypted
and
managed
Host
defends
itself from
attack
Encryption
keys only
controlled
by you
Encrypted
Data
Data
DC1, LAN 1
Cloud 1, LAN 2
Cloud, LAN 1
Data
DC2, LAN 2
When this whole chain is secure
Components can move
Service provider “lock” goes away
Location doesn’t matter
Shared storage ROI goes up
Virtual “neighbours” don’t matter
4
Protect my data
Inside-out Security
Smart
Context aware
Self-Secured Workload
Local Threat Intelligence
When Timeline Aware
DATA
INSIDE-OUT
Who Identity Aware
Where Location Aware
What Content Aware
User-defined Access Policies
Encryption
5
SECURITY
Protect the Data BYOD
Limit data loss incidents
Enforce policies for data access and protection by enforcing
the use of passwords, encrypting data, and remotely wiping data from
lost or stolen devices.
• Control device access
– Power-on Password enforcement
– Password policies add security
• Protect corporate data and access
–
–
–
–
Remotely locate devices
Remotely lock devices that are suspected lost
Remotely wipe corporate data from devices – Full & Selective Wipe
Encrypt corporate data on mobile devices
• Feature lock
– Disable Security relevant features (e.g. SD-Card reader)
– Control features that pose a risk (e.g. Bluetooth, Mic, Camera)
– Keep data secure - (Control iCloud)
How Does Cloud Storage Help ?
SYNC and PROTECT
SHARING
Synchronizes all desired data
to the cloud and personal
devices, automatically,
instantly and continuously
Secure and simple sharing for
colleagues and external parties
STORE and MANAGE
ACCESS ANYWHERE
Gives each employee / user their
own personal storage space
Access files and folders from
anywhere, anytime from any
device
7
PLATFORM-SPECIFIC SECURITY RISKS
One Security Model is Possible
across Physical, Virtual, and Cloud Environments
Manageability
Performance & Threats
Visibility & Threats
Glut of security products
Less visibility
Less security
Traditional security
degrades performance
Higher TCO
New VM-based threats
More external risks
Reduce
Complexity
Physical
Increase
Efficiency
Virtual
Deliver
Agility
Cloud
Integrated Security: Single Management Console
REDUCE COMPLEXITY
One Server Security Platform
Firewall
HIPS / Virtual
Patching
Web Application
Protection
Single Management
Console
Advanced
Reporting Module
Software Agent Based Solution
Antivirus
Integrity
Monitoring
Log
Inspection
VIRTUALIZATION SECURITY
Fitting into the VMware Ecosystem
Agentless
Security
Virtual
Machine
vShield
Endpoint
Antivirus
Integrity Monitoring
Agentless
IDS / IPS
Integrates with
vCenter
Other
VMware
APIs
Web Application Protection
Application Control
Firewall
Agent-based
vSphere Virtual Environment
Log Inspection
CLOUD SECURITY
What is the Solution? Data Protection
Data Security
Server & App Security
Modular Protection
Sensitive Research Results
Encryption
with Policy-based
Key Management
• Unreadable for unauthorized
users
• Self-defending VM security
• Agentless and agent-based
• One management portal for
all modules, all deployments
• Control of when and
where data is accessed
• Server validation
• Custody of keys
Integration ensures servers have up-to-date security before
encryption keys are released
vSphere & vCloud
Deep Security / Secure Cloud Example
Customer 1
Customer 2
Unix/
Win
Server
Vmware
Key
Service
Vsphere ESX
Policy
Server
Customer
Encrypted Volumes on SAN, NAS, Cloud Service …
Test
CLOUD SECURITY
Fitting Encryption into a VMware Ecosystem
Trend Micro
SecureCloud
VMware vCloud
VMware
vSphere
Key Service
Console
Data Center
VM VM VM VM
Private Cloud
Public Cloud
VM VM VM VM
VM VM VM VM
Enterprise Key
Encryption throughout your cloud journey—data protection for
virtual & cloud environments
TREND MICRO DEEP SECURITY
Specialized Protection
for Physical, Virtual, and Cloud
Physical
Virtual
Only fully integrated server security platform
First hypervisor-integrated agentless antivirus
First agentless file integrity monitoring (FIM)
Only solution in its category to be EAL4+
and FIPS certified
Cloud
IT Security Policies BUT who knows?
Demonstrate Good Governance
and Mitigate Risk
Les Richardson
IT Security and Data Protection the people factor!
Security of your information is paramount
- YOU know that
– but do ALL of your employees?
Whether responding to legislation, compliance requirements,
or protecting against accidental abuse, sabotage or malware security concerns are real and need to be COMMUNICATED
IT Security and Data Protection the people factor!
IT Security and Data Protection policies are essential
But getting employees’ attention and making sure they read and
sign up to them, to ensure compliance – is often much easier said
than done!
And not ONLY IT Assurance SO many policy areas...
IT Assurance
Data Security
Rules laid down by Regulators and Auditors
Social Media
HR & Operating Procedures
Best Practice Guidance
Anti Bribery and Corruption
Good Governance, Corporate Responsibility
Quality Management Standards and Goals
Health & Safety
UK Bribery Act
Information security Not just Data either!
Do you allow your employees to use social media at work?
“…………………...
“
“……………..
“………
“
“
Information security Not just Data either!
People have access to information and have opinions
and emotions!
People also have access (home or work) to mass communication – so
can “share” these opinions and information
=
Potential “HR accidents waiting to happen” ?
Potential “loss” of information, productivity,
reputation – and at what cost?
All of a Twitter! – Social Media BOOM
Registered
users rose from 75M in 2010 to 175M in 2011.
Users tweeting over 95M tweets per day – that’s 4M tweets each hour!
Has grown 100% since March 2010 with 100M professionals
using this worldwide – 20M in Europe
hit the half-billion member mark in 2010, with over 7 billion
pieces of content “shared” each week
And now there is
? Who’s monitoring Internet use ?
? Who owns the data / information / contacts?
? Where is this all going or being “shared” ?
Examples…………
Risk of trade secrets being revealed – Porsche banned
employees from using social networking websites at work
Business contacts – problem with LinkedIn effectively creates a
list of business contacts – individual’s or company’s?
Being fired after making “my job is SO boring” comments on
social media – employment tribunals
Examples…………??????
Fat and smelly
Cockroaches
Faulty jet engines
Any idea what might connect these comments?
So many policies…
So having good policies in place is the first step to reduce exposure to:
Information and data loss
Financial loss
Reputational damage
Compliance breaches
Potential fines
However, if you don’t:
review them regularly
communicate them professionally
ensure employees read , understand and adhere to them
….they are almost worthless.
Communication is key
Email
Intranet
Traditional methods of communication are no longer adequate
KPMG Forensics Survey
Communication and training programs will be the
areas of greatest focus in compliance efforts over the
next 12-24 months.
Source: KPMG Global Anti-Bribery & Corruption Survey 2011
The stakes are rising
The UK Bribery Act 2010 includes a new offence of “failure of commercial
organisations to prevent bribery”
It is a valid defence for the organisation to
prove that it had in place
“adequate procedures.”
Staff must acknowledge that they have read
and understood the anti-bribery code, and
confirm that they will comply with it –
“compliance declaration”
Shocking Stats
Nearly three quarters, 74%, of 1,000 middle managers had not
even heard of the Bribery Act.
+
More than 20% of those surveyed said they were aware of
unethical activity at their company.
Source: The FIDS (Fraud, Investigations and Disputes Services) team at Ernst & Young
BS:10500
BS:10500 is the Standard against which many
organisations will be audited.
Information Commissioner’s Office Stats……
During 2011 the Information Commissioner’s Office (ICO) issued
£541,000 in fines. This excludes the additional fines imposed by
courts following
This is an increase of 238% over 2010
If the same percentage increase occurs in 2012,
over 2011, total fines issued could be
over £1.8M.
Some recent ICO examples……
19 June 2012
– Belfast Health and Social Care Trust has been served with a Civil Monetary
Penalty of £225,000 following a serious breach of the Data Protection Act
6 June 2012
– Telford and Wrekin Council has been issued with a penalty of £90,000 by the
ICO, following a breach of the Data Protection Act involving the disclosure of
confidential and sensitive personal data relating to four vulnerable children.
1 June 2012
– Brighton and Sussex University Hospitals NHS Trust has been served with a Civil
Monetary Penalty (CMP) of £325,000 following a serious breach of the Data
Protection Act
21 May 2012
– Central London Community Healthcare NHS Trust has been fined £90,000
following a serious breach of the Data Protection Act
Non-compliance comes at a price
Willis £6.895m
FSA Fine
Diagio $16m
SEC penalty
Macmillan £11.3m
SFO Fine
Johnson & Johnson $70m
corruption settlement
Proactive Policy Management
Communication
It is no longer acceptable
to justand
reporting
never
have a well written
policyhave
in place
been more important.
Proactive Policy Management
To prove compliance organisations must
ensure that all stakeholders have :
1
2
3
4
5
Received the latest version of the policy
Read it
Understood it
Signed up to it / not - and
That management have a full audit trail
Communication and
reporting have never
been more important
Value of a Policy Management System
Manage every step of your policy lifecycle in
a central place
Effectively communicate essential policies to your
staff in any location
Avoid duplication and versioning issues
Get the reporting you need – when you need it
Demonstrate best practice and rigorous governance
Increase operational efficiency and cut the cost of
compliance and tribunals
Hitec Expertise
Specialising in the development, implementation and support of
Policy Management; Enterprise Content; Risk and Compliance
management solutions.
Over 350 customers in more than 40 Countries.
Some Customer feedback Associated
British Agriculture (AB Agri)
Benefits highlighted by AB Agri
”We started thinking PolicyHub could help with IT
Security Policies – but quickly established it could
transform effectiveness of SO many policies, from HR,
employee questionnaires through to essential
procedures that support business operations.
Information Security policies such as Acceptable Use for
email and internet benefitted by PolicyHub’s ability to
check employee policy status and immediately present
policies for agreement”
Martin Freeman, IS Security Services
Manager – AB Agri
Audit trail of policy communication and
agreement (or not!)
Visible evidence of staff awareness
of essential IT Assurance policies
and others
Ability to immediately keep remote staff
up to date
Ability to rapidly respond to national
programmes (e.g. Avian Flu)
Ability to be sure of meeting rigorous
compliance, business and security
obligations
Some Customer feedback –
ALD Automotive
”In less than a week, we had secured agreement to key
policies from over 80% of staff.
For policy owners, we’re providing immediate
EVIDENCE of how and when policies are being
accepted.
At Group level Societe Generale can demonstrate
excellent Corporate Governance and Compliance.”
Lindsay Grant, Business Services Management – ALD Automotive
Benefits highlighted by ALD Automotive
Immediate time and cost savings
Complete visibility of compliance
Demonstrable good governance
for the board
Ability to re-brand to fit corporate
brand guidelines
Simplified process for staff who are
more aware of responsibilities
Some Customer feedback –
Morgan Cole
Benefits Highlighted by Morgan Cole
Ability to rigorously enforce a policy
within a deadline
“Compared to the previous approach to communicating
and tracking policies, we cut on going management costs
by a ratio of 20:1… shortening the policy acceptance cycle
- a 24:1 improvement.
We had well written policies and a system of policy
“owners” – we were struggling with a lack of a system to
make this process really effective, simple and sustainable.
We’re seeing benefits from using PolicyHub on multiple
fronts – delivering cost savings and highest levels of
operational effectiveness”
Jeff Wright, I&T Director - Morgan Cole
Ensured policy UNDERSTANDING
Focussed initially on Information Security,
IT Systems Acceptable Use, but many
other policies addressed
Compliance audit trail proving
compliance
High levels of staff understanding
Detailed reporting, LexcellQuality
Standards adherence
In tenders, ability to demonstrate highest
levels of process
Costs cut by 20:1
PolicyHub
Step 1:
Create, import, amend
Policies
Step 6:
Audit every action
and in-action
Step 5:
Ensure understanding
of key policies
Step 2:
Internal review process
Step 3:
Publish the right policies
to the right people
Step 4:
Employee affirmation
for key policies
A Proactive Policy Management Solution
ensures the key policies and procedures get to the right people
that their knowledge is assessed
they become accountable by signing up to them
that the entire process is recorded and auditable
Key Features
Communication
Accessibility
Compliance
Ensures staff read,
understand and sign up to
key policies and procedures
via a clear presentation of
information
Provides instant 24/7
browser based access to
only the latest version of
the document within
personal library
Provides detailed audit trails
and management reporting
on policy agreement and
understanding, identifies
those who have and not
complied
Demonstrate Good Governance > Mitigate Risk
Who benefits?
Compliance, Audit & Security Managers
– Avoid compliance/security breaches
The Board
– Demonstrate good Governance & protect reputation
Management
– Increased control and visibility
– Reduced management time and costs
– Minimise cost of tribunals
– Address knowledge gaps
Employees
– Better employee engagement
Proactive Policy & Procedure
Management
Demonstrate Good Governance
and Mitigate Risk
Questions & Contact Details
Les Richardson
[email protected]
Chris Pascoe
[email protected]
Tel: 01628 600900
UK Headquarters
Hitec Laboratories Ltd
430 Bath Road
Slough
Berkshire
SL1 6BB
www.hiteclabs.com
Enterprise Storage Encryption
and Key Management in the
Datacentre
Blair Semple, CISSP - ISSEP
Director, Business Development
SafeNet Inc.
Agenda







A little about myself and SafeNet
Why encryption in the datacentre
Encryption challenges
Possible deployment options
Key Management challenges for Enterprises
SafeNet Encryption and Key Management
Summary
54
Who We Are
Trusted to protect the world’s most sensitive data for
the world’s most trusted brands.
We protect the most
money that moves in
the world, $1 trillion
daily.
We protect the most digital
identities in the world.
We protect the most
classified information
in the world.
FOUNDED
OWENERSHIP
1983
Private
REVENUE
GLOBAL FOOTPRINT
454m
+25,000
Customers in
100 countries
EMPLOYEES
ACCREDITED
+1,500
Products certified
to the highest
security standard
In 25 countries
Why is Security for Storage Necessary?
Regulations
•
•
•
IP Protection
• Protect IP, digital assets from threats
• Strengthen access controls
• Auditing and logging of user IP access
Security Best
Practices
•
•
•
•
•
PCI, HIPAA, CA SB1386
Privacy Regulations impose financial penalties
Proactive security measures have compelling ROI1
Strong authentication
Administrator role separation
Non-Repudiable auditing
Secure data disposal
Granularity of user data protection
Business Trends
• Controlled data access with outsourced IT and
external development centers
1
Gartner: Estimated cost of dealing with a 100K record breach: $90 per customer
record. Cost of deploying encryption technology: $6 per record
Datacentre Encryption Challenges




Performance
Manageability
Resiliency
Support for Heterogeneous Environments
57
Encryption Options for Storage
Host
Network
Storage
Media
58
Encryption Options at the Extremes
Host-based
Pros
Cons
Extremely Granular Control
Application and O/S
dependencies
Data Secured early in it’s lifecyle
Many devices to install on and
manage
Media-based
Typically Software (less secure)
Pros
Cons
Typically hardware – secure and
fast
Little/no granularity
No upstream dependencies
Data secured only when stored
Few devices to install / manage
Storage-specific solutions
59
Encryption in the Middle
 Network-based Encryption
Pros
Cons
Very Secure (Hardware)
Additional devices to install
Transparent to both sides
Potential for bottlenecking
Appropriate Granularity
60
Why You Should Secure Your NAS
 Effective use of NAS storage means hosting multiple
departments, users, customers, etc.
• No physical segregation or physical access control
• Different policies and requirements
 Effective network sharing means allowing access
within and across enterprise as well as externally
• LAN, Intranet, Internet, VPN
 As such, NAS is vulnerable to:
•
•
•
•
•
human errors
malicious insiders
external attacks
compromised systems
lax policies
Key Management Challenges
 Supporting many devices from many vendors
 Keys need to always be available to authorized users,
but must be kept secure from others
 There can be LOTS of keys
 May need to live for a very long time.
• Some healthcare requirements are “life of the patient plus 10 years”
• Some US Government regulations state “for the life of the republic”
62
Proliferation of Key Management Systems
DataBase
Business
Analytics
Enterprise Apps
E-commerce
Network /
Storage
Encryption
Storage
Systems
Email
Virtualized
Infrastructure
Mainframe
Laptop/
Mobile
Media
Transient
Connection
Persistent Connection
Tape /
Archive
Key
Management
System
Key
Management
System
Key
Management
System
Key
Management
System
Key
Management
System
Key
Management
System
Key
Management
System
Key
Management
System
Proliferation of Key Management Systems
Business
Analytics
DataBase
Enterprise Apps
E-commerce
Network /
Storage
Encryption
Storage
Systems
Email
Virtualized
Infrastructure
Mainframe
Laptop/
Mobile
Media
Tape /
Archive
KMIP
SafeNet KeySecure k460
SafeNet KeySecure
Enterprise Key Management
 Enterprise Key Lifecycle Management
• Centrally managed, consolidation of keys
•
store, manage, generate, distribute, rotate, backup,
activate, deactivate, and destroy
• Up to 1 million keys per cluster
• High Assurance Level
 Standard based approach – OASIS KMIP
 Broadest Coverage in Industry
• NAS – StorageSecure
• SAN - Brocade Encryption Solutions (BES
and FS8/18)
• KMIP support (NSE/FDE, Quantum Tape
Library and other 3rd Party support)
• Cloud-enabled (KMIP-based)
 SafeNet LUNA SA (HSM) and PCI Card
Management
•Hardware- based ,secure key replication
across multiple appliances
•Active-Active mode of clustering
•Geo distribution support
•Highly scalable for cloud implementations
•LDAP/Active Directory Integration and
Syslog forwarding
•Heterogeneous solutions: SFNT and nonSFNT devices, applications, databases,
storage devices, SAN switches, tape
libraries, HSM, network and endpoint
devices, etc.
SafeNet StorageSecure
Next Generation Storage Encryption
 Transparent network-based encryption
• NAS: CIFS (Windows), NFS(Unix/Linux) @ file level
• iSCSI (fall 2012)
 FIPS 140-2 Level 3 (validation in process)
 Strong access controls
• Separation of duties and tamper-proof auditing
 High reliability and availability: Clustering
 Centralized key management: Integrated with KeySecure
 S220 – 1Gbit Interfaces, S280 – 10Gbit Interfaces
Sample Use Cases
67
StorageSecure Use Case Snapshot
1
Isolate Data in Multitenant Environments
Encryption-enabled separation
of data in shared virtual
environments
2
Protect Compliant Data
(Maintain PCI Posture)
Encrypt Data in Real-Time at
the Point of Capture/Creation
3
Protect Offline Data
in Archives
Encrypt Data in Primary &
Secondary Storage Before
Writing to Tape
4
Destroy Data Securely or
Repurpose Storage
Destroy Encryption Keys at
Any Point of the Data Lifecycle
World Leading
Bank
Isolate Data in Multi-tenant Environments
Health
Solutions
Isolated Data
Pharmaceutical
Solutions
Storage Head
Patient
Relationship
Shares
MedicalSurgical
•Encryption-enabled separation of data in shared virtual environments
•Separation of departmental data
•Protect data belonging to security sensitive departments
•Enables hosting multiple customers on the same HW
69
Compliant Data Protection
Intellectual
Property
SalesForce.com
HR
CMS
Off
Premise
On
Premise
(cluster/ failover)
Clients
•Encrypt data in real-time at the point of capture/creation
•Secure, hardware based network storage (FIPS 140-2 Level 3)
•Encrypts data and renders it unreadable to unauthorized viewers
•Secure key management - clear text keys never leave the hardware
•Integrated with KeySecure for automated and centralized key lifecycle management
70
Archival Protection
web
Networked
Applications
DB
App
Primary
Secondary
Storage
Storage
Mobile
Workers
Corporate
Offices
Military
Applications
•Encrypt data in primary & secondary storage before writing to tape
•Operations and staff able to manage data the systems without access to content
•Transparent deployment - no agents, storage device changes or user behavior
adjustments
71
Privileged User Risk Mitigation
Storage
Users
Isolated data
Administrator
•Ensures data isolation and granular, authorized access
•Protects against unauthorized administrators/network administrators and users
•Operations and staff able to manage data the systems without access to content
•Integrated with existing Identity and access mgmt systems (LDAP, MS AD, NIS)
•Instantiates additional layer of dual control to restrict access
72

similar documents