VORMETRIC CLOUD ENCRYPTION GATEWAY Enabling Security and Compliance of Sensitive Data in Cloud Storage



Vormetric, Inc.

2545 N. 1st Street, San Jose, CA 95131 United States: 888.267.3732 United Kingdom: +44.118.949.7711 South Korea: +82.2.2190.3830 [email protected] www.vormetric.com



TABLE OF CONTENTS

INTRODUCTION . . . 2

Proliferating Data Repositories . . . 2

Increasing Security Threats . . . 3

Intensifying Compliance Mandates . . . 3

THE MANDATE: MOVE DATA TO CLOUD STORAGE —SECURELY . . . 3

CLOUD STORAGE SECURITY: THE CHALLENGES . . . 4

THE SOLUTION: SECURING SENSITIVE DATA IN CLOUD STORAGE . . . 4

VORMETRIC CLOUD ENCRYPTION GATEWAY: KEY FEATURES . . . 5

VORMETRIC CLOUD ENCRYPTION GATEWAY: BENEFITS . . . 6

DEPLOYMENT SCENARIOS . . . 7

Amazon S3 . . . 7

Box . . . 8

PART OF THE VORMETRIC DATA SECURITY PLATFORM . . . 9


Increasingly, sensitive and strategic corporate data is finding its way into cloud storage environments. At the same time, data breaches continue to grow more prevalent and costly. This paper offers an in-depth description of the challenges confronting IT teams as they look to keep sensitive data secure in corporate cloud deployments. In addition, the paper offers an introduction to the Vormetric Cloud Encryption Gateway. The paper reveals how Vormetric delivers a single platform that enables security teams to safeguard sensitive data across their cloud and on-premises environments, while centrally managing policies and keys.

INTRODUCTION: THE DAUNTING CHALLENGES FOR TODAY’S IT AND SECURITY TEAMS

PROLIFERATING DATA REPOSITORIES

For today’s IT organizations, rapid, substantive change continues to occur. If there’s one thing that remains constant amidst all this change it is this: there’s more. IT teams have to contend with these facts:

• There’s more data. On everything from user devices to backend archives, capacity continues to grow, and data volumes keep expanding to fill this capacity. To support big data initiatives, IT organizations continue to aggregate data from more sources, which leads to exponential increases in the volumes of data that must be managed.

• There are more user devices, applications, and systems. These expanding data volumes, coupled with the proliferation of bring-your-own-device initiatives and the ubiquity of mobile applications, all mean that there are more devices and infrastructure that IT teams have to support.

• There are more computing models, locations, and facilities. Beyond the data center, organizations are relying on a number of cloud services, whether delivered via infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS) models, or a combination thereof. At the same time, there are increasing numbers of remote, externally distributed environments and servers, including remote offices, externally hosted environments, disaster recovery and backup sites, and more.

Figure: Sensitive data is dispersing and growing, and becoming harder to secure. It now spans enterprise data centers (physical, virtual, outsourced); private, public, and hybrid clouds (IaaS, PaaS, SaaS); big data (sources, nodes, analytics); and remote servers.


INCREASING SECURITY THREATS

It is within this context of proliferation that the task of IT security, already tough, grows increasingly daunting. Given all the increasing volumes and locations of data outlined above, the simple reality is this: Sensitive data can show up in more locations and be exposed to more threats. And today, the threats are significant. Costly attacks waged by well-funded and sophisticated nation-states and cyber-criminal organizations are growing increasingly frequent. Further, business and technical leaders are increasingly cognizant of the threats posed by insiders. The 2015 Vormetric Insider Threat Report found that 89% of executives felt their organizations were more at risk from insider attacks. Given the risks being posed from inside and outside the organization, and the dramatically expanding locations that house sensitive data, it should come as no surprise that devastating breaches continue to occur. The Vormetric report revealed that 40% of organizations experienced a breach or failed audit.[1]

INTENSIFYING COMPLIANCE MANDATES

For many organizations, the need to strengthen security and mitigate the risk of these breaches and threats is being intensified by regulatory and privacy mandates. Given their forced disclosure rules, many mandates can contribute to dramatically escalating brand damage when sensitive data is compromised. Further, the mandates themselves continue to grow more stringent and complex. For example, compared to version 2.0, version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS) has 27% more rules. Further, it will require 188 more work days to comply with the new standard.[2]

Those organizations being tasked with complying with the Health Insurance Portability and Accountability Act (HIPAA) are facing similarly intensifying scrutiny and pressure. In the wake of breaches, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has issued fines ranging from $800,000 to $4.2 million.[3] Further, starting in 2015, hundreds of healthcare organizations may be the subject of random audits by the OCR.

THE MANDATE: MOVE DATA TO CLOUD STORAGE—SECURELY

As the prior sections make clear, there’s more data, more places it can be exposed, more sophisticated attackers trying to get at that data, and steeper costs if it should be compromised.

To contend with these realities, organizations must expand their safeguards across larger data sets and more environments. This is particularly true of cloud implementations, which represent an increasingly large and strategic portion of the IT computing landscape—and a critical area of vulnerability if the appropriate defenses aren’t employed.

The 2015 Vormetric Insider Threat Report, Cloud and Big Data Edition, illustrates how strategic the cloud has become in this regard. According to the report:

• 80% of enterprises now use cloud-based services and infrastructure.

• 54% of global organizations are hosting sensitive data in the cloud.

• 83% of U.S. respondents are very or extremely concerned with the threat levels posed by cloud storage environments.

• When queried about the location that raised the most security concerns, 46% cited the cloud, making it the highest-ranked category.[4]

[1] Vormetric, “2015 Vormetric Insider Threat Report: Trends and Future Directions in Data Security,” http://www.vormetric.com/campaigns/insiderthreat/2015/

[2] Gartner, “What's Changing and How to Respond to PCI v3.0,” Avivah Litan and Rajpreet Kaur, 20 August 2014

[3] SearchHealthIT, “As HIPAA audits loom, most docs remain unprepared,” Shaun Sutner, January 2015, http://searchhealthit.techtarget.com/feature/As-HIPAA-audits-loom-most-docs-remain-unprepared


CLOUD STORAGE SECURITY: THE CHALLENGES

Now, most corporate users and business groups are highly reliant upon cloud storage offerings like Box and Amazon Simple Storage Service (Amazon S3). These services have been proven to help businesses enhance collaboration, flexibility, cost efficiency, and data availability.

Given this increasing reliance, cloud storage environments continue to house more sensitive and strategic assets. As a result, it is increasingly vital that organizations employ strong safeguards in these environments. This isn’t a requirement that IT leadership can ignore. It is important to recognize that this move to cloud storage has happened and will happen with or without IT’s involvement. If there isn’t a company-sanctioned cloud storage service, employees will use their own—and in the process create a new set of risks for enterprise data. However, while the need for strong security in cloud environments is critical, addressing this requirement can present security and compliance teams with a number of specific challenges:

• Limited visibility and control. Given the multi-tenant, externally hosted nature of these cloud services, security teams and the auditors they work with fundamentally lack visibility into the nature of security mechanisms in place, making it difficult to track and demonstrate compliance. In addition, sensitive files may be copied, downloaded, and uploaded by employees without any controls or logging of these activities. In the event of a breach, security teams may lack the intelligence they need to do proper forensics.

• Privileged user exposure. In cloud storage environments, administrators within the cloud service provider organization may be able to access or manipulate sensitive client data.

• Vulnerability to government subpoenas. News reports have made it clear that government agencies are increasingly using subpoenas of service providers, including cloud providers, to further criminal investigations. For organizations storing their data in the cloud, this can mean that corporate data may be handed over to agencies, potentially without executives ever knowing, let alone providing their consent.

In recent years, data-at-rest encryption has emerged as an increasingly fundamental requirement—and this is particularly true for cloud storage environments. By encrypting sensitive assets, security teams can begin to establish the vital controls needed to guard against unauthorized access to sensitive files. Further, encryption can help establish the visibility IT teams need to track and demonstrate compliance with security policies and regulatory mandates.

Because of these and other attributes, the use of encryption has spread within many organizations. However, in recent years, many IT teams have employed encryption in a more tactical, isolated fashion, for example, with one tool used to encrypt data in one vendor’s database, another tool used to encrypt data in a specific application, and so on. Given the rapidly escalating demands outlined above, these piecemeal approaches are growing increasingly untenable.

THE SOLUTION: SECURING SENSITIVE DATA IN CLOUD STORAGE

Vormetric offers robust solutions that enable organizations to contend with both proliferating data and security threats. The company’s data-at-rest solutions help customers secure their most sensitive assets against the most critical risks, including advanced persistent threat (APT) attacks and abuse by privileged users.


With the Vormetric Data Security Platform, organizations can secure data no matter where it resides, including across data centers and in virtualized, big data, and cloud environments. The Vormetric Data Security Platform features the Vormetric Cloud Encryption Gateway, a solution that enables organizations to safeguard sensitive data in cloud storage environments. With the Vormetric Cloud Encryption Gateway, organizations can encrypt files in cloud storage, without having to add another point tool that compounds the complexity IT teams have to contend with.

The Vormetric Cloud Encryption Gateway is delivered as a virtual appliance that can be deployed in the cloud or in the customer’s data center. The solution encrypts sensitive data before it is saved to the cloud storage environment, enabling security teams to establish the visibility and control they need around sensitive assets. Like other Vormetric encryption offerings, the solution relies on the Vormetric Data Security Manager for key and policy management. As a result, customers never need to relinquish control of cryptographic keys to the provider and data never leaves the enterprise premises unencrypted or unaccounted for.

THE VORMETRIC CLOUD ENCRYPTION GATEWAY: KEY FEATURES

With the Vormetric Cloud Encryption Gateway, organizations can leverage a strong set of capabilities:

• Robust, persistent controls. When the solution is implemented, sensitive data may be copied, shared, and distributed in an array of environments, but security teams can keep localized control over policies and keys. As a result, they can enforce policies and track data access, even as sensitive data is saved and distributed in cloud storage environments.

• On-premises key management. By leveraging this solution, customers can ensure that their security team retains control over cryptographic keys at all times. The keys can be retained on premise, ensuring they’ll never be accessible by the cloud provider. Further, keys can be stored in a FIPS 140-2 level 3-certified hardware appliance.

• Detailed visibility and auditability. The Vormetric Cloud Encryption Gateway gives administrators detailed visibility into data access, access attempts, and more. In the event of a breach or audit, detailed forensics data can be provided. In addition, the solution features dashboards that offer intuitive insights into usage of the cloud storage application.

Figure: Personal computers, mobile devices, and servers on the enterprise premises, together with the DSM and security intelligence, connect through the Vormetric Cloud Encryption Gateway to cloud storage and other SaaS.

• Agile performance. Through its virtualized appliance architecture, the Vormetric Cloud Encryption Gateway offers elastic scaling that enables IT teams to efficiently accommodate changing performance and scalability demands.

• Intelligent risk detection. The Vormetric Cloud Encryption Gateway can automatically scan cloud environments and discover unencrypted files that violate security policies. As a result, security teams can effectively mitigate the exposure associated with having users intentionally or unintentionally circumvent policies.

• Transparent, efficient implementation. The Vormetric Cloud Encryption Gateway significantly streamlines the process of implementing and managing security. IT teams don’t need to modify applications or workflows when deploying the solution. In addition, in Amazon S3 environments, security teams can leverage their Active Directory implementation to more efficiently manage user and group access policies.

• Flexible service extensibility. The solution is built on an extensible architecture that features Vormetric Security Blades. Blades for Amazon S3 and Box were made available in the first product release. In the future, Vormetric and its partners will deliver additional blades for a range of other cloud storage environments and SaaS solutions.

THE VORMETRIC CLOUD ENCRYPTION GATEWAY: BENEFITS

Organizations can realize the following benefits with the Vormetric Cloud Encryption Gateway:

• Boost operational efficiency. With the Vormetric Data Security Platform, IT organizations can establish strong, centralized controls over encryption keys and policies for a range of environments, including cloud storage, other cloud deployments, big data environments, and across the enterprise. As a result, they can address their proliferating data volumes and escalating security threats and compliance demands, with optimal efficiency.

• Strengthen security and compliance controls. The Vormetric Cloud Encryption Gateway enables security organizations to establish strong, persistent controls around sensitive data. The solution provides the capabilities needed to ensure sensitive data isn’t exposed through unauthorized usage, copying, or sharing; government subpoena; or the cloud provider’s privileged users. With these capabilities, IT organizations can track and demonstrate compliance with relevant security policies and regulatory mandates.

Figure: Amazon S3 deployment. Unstructured data (files, archives, backups) from the enterprise, sent via API or browser, is transparently encrypted by the Vormetric Cloud Encryption Gateway, using keys from the DSM, before it reaches the cloud storage or SaaS provider, and is transparently decrypted on the way back; data is ALWAYS encrypted on S3.

• Leverage cloud environments more broadly. With the Vormetric Cloud Encryption Gateway, security concerns don’t have to keep limiting an organization’s use of cloud storage. Instead, businesses can more broadly adopt cloud storage environments, and harness all the benefits they offer, without introducing risk. The solution helps IT teams become business enablers, supporting the business as it seeks to rely on cloud storage environments for a broader set of users and use cases, including those that entail the management of sensitive and regulated data.

• Maximize cost efficiency. Existing Vormetric customers can leverage their investments and expertise in the Vormetric Data Security Platform to extend encryption into cloud storage environments. New customers can leverage a single platform to secure data across their data centers, remote locations, big data analytics, and a range of cloud services.

DEPLOYMENT SCENARIOS

AMAZON S3

The Vormetric Cloud Encryption Gateway encrypts sensitive assets before they leave the enterprise and are saved to Amazon S3. The solution then decrypts these assets on the enterprise premises when they are retrieved by authorized users. Files used in storage, backups, archives, disaster recovery, and other areas can be transmitted to the gateway, where they are encrypted. Transactions are logged and the secured data is passed on to Amazon S3. The keys and policies associated with accessing this data remain in the customer facility. This prevents hackers, Amazon Web Services (AWS) administrators, and other unauthorized users from gaining access to sensitive data stored in Amazon S3.

With the Vormetric Cloud Encryption Gateway, security teams can begin encrypting data in existing applications that are written to Amazon S3 API specifications, without making any code changes. The gateway only processes data manipulation API calls, such as “GET”, “PUT”, and “POST”. Other commands are passed through without any changes.

In addition, the Vormetric Cloud Encryption Gateway features a cloud storage monitoring capability. With this feature, organizations can ensure that, even if a user bypasses the encryption gateway and saves a file to an Amazon S3 repository, the solution can automatically identify this unencrypted file, and transparently encrypt it. Through this capability, security teams can more effectively and efficiently ensure policies are consistently enforced on all files in a specific repository.

Figure: Box deployment. User data from the enterprise, sent via API or browser, is transparently encrypted and decrypted by the Vormetric Cloud Encryption Gateway, using keys from the DSM; data is ALWAYS encrypted on Box.

BOX

The Vormetric Cloud Encryption Gateway protects user data stored in the Box Enterprise File Synchronization and Sharing (EFSS) service. With the solution, security teams can ensure that their organization’s data is always encrypted when it resides in Box, and control access to that data at all times. With the solution, sensitive data never leaves the customer premise unencrypted. Further, the encryption keys are always in the customer’s facility and under the security team’s control. This prevents hackers, Box administrators, and other unauthorized users from gaining access to sensitive data stored in Box.

When the Vormetric Cloud Encryption Gateway is implemented, users create files as they normally would. Then, when they save or transfer their files to Box, data can be directed to the gateway. The gateway then transparently encrypts the data and logs the transaction.

With this solution, employees can more efficiently and securely collaborate with other employees as well as a range of external colleagues and vendors. When an authorized user, whether the original author or someone the author has designated as a recipient, attempts to access the file, it is transparently decrypted as it passes through the gateway. This enables secure collaboration, while providing an audit trail that is useful in demonstrating data security compliance to auditors.

Using the Vormetric Cloud Encryption Gateway’s cloud storage monitoring feature, security administrators can automatically ensure that all files residing in a secure folder are encrypted, even if some files were originally saved to the folder in an unencrypted format.

By implementing the Vormetric Cloud Encryption Gateway, enterprise IT teams can provide an environment for secure file sharing, collaboration, and backup, without having to change applications or the user experience. In Box environments, the gateway only processes content-focused API calls. Other calls are passed through the gateway without any changes. If organizations have existing applications that are written to Box API specifications, they can use the Vormetric Cloud Encryption Gateway to start encrypting data from these applications, without having to make any code changes.
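The Amazon S3 and Box flows described above share one pattern: data calls are encrypted on the way in and decrypted for authorized users on the way out, other API calls are passed through unchanged, keys stay with the on-premises key manager, every transaction is logged, and the monitoring feature re-encrypts files that reached the store without passing through the gateway. The following Python model is an added example, not Vormetric's code; its dict-backed object store, key manager, and HMAC-based stand-in cipher are constructed assumptions (the paper does not name the product's algorithm or object format).

```python
import hashlib, hmac, os

MAGIC = b"ENCGW1"  # constructed header marking gateway-encrypted objects
KID_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a production AEAD cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

class KeyManager:
    """Stand-in for the on-premises Data Security Manager: keys never leave it."""
    def __init__(self) -> None:
        self.current = b"key-0001"                 # constructed key id, 8 bytes
        self.keys = {self.current: os.urandom(32)}

def encrypt(km: KeyManager, plaintext: bytes) -> bytes:
    """Object layout: MAGIC | key id | nonce | tag | ciphertext (encrypt-then-MAC)."""
    kid, nonce, key = km.current, os.urandom(NONCE_LEN), km.keys[km.current]
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, MAGIC + kid + nonce + ct, hashlib.sha256).digest()
    return MAGIC + kid + nonce + tag + ct

def decrypt(km: KeyManager, blob: bytes) -> bytes:
    """Check the tag before decrypting; tampered or non-gateway objects are rejected."""
    if not blob.startswith(MAGIC):
        raise ValueError("object was not encrypted by the gateway")
    i = len(MAGIC)
    kid, nonce = blob[i:i + KID_LEN], blob[i + KID_LEN:i + KID_LEN + NONCE_LEN]
    i += KID_LEN + NONCE_LEN
    tag, ct, key = blob[i:i + TAG_LEN], blob[i + TAG_LEN:], km.keys[kid]
    expected = hmac.new(key, MAGIC + kid + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class ObjectStore:
    """Dict-backed stand-in for an S3 bucket; users can also reach it directly."""
    def __init__(self) -> None:
        self.objects = {}

    def request(self, method: str, key: str, body: bytes = b""):
        if method == "PUT":
            self.objects[key] = body
        elif method == "GET":
            return self.objects[key]
        elif method == "DELETE":
            self.objects.pop(key, None)
        else:
            raise ValueError("unsupported method " + method)

class Gateway:
    """Encrypts on PUT, decrypts on GET, passes other calls through unchanged, logs all."""
    def __init__(self, km: KeyManager, store: ObjectStore) -> None:
        self.km, self.store, self.log = km, store, []

    def handle(self, method: str, key: str, body: bytes = b"", user: str = "anon"):
        if method == "PUT":
            result = self.store.request("PUT", key, encrypt(self.km, body))
        elif method == "GET":
            result = decrypt(self.km, self.store.request("GET", key))
        else:
            result = self.store.request(method, key)  # not a data call: passthrough
        kind = "data" if method in ("PUT", "GET") else "passthrough"
        self.log.append((user, method, key, kind))  # audit trail for forensics and compliance
        return result

def monitor(gw: Gateway) -> list:
    """Cloud storage monitoring: encrypt in place any object that bypassed the gateway."""
    fixed = []
    for key, blob in list(gw.store.objects.items()):
        if not blob.startswith(MAGIC):
            gw.store.request("PUT", key, encrypt(gw.km, blob))
            gw.log.append(("monitor", "ENCRYPT", key, "remediation"))
            fixed.append(key)
    return fixed
```

The store never sees a key or a plaintext written through the gateway, and an object uploaded directly is caught and encrypted by the next monitor pass.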


PART OF THE VORMETRIC DATA SECURITY PLATFORM

The Vormetric Cloud Encryption Gateway is part of the Vormetric Data Security Platform. Today, some of the largest and most security-conscious organizations in the world rely on the Vormetric Data Security Platform for securing sensitive and regulated data in databases and files. The Vormetric Data Security Platform offers a flexible set of technologies that can address a range of security and compliance use cases. Vormetric solutions can secure data across a range of environments, including cloud environments, big data analytics platforms, and physical and virtual servers.

In addition to the Vormetric Cloud Encryption Gateway, the Vormetric Data Security Platform features solutions for transparent encryption, tokenization with dynamic data masking, application-layer encryption, key management, privileged user access control, and security intelligence log collection. With this platform’s comprehensive, unified capabilities, IT teams can efficiently scale to address their expanding security and compliance requirements, while significantly reducing total cost of ownership (TCO). As outlined above, Vormetric Cloud Encryption Gateway can secure sensitive data in Amazon S3 and Box, and, in the future, a range of additional cloud storage and SaaS environments. In addition, Vormetric offers solutions that can secure sensitive data in these cloud environments:

• IaaS. Most commonly, Vormetric Transparent Encryption is deployed to protect sensitive data in IaaS environments. This product features an agent that runs in the file system to provide high-performance encryption and least-privileged access controls for files, directories, and volumes. Access policies and cryptographic keys are managed through the Vormetric Data Security Manager, which can run on premises or in the cloud.

• PaaS. Vormetric Tokenization with Dynamic Data Masking is the primary product used to protect sensitive data in PaaS environments. This product makes it easy for application developers to use format-preserving tokenization to protect sensitive fields in databases. The solution enables compliance with PCI DSS and other regulations, while minimizing disruption and administrative overhead. With the solution, security teams can tokenize and de-tokenize data on-premises and ensure that sensitive data never leaves the enterprise.

To learn more, please visit www.vormetric.com/products/overview.

Figure 6: Vormetric Data Security Platform delivers comprehensive security and on-premises key management across various cloud models


CONCLUSION

The utilization of cloud storage continues to grow increasingly common and strategic. As a result, more and more sensitive data is ultimately residing in these environments. To comply with security policies and regulatory mandates, these sensitive assets must be encrypted. IT organizations need to address this demand and enable secure cloud storage, or employees will circumvent policies and leverage their own cloud services. With the Vormetric Cloud Encryption Gateway, organizations can meet this demand, while minimizing the cost and operational effort required to secure sensitive assets, both across cloud environments and across the enterprise.

ABOUT VORMETRIC


Copyright © 2015 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Vormetric.

EMEA HEADQUARTERS: 200 Brook Drive
