Cloud Security Case Study Amazon Web Services. Ugo Piazzalunga Technical Manager, IT Security


(1)

Cloud Security Case Study

Amazon Web Services

Ugo Piazzalunga

(2)

Agenda

1. Amazon Web Services challenge
2. Virtual Instances and Virtual Storage Protection
3. AWS Data Security - User Experience
4. Scalability, Management, Key Security
5. SafeNet Trusted Cloud Fabric

(3)

The challenge

Help customers meet compliance requirements, including PCI DSS, SOX, HIPAA and the EU Data Privacy Directive.

(4)

The Problem of Protecting Cloud Data

Unique challenges to protecting data

Data in the Cloud

• Will live in multi-tenant environments
• Will be exposed to cloud admins
• Will be highly mobile/copyable
• Exposed to co-resident lawful order surrender
• Suffer from data destruction and retention uncertainty

Virtual Instances

• Entire servers, applications, databases, etc. virtualized
• Unsecured container of sensitive data
• Susceptible to unlimited copying
• Exposed to uncontrolled brute force attacks

Virtual Storage

• Data leakage exposure to physical and logical storage breach
• Accessible to cloud administrators
• Risk of data disclosure from misconfiguration or unanticipated changes in privacy terms
• Cloud offered encryption suffers from retention uncertainty

(5)

Smarter Compliance and Security

Attaching and enforcing control directly on Data

[Diagram: an attacker outside layered Perimeter, RBAC and Encryption controls surrounding DATA]

Perimeter solutions apply security around data:

• Solutions fundamentally can’t solve data protection
• Provide diminishing returns on investment
• Constantly being breached and failing audits
• Don’t apply well in the cloud

Data encryption attaches security directly on data:

• Protection follows the data
• Solves separation of duties
• Solves multi-tenant data isolation (internal department and cloud)
• Can reduce overall audit scope
• Delivers granular audit records
• Directly addresses breach and leakage projects
• Limits scope of breaches
• Adheres to “safe harbor” provisions in most disclosure laws

(6)

SafeNet Virtual Instance and Storage Protection

With SafeNet ProtectV™ server- and storage-based encryption, customers can now protect compliance-impacted data stored on virtual machines and storage volumes running in both cloud and virtualized data centers.

ProtectV™ Instance enables organizations to encrypt and secure the entire contents of virtual servers, protecting these assets from theft or exposure.

ProtectV™ Volume enables enterprises to secure entire virtual volumes in the cloud containing their data, such as files or folders.

Delivers:

• Data isolation
• Separation of duties
• Large scale deployment
• Cloud compliance
• Pre-launch authentication
• Multi-tenant protection

ProtectV™ Manager enables enterprises to deploy cloud security at large scale, enabling the elasticity and agility of security for the cloud.

(7)

SafeNet ProtectV on Instances

ProtectV Protection

• Entire instance encrypted, protecting the OS
• Attached volumes encrypted
• Encrypts all data written to disk
• OS does not boot without authentication
• Central key management for strong control
• Resists brute-force attacks on keys
• Supports AWS and other hypervisors (e.g. VMware)

Encrypted Instance

• AES 256
• Pre-Launch Authentication
• Policy + Key Management

(8)

Ok, It’s Go Time!

ProtectV for AWS Experience

3 Steps to Getting Started Today

Step 1: Sign up for your FREE TRIAL: http://www2.safenet-inc.com/AWS/register.asp

Step 2: Select AMIs. You can choose from 4 AMIs with SafeNet’s ProtectV software for Windows pre-installed:

• 32-bit Windows Server 2008 AMI ID: ami-e85ead81
• 64-bit Windows Server 2008 AMI ID: ami-d45eadbd
• 32-bit Windows Server 2003 AMI ID: ami-2e57a447
• 64-bit Windows Server 2003 AMI ID: ami-3257a45b

Step 3: Activate AMI encryption. Here you’ll set up the pre-launch environment (username, password/authentication credentials). The encryption runs transparently, so customers can continue running their machines during the encryption process. It is estimated to take 45 minutes to 1.5 hours to encrypt 30GB.

(9)

ProtectV and Scaling in AWS

Managing ProtectV instances across the cloud

Cloud APIs and Web Services

• Authentication Automation
• Bulk operations

Centralized Management

SafeNet ProtectV Manager

• Provides centralized management
• Supports either customer premise or cloud deployments
• Open APIs to cloud management
• Manages and coordinates ProtectV Security

SafeNet KeySecure (on Premise)

(10)

ProtectV Manager

Key benefits and features

Integrated Management and Dashboard

• Centrally manage configuration and policy for all ProtectV deployments
• Central dashboard for status and events

Performance Optimized for Cloud Deployments

• In-cloud location for rapid encryption management
• Low latency key management
• Rapid discovery and initialization
• Key and policy initialization for new images

Cloud Management Integration

• Fully exposed APIs for cloud management automation
• Enables rapid provisioning and elastic scalability
• SOAP and CLI interfaces
• Full set of published actions: startprotectinstance, getvolume, activateinstance, getvolumestatus, adduser, deleteuser, assignrole, protectvulmes, etc.
• Interface with external syslog logging systems

Continual operations

• ProtectV Manager high availability

Policy and Control Management

• Fine grain control of user access to ProtectV protected systems
• Integrates with customer controlled key management and trust anchoring

(11)

ProtectV Key Management

Maximizing security and operational effectiveness

Enforces Maximum Security

• Granular AAA tied to keys
• Adheres to strongest established crypto algorithms
• Overcomes inherent weakness of password-based keys
• FIPS 140-2 Level 3 (in process)

Delivers Maximum Operational Agility

• Enables dispersed ProtectV deployments across availability zones, data centers and cloud providers
• Prevents data loss: no more lost keys
• Supports key lifecycle through Enterprise Key Management
• Coordinates across encryption solutions: databases, storage, cloud, etc.
• Accessible and available for storage and tape archiving

Key Management Options

• SafeNet KeySecure
• Part of ProtectV Manager
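The two ProtectV slides above (instance protection with pre-launch authentication, and key management with "granular AAA tied to keys") describe a key-release flow rather than show it. The following is an added illustration, not SafeNet's code: the class and method names are invented (loosely echoing the adduser/assignrole/activateinstance actions listed for ProtectV Manager), and it models only the central key server gating a random 256-bit volume key behind authentication, role and an audit record, not the AES-256 disk encryption itself.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # protects only the login credential, never the volume key


@dataclass
class KeyServer:
    """Hypothetical central key manager (stand-in for KeySecure / ProtectV Manager)."""
    users: dict = field(default_factory=dict)   # user -> (salt, pwd_hash, role)
    keys: dict = field(default_factory=dict)    # instance_id -> 256-bit volume key
    audit: list = field(default_factory=list)   # syslog-style audit records

    def adduser(self, user, password, role):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user] = (salt, digest, role)

    def protectinstance(self, instance_id):
        # The volume key is 256 random bits generated and held by the key server.
        # It is never derived from the user's password, so the attacker's search
        # space is the 2**256 key space, not the much smaller password space.
        self.keys[instance_id] = secrets.token_bytes(32)
        return instance_id

    def _authenticate(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return None
        salt, digest, role = rec
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return role if hmac.compare_digest(probe, digest) else None

    def release_key(self, instance_id, user, password):
        """Pre-launch authentication: hand the volume key only to an authenticated
        user holding the 'operator' role, and log every attempt (AAA tied to keys).
        A cloud admin without that role gets nothing: separation of duties."""
        role = self._authenticate(user, password)
        granted = role == "operator" and instance_id in self.keys
        self.audit.append(
            f"protectv keyrelease instance={instance_id} user={user} "
            f"result={'granted' if granted else 'denied'}")
        return self.keys[instance_id] if granted else None
```

The instance id and credentials used when exercising this are constructed sample values.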

(12)

SafeNet Cloud Solution

Solving Today’s Core Cloud Security Barriers with SafeNet Trusted Cloud Fabric

Business Goals and the matching SafeNet solution:

1. Controlling Access to SaaS Applications; Federating Identities
   Secure Access to SaaS: SafeNet Multi-Factor Authentication

2. Achieving Compliant Isolation and Separation of Duties in Multi-Tenant Environments
   Secure Virtual Machines: SafeNet ProtectV™ Instance

3. Maintaining Trust & Control in Virtual Storage Volumes
   Secure Virtual Storage: SafeNet ProtectV™ Volume and StorageSecure

4. Secure Cloud Applications Without Impacting Performance; Maintain Ownership of Keys
   Secure Cloud Applications: SafeNet DataSecure®, KeySecure, and ProtectApp

5. Secure Digital Signing and PKI in the Cloud
   Secure Cloud-Based Identities and Transactions: SafeNet HSM

6. Connect Securely to Private Clouds
   Secure Cloud-Based Communications: SafeNet HSE

(13)



Resources:

SafeNet: http://safenet-inc.com/cloudsecurity (videos, white papers)
Blog: http://data-protection.safenet-inc.com/
Cloud Security Alliance: www.cloudsecurityalliance.org (Regulatory Mapping Document, Threat Document)
