1. Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
David Etue, VP, Corporate Development Strategy, SafeNet, Inc.

2. Cloud and Virtualization Are Changing the Way IT is Managed and Consumed
Agile. Now. On demand. Simple. Secure?

3. Cloud Benefits Are Being Realized…
• 80% of mature cloud adopters are seeing: [1]
– Faster access to infrastructure
– Greater scalability
– Faster time to market for applications
• 50% of cloud users report benefits including: [1]
– Better application performance
– Expanded geographic reach
– Increased IT staff efficiency
[1] RightScale State of the Cloud Report 2014

4. …But Cloud Benefits Are Driven by Sharing

5. And Security and Compliance Are Not the Biggest Fans of Sharing…

6. Leading Inhibitors to Cloud Adoption
(Chart; source: 451 TheInfoPro 2013 Cloud Computing Outlook – Cloud Computing Wave 5)

7. Security and Compliance Concerns With Shared Clouds
How do you maintain ownership and control of your information in a multi-tenant environment?
Data Governance: Lack of Visibility
• Can you track all of my data instances? Backups? Snapshots?
• Am I aware of government requests/discovery?
• Do you know when data is copied?
Data Compliance: Lack of Data Control
• Who is accessing my data?
• Can I illustrate compliance with internal and external mandates?
• Is there an audit trail of access to my data?
Data Protection: Risk of Breach and Data Loss
• Are all my data instances secure?
• Can I assure only authorized access to my data?
• Can I “pull the plug” on data that’s at risk of exposure or whose lifecycle has expired?
8. New Risks Driving Cloud Security Challenges
• Increased Attack Surface
• Privileged Users
• Ability to Apply Security Controls
• Control (or the Lack Thereof)

9. New Risk: Increased Attack Surface

10. New Risk: New Definition of Privilege

11. New Risk: Ability to Apply Security Controls
(Figure: “Security Controls Mapping and Sized by Budget”, the CSA Cloud Model stack from top to bottom: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network; Infrastructure Security.)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

12. New Risk: Ability to Apply Security Controls
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments… but were the controls even effective then?

13. New Risk: Control (or the Lack Thereof)
The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself.
(Figure: the same stack with Amazon EC2 as the IaaS example, Google AppEngine as PaaS, and Salesforce as SaaS; the further up the provider's responsibility reaches, the fewer layers the customer controls.)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” by Chris Hoff -> CSA.
14. And Not Just The Traditional “Bad Guys”
(Figure: parties with an interest in sensitive data in the cloud: Adversaries; Government Discovery; Cloud Administrators; Auditors / Regulators.)

15. So, Whose Cloud Is It Anyway?
Model                          | Private Cloud | IaaS in Hybrid / Community / Public Cloud | PaaS/SaaS
Whose Privileged Users?        | Customer      | Provider                                  | Provider
Whose Infrastructure?          | Customer      | Provider                                  | Provider
Whose VM / Instance?           | Customer      | Customer                                  | Provider
Whose Application?             | Customer      | Customer                                  | Provider
Government Discovery Contact?  | Customer      | Provider                                  | Provider

16. Geographical Considerations?
• Cloud region location
• Cloud provider headquarters
– US court decision with serious implications: In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 13 Mag. 2814
– A Sober Look at National Security Access to Data in the Cloud, a Hogan Lovells white paper (covers US, EU, and EU member country legislation and case law)
17. Making it Your Cloud: Key Enablers to Cloud Security
• Encryption (and Key Management)
• Identity and Access Management with Strong Authentication
• Segmentation
• Privileged User Management
• Detection and Response Capabilities
• System Hardening
• Asset, Configuration, and Change Management

18. Encryption: Un-Sharing in a Shared Environment

19. Clouds Love Crypto!!!*
*with good key management…

20. Cloud Encryption Models
Type of Encryption | Definition | Also Called
Service Provider Encryption with Provider Managed Keys | Encryption performed by the cloud service provider using encryption keys owned and managed by the cloud service provider | Server Side Encryption; SSE
Service Provider Encryption with Customer Managed Keys | Encryption performed by the cloud service provider using encryption keys owned and managed by the customer | “Customer provided keys”; SSE-CPK
Customer Managed Encryption with Customer Managed Keys | Encryption performed by the customer using encryption keys owned and managed by the customer | “Client side encryption” (for object storage and client-server environments)
21. How Do You Apply Security Controls?
(Figure: “Security Controls Mapping and Sized by Budget”, the CSA Cloud Model stack: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network; Infrastructure Security.)
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.

22. Need to Focus “Up The Stack”
(Figure: the same CSA Cloud Model stack, with the Host, Network and Infrastructure Security layers called out as the ones the provider now owns.)
Virtualization, software defined networks, and public/hybrid/community cloud force a change in how security controls are evaluated and deployed.

23. Data Centric Security = Agility!
(Figure: the CSA Cloud Model stack: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network; Infrastructure Security.)
