Virtual Machine Encryption Security & Compliance in the Cloud Pius Graf Director Sales Switzerland 27.September 2017
Agenda Control Your Data In The Cloud Overview Virtual Machine Encryption Architecture
Putting Your Data in The Cloud has Its Challenges
Can we protect sensitive data stored in and moving to and from the cloud?
How do we meet compliance obligations in cloud environments?
How do we prevent cloud administrators and other tenants from accessing data?
How do we control what data is accessed in the event of a government subpoena?
How do we ensure data is securely decommissioned from the cloud?
Who owns our encryption keys in the cloud?
How do we centralize data security across environments?
Maintaining Control of Data in the Cloud is Critical to Security
54% of companies take a proactive approach to managing security and complying with privacy and data protection regulations in the cloud.
MORE THAN HALF of companies have cloud services and corporate data stored in the cloud that are not controlled by the IT department.
ONLY 1/3 of sensitive data stored in cloud-based applications is encrypted.
56% of organizations do not agree that they are careful about sharing sensitive information in the cloud with third parties such as business partners, contractors and vendors.
Source: The 2016 Global Data Security Study, Gemalto/Ponemon Institute, July 2016.
Stay Compliant in the Cloud
Virtual Machine Encryption gives data control squarely to the customer and lets them demonstrate undisputed command and proof of ownership of both data and keys.
Addresses compliance standards for cloud environments such as PCI DSS, SOX and HIPAA.
Centralized policy enforcement provides a single audit point to facilitate proof of governance, a key factor in compliance.
Run Workloads Securely in the Cloud Virtual Machine Encryption helps customers maintain full control of their data by encrypting entire virtual machines and all of the data residing in the instance. Once encrypted, all archives, snapshots, and backups of these instances remain secure regardless of their location. Illegitimate or hidden copies of data are rendered useless, and trusted audit logs cover access events.
Virtual Machine Instances Are Only Available To Authorized Users
Virtual Machine Encryption provides encryption-based separation of duties that isolates data from AWS, Microsoft Azure and IBM Bluemix, from the organization's own IT administrators, and from other business units within the organization's virtual environment.
Granular role-based control of who can start a virtual instance, enforced through pre-boot authentication policies.
Copies and snapshots of Virtual Machine instances and volumes are tracked and cannot be instantiated without authorized access to the keys.
Deployment Options: Virtual Machine Encryption On-Premises and in Cloud/Virtual environments
Security and compliance across virtual and cloud-enabled infrastructure to secure sensitive workloads and confidential data in the cloud
Isolate virtual machines and storage through encryption of OS and data partitions
Authorize virtual machine launches
Track key access to all copies of your data
Revoke key access after terminating an instance or in the event of a breach
Single pane of glass for management across clouds
Virtual Machine Encryption: Secures the Entire VM Lifecycle (figure: Encrypted VM Lifecycle)
Virtual Machine Encryption for Microsoft Azure with trusted Central Key Management
(Architecture diagram) Azure side: Protected Storage and Protected Instance. Trusted on-premises location: Central Key Management (HA) generates and stores the keys.
Virtual Machine Encryption Manager: manages the clients.
Virtual Machine Encryption Client: encrypts all I/O, partitions and the OS.
Virtual Machine Encryption: Common Use Cases
Run workloads securely and in isolation in a multi-tenant environment
Meet compliance and regulatory mandates
Enable separation of duties between cloud service provider, storage, security and other administrators
Safely decommission data from the cloud
Track access and audit data
Protect data against lawful seizure
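The lifecycle these use cases describe (keys generated and held in a trusted on-premises key manager, launches authorized per instance, every key access logged, and key revocation at decommissioning) is shown below as an added example. It is not Gemalto's product code: the key manager, the tenant and instance names and the sample volume contents are constructed for illustration, and a stdlib HMAC-SHA256 counter-mode construction stands in for the AES disk encryption a real client would use.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC sub-keys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF stream cipher; a real VM encryption
    client would use AES-XTS or AES-GCM here (assumption: stdlib-only stand-in)."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyManager:
    """Stands in for the trusted on-premises key manager. It alone holds each
    tenant's key-encryption key (KEK); the cloud provider only ever stores
    wrapped data keys. Every unwrap is authorized by instance ID and logged."""

    def __init__(self):
        self._keks = {}           # tenant -> KEK (256-bit)
        self._launch_allow = {}   # tenant -> instance IDs permitted to boot
        self.audit = []           # (tenant, instance_id, outcome)

    def create_tenant(self, tenant: str) -> None:
        self._keks[tenant] = secrets.token_bytes(32)
        self._launch_allow[tenant] = set()

    def authorize_launch(self, tenant: str, instance_id: str) -> None:
        self._launch_allow[tenant].add(instance_id)

    def wrap_dek(self, tenant: str, dek: bytes) -> bytes:
        return aead_encrypt(self._keks[tenant], dek)

    def unwrap_dek(self, tenant: str, instance_id: str, wrapped_dek: bytes) -> bytes:
        if tenant not in self._keks:
            self.audit.append((tenant, instance_id, "denied: key revoked"))
            raise PermissionError("KEK revoked: data is cryptographically erased")
        if instance_id not in self._launch_allow[tenant]:
            self.audit.append((tenant, instance_id, "denied: launch not authorized"))
            raise PermissionError(f"instance {instance_id} not authorized to launch")
        self.audit.append((tenant, instance_id, "unwrap ok"))
        return aead_decrypt(self._keks[tenant], wrapped_dek)

    def revoke(self, tenant: str) -> None:
        """Decommission: without the KEK every copy, snapshot and backup is unreadable."""
        self._keks.pop(tenant, None)


class EncryptedVolume:
    """A volume as the provider stores it: ciphertext plus the wrapped per-volume DEK."""

    def __init__(self, kms: KeyManager, tenant: str, plaintext: bytes):
        dek = secrets.token_bytes(32)                 # per-volume data encryption key
        self.tenant = tenant
        self.wrapped_dek = kms.wrap_dek(tenant, dek)
        self.ciphertext = aead_encrypt(dek, plaintext)

    def snapshot(self) -> "EncryptedVolume":
        """A provider-side copy carries the same ciphertext and the same wrapped DEK."""
        copy = EncryptedVolume.__new__(EncryptedVolume)
        copy.tenant, copy.wrapped_dek, copy.ciphertext = self.tenant, self.wrapped_dek, self.ciphertext
        return copy

    def mount(self, kms: KeyManager, instance_id: str) -> bytes:
        """Pre-boot: the instance must obtain its DEK from the key manager first."""
        dek = kms.unwrap_dek(self.tenant, instance_id, self.wrapped_dek)
        return aead_decrypt(dek, self.ciphertext)


def lifecycle_walkthrough() -> dict:
    """Constructed scenario: authorized boot, snapshot on a rogue instance, revocation."""
    kms = KeyManager()
    kms.create_tenant("acme")
    kms.authorize_launch("acme", "i-prod-01")
    vol = EncryptedVolume(kms, "acme", b"customer records (constructed sample)")
    out = {"authorized": vol.mount(kms, "i-prod-01")}
    try:                                              # hidden copy attached to an unapproved instance
        out["rogue_snapshot"] = vol.snapshot().mount(kms, "i-rogue-99")
    except PermissionError as err:
        out["rogue_snapshot"] = str(err)
    kms.revoke("acme")                                # instance terminated, tenant decommissioned
    try:
        out["after_revoke"] = vol.mount(kms, "i-prod-01")
    except PermissionError as err:
        out["after_revoke"] = str(err)
    out["audit"] = [outcome for _, _, outcome in kms.audit]
    return out
```

Running lifecycle_walkthrough() shows the three outcomes the slides promise: the authorized instance decrypts, the snapshot attached to an unapproved instance is refused at the key manager before any ciphertext is touched, and after revoke() even the authorized instance can no longer unwrap its data key. Deleting one key at the on-premises manager is therefore what makes every copy in the provider's storage useless, regardless of where it was replicated.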
Beyond 2FA: The Smart Way to Manage Cloud Access
Presented by Pius Graf, Director Sales, Gemalto AG, 24.09.17
Objectives To understand how cloud access management can help your organization adopt cloud apps without compromising on: User Convenience Ease of Management Security Compliance
Agenda
Cloud identity and security trends
Challenges to enterprise cloud adoption
2FA vs. access management: what's the difference?
Cloud access management 101
Cloud Identity and Security Trends
Multi-factor Assimilation
Identity verification methods in enterprise and consumer apps are assimilating.
Cloud SSO sorely sought: 88% of organizations have already implemented or plan to implement cloud SSO.
Cloud is mainstream: 93% of organizations use cloud-based IT services, according to a Spiceworks survey.
Identity federation at work and at home: consumer and enterprise services want to let users log in with their current identity.
Challenges to enterprise cloud adoption
The use of cloud apps has become mainstream, according to joint Ponemon-Gemalto research.
But cloud apps create challenges, according to joint Ponemon-Gemalto research.
For users: frustration, password fatigue, security workarounds.
For IT: password resets, security risk, lack of visibility.
SSO offers a partial solution
For users: convenient and hassle-free, one credential.
Not ideal for IT:
Security risk: if the credential is compromised, all apps will be vulnerable.
Visibility: can't track which apps are being accessed and when.
Access Management = SSO + IT Control: a win-win for users and IT
For users: authenticate once and step up only when required.
For IT: set the access policy per cloud app; get visibility into who is accessing what, when and how; maintain security and reduce password workarounds.
Access Management addresses enterprise cloud adoption roadblocks: password fatigue, poor security, multiple consoles, compliance risk, password resets (according to joint Ponemon-Gemalto research).
NIST found that its employees authenticate 23 times within a 24-hour period.
20% of help desk tickets are a result of lost or forgotten passwords.
62% of IT professionals say the use of cloud resources increases their compliance risk.
2FA vs. access management: what's the difference?
2FA is a subset of Access Management
(Diagram) Access Management comprises Authentication (where 2FA sits), Authorization Enforcement, Session Management, Identity Admin, Auditing & Reporting and SSO.
Access Management is a subset of IAM
(Diagram) IAM (Identity and Access Management) comprises Access Management and IGA (Identity, Governance & Administration).
Access Management: Authentication, Authorization Enforcement, Session Management, Identity Admin, Auditing & Reporting, SSO.
IGA: Policy and role management, Identity Lifecycle, Password Management, Entitlements Management, Reporting & Analytics, Access approval workflow.
IAM: Identity and Access Management
Access Management answers: Who accessed what and when? How was their identity verified?
Identity Governance and Administration answers: Who was granted access to what? By whom and when?
Cloud access management 101
What is access management?
Access management is the function that gives the right user access to the right app at the appropriate level of trust.
Key functionalities: Single Sign-On, granular access policies, context-based authentication.
Single Sign-On
Benefits of Single Sign-On
For users: a single credential set for all apps
For IT: single pane of glass management
For security officers: a single audit trail and session management
Granular Access Policies
Granular Access Policies: the three dimensions of a policy
App Sensitivity: High risk, Low risk
User Role: C-Suite, IT Admin, Standard user, Partner
Contextual Data: Known Device, Trusted Network, Location, Time of Day
User Experience: Context-based Authentication
(Login screen mockup) 1. Transparent Authentication: USERNAME Gemalto\IRONMAN. 2. Step up as required based on the Access Policy: PASSWORD, USERNAME Gemalto\IRONMAN, OTP.
Contextual Authentication enables Continuous Authentication
(Flow) Login to App 1: evaluate context (Are you in the office? Is this your laptop?), then check the access policy (What level of authentication is needed?).
MONITOR: has the access policy changed?
Login to App 2: evaluate the context and check the access policy again.
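The policy matrix (app sensitivity, user role, contextual data) and the step-up flow of the last three slides, as an added example in working code. This is not the vendor's product code: the rule set, the assurance levels, the user and app names and the walkthrough are illustrative assumptions. It goes one step beyond the slides by resetting the proven factor when the device or network context changes between two app logins, which is what the MONITOR step implies.

```python
from dataclasses import dataclass

# Assurance levels in increasing order; a higher level implies the lower ones
# (an OTP step-up is only reached after the password). Illustrative assumption.
ASSURANCE = {"none": 0, "password": 1, "otp": 2}


@dataclass(frozen=True)
class AccessContext:
    """One access attempt, described by the three policy dimensions on the slide."""
    app: str
    app_risk: str          # app sensitivity: "high" or "low"
    role: str              # "c-suite", "it-admin", "standard" or "partner"
    known_device: bool     # contextual data
    trusted_network: bool
    hour: int              # local time of day, 0-23


def required_assurance(ctx: AccessContext):
    """Per-app access policy: the assurance level the attempt needs, or None to
    deny outright. The rules below are an illustrative assumption."""
    office_hours = 7 <= ctx.hour < 20
    if ctx.app_risk == "high":
        if ctx.role == "partner":
            return None                          # partners never reach sensitive apps
        if ctx.role == "it-admin" and not (ctx.known_device and ctx.trusted_network):
            return None                          # admin access only from a managed device on-net
        return "otp"                             # sensitive apps always need a second factor
    if ctx.known_device and ctx.trusted_network and office_hours:
        return "password"                        # familiar context: password is enough
    return "otp"                                 # unfamiliar context: step up


class SsoSession:
    """One user's SSO session across cloud apps. Remembers the strongest factor
    proven so far and re-evaluates context and policy on every app access, so a
    change of device or network forces re-verification (continuous authentication)."""

    def __init__(self, user: str):
        self.user = user
        self.proven = "none"
        self.proven_in = None      # (known_device, trusted_network) when the factor was proven
        self.trail = []            # audit trail: (user, app, required, decision)

    def access(self, ctx: AccessContext, factors_presented: set) -> str:
        """Return 'allow' (transparent SSO), 'step-up:<factor>' or 'deny'."""
        context_now = (ctx.known_device, ctx.trusted_network)
        if self.proven_in is not None and context_now != self.proven_in:
            self.proven = "none"                 # context changed: earlier proof no longer counts
        required = required_assurance(ctx)
        if required is None:
            decision = "deny"
        elif ASSURANCE[self.proven] >= ASSURANCE[required]:
            decision = "allow"                   # nothing more to prove
        elif required in factors_presented:
            self.proven, self.proven_in = required, context_now
            decision = f"step-up:{required}"
        else:
            decision = "deny"                    # policy needs a factor the user cannot present
        self.trail.append((self.user, ctx.app, required, decision))
        return decision


def day_in_the_life() -> dict:
    """Constructed sample: a standard user moves from the office to a cafe, and a
    partner tries a high-risk app."""
    office = dict(role="standard", known_device=True, trusted_network=True, hour=10)
    cafe = dict(role="standard", known_device=True, trusted_network=False, hour=22)
    s = SsoSession("ironman")
    user_path = [
        s.access(AccessContext("crm", "low", **office), {"password"}),
        s.access(AccessContext("wiki", "low", **office), {"password"}),
        s.access(AccessContext("payroll", "high", **office), {"password", "otp"}),
        s.access(AccessContext("wiki", "low", **cafe), set()),
        s.access(AccessContext("wiki", "low", **cafe), {"password", "otp"}),
    ]
    partner = SsoSession("partner-bob")
    partner_path = [
        partner.access(AccessContext("payroll", "high", "partner", True, True, 11), {"password", "otp"})
    ]
    return {"user": user_path, "partner": partner_path, "trail": s.trail}
```

day_in_the_life() traces the slides' user experience: the first low-risk app asks for a password, the second is reached transparently through SSO, the high-risk app steps up to an OTP, and the same low-risk app opened later from an untrusted network is denied until the OTP is presented again. The trail list is the single audit point the deck refers to: who asked for which app, what the policy required and what was decided.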
Conclusion
Cloud access management solutions enable smooth cloud adoption in the enterprise along four dimensions: Visibility, Security, Scalability, Convenience.
Know who is accessing which app and when.
Apply the appropriate security policy for each access attempt.
Add new users, apps and access policies as needs evolve.
Ensure users gain convenient access to apps through smart Single Sign-On (SSO).
Know which access controls are applied to user access.
Enforce the appropriate level of trust.
Eliminate help desk overheads associated with password resets.
Let users maintain a single identity for all their cloud apps.
Centrally define access policies for all cloud apps.
Thank You Questions? Pius.Graf@Gemalto.com