On Demand Cryptographic Resources for Your Virtual Data Center and the Cloud: Introducing SafeNet's Crypto Hypervisor
Ugo Piazzalunga, SafeNet Italy Technical Manager, IT Security, ugo.piazzalunga@safenet-inc.com
Agenda
- The state of data security
- Protecting Data With High Assurance Encryption
- Is Hardware-based Encryption the answer?
- What is needed?
- How do we get there?
- Introducing SafeNet's Crypto Hypervisor!
The state of data security. As part of our Secure the Breach program, SafeNet surveyed 850 security professionals from 500+ organizations worldwide:
- 49% have no confidence at all that the network security industry is able to detect and prevent breaches
- 59% said that if a network perimeter breach occurred, high value data would not be safe
- 66% believe they will suffer a breach within the next 3 years
For more info download the Secure the Breach manifesto: http://www2.safenet-inc.com/securethebreach/downloads/secure_the_breach_manifesto.pdf
So what does all this mean? We need to accept that breaches WILL happen, and once they do, the only protection is to secure the data itself. The new perimeter is the data itself: we must Secure the Breach.
Cloud Adoption vs. Security & Privacy. "More than 90% of [the business leaders] are worried about security, availability, and privacy of their data as it rests in the cloud" (2009 Microsoft Survey). "72% of IT professionals cite data protection security as a major obstacle to cloud deployment" (2012 Cisco Global Cloud Networking Survey).
Protecting Data With High Assurance Encryption
Is Hardware-based Encryption the Answer? The encryption solution stack has three layers: encryption, key management, and the key vault. If an attacker breaches the perimeter, they gain only encrypted data; that protection is dependent on the security of the keys, certificates, and PKI. Managing and vaulting keys and certificates in hardware (trusted key vaults) is a best practice.
Crypto Hypervisor uses Hardware Security Modules as the hardware platform. A Hardware Security Module is designed for hardware protection of the crypto key lifecycle: a dedicated hardware crypto processor, validated to be secure by third parties, acting as a trust anchor.
But Hardware doesn't work in a Virtual World? Today's hardware-based encryption solutions are designed for the physical world! Limits of encryption today:
- Inability to protect & control data centrally
- Can't take full benefits of cloud
- Islands of encryption (DNSSEC, SSL, Database, Email, Code Sign)
- Very slow to scale up and down
- Time-consuming crypto rollouts
What is needed? Encryption infrastructure that follows the cloud model! Benefits:
- Reduce costs (reduce DC presence)
- Centralize a subject matter expert crypto group
- Unify governance and compliance
- Centralize services
How do we get there? Cloud requirements defined by NIST (1). NIST Cloud Definition of Essential Characteristics, as met by today's hardware encryption:
- On-Demand Self-Service: No
- Rapid Elasticity: No
- Measured Service: Some
- Broad Network Access: Yes
- Resource Pooling: Some
- Multi-Tenancy (2): Some
1. National Institute of Standards and Technology
2. Multi-Tenancy is an essential characteristic added by the Cloud Security Alliance
Introducing The Crypto Hypervisor
Where do we start?... With a hypervisor for encryption. Introducing the SafeNet Crypto Hypervisor! The analogy: the VMware hypervisor (c. 2001) gives O/S partitions, O/S isolation and dynamic resource allocation; the Crypto Hypervisor (c. 2013) gives HSM partitions, HSM isolation and dynamic crypto allocation. In the conventional stack an application runs on an operating system, on a hypervisor, on a hardware platform; in the crypto stack an application consumes a dynamic crypto resource, provided by the Crypto Hypervisor, on a crypto hardware platform (HSM).
Crypto Hypervisor: designed for the operational cloud model.
1. On-demand crypto delivery
2. Self-service portal for users
3. New crypto services spin up easily
4. Encryption now a cloud enabler
5. Part of new VM rollout process
6. Apps can now migrate to cloud
Three things to know about Crypto Hypervisor:
- Built for the cloud: shared resource pooling, rapid elasticity and multitenancy. Can reduce capital costs up to 95%. Lower TCO.
- Take advantage of virtualization: deliver high-assurance cryptographic resources in a fraction of the time. 5 minutes, not 5 hours.
- Centralized control: strong auditing capabilities. Compliance in the cloud. Ensure enterprise-wide consistency of crypto policy.
Solution Highlights
- Host Trust Link (HTL) securely binds virtual applications to dynamic crypto resources. Prevents a stolen VM from accessing critical assets.
- Crypto Command Center simplifies HSM management through abstraction of HSM hardware. Publish catalogs for on-demand service. Separation of roles/responsibilities in multi-tenancies.
- Built on proven platform. Availability: five 9's uptime, robust high availability. Validated security: FIPS 140-2 Level 3 and CC EAL 4+ (in process). HW trust: keys remain in hardware!
- Who/What/When secure auditing and logging, configurable based on your organizational needs.
- Control: unique roles for security in multi-tenant environments. System administrators manage physical devices (appliances, expansion cards, etc.) and provision access to resource catalogues for users. Consumers/users manage crypto applications that consume crypto services, and own their HSM resource when leased.
Cloud operational model: CHv meets all NIST cloud requirements. NIST (1) Cloud Definition of Essential Characteristics, as met by the Crypto Hypervisor:
- On-Demand Self-Service: Yes
- Rapid Elasticity: Yes
- Measured Service: Yes
- Broad Network Access: Yes
- Resource Pooling: Yes
- Multi-Tenancy (2): Yes
1. National Institute of Standards and Technology
2. Multi-Tenancy is an essential characteristic added by the Cloud Security Alliance
Want to learn more about the world's first Crypto Hypervisor? Demo session! Download 3 whitepapers from SafeNet, available from the SafeNet web site www.safenet-inc.com:
- Crypto Command Center and SFNT HSMs
- Host Trust Link Protection with SFNT HSMs
- Secure Audit Logging for Compliance with SFNT HSMs
Grazie! ugo.piazzalunga@safenet-inc.com
How does it work?
Crypto Hypervisor enables Crypto as a Service, either on premise or in the cloud! Components shown: Consumer, Crypto Admin, Crypto Application + Luna Client, SSH, Crypto Command Center, Luna SA Device Pool.
I'm Leo and I work in engineering for Fibo Financial. I have heard we now have a centralized security group.
I'm working on a new financial application, and I know I need to sign all transactions securely. But I am not a security expert!
Can anyone at Fibo Financial help me? What do I need to get started?
Can anyone at Fibo Financial help me? Is there really a Fibo Financial team that manages this stuff?
Can anyone at Fibo Financial help me? How do I do this securely, in compliance with our corporate policies?
I contact the central security group and say: I need to securely sign transactions for my new application! Can you help? "No problem. We follow best practices to secure keys for transaction signing. I'll set you up in the crypto system."
The Crypto Admin creates a username and password for me (Bob.Jameson.Password)
and provides me with a URL for Crypto Command Center, a username and a password (Bob.Jameson.Password.URL)
as well as a cheat sheet explaining how to get started! How to:
- Select a service from Crypto Command Center
- Download Luna Client
- Install Luna Client
- Configure an application to use Crypto Service
I can now begin the setup process. I start by using the Crypto Command Center Client GUI:
1. Open the URL
2. Log in with my credentials
3. Pick the appropriate service from the catalog and deploy (signing)
4. Initialize a service
Next I configure my transaction signing application server to use my HSM:
1. Install Luna Client
2. Configure service for use by transaction signing application
3. I can securely sign my code!
Now I am up and running!
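The Solution Highlights slide describes the boundary the Crypto Hypervisor puts between a consuming application and its HSM partition (roles separated between administrator and consumer, keys that remain in hardware, and who/what/when audit logging), and Leo's walkthrough shows an application being configured against a leased signing service. The following Go program is an added example written for this page; it is not SafeNet code and it does not talk to a Luna device. It models that boundary in software: a hypothetical `Hypervisor` control plane provisions a partition per tenant, a consumer generates a key inside it, and the application receives only a `crypto.Signer` handle, so the private key never crosses into application memory. `crypto.Signer` is Go's standard interface for keys that sign without exposing their bytes, which is how HSM-backed keys are normally surfaced to Go applications. The tenant name, user names and the JSON transaction are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"time"
)

// AuditEntry records who performed what action on which resource, and when.
type AuditEntry struct {
	When     time.Time
	Who      string
	Action   string
	Resource string
}

// partition models one isolated HSM partition leased to a single tenant.
// Keys are unexported and are only ever used through a handle's Sign method.
type partition struct {
	keys map[string]*ecdsa.PrivateKey
}

// Hypervisor is the hypothetical control plane: it allocates partitions,
// enforces tenant ownership and appends an audit record for every operation.
type Hypervisor struct {
	partitions map[string]*partition
	Audit      []AuditEntry
}

func NewHypervisor() *Hypervisor { return &Hypervisor{partitions: map[string]*partition{}} }

func (h *Hypervisor) log(who, action, resource string) {
	h.Audit = append(h.Audit, AuditEntry{time.Now(), who, action, resource})
}

// Provision is an administrator action: allocate a partition to a tenant.
func (h *Hypervisor) Provision(admin, tenant string) error {
	if _, exists := h.partitions[tenant]; exists {
		return errors.New("partition already allocated")
	}
	h.partitions[tenant] = &partition{keys: map[string]*ecdsa.PrivateKey{}}
	h.log(admin, "provision-partition", tenant)
	return nil
}

// GenerateKey is a consumer action: the key is created inside the tenant's
// partition and is never returned to the caller.
func (h *Hypervisor) GenerateKey(user, tenant, label string) error {
	p, ok := h.partitions[tenant]
	if !ok {
		return errors.New("no partition for tenant")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	p.keys[label] = key
	h.log(user, "generate-key", tenant+"/"+label)
	return nil
}

// handle is all the application holds: a crypto.Signer bound to one tenant and
// one key label, carrying no key material.
type handle struct {
	h                   *Hypervisor
	user, tenant, label string
}

// Signer hands out a handle, refusing when the tenant owns no partition with
// that key; this is the check that keeps one tenant away from another's keys.
func (h *Hypervisor) Signer(user, tenant, label string) (crypto.Signer, error) {
	p, ok := h.partitions[tenant]
	if !ok {
		return nil, fmt.Errorf("tenant %q has no partition", tenant)
	}
	if _, ok := p.keys[label]; !ok {
		return nil, fmt.Errorf("no key %q in partition %q", label, tenant)
	}
	h.log(user, "open-handle", tenant+"/"+label)
	return &handle{h: h, user: user, tenant: tenant, label: label}, nil
}

func (hd *handle) Public() crypto.PublicKey {
	return &hd.h.partitions[hd.tenant].keys[hd.label].PublicKey
}

// Sign runs "inside the partition": the private key is used here and nowhere else.
func (hd *handle) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	hd.h.log(hd.user, "sign", hd.tenant+"/"+hd.label)
	return ecdsa.SignASN1(r, hd.h.partitions[hd.tenant].keys[hd.label], digest)
}

// SignTransaction is the application side. It depends only on crypto.Signer, so
// the same code works whether the key lives in software or in an HSM partition.
func SignTransaction(s crypto.Signer, tx []byte) ([]byte, error) {
	digest := sha256.Sum256(tx)
	return s.Sign(rand.Reader, digest[:], crypto.SHA256)
}

// VerifyTransaction is what a receiving system runs, holding only the public key.
func VerifyTransaction(pub crypto.PublicKey, tx, sig []byte) bool {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(tx)
	return ecdsa.VerifyASN1(ecPub, digest[:], sig)
}

func main() {
	hv := NewHypervisor()
	_ = hv.Provision("crypto-admin", "fibo-payments")        // constructed admin and tenant
	_ = hv.GenerateKey("leo", "fibo-payments", "txn-signing") // constructed consumer and key label
	s, _ := hv.Signer("leo", "fibo-payments", "txn-signing")
	tx := []byte(`{"from":"ACCT-1","to":"ACCT-2","amount":"100.00"}`) // constructed sample transaction
	sig, _ := SignTransaction(s, tx)
	fmt.Println("signature valid:", VerifyTransaction(s.Public(), tx, sig))
	for _, e := range hv.Audit {
		fmt.Printf("%s %-12s %-19s %s\n", e.When.Format(time.RFC3339), e.Who, e.Action, e.Resource)
	}
}
```

The design point to take from the model is that `SignTransaction` never sees a private key, only a `crypto.Signer`; swapping the in-memory partition for a real HSM-backed signer changes the handle, not the application, and every use of the key leaves a who/what/when record on the control-plane side rather than relying on the application to log it.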