Offering an outsourced, elastic, pay-as-you-go computing infrastructure, cloud computing services can deliver clear cut benefi ts to a host of companies. Today, however, security concerns are a big barrier to many clients’ adoption of cloud services. To boost market share and gain competitive distinction, cloud service providers need to add the security infrastructure that safeguards clients’ sensitive data and fosters trust. This white paper outlines the path cloud providers can take to start building trust into cloud deployments, and details the approaches and capabilities organizations need to make this transition a reality.
The Ultimate Guide to Choosing WordPress Pros and Cons
A Question of Trust: How Service Providers Can Attract More Customers by Delivering True Security in the Cloud
1. A Question of Trust:
How Service Providers Can Attract
More Customers by Delivering True
Security in the Cloud by Russ Dietz
WHITE PAPER
Executive Summary
Offering an outsourced, elastic, pay-as-you-go computing infrastructure, cloud
computing services can deliver clear cut benefits to a host of companies. Today,
however, security concerns are a big barrier to many clients’ adoption of cloud
services. To boost market share and gain competitive distinction, cloud service
providers need to add the security infrastructure that safeguards clients’ sensitive
data and fosters trust. This white paper outlines the path cloud providers can take
to start building trust into cloud deployments, and details the approaches and
capabilities organizations need to make this transition a reality.
Introduction
As high as the rate of adoption for cloud-based services like SaaS has been, the surface has
only been scratched in terms of the full business potential cloud service providers can realize.
But to realize this potential, cloud providers must overcome a significant obstacle—security.
Today, issues of risk, data privacy, and compliance are the chief inhibitors to most
organizations’ adoption of cloud services. In fact, a Gartner report cited data location risk, data
loss risk, and data security (privacy) risk as three of the top five barriers to cloud-computing
adoption. While security can be seen as an obstacle to the broad adoption of cloud computing,
it can, in fact, be an enabler. By finding a way to effectively safeguard data in the cloud, cloud
providers can begin to fully maximize the market potential of cloud offerings.
To get there, both enterprises and cloud providers will be going through a transition, one that
can be viewed in terms of trust. As enterprises kick off their initial deployments, they’ll do so
with a minimum of trust in their cloud provider’s infrastructures. Over time, that trust will be
cemented by solutions and processes that lead to limited and, ultimately, compliant trust,
making cloud security a true win/win for enterprises and providers alike.
A Question of Trust: 1
How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper
2. In the following pages, we’ll walk through this transition in more detail, and then show what
this means for cloud providers in the months and years ahead. Then, the document will outline
some of the specific areas cloud providers can target in their efforts to optimize the security
and utility of their cloud initiatives. Finally, we’ll outline some of the most important capabilities
organizations will need to support these efforts. (Note: In the following pages, unless otherwise
specified, when discussing the cloud, we will be referring to the public cloud. While private
clouds present their own specific security challenges, given their internal deployments, the
nature of security will more closely resemble those of current data center deployments. It is the
public cloud, and the changing nature of the client and cloud service provider relationship, that
are the focus of this document.)
Step 1: Minimal Trust
In spite of efforts by cloud providers to date, for most enterprises today, security in the cloud is
viewed in a fairly straightforward way—don’t assume there is any. Organizations that have gone
forward with cloud deployments have thus taken full ownership and responsibility for security.
This can play out in several ways:
• A business can segment its data into two classifications—sensitive and non-sensitive.
Non-sensitive data can be transferred into the cloud as is; for example, for disaster recovery
or archival purposes. Sensitive data on the other hand will either be kept out of the cloud
entirely or it will be protected, generally through encryption, before it is exposed to the
cloud. Further, that information will stay secured through those mechanisms the entire time
it resides in the cloud.
• An organization may opt to use SaaS offerings but only for applications that do not involve
personally identifiable information (PII), or other types of data subject to regulation or
privacy laws.
• A business can migrate the processing of non-sensitive applications to the cloud. For
example, this can take the form of “cloud bursting,” an approach in which an organization
will migrate an application to the cloud when the processing capacity of its corporate cloud
or data center is exceeded. This can be a cost-effective way for organizations to handle
seasonal or peak demands for processing. For example, a media company can adopt this
approach for video streaming when its internal infrastructure hits capacity.
Each of these scenarios can present organizations with near term benefits—they enable an
organization to quickly leverage many of the benefits and strengths of cloud computing, without
compromising security or compliance. These scenarios represent the bulk of cloud deployments
done to date.
Step 2. Limited Trust
In order for cloud providers to expand their addressable market, both in terms of clients and
applications, they will need to support clients’ efforts to migrate their own security mechanisms
to the cloud. This next step in the transition to a trusted cloud will inherently require more of an
upfront investment than prior cloud approaches, and also require a deeper, more collaborative
relationship between clients and providers.
As enterprises take their existing encryption solutions and run them in the cloud, they’ll retain
full control over security ownership. From the service providers’ standpoint, these deployments
will be structured similarly to traditional hosting provider models. Specific deployment
approaches can include the following:
• Deploying physical security systems in a virtual private cloud
• Running a virtual service within a hybrid, multi-tenant cloud environment
• Federating cloud user directories with internally-managed identity and access management
systems
A Question of Trust: 2
How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper
3. Here, data protection can be conducted in the cloud, yet still within the enterprise’s control. As a
result, by supporting these types of deployments, organizations will become more fully invested
in cloud offerings and seek to take greater advantage of the cloud’s benefits, which will be a
landmark phase in the maturity of the cloud computing market ..
Step 3. Compliant Trust
In this ultimate phase of the cloud’s evolution, cloud providers gain the controls they need to
deliver trust as a service, so enterprises can specify security policies and have confidence in the
cloud provider’s infrastructure and capabilities for executing these policies. Here, the enterprise,
as the information owner, still holds control over security, but more in a virtual, rather than
operational, way.
In this scenario, the enterprise sets security policies and owns the core key materials,
credentials, identities, and other elements that are used by the cloud providers to protect
information, which gives them the final say in how security is handled. The cloud provider will
have the sophisticated security infrastructure in place to meet client’s security objectives,
including robust encryption, secure key management, granular access controls, and more.
Enterprises can leverage the cloud and get the level of security needed to stay compliant with all
pertinent regulatory mandates and security policies. As a result, almost any business service or
application can subsequently be a potential candidate for migration to cloud services.
Four Key Areas for Implementing Cloud Security
As they make the move to supporting compliant trust, what capabilities will service providers
require, and how will they differ from traditional approaches? The sections below outline some
specific areas for applying security measures to cloud environments and the capabilities
required to employ these measures. With these initiatives, service providers can begin to gain
the control, visibility, and efficiency they need to both ensure security and leverage the business
benefits of cloud services.
Protected Infrastructure
Most cloud providers will have infrastructures comprised of a number of sites, all interconnected
through a wide area network (WAN). Given the dynamic, processing-intensive environments they
build, cloud providers typically require high performance, low latency, dedicated transmission
circuits between these distributed sites. Cloud providers often turn to telecom carriers and other
service providers for these circuits. While many assume an increase in security from a dedicated
“private” circuit that isn’t shared by the entire world, the truth is that private only means
dedicated switching or virtual circuit connections, which does not in any way guarantee data
integrity or security.
To build a trusted infrastructure, service providers need to employ encryption to secure the
transport of data across their WANs, while at the same time, ensuring high speed and low
latency communications between these distributed sites. This requires encryption solutions that
combine “wire-speed” performance with robust security capabilities, including tamper-resistant
hardware and support for robust, industry-standard encryption algorithms. In addition, a secure,
centralized solution is required to manage these disparate encryption platforms so users can
efficiently define and distribute integrated policies.
A Question of Trust: 3
How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper
4. Cloud
Ops Center
Cloud
Driven by a need to use the Data Center A
cloud’s elastic storage, without
exposing data to the cloud’s
Enterprise
vulnerabilities, enterprises can Carrier Backbone
perform secure storage in the
cloud, effectively using the cloud
for the backup, disaster recovery,
and archival of data. Cloud
Cloud Data Center B
VPC Center C
Figure 1 To build a trusted infrastructure, service providers need to employ encryption to secure the transport of
data across their WANs, while at the same time, ensuring high speed and low latency communications between
these distributed sites.
Secure Access Controls
Ensuring that only authorized users gain access to cloud-based resources is an absolute
requirement for cloud providers. Providers need to ensure proper access controls for users
at client sites, and, just as importantly, for administrators within the service provider’s
organization.
On the client side, providers need to support multi-factor authentication in much the same way
as a secure organization requires multiple credentials (i.e., a key fob and a password) to enter
highly restricted physical areas. By coupling multi-factor authentication at the user level with
centralized security policy management, cloud providers can much more simply set up new
users, and terminate access when an employee leaves or a threat arises.
Cloud providers multi-factor authentication mechanisms, such as tokens, need to be
coordinated with the clients’ public key infrastructure (PKI); if not, the cloud service imposes too
much additional overhead in terms of security administration to be useful for the client. Further,
operational changes need to be transparent to end users if these services are to be optimal for
client organizations.
On the cloud provider side, robust, token-based, multi-factor authentication is also required.
This is a critical requirement if cloud providers are to meet SAS 70 requirements. By locking
down the management console, cloud providers can ensure that services and sensitive client
data won’t be compromised. In addition, it provides critical safeguards against internal attacks.
A Question of Trust: 4
How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper
5. Workstations
An efficient cloud security Cloud-provider
deployment scenario requires a Certificate-Based (PKI)
pin
centralized, hardened security Cloud Provider
appliance, which is used to
pin
manage cryptographic keys,
Certificate-Based (PKI)
access control, and other OTP
security policies.
Figure 2 Robust, token-based, multi-factor authentication is a critical requirement if cloud providers are to meet
SAS 70 requirements. By locking down the management console, cloud providers can ensure that services and
sensitive client data won’t be compromised.
Data and ID Protection
Protecting client data and identities are also vital requirements. Further, these data protection
mechanisms need to adhere to a host of regulations with which clients must comply. Inherent
in this is an ability to isolate the processes and data of multiple tenants in virtualized cloud
environments.
To achieve these objectives, service providers need a host of capabilities:
• Hardware Security Modules (HSMs). Service providers need HSMs to protect their TLS/SSL
identities [more to add here?]. To meet many clients’ security requirements, these HSMs
should be FIPS 140-2 Level 3 certified.
• Granular encryption. Cloud providers need to be able to selectively encrypt sensitive data
according to clients’ security requirements. This means being able to encrypt data at the
column level in databases and to partition database security by different clients. This also
requires file encryption so organizations can encrypt specific sensitive client files, including
spreadsheets and documents.
• Central, secure policy management. To efficiently govern these security mechanisms, cloud
providers need to be able to centrally manage security policy, across disparate systems and
regions. Further, given the vital nature of these administrative systems, the utmost security
needs to be employed to ensure they are never compromised.
A Question of Trust: 5
How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper
6. Enterprise A Enterprise B
ProtectFile
By offering a means to
streamline end user access and
access control administration,
federated access initiatives can
help optimize security while
reducing corporate security
costs.
FIPS 140-2
140
Level 3 Zone A Zone B
Figure 3 To efficiently govern these security mechanisms, cloud providers need to be able to centrally manage
security policy across disparate systems and regions.
Virtual Encryption as a Service
To fully leverage their potential business opportunities, cloud providers need a way to take
the unparalleled security offered by sophisticated, hardware-based encryption solutions,
and virtualize those offerings. This enables the delivery of symmetric encryption, file
encryption, secure key management, and a host of other capabilities and services within cloud
environments.
When cloud providers deliver virtual encryption as a service, they can implement database,
application, and file encryption—all managed through a single, virtual platform that combines
cryptographic key management, policy management, and encryption processing. Because the
platform is virtualized, it can be integrated cost-effectively and seamlessly within the cloud
provider’s infrastructure. Further, by combining the security benefits of these technologies with
the cloud delivery model, security implementations can be far less expensive (and much more
attractive) than traditional in-house deployments, putting state-of-the-art security capabilities
within reach of even small and medium businesses for the first time—and dramatically
expanding the service provider’s addressable market.
To deliver virtual encryption-as-a-service deployments, cloud providers will leverage a host of
robust security mechanisms, including centralized key management, granular encryption, and
access control within their infrastructures. To support virtual encryption as a service, many cloud
customers will deploy multi-factor authentication tokens and token management systems in
their environments, which can ensure the appropriate access controls are applied to security
services and protected data.
A Question of Trust: 6
How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper
7. Certificate-Based (PKI)
When cloud providers deliver SMB Cloud Provider
virtual encryption as a service, Certificate-Based (PKI)
they can implement database,
application, and file encryption—
all managed through a single,
virtual platform that combines
cryptographic key management,
policy management, and Figure 4 By providing virtual encryption as a service, smaller organizations can gain access to robust security
encryption processing. mechanisms that may have been cost prohibitive in the past.
SafeNet: Delivering the Trusted Cloud Platform
Introduction—Overview of SafeNet Cloud Solutions
With SafeNet’s security offerings, organizations can fully leverage the business benefits of cloud
environments—while ensuring trust, compliance, and privacy. SafeNet offers intelligent, data-
centric solutions that persistently protect data throughout the information lifecycle and evolve
to support changing cloud delivery models—from today’s SaaS and private clouds to the evolving
demands of hybrid and public clouds.
Cryptography as a Service
SafeNet offers a broad set of solutions that enable both enterprises and cloud providers to
leverage cryptography as a service. SafeNet solutions offer the unparalleled combination of
features—including central key and policy management, robust encryption support, flexible
integration, and more—that make cryptography as a service practical, efficient, and secure.
SafeNet offers these security solutions:
• Token management systems and multi-factor tokens that ensure stringent, granular end
user access controls
• Hardware security modules, including the Luna SA product line, that enable centralized,
FIPS- and Common Criteria-certified storage of cryptographic keys
• DataSecure, which offers file, application, and database encryption—all managed through
a hardened appliance that centralizes encryption processing, keys, logging, auditing, and
policy administration
Together, these solutions deliver the critical capabilities required for a robust, cost-effective, and
secure cryptography-as-a-service implementation.
A Question of Trust: 7
How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper
8. Cloud Database
MFA SafeNet
Tokens HSMs Cloud Storage
Token Mgmt Elastic Compute
System
Certificate-Based (PKI)
HSM Client
ProtectFile
ProtectApp
ProtectDB
Enterprise Cloud Provider
Certificate-Based (PKI) MFA for End-Users
DataSecure
Luna SA
Root of Trust Federated Key Mgmt DataSecure
& User Directories
Figure 5 SafeNet’s HSMs and DataSecure products offer FIPS- and Common Criteria-certified, hardware-based
protection of cryptographic keys and controls that help ensure regulatory compliance in cloud deployments.
Trusted Cloud Computing
While the benefits being offered by cloud providers today are undeniable, many potential
customers continue to perceive that the dynamic nature of cloud computing can pose significant
risks. Today, someone can take an application instance running for one organization, then move it
to another location, and run it for another organization—and that application could thus enable
unauthorized users and processes to access sensitive data.
With SafeNet, you can control applications and services within the cloud environment, and
providers can ensure their clients that applications only run on intended platforms for intended
customers. SafeNet enables organizations to control the instances of the high-value virtual
machines, ensuring they are only invoked in the right circumstances. SafeNet delivers the
solutions that enable organizations to do rights management for virtual machines:
• Software rights management solutions and tokens for authenticating virtual machines
• The ProtectFile file encryption solution, which enables pre-boot authentication of virtual
machines
• DataSecure, which delivers central policy management of all file, application, and database
encryption processing
SRM
APP
SRM
Tokens Two-Factor Activation
Licensing
PaaS Provider
APP
Virtual Resource Enterprise
Administrators
OTP IaaS Provider
DataSecure
Software
eTokens Key-Management
Two-Factor Pre-Boot
Certificate-Based (PKI) ProtectFile
Figure6 SafeNet offers the products and capabilities enterprises need to control instances of virtual machines
running in the cloud, including where they are located and when they can be invoked, so they can safeguard trust in
their cloud deployments.
A Question of Trust: 8
How Service Providers Can Attract More Customers by Delivering TrueSecurity in the Cloud White Paper