Kathleen Spaeth, June 30, 2015, 10:00 am EDT
This begins a series of blog posts about how to address data security in the AWS cloud environment with the SafeNet product line from Gemalto. Topics that will be addressed include: how to store data in the AWS cloud with customer-owned encryption, roots of trust, the importance of secure key management, encryption and pre-boot authentication for EC2 and EBS, and customer-owned object encryption for Amazon S3.
What’s not to love about cloud computing? Not only is it an agile, cost-effective way to run business-critical applications and store information, but the data itself is kept safe from rogue administrators, prying eyes, and hackers because it’s stored waaay up there in the cloud . . . right?
If only it were that simple. The fact is that physical security is only part of the cloud data security story—and, although it makes a nice visual, the story doesn’t involve a bright blue sky and the white, cotton-like puffs that populate it.
So, is my data safe in the cloud? The answer is complicated and dependent not only on your chosen cloud service provider and its ability to physically and logically secure your information but also on the online accessibility to and the outright ownership of your data.
A cloud service provider delivers the infrastructure and foundation for the business applications and information you migrate to the cloud. Amazon Web Services (AWS), a recognized leader in cloud infrastructure services, is dedicated to protecting mission-critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion. AWS offers physical and logical protection services that are aligned with security best practices. Physical security measures include strictly controlled data center access, both at the perimeter of the property and at the building itself, using video surveillance, intrusion detection systems, and other electronic means. Logical security measures feature capabilities such as disk wiping for both Amazon EBS and instance ephemeral volumes, instance isolation in Amazon EC2 environments, and identity and access management for access to the AWS Console and APIs. The AWS compliance framework covers FISMA Low and Moderate, PCI DSS Level 1, ISO 27001, SOC 1/SSAE16, and HIPAA.
Physical and logical security is only part of the cloud data security story. Online accessibility and availability of your cloud data is another. With over five times the compute capacity of its fourteen nearest competitors and its own Marketplace store, Amazon Web Services gives customers a web-based front-end to purchase and deploy cloud-based infrastructure—as well as hundreds of related applications—from both AWS and its partners. Why is this important? Because, under the AWS shared responsibility model, AWS customers are responsible for protecting the confidentiality, integrity, and availability of their data in the cloud as well as meeting specific business requirements for information protection.
Understanding cloud data security—encryption features, options, and add-ons that offer different levels of protection—is a critical consideration for every enterprise that entrusts its company data to the cloud. After all, it’s not just your data you’re protecting—it’s the data of your prospects, customers, clients, vendors, partners, and everyone you do business with. And, with that responsibility, it’s not enough to play it safe—the only way to keep your data safe in the cloud is by keeping your head in the cloud, too.
For more information on keeping your data safe in the cloud, read our ebook, How to Enhance Security in AWS.
Sharon Ginga, June 29, 2015, 02:04 pm EDT
“Every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route, is in the hands of a system whose reach is unlimited but whose safeguards are not.”
So if you don’t recognize this quote already, the author is Edward Snowden. We’re not talking science fiction like the “God’s Eye” technology in the Fast and Furious 7 movie here; the capabilities to observe, track and even change data are here today. And the capacity to do so is growing at a truly fast and furious pace. You simply don’t know if, or maybe it’s more likely when, you are under surveillance.
Surveillance is a heavily loaded word, and there is a lot of debate about security vs. surveillance, who should have access and who shouldn’t, but does, etc. Ultimately this is about our inability to create a technology or capability that distinguishes the good guys from the bad guys, and our definition of who those guys are.
Let’s narrow the focus and look at what this means for you and me. Let’s start with some basics.
- Is your data secure and what does that actually mean?
- Who can access that data, and who are we trying to keep out?
- What happens when that data is moving across the network?
- And would you even know if you had been breached? The sad truth is probably not, as very few countries and/or states or even industries require notification.
So what can we do to prevent our sensitive information from being exposed to covert and overt watching eyes? A good start is to consider whether your information — and that could be data, voice, video or even metadata — is encrypted. Without the correct controls, your business and your personal data are vulnerable.
Approved users and processes need to be able to leverage the data that’s available, wherever it resides, while keeping the bad guys out. Make sure you lock down any high-value, sensitive information, such as intellectual property, personally identifiable information, and company financials. And then you’re taking the first steps to keeping your information away from watching eyes.
The Internet of Things (IoT) is one of the hottest topics in tech today, and how to provide security for the Internet of Things is a frequent topic of conversation. The internet is also abuzz with articles about the lack of security found in many IoT solutions — anyone who took the opportunity to walk the RSA show floor knows this — as they were inundated with solutions from security vendors of all shapes and sizes. Even the Federal Trade Commission (FTC) weighed in on the issue by releasing a report recommending that connected devices be designed with security as the priority to reduce the possibility of long-term risks.
Back in October, SafeNet took a look at particular threats in our blog series IoT Nightmares. This was our first foray into the IoT security discussion and it served to illustrate the point that the Internet of Things could pose a serious threat to our safety and security if security is not of foremost concern. So what makes the IoT’s security challenges different?
Mobility and Data Sprawl. As technology becomes more mobile, so does our data. The scope of the Internet of Things, and its dependency on mobile technology, exacerbates this issue by moving even more data and control beyond the traditional perimeters of our houses and businesses.
Cloud Hits Its Stride. We have heard about the rise of cloud computing for years, and the Internet of Things, which will require a cloud foundation to accommodate the large volume of devices, connections, and data, just might be the technology movement that makes the cloud ubiquitous. Not only will we need to protect IoT endpoints themselves, but we’ll also need to know information is encrypted and securely governed in the cloud to truly feel confident sensitive data is secure in the Internet of Things era.
Data Grows into Big Data. Speaking of data volumes, the tremendous volume of data that will be pouring in from devices presents a huge challenge for IoT solution providers. Big Data solutions will be instrumental in overcoming this challenge by giving us the capacity to analyze data, and discover relevant trends and patterns.
New Communication Technologies. The nature of IoT will necessitate the development and adoption of a myriad of new communications technologies that are able to provide greater security and more efficient communication, and do so using devices with limited power.
Want to learn more? Check out our IoT Guidebook, “Building a Trusted Foundation for the Internet of Things.”
Adrian Sanabria, June 17, 2015, 10:00 am EDT
What is the allure of the cloud?
Sure, there’s the cost savings and flexibility when trying out new ideas and proofs of concept; not having to commit to acquiring all the necessary infrastructure and the associated CapEx costs. There’s even an entire market segment out there, devoted to helping you maximize cloud spending and efficiency. It isn’t all about cost though. The true value of the cloud, I find, is in the ability to program infrastructure. This idea of programmable infrastructure is an important piece behind what we call Digital Infrastructure and I find it makes solving several traditionally challenging security issues a breeze to squash in the cloud.
First off, don’t think of cloud infrastructure as virtualized copies of physical servers, applications, databases or workloads. In the cloud, everything is disposable. I like to think of server instances in the cloud as files. With simple scripts, files can be duplicated, created, moved, copied, backed up or deleted. So now, so can servers. It goes far beyond infrastructure also – with AWS Lambda, it is possible to stitch together workflows between other AWS services without using servers. Once most people become aware of the available functionality and APIs, the possibilities begin to open up.
So what? How does this help security? Some security examples I’ll share won’t work for all businesses or all server types, but where they work, the security and IT benefits are significant. At the core of each example are cloud’s most powerful benefits – automation and orchestration.
- Policy - We can now apply and enforce policy at levels that weren’t possible before from a single source (be it scripts or commercial product). A single policy can implement whole disk encryption, provision appropriate users, apply firewall rules at the host level (a trend often referred to as ‘microsegmentation’) simultaneously.
- Consistency - Traditionally, a server would be built by an individual. Most companies didn’t have strict build guidelines or hardening rules, so servers built by Kevin would be distinctly different from servers built by Beth. They would carry Beth or Kevin’s signature. The problem here is that managing patches and vulnerabilities gets difficult when you have lots of fingerprints. The ability to create servers from pre-built, pre-hardened and constantly updated templates solves much of this problem.
- Immutable and disposable infrastructure – This next example is popular in DevOps shops. The concept of immutable infrastructure is that you don’t ever change a server in production. If a server requires a configuration change or application change, we build a replacement that comes from a recently updated master template. The changes are applied and the new server is promoted to production. The old server is destroyed, as it is designed to be disposable. Most, if not all, pre-production release testing is automated, so the whole process could take only minutes. Once we consider that we never need to make changes in production, we realize we have an opportunity to reduce attack surface, so we shut down admin access before promoting each server to production. In some cases, companies have even been known to additionally mount filesystems as read-only to further frustrate attack/hacking attempts.
- Visibility – In the world of virtualized infrastructure, we never have to run discovery scans to obtain a list of assets. The underlying management plane does that for us. We simply ask it for a list of servers or other configuration information and it responds.
Risks in the Cloud
As you might imagine, the cloud introduces new risks. They’re far from insurmountable though, so it is most important to be aware of them and address them early on.
- Ensure you protect your cloud management consoles closely. The concept of a single pane of glass to manage a datacenter didn’t exist in the old world, and if one user in your environment can do something drastically damaging like deleting all objects in your cloud, the results can be catastrophic.
- Criminals have been known to steal credentials and ransom access to cloud consoles, so always use 2-factor authentication.
- Employees have been known to make catastrophic mistakes, so use role-based access controls in designing your infrastructure so that no single account can run your cloud.
- Also set up thresholds and alerts to keep scripts, criminals or employees from running your cloud infrastructure bill through the roof.
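The policy, immutable-infrastructure and risk points above are the kind of thing the "ask the management plane" visibility model lets you check automatically. The script below is an added example, not code from the original post or from Gemalto/SafeNet: it audits a constructed inventory snapshot for production servers that still expose admin ports, volumes that are not encrypted, console users without a second factor, any single account holding unrestricted admin rights, and month-to-date spend against a budget threshold. The inventory and user records are simplified, hand-built structures whose field names are assumptions chosen for readability; they imitate, but are not, the shape returned by the real EC2 and IAM APIs.

```python
"""Audit a cloud inventory snapshot against the controls described in the post.

Added example (not the post's or the vendor's code). All data below is
constructed; the record layout is an assumption, not the real AWS API shape.
"""
from typing import Dict, List, Tuple

# Constructed sample servers: one hardened production web server, one
# production database with admin access still open and an unencrypted disk,
# and one test box that is allowed to keep SSH reachable from the office net.
INSTANCES: List[Dict] = [
    {"id": "i-prod-web-1", "env": "production",
     "volumes": [{"id": "vol-1", "encrypted": True}],
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "i-prod-db-1", "env": "production",
     "volumes": [{"id": "vol-2", "encrypted": False}],
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                 {"port": 5432, "cidr": "10.0.0.0/8"}]},
    {"id": "i-test-1", "env": "test",
     "volumes": [{"id": "vol-3", "encrypted": False}],
     "ingress": [{"port": 22, "cidr": "10.0.0.0/8"}]},
]

# Constructed IAM users (names borrowed from the post's Kevin and Beth).
IAM_USERS: List[Dict] = [
    {"name": "kevin", "console_access": True, "mfa_enabled": True,
     "policies": ["PowerUserAccess"]},
    {"name": "beth", "console_access": True, "mfa_enabled": False,
     "policies": ["AdministratorAccess"]},
    {"name": "ci-bot", "console_access": False, "mfa_enabled": False,
     "policies": ["DeployOnly"]},
]

ADMIN_PORTS = {22, 3389}  # SSH and RDP: the ports "shut down before promotion"


def audit_instances(instances: List[Dict]) -> List[str]:
    """Flag production servers that still expose an admin port (immutable
    infrastructure says they should not) and any volume that is not
    encrypted at rest (the whole-disk-encryption policy)."""
    findings = []
    for inst in instances:
        if inst["env"] == "production":
            for rule in inst["ingress"]:
                if rule["port"] in ADMIN_PORTS:
                    findings.append(f"{inst['id']}: admin port {rule['port']} "
                                    f"open from {rule['cidr']} in production")
        for vol in inst["volumes"]:
            if not vol["encrypted"]:
                findings.append(f"{inst['id']}: volume {vol['id']} is not encrypted")
    return findings


def audit_iam_users(users: List[Dict]) -> List[str]:
    """Flag console users without a second factor, and any single account
    that holds unrestricted admin rights (no one account should be able
    to run, or delete, the whole cloud)."""
    findings = []
    for user in users:
        if user["console_access"] and not user["mfa_enabled"]:
            findings.append(f"{user['name']}: console access without MFA")
        if "AdministratorAccess" in user["policies"]:
            findings.append(f"{user['name']}: holds unrestricted AdministratorAccess")
    return findings


def check_spend(month_to_date: float, budget: float, warn_ratio: float = 0.8) -> str:
    """Billing threshold check: 'ok' below the warning line, 'warn' once
    spend reaches warn_ratio of the budget, 'alert' at or over budget."""
    if month_to_date >= budget:
        return "alert"
    if month_to_date >= budget * warn_ratio:
        return "warn"
    return "ok"


def run_audit(instances: List[Dict] = INSTANCES, users: List[Dict] = IAM_USERS,
              spend: Tuple[float, float] = (920.0, 1000.0)) -> Dict:
    """Run every check and return one report dict keyed by area."""
    return {
        "instances": audit_instances(instances),
        "iam": audit_iam_users(users),
        "spend": check_spend(*spend),
    }


if __name__ == "__main__":
    for area, result in run_audit().items():
        print(f"{area}: {result}")
```

In a real account the three input lists would come from the management plane (the instance, volume, security-group and credential-report calls) rather than from literals, and the report would feed an alerting channel; the checks themselves stay the same.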
Rana Gupta, June 15, 2015, 10:55 am EDT
Recently I was pleased to emcee Gemalto’s second annual APAC Cipher Partner Summit in Phuket, Thailand with attendance from more than 110 partners from around the region. For three days we shared presentations on our data and identity protection solutions, exchanged ideas and best practices, networked with peers, and celebrated our valuable collaboration together on behalf of our customers. It was an extremely positive experience for our partners, and the energy was very palpable about the greater market potential we now have through the combination of Gemalto and SafeNet.
We also had the great privilege to recognize the success of our channel partners through their work with Gemalto.
Spectrum BD of Bangladesh and eSECURE Technology of Taiwan received the New Partner of the Year Award for the significant projects they brought to Gemalto. Spectrum BD sold a Hardware Security Module (HSM) solution to the Central Bank in Bangladesh for its Real Time Gross Settlement project, and eSECURE Technology brought Gemalto an authentication project for a major bank in Taiwan last year.
Macnica Networks Corps. of Japan, PRONEW Technologies Co., Ltd. of Taiwan, and Stream I.T. Consulting Ltd. of Thailand were recognized with the Rising Star of the Year Award due to the significant increase in revenue contributions by these partners.
ADOST of South Korea and Channel Solutions Inc. of the Philippines were recognized with the Solution Partner of the Year Award. ADOST was nominated for the best HSM application in 2014 and won the most contracts, all with major banks and enterprises. Channel Solutions Inc. was recognized for its pioneering work in the region delivering multi-factor authentication solutions to banks.
The Top Contributor of the Year Award was given to Macnica Networks Corp. of Japan, Transition Systems of India, and Nera Telecommunications Ltd. of Singapore for generating the most partner revenue in 2014.
The Cipher Partner of the Year Award went to Transition Systems of India, Bangkok Systems & Software Company Limited of Thailand, and Paysecure Technology Co Ltd., of Taiwan as they showed strong adoption of the partner enablement programs offered through the Cipher Partner Program.
Finally, Ascentech K.K. of Japan and Transition Systems of Indonesia took home the Marketing Excellence Award. The former earned this award by prominently showcasing Gemalto’s Identity and Data Protection products at its physical and online estates, helping drive demand generation, while the latter actively participated in the lead generation initiatives by running the most marketing campaigns in 2014.
Through the acquisition of SafeNet, Gemalto has clearly accelerated its portfolio of data security solutions for the enterprise market by bringing together the core security capabilities of SafeNet with the edge security strengths of Gemalto. Together, we now have the opportunity to offer a stronger combined portfolio, enabling more growth opportunities for Gemalto and our partners.
We value our strategic relationships with our partners enormously for the support they give us in growing our customer relationships. Together, we can deliver a better overall quality of solutions and service. Congratulations to all of our partner award winners, and we hope that our successful partnerships continue for a long time to come.