A New Model for Security – Securing the Computing Chain
- All environments should be considered untrusted
- The host defends itself from attack
- Data is encrypted
- Encryption keys are controlled only by you
When this whole chain is secure, components can move freely between data centres, LANs and clouds (diagram: DC1/LAN 1, Cloud 1/LAN 2, Data Cloud/LAN 1, Data DC2/LAN 2):
- Virtual “neighbours” don’t matter
- Location doesn’t matter
- The service-provider “lock” goes away
- Shared-storage ROI goes up
Inside-Out Security – Protect my data
A smart, context-aware, self-secured workload with local threat intelligence:
- When – timeline aware
- Who – identity aware
- Where – location aware
- What – content aware
Built on user-defined access policies and encryption of the data itself (inside-out security).
Protect the Data – BYOD
Limit data-loss incidents: enforce policies for data access and protection by requiring passwords, encrypting data, and remotely wiping data from lost or stolen devices.
- Control device access
  – Power-on password enforcement
  – Password policies add security
- Protect corporate data and access
  – Remotely locate devices
  – Remotely lock devices that are suspected lost
  – Remotely wipe corporate data from devices – full and selective wipe
  – Encrypt corporate data on mobile devices
- Feature lock
  – Disable security-relevant features (e.g. SD-card reader)
  – Control features that pose a risk (e.g. Bluetooth, microphone, camera)
  – Keep data secure (control iCloud)
How Does Cloud Storage Help?
- SYNC and PROTECT – synchronizes all desired data to the cloud and personal devices automatically, instantly and continuously
- STORE and MANAGE – gives each employee / user their own personal storage space
- SHARING – secure and simple sharing for colleagues and external parties
- ACCESS ANYWHERE – access files and folders from anywhere, at any time, from any device
One Security Model is Possible across Physical, Virtual, and Cloud Environments
Platform-specific security risks, and the response to each:
- Manageability: a glut of security products, less security, higher TCO → Reduce complexity
- Performance & threats: traditional security degrades performance; new VM-based threats → Increase efficiency
- Visibility & threats: less visibility, more external risks → Deliver agility
Integrated security: a single management console across physical, virtual and cloud.
One Server Security Platform – Reduce Complexity
Modules: Firewall; HIPS / virtual patching; Web application protection; Antivirus; Integrity monitoring; Log inspection; Advanced reporting module.
Single management console; software-agent-based solution.
Fitting into the VMware Ecosystem – Virtualization Security
Runs against the vSphere virtual environment and integrates with vCenter, using a security virtual machine.
- Agentless (via vShield Endpoint): Antivirus; Integrity monitoring
- Agent-based / other VMware APIs: Log inspection; IDS / IPS; Web application protection; Application control; Firewall
What is the Solution? – Cloud Security, Data Protection
Data security – encryption with policy-based key management:
- Sensitive research results are unreadable for unauthorized users
- Control of when and where data is accessed
- Server validation
- Custody of keys
Server & application security – modular protection:
- Self-defending VM security
- Agentless and agent-based
- One management portal for all modules, all deployments
vSphere & vCloud integration ensures servers have up-to-date security before encryption keys are released.
Test Deep Security / SecureCloud example (diagram): a VMware vSphere ESX host runs Customer 1 and Customer 2 Unix/Windows servers; their volumes are stored encrypted on SAN, NAS or a cloud service; a Policy Server and a Key Service decide when keys are released.
Fitting Encryption into a VMware Ecosystem – Cloud Security
Trend Micro SecureCloud: encryption throughout your cloud journey – data protection for virtual and cloud environments, from the data center (VMware vSphere) to the private cloud (VMware vCloud) and the public cloud, with an enterprise Key Service and console controlling key release to each VM.
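The policy-gated key release described on these slides (keys handed to a server only after its security posture is validated), as an added illustration rather than Trend Micro's own code. The posture fields, policy rules, volume ids and key bytes are all assumed for the example.

```python
"""Policy-gated key release: a Key Service that hands out a volume key only
when the requesting server's reported posture satisfies policy, and records
every decision.  Added example; schema and rules are assumed, not vendor code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Posture:
    """What the requesting server reports about itself (assumed schema)."""
    server_id: str
    agent_version: str          # version of the self-defending agent
    av_pattern_age_hours: int   # how stale the antivirus pattern is
    integrity_ok: bool          # integrity monitoring found no unexpected drift
    location: str               # e.g. "dc1", "private-cloud", "public-cloud"


@dataclass
class Policy:
    """Conditions that must all hold before a volume key is released."""
    min_agent_version: tuple
    max_pattern_age_hours: int
    allowed_locations: set


def parse_version(v: str) -> tuple:
    """'8.0.1' -> (8, 0, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class KeyService:
    policy: Policy
    keys: dict                       # volume_id -> key bytes (constructed sample)
    audit: list = field(default_factory=list)

    def evaluate(self, p: Posture) -> list:
        """Return the list of policy violations; an empty list means compliant."""
        reasons = []
        if parse_version(p.agent_version) < self.policy.min_agent_version:
            reasons.append("agent out of date")
        if p.av_pattern_age_hours > self.policy.max_pattern_age_hours:
            reasons.append("antivirus pattern stale")
        if not p.integrity_ok:
            reasons.append("integrity check failed")
        if p.location not in self.policy.allowed_locations:
            reasons.append("location not permitted")
        return reasons

    def request_key(self, p: Posture, volume_id: str):
        """Release the volume key only if compliant; audit every request either way."""
        reasons = self.evaluate(p)
        if volume_id not in self.keys:
            reasons.append("unknown volume")
        granted = not reasons
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "server": p.server_id,
            "volume": volume_id,
            "granted": granted,
            "reasons": reasons,
        })
        return self.keys[volume_id] if granted else None
```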
Specialized Protection for Physical, Virtual, and Cloud – Trend Micro Deep Security
The only solution to offer agentless: Antivirus; Integrity monitoring; Intrusion detection & prevention; Web application protection; Firewall.
Trend Micro: VMware’s Number 1 Security Partner – 2011 Technology Alliance Partner of the Year
- Improves security by providing the most secure virtualization infrastructure, with APIs and certification programs
- Improves virtualization by providing security solutions architected to fully exploit the VMware platform
Timeline, 2008–2011 (in the order the slide lists them):
- Feb: Join VMsafe program
- RSA: Trend Micro VMsafe demo; announces coordinated approach and virtual pricing
- RSA: Trend Micro announces virtual appliance
- 2010: >100 customers, >$1M revenue
- VMworld: Announce Deep Security 8 with agentless FIM; 1000 agentless customers
- VMworld: Trend virtsec customer, case study, webinar, video
- May: Trend acquires Third Brigade
- July: CPVM GA
- Nov: Deep Security 7 with virtual appliance
- RSA: Trend Micro demos agentless
- 2010 Q4: Joined EPSEC vShield program
- VMworld: Announce Deep Security 7.5; sale of DS 7.5 before GA
- Dec: Deep Security 7.5 with agentless antivirus
- RSA: Other vendors “announce” agentless
IT Security Policies – BUT who knows?
Demonstrate Good Governance and Mitigate Risk
Les Richardson
IT Security and Data Protection – the people factor!
Security of your information is paramount – YOU know that – but do ALL of your employees? Whether responding to legislation, compliance requirements, or protecting against accidental abuse, sabotage or malware, security concerns are real and need to be COMMUNICATED.
IT Security and Data Protection policies are essential. But getting employees’ attention and making sure they read and sign up to them, to ensure compliance, is often much easier said than done!
And not ONLY IT Assurance – SO many policy areas...
- IT Assurance
- Data Security
- Rules laid down by regulators and auditors
- Social media
- HR & operating procedures
- Best-practice guidance
- Anti-bribery and corruption (UK Bribery Act)
- Good governance, corporate responsibility
- Quality management standards and goals
- Health & safety
Information security – not just data either!
Do you allow your employees to use social media at work?
Information security – not just data either!
People have access to information, and have opinions and emotions. People also have access (at home or at work) to mass communication, so they can “share” these opinions and this information. That equals potential “HR accidents waiting to happen”, and potential “loss” of information, productivity and reputation – and at what cost?
And now there is All of a Twitter! – Social Media BOOM?
- Twitter: registered users rose from 75M in 2010 to 175M in 2011; users tweet over 95M tweets per day – that’s 4M tweets each hour!
- A professional network has grown 100% since March 2010, with 100M professionals using it worldwide – 20M in Europe
- Another network hit the half-billion member mark in 2010, with over 7 billion pieces of content “shared” each week
Who’s monitoring Internet use? Who owns the data / information / contacts? Where is this all going, or being “shared”?
Examples…
- Risk of trade secrets being revealed – Porsche banned employees from using social networking websites at work
- Business contacts – LinkedIn effectively creates a list of business contacts: the individual’s or the company’s?
- Being fired after making “my job is SO boring” comments on social media – employment tribunals
Examples… Any idea what might connect these comments? “Fat and smelly”; “Cockroaches”; “Faulty jet engines”.
So many policies…
Having good policies in place is the first step to reducing exposure to:
- Information and data loss
- Financial loss
- Reputational damage
- Compliance breaches
- Potential fines
However, if you don’t review them regularly, communicate them professionally, and ensure employees read, understand and adhere to them, they are almost worthless.
Communication is key Traditional methods of communication are no longer adequate
KPMG Forensics Survey
Communication and training programs will be the areas of greatest focus in compliance efforts over the next 12–24 months.
Source: KPMG Global Anti-Bribery & Corruption Survey 2011
The stakes are rising
- The UK Bribery Act 2010 includes a new offence of “failure of commercial organisations to prevent bribery”.
- It is a valid defence for the organisation to prove that it had “adequate procedures” in place.
- Staff must acknowledge that they have read and understood the anti-bribery code, and confirm that they will comply with it – a “compliance declaration”.
Shocking stats
- Nearly three quarters (74%) of 1,000 middle managers had not even heard of the Bribery Act.
- More than 20% of those surveyed said they were aware of unethical activity at their company.
Source: The FIDS (Fraud, Investigations and Disputes Services) team at Ernst & Young
BS:10500 is the Standard against which many organisations will be audited.
Information Commissioner’s Office stats…
- During 2011 the Information Commissioner’s Office (ICO) issued £541,000 in fines. This excludes the additional fines imposed by courts following
- This is an increase of 238% over 2010.
- If the same percentage increase occurs in 2012 over 2011, total fines issued could be over £1.8M.
Some recent ICO examples…
- 19 June 2012 – Belfast Health and Social Care Trust was served with a Civil Monetary Penalty of £225,000 following a serious breach of the Data Protection Act.
- 6 June 2012 – Telford and Wrekin Council was issued with a penalty of £90,000 by the ICO, following a breach of the Data Protection Act involving the disclosure of confidential and sensitive personal data relating to four vulnerable children.
- 1 June 2012 – Brighton and Sussex University Hospitals NHS Trust was served with a Civil Monetary Penalty (CMP) of £325,000 following a serious breach of the Data Protection Act.
- 21 May 2012 – Central London Community Healthcare NHS Trust was fined £90,000 following a serious breach of the Data Protection Act.
Non-compliance comes at a price
- Willis – £6.895m FSA fine
- Diageo – $16m SEC penalty
- Macmillan – £11.3m SFO fine
- Johnson & Johnson – $70m corruption settlement
Proactive Policy Management
Communication and reporting have never been more important. It is no longer acceptable just to have a well-written policy in place.
Proactive Policy Management
Communication and reporting have never been more important. To prove compliance, organisations must ensure that all stakeholders have:
1. Received the latest version of the policy
2. Read it
3. Understood it
4. Signed up to it (or not) – and
5. That management have a full audit trail
Value of a Policy Management System
- Manage every step of your policy lifecycle in a central place
- Effectively communicate essential policies to your staff in any location
- Avoid duplication and versioning issues
- Get the reporting you need – when you need it
- Demonstrate best practice and rigorous governance
- Increase operational efficiency and cut the cost of compliance and tribunals
Hitec Expertise
Specialising in the development, implementation and support of Policy Management, Enterprise Content, and Risk and Compliance management solutions. Over 350 customers in more than 40 countries.
Some customer feedback – Associated British Agriculture (AB Agri)
Benefits highlighted by AB Agri:
- Audit trail of policy communication and agreement (or not!)
- Visible evidence of staff awareness of essential IT Assurance policies and others
- Ability to immediately keep remote staff up to date
- Ability to rapidly respond to national programmes (e.g. Avian Flu)
- Ability to be sure of meeting rigorous compliance, business and security obligations
“We started thinking PolicyHub could help with IT Security Policies – but quickly established it could transform effectiveness of SO many policies, from HR, employee questionnaires through to essential procedures that support business operations. Information Security policies such as Acceptable Use for email and internet benefitted by PolicyHub’s ability to check employee policy status and immediately present policies for agreement.” – Martin Freeman, IS Security Services Manager, AB Agri
Some customer feedback – ALD Automotive
Benefits highlighted by ALD Automotive:
- Immediate time and cost savings
- Complete visibility of compliance
- Demonstrable good governance for the board
- Ability to re-brand to fit corporate brand guidelines
- Simplified process for staff, who are more aware of responsibilities
“In less than a week, we had secured agreement to key policies from over 80% of staff. For policy owners, we’re providing immediate EVIDENCE of how and when policies are being accepted. At Group level Societe Generale can demonstrate excellent Corporate Governance and Compliance.” – Lindsay Grant, Business Services Management, ALD Automotive
Some customer feedback – Morgan Cole
Benefits highlighted by Morgan Cole:
- Ability to rigorously enforce a policy within a deadline
- Ensured policy UNDERSTANDING
- Focussed initially on Information Security and IT Systems Acceptable Use, but many other policies addressed
- Compliance audit trail proving compliance
- High levels of staff understanding
- Detailed reporting; Lexcel Quality Standards adherence
- In tenders, ability to demonstrate highest levels of process
- Costs cut by 20:1
“Compared to the previous approach to communicating and tracking policies, we cut ongoing management costs by a ratio of 20:1… shortening the policy acceptance cycle – a 24:1 improvement. We had well written policies and a system of policy ‘owners’ – we were struggling with a lack of a system to make this process really effective, simple and sustainable. We’re seeing benefits from using PolicyHub on multiple fronts – delivering cost savings and highest levels of operational effectiveness.” – Jeff Wright, I&T Director, Morgan Cole
PolicyHub
Step 1: Create, import, amend policies
Step 2: Internal review process
Step 3: Publish the right policies to the right people
Step 4: Employee affirmation for key policies
Step 5: Ensure understanding of key policies
Step 6: Audit every action and inaction
A Proactive Policy Management Solution ensures:
- the key policies and procedures get to the right people
- that their knowledge is assessed
- they become accountable by signing up to them
- that the entire process is recorded and auditable
Notification Email
Automated, customisable email sent to users, with a hyperlink to their personal PolicyHub Inbox (no attachments).
Inbox
Personal Inbox: view outstanding policies / knowledge tests awaiting completion. Single sign-on = no log-in required.
Library
Personal Library: view and search for policy documents relevant to you.
Knowledge Assessment
Integrated and flexible test & questionnaire functionality, for when more than just acceptance of a key policy is required.
Reporting – MIS Reporting
The ability to see both test and questionnaire results is imperative.
Key Features – Demonstrate Good Governance > Mitigate Risk
- Communication: ensures staff read, understand and sign up to key policies and procedures via a clear presentation of information
- Accessibility: provides instant 24/7 browser-based access to only the latest version of the document within a personal library
- Compliance: provides detailed audit trails and management reporting on policy agreement and understanding, and identifies those who have and have not complied
Who benefits?
- Compliance, Audit & Security Managers – avoid compliance/security breaches
- The Board – demonstrate good governance and protect reputation
- Management – increased control and visibility; reduced management time and costs; minimised cost of tribunals; knowledge gaps addressed
- Employees – better employee engagement
Proactive Policy & Procedure Management Demonstrate Good Governance and Mitigate Risk
Questions & Contact Details
Les Richardson – Les.Richardson@hiteclabs.com
Chris Pascoe
Tel: 01628 600900
UK Headquarters: Hitec Laboratories Ltd, 430 Bath Road, Slough, Berkshire SL1 6BB
www.hiteclabs.com
Enterprise Storage Encryption and Key Management in the Datacentre
Blair Semple, CISSP-ISSEP, Director, Business Development, SafeNet Inc.
Agenda
- A little about myself and SafeNet
- Why encryption in the datacentre
- Encryption challenges
- Possible deployment options
- Key management challenges for enterprises
- SafeNet encryption and key management
- Summary
Who We Are
Trusted to protect the world’s most sensitive data for the world’s most trusted brands. We protect the most money that moves in the world, $1 trillion daily. We protect the most digital identities in the world. We protect the most classified information in the world.
- Founded: 1983
- Revenue: 454m
- Employees: 1,500+ in 25 countries
- Ownership: private
- Global footprint: 25,000+ customers in 100 countries
- Accredited: products certified to the highest security standard
Why is Security for Storage Necessary?
- Regulations: PCI, HIPAA, CA SB1386; privacy regulations impose financial penalties; proactive security measures have compelling ROI [1]
- IP protection: protect IP and digital assets from threats; strengthen access controls; auditing and logging of user IP access
- Security best practices: strong authentication; administrator role separation; non-repudiable auditing; secure data disposal; granularity of user data protection
- Business trends: controlled data access with outsourced IT and external development centers
[1] Gartner: estimated cost of dealing with a 100K-record breach: $90 per customer record. Cost of deploying encryption technology: $6 per record.
Datacentre Encryption Challenges
- Performance
- Manageability
- Resiliency
- Support for heterogeneous environments
Encryption Options for Storage (diagram): encryption can be placed at the host, in the network, or on the storage media. Security and granularity increase towards the host end; manageability and efficiency increase towards the media end.
Encryption Options at the Extremes
Host-based
- Pros: extremely granular control; data secured early in its lifecycle
- Cons: application and O/S dependencies; many devices to install on and manage; typically software (less secure)
Media-based
- Pros: typically hardware – secure and fast; no upstream dependencies; few devices to install / manage
- Cons: little/no granularity; data secured only when stored; storage-specific solutions
Encryption in the Middle – Network-based Encryption
- Pros: very secure (hardware); transparent to both sides; appropriate granularity
- Cons: additional devices to install; potential for bottlenecking
Why You Should Secure Your NAS
- Effective use of NAS storage means hosting multiple departments, users, customers, etc., with no physical segregation or physical access control, and with different policies and requirements
- Effective network sharing means allowing access within and across the enterprise as well as externally: LAN, intranet, Internet, VPN
As such, NAS is vulnerable to: human errors; malicious insiders; external attacks; compromised systems; lax policies.
Key Management Challenges
- Supporting many devices from many vendors
- Keys need to always be available to authorized users, but must be kept secure from others
- There can be LOTS of keys
- Keys may need to live for a very long time: some healthcare requirements are “life of the patient plus 10 years”; some US Government regulations state “for the life of the republic”
Proliferation of Key Management Systems (diagram): each encrypting system – laptop/mobile media, email, storage systems, tape/archive, business analytics, database, virtualized infrastructure, mainframe, network/storage encryption, e-commerce, enterprise apps – has its own key management system, attached by either a persistent or a transient connection.
Proliferation of Key Management Systems (diagram, continued): the same systems – laptop/mobile media, email, storage systems, tape/archive, business analytics, database, virtualized infrastructure, mainframe, network/storage encryption, e-commerce, enterprise apps – consolidated over KMIP onto a single SafeNet KeySecure k460.
SafeNet KeySecure – Enterprise Key Management
- Enterprise key lifecycle management: centrally managed consolidation of keys – store, manage, generate, distribute, rotate, backup, activate, deactivate, and destroy
- Up to 1 million keys per cluster
- High assurance level
- Standards-based approach – OASIS KMIP
- Broadest coverage in industry: NAS – StorageSecure; SAN – Brocade Encryption Solutions (BES and FS8/18); KMIP support (NSE/FDE, Quantum tape library and other 3rd-party support); cloud-enabled (KMIP-based); SafeNet Luna SA (HSM) and PCI card management
SafeNet StorageSecure – Next-Generation Storage Encryption
- Transparent network-based encryption
- NAS: CIFS (Windows), NFS (Unix/Linux), at file level; iSCSI (fall 2012)
- FIPS 140-2 Level 3 (validation in process)
- Strong access controls
- Separation of duties and tamper-proof auditing
- High reliability and availability: clustering
- Centralized key management: integrated with KeySecure
- S220 – 1 Gbit interfaces; S280 – 10 Gbit interfaces
StorageSecure Use Case Snapshot – World-Leading Bank
1. Isolate data in multi-tenant environments – encryption-enabled separation of data in shared virtual environments
2. Protect compliant data (maintain PCI posture) – encrypt data in real time at the point of capture/creation
3. Protect offline data in archives – encrypt data in primary and secondary storage before writing to tape
4. Destroy data securely or repurpose storage – destroy encryption keys at any point of the data lifecycle
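The key lifecycle the KeySecure slide lists (generate, activate, rotate, deactivate, destroy), the long-retention requirement from the key management challenges slide, and the "destroy keys to dispose of data" use case above, worked through as one added example. This is illustrative code, not SafeNet or KeySecure software; the state names follow the slide, while the retention rule, the id scheme and the sample dates are assumed.

```python
"""Key lifecycle manager with rotation, retention and audited destruction.
Added example: one active write key per dataset, older keys kept decrypt-only
until their retention date, destruction refused unless retention has passed or
the caller is deliberately disposing of the data (crypto-shredding)."""
import os
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PRE_ACTIVE, ACTIVE, DEACTIVATED, DESTROYED = "pre-active", "active", "deactivated", "destroyed"


@dataclass
class ManagedKey:
    key_id: str
    material: Optional[bytes]            # None once destroyed
    state: str = PRE_ACTIVE
    retain_until: Optional[date] = None  # deactivated keys stay decrypt-only until here


class KeyManager:
    def __init__(self, retention: timedelta):
        self.retention = retention   # e.g. "life of the patient plus 10 years" policy
        self.keys = {}               # key_id -> ManagedKey
        self.active = {}             # dataset -> key_id used for new writes
        self.counter = {}            # dataset -> number of keys generated so far
        self.audit = []              # (event, key_id) tuples, the tamper-evident trail

    def generate(self, dataset: str) -> str:
        self.counter[dataset] = self.counter.get(dataset, 0) + 1
        key_id = f"{dataset}-k{self.counter[dataset]}"     # constructed id scheme
        self.keys[key_id] = ManagedKey(key_id, os.urandom(32))
        self.audit.append(("generate", key_id))
        return key_id

    def activate(self, dataset: str, key_id: str, today: date) -> None:
        """Make key_id the write key; the previous write key becomes decrypt-only."""
        old = self.active.get(dataset)
        if old is not None:
            self.keys[old].state = DEACTIVATED
            self.keys[old].retain_until = today + self.retention
            self.audit.append(("deactivate", old))
        self.keys[key_id].state = ACTIVE
        self.active[dataset] = key_id
        self.audit.append(("activate", key_id))

    def rotate(self, dataset: str, today: date) -> str:
        """Rotation = generate a fresh key and activate it in one step."""
        key_id = self.generate(dataset)
        self.activate(dataset, key_id, today)
        return key_id

    def usable_for_decrypt(self, key_id: str) -> bool:
        """Old data stays readable while its key is active or merely deactivated."""
        return self.keys[key_id].state in (ACTIVE, DEACTIVATED)

    def destroy(self, key_id: str, today: date, dispose_data: bool = False) -> bool:
        """Zeroise key material.  Refused for the current write key or an already
        destroyed key, and refused before retain_until unless dispose_data=True,
        which is the explicit crypto-shred: ciphertext under this key is gone."""
        k = self.keys[key_id]
        if k.state in (ACTIVE, DESTROYED):
            return False
        if not dispose_data and k.retain_until is not None and today < k.retain_until:
            return False
        k.material = None
        k.state = DESTROYED
        self.audit.append(("destroy" if not dispose_data else "crypto-shred", key_id))
        return True
```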
Isolate Data in Multi-tenant Environments (diagram: one storage head serving isolated data shares for Health Solutions, Pharmaceutical Solutions, Patient Relationship and Medical-Surgical)
- Encryption-enabled separation of data in shared virtual environments
- Separation of departmental data
- Protect data belonging to security-sensitive departments
- Enables hosting multiple customers on the same hardware
Compliant Data Protection (diagram: clustered/failover appliances between on-premise systems such as HR, CMS and intellectual property and off-premise services such as SalesForce.com and clients)
- Encrypt data in real time at the point of capture/creation
- Secure, hardware-based network storage (FIPS 140-2 Level 3)
- Encrypts data and renders it unreadable to unauthorized viewers
- Secure key management – clear-text keys never leave the hardware
- Integrated with KeySecure for automated and centralized key lifecycle management
Archival Protection (diagram: primary and secondary storage serving networked applications, mobile workers, corporate offices and military applications – web, app and DB tiers)
- Encrypt data in primary and secondary storage before writing to tape
- Operations staff are able to manage the systems holding the data without access to its content
- Transparent deployment – no agents, storage device changes or user behaviour adjustments
Privileged User Risk Mitigation (diagram: administrator, users and storage, with the data isolated from the administrator)
- Ensures data isolation and granular, authorized access
- Protects against unauthorized administrators/network administrators and users
- Operations staff are able to manage the systems holding the data without access to its content
- Integrated with existing identity and access management systems (LDAP, MS AD, NIS)
- Instantiates an additional layer of dual control to restrict access