Amazon Web Services
Ugo Piazzalunga
Technical Manager, IT Security
ugo.piazzalunga@safenet-inc.com
Agenda
1. Amazon Web Services challenge
2. Virtual Instances and Virtual Storage Protection
3. AWS Data Security - User Experience
4. Scalability, Management, Key Security
5. SafeNet Trusted Cloud Fabric
The challenge
Help customers meet compliance requirements, including PCI DSS, SOX, HIPAA and the EU Data Privacy Directive, in the cloud.
The Problem of Protecting Cloud Data
Unique challenges to protecting data
Data in the Cloud
Virtual Instances
• Entire servers, applications, databases, etc. virtualized
• Unsecured container of sensitive data
• Susceptible to unlimited copying
• Exposed to uncontrolled brute force attacks
• Will live in multi-tenant environments
• Will be exposed to cloud admins
• Will be highly mobile/copyable
• Exposed to co-resident lawful order surrender
• Suffer from data destruction and retention uncertainty
Virtual Storage
• Data leakage exposure to physical and logical storage breach
• Accessible to cloud administrators
• Risk of data disclosure from misconfiguration or unanticipated changes in privacy terms
• Cloud-offered encryption suffers from separation of duties
Smarter Compliance and Security
Attaching and enforcing control directly on Data
(Diagram: RBAC and Perimeter placed around DATA)
Perimeter solutions apply security around data
• Solutions fundamentally can’t solve data protection
• Provides diminishing returns on investment
• Constantly being breached and failing audits
• Doesn’t apply well in the cloud
(Diagram: RBAC, Encryption, DATA, Attacker)
Data encryption attaches security directly on data
• Protection follows the data
• Solves separation of duties
• Solves multi-tenant data isolation (internal department and cloud)
• Can reduce overall audit scope
• Delivers granular audit records
• Directly addresses breach and leakage projects
• Limit scope of breaches
• Adheres to “safe harbor” provisions in most disclosure laws
SafeNet Virtual Instance and Storage Protection
With SafeNet ProtectV™ server- and storage-based encryption, customers can now protect compliance-impacted data stored on virtual machines and storage volumes running in both cloud and virtualized data centers.
ProtectV™ Instance enables organizations to encrypt and secure the entire contents of virtual servers, protecting these assets from theft or exposure. ProtectV™ Volume enables enterprises to secure entire virtual volumes in the cloud containing their data, such as files or folders.
ProtectV™ Manager enables enterprises to deploy cloud security at large scale, so that security keeps pace with the elasticity and agility of the cloud.
Delivers:
• Data isolation
• Separation of duties
• Large scale deployment
• Cloud compliance
• Pre-launch authentication
• Multi-tenant protection
SafeNet ProtectV on Instances
ProtectV Protection
• Entire instance encrypted, protecting OS
• Attached volumes encrypted
• Encrypt all data written to disk
• OS does not boot without authentication
• Central Key Management for strong control
• Resists brute-force attacks on keys
• Supports AWS and other hypervisors (e.g. VMware)
(Diagram: Cloud/Virtual Servers run the Encrypted Instance, with AES 256, Pre-Launch Authentication and Policy + Key Management; Cloud/Virtual Storage holds the Protected Volumes)
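As an added illustration of the properties listed on this slide (this is example code written for this page, not ProtectV's or SafeNet's code, and it does not describe ProtectV's internals), the Go program below models full-volume encryption with AES-256 (GCM mode here), a data-encryption key that lives only in a separate key manager, a pre-launch authentication step that gates release of that key, and a copied snapshot of the volume that is unreadable on its own. The KeyManager type, the Boot and Snapshot functions, the volume ID and the credential are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// KeyManager is a hypothetical, much-simplified stand-in for a central
// key-management service (it is not ProtectV Manager). Data-encryption keys
// live only here, never on the encrypted volume.
type KeyManager struct {
	keys  map[string][]byte // volume ID -> 256-bit AES key
	creds map[string][]byte // volume ID -> pre-launch credential
}

func NewKeyManager() *KeyManager {
	return &KeyManager{keys: map[string][]byte{}, creds: map[string][]byte{}}
}

// Provision generates a random AES-256 key for a volume and records the
// credential that must be presented before that key is released.
func (km *KeyManager) Provision(volumeID string, credential []byte) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	km.keys[volumeID] = key
	km.creds[volumeID] = append([]byte(nil), credential...)
	return nil
}

// ReleaseKey models pre-launch authentication: the key is handed out only
// when the presented credential matches, using a constant-time comparison.
func (km *KeyManager) ReleaseKey(volumeID string, credential []byte) ([]byte, error) {
	want, ok := km.creds[volumeID]
	if !ok || subtle.ConstantTimeCompare(want, credential) != 1 {
		return nil, errors.New("pre-launch authentication failed")
	}
	return km.keys[volumeID], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVolume seals volume contents with AES-256-GCM. The random nonce is
// prepended to the ciphertext; the key itself is never written alongside it.
func EncryptVolume(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVolume opens a sealed volume; a wrong key or a tampered image fails
// the GCM authentication tag check and yields an error instead of garbage.
func DecryptVolume(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("volume image too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Snapshot models what a cloud administrator, or anyone who copies the volume,
// obtains: the raw encrypted bytes and nothing else.
func Snapshot(volume []byte) []byte { return append([]byte(nil), volume...) }

// Leaks reports whether a copied image exposes a known plaintext fragment.
func Leaks(snapshot, fragment []byte) bool { return bytes.Contains(snapshot, fragment) }

// Boot models instance start-up: authenticate to the key manager, receive the
// key, decrypt the volume. Without a released key the OS cannot come up.
func Boot(km *KeyManager, volumeID string, credential, volume []byte) ([]byte, error) {
	key, err := km.ReleaseKey(volumeID, credential)
	if err != nil {
		return nil, err
	}
	return DecryptVolume(key, volume)
}

func main() {
	km := NewKeyManager()
	cred := []byte("boot-passphrase-example") // constructed sample credential
	if err := km.Provision("vol-example", cred); err != nil {
		panic(err)
	}
	key, _ := km.ReleaseKey("vol-example", cred)
	plain := []byte("compliance-impacted record 0001") // constructed sample data
	vol, err := EncryptVolume(key, plain)
	if err != nil {
		panic(err)
	}
	fmt.Println("snapshot leaks plaintext:", Leaks(Snapshot(vol), []byte("record 0001")))
	_, err = Boot(km, "vol-example", []byte("wrong-credential"), vol)
	fmt.Println("boot with wrong credential:", err)
	out, _ := Boot(km, "vol-example", cred, vol)
	fmt.Println("boot with correct credential:", string(out))
}
```

The design point is the separation of duties the slides call for: the party that can copy the volume (the cloud side) never holds the key, and the party that holds the key (the key manager) never sees the volume, so a snapshot alone yields nothing and a boot attempt without the credential is refused before any decryption happens.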
Ok, It’s Go Time!
ProtectV for AWS Experience
3 Steps to Getting Started Today
Step 1:
Sign up for your FREE TRIAL http://www2.safenet-inc.com/AWS/register.asp
Step 2:
Select AMIs: you can choose from 4 AMIs with SafeNet’s ProtectV software for Windows preinstalled:
32-bit Windows Server 2008 AMI ID: ami-e85ead81
64-bit Windows Server 2008 AMI ID: ami-d45eadbd
32-bit Windows Server 2003 AMI ID: ami-2e57a447
64-bit Windows Server 2003 AMI ID: ami-3257a45b
Step 3:
Activate AMI encryption. Here you’ll set up the