
SaaS Bill of Rights By @Vormetric | @CloudExpo [#Cloud]

Techniques for protecting data in the cloud

SaaS Bill of Rights - It's All About the SaaS
By Alan Kessler

Recently, we released the results from the cloud edition of our 2015 Insider Threat Report. My colleagues Andy Kicklighter and CJ Radford delved into the results in their blog posts from March 24 and March 26, and I’ve gone into a bit more detail about the findings below. But, the purpose of this blog is to do two things: a) discuss what we hear matters when it comes to successful and safe SaaS consumption and delivery and b) with this feedback in mind, outline the tools and capabilities necessary to make this happen.

It's all about the SaaS

Stormy Clouds Ahead?
It wouldn’t be an exaggeration to say that cloud computing has changed the way organizations approach IT; it’s enabled them to become more agile, introduce new business models, provide more services and reduce IT costs. Perhaps unsurprisingly, the Cloud and Big Data Edition of our 2015 Insider Threat Report found that 54 percent of respondents globally reported keeping sensitive information within the cloud.

Risks to Sensitive Data

But, the movement towards wide-scale cloud adoption doesn’t come without worries. Our survey also found that most IT decision makers have concerns about relinquishing security and control when they deploy cloud technology – which is an issue when 46 percent report market pressures are forcing them to use cloud services. In the U.S., cloud environments (46 percent) outpace databases (37 percent) and file servers (29 percent) as the location perceived as being the greatest risk by enterprise organizations.

Your (Cloud) Type – and How It Affects What You Want
As an enterprise customer and consumer of SaaS, we get it. From our conversations with enterprise customers, partners and through our own experiences, this is what we hear matters:

  • IaaS: When it comes to the consumption of IaaS, there are certain security capabilities you want to ensure maximum data security and control over your data, including:
    • Data-at-rest protection (data encryption with the ability to perform privileged user access control is a key requirement in this environment to remove the custodial risk of IaaS infrastructure personnel accessing sensitive data)
    • Along those lines, the ability to manage who and which applications in your IaaS environment can access your data
    • The ability to control and manage your own keys, even as your data is stored in an IaaS environment
    • The ability to receive audit log information to monitor the administration of your data and data policy by your IaaS provider
  • SaaS: When it comes to SaaS, we’ve found you’re generally looking for:
    • The ability to encrypt data before it leaves your premises
    • Compliance without interfering with functionality
    • Visibility and audit logs for tracking data access and movement between users and the cloud service
    • Key management that works across many different use cases across your enterprise and can deliver consistent policy implementation between systems, reducing training and maintenance costs. With this, comes:
      • The ability to control what data can be viewed and reported on by your SaaS provider including having a kill switch to your data when you turn down a service
      • The ability to control who within the SaaS environment can see your data and have the flexibility to control access to the keys necessary to view sensitive data in the SaaS cloud
      • Ability to separate the keys from the data repository. This typically means the encryption keys stay on the customer premises or at least are only managed by the customer.

As you can see, there’s a recurring theme here: transparency and visibility. The transparency point is important, most notably in an environment where you may host a wide range of applications, data types and operating system/computing environments. You would like to have a data security solution that is broadly applicable across structured and unstructured data and across a broad range of operating environments and supports public, private and hybrid clouds.

The Cloud Is All Around Us
Many enterprises operating in a B2B context are not only consuming Infrastructure as a Service (IaaS) and Software as a Service (SaaS) services, but are delivering solutions to their business customers via SaaS. (If you need a refresh of how these cloud models are defined, I recommend you check out our excellent Data Security in the Cloud White Paper).

What do I mean by this? Well, let’s say you’re Company X. As Company X, you deliver enterprise products that allow other enterprises to analyze their data. One of those enterprise products comes in the form of a cloud-based service. Concurrently, you also consume SaaS for your own internal purposes. You might, say, use Salesforce. Or AWS. Or BOX. So, you have a lot of (cloud) balls in play. Chances are, your security stress level is high. This has to do with the fact that you simply don’t have the visibility and control you do when using your own resources – and you also want to ensure your customers feel protected.

That being said, the economic and operational benefits of cloud technology are compelling enough to drive your business partners within the organization to consume cloud services. But, you still need a guarantee of security as a consumer and deliverer of cloud services – and this means you need a platform that contains features/capabilities addressing the concerns outlined above. Below, I’ve walked through some methods for getting to a secure place.

Techniques for Protecting Data in the Cloud

Data Protection/Encryption
Let’s start with data protection. You own your own data and you safeguard your customer’s data. That’s a lot of data to worry about. So – and this is somewhat dependent on the use case – you will need to protect that data at the file level or application level. A file level solution using transparent encryption is quick and easy to deploy and protects databases (structured data), files (unstructured data) and big data repositories. Application level encryption encrypts the sensitive data fields from within the application itself. This has the added advantage of assuring not only encryption of the data at rest, but also the data in motion starting at the application server. This method gives very granular control of what fields to encrypt.

Another granular method of encryption is through the use of tokenization. Tokenization replaces sensitive information in databases with a token, which is a meaningless placeholder that, even if stolen, can’t reveal the data it’s protecting, because the actual data has been replaced and a token is irreversible. By using tokens, threats are mitigated from both inside your organization and from outside attackers, because the object of their hacking doesn’t contain the information they desire. The sensitive data itself is kept in a token vault, which is encrypted and in a very secure and controlled location, thereby drastically cutting down the number of people with access to the sensitive information.

Another consideration when displaying data to an end user is to implement dynamic data masking. Dynamic data masking is pretty much exactly what it sounds like: it’s the process of hiding original data with replacement characters. Common reasons for employing dynamic data masking are to protect classified data, such as Social Security numbers, credit card numbers and financial information that only needs to be partially displayed to certain users.

For example, when you view your credit card statement online, you often see only the last four digits of the credit card number. The first digits are obfuscated with a character pattern such as XXXX-XXXX-XXXX. This is dynamic data masking in action. As the end-user, you only need to see your last four digits to know which credit card is represented on the statement.
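To make the tokenization and dynamic data masking described above concrete, here is an added example (not Vormetric's code or any product's API): a minimal in-memory token vault, hypothetical and standing in for a real encrypted vault service, that issues irreversible tokens keeping only the real last four digits, plus a masking function that produces the XXXX-XXXX-XXXX form for display. The vault key, the "payments" role and the sample card number 4111 1111 1111 1111 are constructed assumptions.

```python
import hmac
import hashlib
import re
import secrets

PAN_MIN, PAN_MAX = 13, 19  # accepted card-number lengths


def _digits_only(value: str) -> str:
    """Strip separators and check that the value has a plausible PAN length."""
    digits = re.sub(r"\D", "", value)
    if not PAN_MIN <= len(digits) <= PAN_MAX:
        raise ValueError("not a plausible card number length")
    return digits


class TokenVault:
    """Hypothetical in-memory token vault. It is the only place the original
    value exists; the database and the SaaS side hold only the token."""

    def __init__(self, vault_key: bytes):
        self._key = vault_key   # assumption: this key stays on customer premises
        self._by_token = {}     # token -> original digits
        self._by_index = {}     # keyed HMAC of the digits -> token

    def _index(self, digits: str) -> str:
        # Keyed lookup index so the same PAN always maps to the same token
        # without storing the PAN (or an unkeyed hash of it) outside the vault.
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        digits = _digits_only(value)
        idx = self._index(digits)
        if idx in self._by_index:
            return self._by_index[idx]
        # Random leading digits (not derived from the PAN) plus the real last
        # four: the token passes length checks and still identifies the card on
        # a statement, but cannot be reversed without the vault.
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = head + digits[-4:]
            if token not in self._by_token and token != digits:
                break
        self._by_token[token] = digits
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Only the role whose work requires the real value may reach the vault.
        if role != "payments":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._by_token[token]


def mask_pan(value: str, visible: int = 4) -> str:
    """Dynamic masking for display: hide all but the last `visible` digits."""
    digits = _digits_only(value)
    masked = "X" * (len(digits) - visible) + digits[-visible:]
    return "-".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def display(vault: TokenVault, token: str, role: str) -> str:
    """What a given role sees: the masked form unless it may detokenize."""
    if role == "payments":
        return vault.detokenize(token, role)
    return mask_pan(token)  # the token already ends in the real last four
```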

The target markets for tokenization and dynamic data masking are generally those that must follow strict compliance regulations. Examples include retail, which must abide by the Payment Card Industry Data Security Standard (PCI DSS) and healthcare, which is beholden to HIPAA. Big data lakes also often present a large need for data masking and obfuscation, because much of the data contained in those lakes is unstructured. For more information on the fascinating topic of data lakes, I invite you to check out a blog by our VP of product development and partner management, Ashvin Kamaraju and a blog by our CSO, Sol Cates.

We recognize not everyone is on the encryption train. So, if you don’t want to (or can’t) encrypt data before it leaves the confines of your network, we recommend working with SaaS providers who provide strong security.

Key Management
Earlier, I delved into key management because it’s an important component of encryption. If you’ve chosen to encrypt data, it means you (or someone else) has a handle on the decryption key.

When it comes to key management, there are basically two models to consider for encrypted data. Either you own and manage the key, or you allow your service provider to own and manage your key on your behalf. Each model carries its own risks, and the right choice depends on the level of risk and cost you’re prepared to take on. As a best practice, as the owner of the data, we recommend you own and manage the key.

Regarding the transparency point I brought up earlier: Vormetric Cloud Encryption, for example, includes encryption key management within the solution and is completely transparent to applications and users. This allows for existing processes and usage to continue with no changes. Thus, you can protect any data file within cloud environments simply, easily and efficiently.

Key management basically allows for access control, which means limiting access to encrypted data to only those whose work requires it.

An intelligent implementation of access control will allow system and application maintenance and operations without exposing data to the privileged users who carry out these tasks. It also meets myriad compliance requirements and stops the threat of legal or physical compromise of the cloud environment. Even if someone walks away with the drive, or more realistically finds their way to your data by finding a security flaw in the provider’s environment, they won’t see a thing of value. And if you control your own keys, legal challenges to see your data in the cloud provider’s jurisdiction aren’t possible without your knowledge and cooperation.

In a nutshell, the end goal for you, the enterprise, is to trust your cloud service providers, trust your employees that are using the cloud to make their workflow more efficient and streamlined and trust that any cloud-based solutions you are delivering to your business customers will not open them up to security risks.

Although I’m just a tad biased, I like to think our existing data security products (and some soon-to-be-announced new updates!) meet the majority of needs outlined above. I’m so confident about this, I invite you to come take a look for yourself while you’re at RSA (you will be at RSA, right?)

You can find us at booth #3015 (North Hall) and booth #515 (South Hall). Bring your shopping cart by, and our team will show you the goods.

The post SaaS Bill of Rights – It’s All About the SaaS appeared first on Data Security Blog | Vormetric.
