
SaaS Bill of Rights By @Vormetric | @CloudExpo [#Cloud]

Techniques for protecting data in the cloud

SaaS Bill of Rights - It's All About the SaaS
By Alan Kessler

Recently, we released the results from the cloud edition of our 2015 Insider Threat Report. My colleagues Andy Kicklighter and CJ Radford delved into the results in their blog posts from March 24 and March 26, and I’ve gone into a bit more detail about the findings below. But, the purpose of this blog is to do two things: a) discuss what we hear matters when it comes to successful and safe SaaS consumption and delivery and b) with this feedback in mind, outline the tools and capabilities necessary to make this happen.


Stormy Clouds Ahead?
It wouldn’t be an exaggeration to say that cloud computing has changed the way organizations approach IT; it’s enabled them to become more agile, introduce new business models, provide more services and reduce IT costs. Perhaps unsurprisingly, the Cloud and Big Data Edition of our 2015 Insider Threat Report found that 54 percent of respondents globally reported keeping sensitive information within the cloud.

Risks to Sensitive Data

But, the movement towards wide-scale cloud adoption doesn’t come without worries. Our survey also found that most IT decision makers have concerns about relinquishing security and control when they deploy cloud technology – which is an issue when 46 percent report that market pressures are forcing them to use cloud services. In the U.S., cloud environments (46 percent) outpace databases (37 percent) and file servers (29 percent) as the location perceived by enterprise organizations as carrying the greatest risk.

Your (Cloud) Type – and How It Affects What You Want
As an enterprise customer and consumer of SaaS, we get it. From our conversations with enterprise customers, partners and through our own experiences, this is what we hear matters:

  • IaaS: When it comes to the consumption of IaaS, there are certain security capabilities you want in order to ensure maximum data security and control over your data, including:
    • Data-at-rest protection (data encryption with the ability to enforce privileged user access control is a key requirement in this environment, because it removes the custodial risk of IaaS infrastructure personnel accessing sensitive data)
    • Along those lines, the ability to manage who and which applications in your IaaS environment can access your data
    • The ability to control and manage your own keys, even as your data is stored in an IaaS environment
    • The ability to receive audit log information to monitor the administration of your data and data policy by your IaaS provider
  • SaaS: When it comes to SaaS, we’ve found you’re generally looking for:
    • The ability to encrypt data before it leaves your premises
    • Compliance without interfering with functionality
    • Visibility and audit logs for tracking data access and movement between users and the cloud service
    • Key management that works across the many different use cases in your enterprise and can deliver consistent policy implementation between systems, reducing training and maintenance costs. With this comes:
      • The ability to control what data can be viewed and reported on by your SaaS provider including having a kill switch to your data when you turn down a service
      • The ability to control who within the SaaS environment can see your data and have the flexibility to control access to the keys necessary to view sensitive data in the SaaS cloud
      • Ability to separate the keys from the data repository. This typically means the encryption keys stay on the customer premises or at least are only managed by the customer.

As you can see, there’s a recurring theme here: transparency and visibility. The transparency point is important, most notably in an environment where you may host a wide range of applications, data types and operating system/computing environments. You would like to have a data security solution that is broadly applicable across structured and unstructured data and across a broad range of operating environments, and that supports public, private and hybrid clouds.

The Cloud Is All Around Us
Many enterprises operating in a B2B context are not only consuming Infrastructure as a Service (IaaS) and Software as a Service (SaaS) services, but are delivering solutions to their business customers via SaaS. (If you need a refresh of how these cloud models are defined, I recommend you check out our excellent Data Security in the Cloud White Paper).

What do I mean by this? Well, let’s say you’re Company X. As Company X, you deliver enterprise products that allow other enterprises to analyze their data. One of those enterprise products comes in the form of a cloud-based service. Concurrently, you also consume SaaS for your own internal purposes. You might, say, use Salesforce. Or AWS. Or Box. So, you have a lot of (cloud) balls in play. Chances are, your security stress level is high. This has to do with the fact that you simply don’t have the visibility and control you have when using your own resources, and you also want to ensure your customers feel protected.

That being said, the economic and operational benefits of cloud technology are compelling enough to drive your business partners within the organization to consume cloud services. But, you still need a guarantee of security as a consumer and deliverer of cloud services – and this means you need a platform that contains features/capabilities addressing the concerns outlined above. Below, I’ve walked through some methods for getting to a secure place.

Techniques for Protecting Data in the Cloud

Data Protection/Encryption
Let’s start with data protection. You own your own data and you safeguard your customers’ data. That’s a lot of data to worry about. So – and this is somewhat dependent on the use case – you will need to protect that data at the file level or the application level. A file-level solution using transparent encryption is quick and easy to deploy and protects databases (structured data), files (unstructured data) and big data repositories. Application-level encryption encrypts the sensitive data fields from within the application itself. This has the added advantage of assuring not only encryption of the data at rest, but also of the data in motion, starting at the application server. This method gives very granular control over which fields to encrypt.

Another granular method of protection is tokenization. Tokenization replaces sensitive information in databases with a token: a meaningless placeholder that, even if stolen, can’t reveal the data it protects, because the actual data has been replaced and the token is irreversible. By using tokens, threats from both inside your organization and from outside attackers are mitigated, because the object of their hacking doesn’t contain the information they want. The sensitive data itself is kept in a token vault, which is encrypted and sits in a very secure and controlled location, thereby drastically cutting down the number of people with access to the sensitive information.

Another consideration when displaying data to an end user is to implement dynamic data masking. Dynamic data masking is pretty much exactly what it sounds like: it’s the process of hiding original data behind replacement characters. Common reasons for employing dynamic data masking are to protect classified data, such as Social Security numbers, credit card numbers and financial information, that only needs to be partially displayed to certain users.

For example, when you view your credit card statement online, you often see only the last four digits of the credit card number. The first digits are obfuscated with a character pattern such as XXXX-XXXX-XXXX. This is dynamic data masking in action. As the end-user, you only need to see your last four digits to know which credit card is represented on the statement.
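As an added example (not code from the original post or from Vormetric), here is a minimal token vault that issues random, format-preserving tokens, together with the dynamic masking described above. The card numbers are constructed test values, and the in-memory dicts stand in for the encrypted, access-controlled vault store.

```python
import secrets

# Constructed sample values; "4111111111111111" and "5500000000000004" are
# well-known synthetic test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "4111111111111111"]


class TokenVault:
    """The one place a token can be turned back into the value it replaces.

    Tokens are drawn at random, so they carry no information about the PAN;
    the mapping lives only here, and in a real deployment this store is
    encrypted and tightly access-controlled (assumption: plain dicts here).
    """

    def __init__(self) -> None:
        self._by_token: dict = {}
        self._by_value: dict = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated PAN so application rows stay joinable
        # without the application ever holding the PAN itself.
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # Same length, digits only: the token fits the existing column.
            token = "".join(secrets.choice("0123456789") for _ in value)
            if token not in self._by_token and token != value:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Privileged path: only the vault service itself should expose this.
        return self._by_token[token]


def mask_pan(pan: str, visible: int = 4) -> str:
    """Dynamic data masking: hide all but the last `visible` digits."""
    visible = min(visible, len(pan))
    masked = "X" * (len(pan) - visible) + pan[len(pan) - visible:]
    # Lay the result out in groups of four, as on a card statement.
    return "-".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def store_records(vault: TokenVault, pans: list) -> list:
    """What the application database actually holds: tokens, never PANs."""
    return [{"card_token": vault.tokenize(p)} for p in pans]


def statement_view(vault: TokenVault, token: str) -> str:
    """End-user display path: detokenise only to produce the masked form."""
    return mask_pan(vault.detokenize(token))
```

Note that the application database rows never contain the PAN, and the display layer only ever receives the masked string.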

The target markets for tokenization and dynamic data masking are generally those that must follow strict compliance regulations. Examples include retail, which must abide by the Payment Card Industry Data Security Standard (PCI DSS) and healthcare, which is beholden to HIPAA. Big data lakes also often present a large need for data masking and obfuscation, because much of the data contained in those lakes is unstructured. For more information on the fascinating topic of data lakes, I invite you to check out a blog by our VP of product development and partner management, Ashvin Kamaraju and a blog by our CSO, Sol Cates.

We recognize not everyone is on the encryption train. So, if you don’t want to (or can’t) encrypt data before it leaves the confines of your network, we recommend working with SaaS providers who provide strong security.

Key Management
Earlier, I delved into key management because it’s an important component of encryption. If you’ve chosen to encrypt data, it means you (or someone else) has a handle on the decryption key.

When it comes to key management, there are basically two models to consider for encrypted data. Either you own and manage the key, or you allow your service provider to own and manage the key on your behalf. Each model has its own risks, and the right choice depends on the level of risk and cost you’re prepared to take on. As a best practice, as the owner of the data, we recommend you own and manage the key.

Regarding the transparency point I brought up earlier: Vormetric Cloud Encryption, for example, includes encryption key management within the solution and is completely transparent to applications and users. This allows for existing processes and usage to continue with no changes. Thus, you can protect any data file within cloud environments simply, easily and efficiently.

Key management basically allows for access control, which means limiting access to encrypted data to only those whose work requires it.

An intelligent implementation of access control will allow system and application maintenance and operations without exposing data to the privileged users who carry out these tasks. It also meets myriad compliance requirements and stops the threat of legal or physical compromise of the cloud environment. Even if someone walks away with the drive, or more realistically finds their way to your data through a security flaw in the provider’s environment, they won’t see a thing of value. And if you control your own keys, legal challenges to see your data in the cloud provider’s jurisdiction aren’t possible without your knowledge and cooperation.
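To make the privileged-user point concrete, here is an added example (not code from the original post or from Vormetric) of a policy engine for a transparent-encryption guard point: the application service account gets plaintext, root running the backup agent gets only ciphertext, and root reading the same file with a shell tool is denied, with every decision written to an audit record. The policy, paths, users and process names are constructed for a hypothetical payments service.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Effects a rule can grant on a file under a protected directory ("guard point").
PLAINTEXT = "plaintext"          # caller receives decrypted data
CIPHERTEXT_ONLY = "ciphertext"   # caller may read or copy the bytes, never the clear data
DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    process: str   # executable making the call
    action: str    # "read", "write" or "backup"
    path: str


@dataclass(frozen=True)
class Rule:
    guard_point: str          # protected directory prefix
    users: frozenset          # empty = any user
    processes: frozenset      # empty = any process
    actions: frozenset        # empty = any action
    effect: str

    def matches(self, req: AccessRequest) -> bool:
        return (req.path.startswith(self.guard_point)
                and (not self.users or req.user in self.users)
                and (not self.processes or req.process in self.processes)
                and (not self.actions or req.action in self.actions))


# Constructed policy for a hypothetical payments service: ordered rules, first
# match wins, and a request under the guard point that matches nothing is denied.
POLICY = [
    Rule("/data/payments/", frozenset({"svc_payments"}),
         frozenset({"/opt/payments/bin/api"}), frozenset({"read", "write"}), PLAINTEXT),
    Rule("/data/payments/", frozenset({"root"}),
         frozenset({"/usr/bin/backup-agent"}), frozenset({"backup"}), CIPHERTEXT_ONLY),
]


def evaluate(req: AccessRequest, policy=POLICY) -> tuple:
    """Return (effect, audit record): every decision, permitted or not, is logged."""
    effect = next((r.effect for r in policy if r.matches(req)), DENY)
    record = {"ts": datetime.now(timezone.utc).isoformat(), "user": req.user,
              "process": req.process, "action": req.action, "path": req.path,
              "effect": effect}
    return effect, record


# Constructed sample requests, including root trying to read the data directly.
SAMPLE_REQUESTS = [
    AccessRequest("svc_payments", "/opt/payments/bin/api", "read", "/data/payments/cards.db"),
    AccessRequest("root", "/usr/bin/backup-agent", "backup", "/data/payments/cards.db"),
    AccessRequest("root", "/bin/cat", "read", "/data/payments/cards.db"),
    AccessRequest("svc_payments", "/bin/cat", "read", "/data/payments/cards.db"),
]


def run_samples() -> list:
    """Evaluate the sample requests and return the effects in order."""
    return [evaluate(r)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(evaluate(req)[1])
```

The backup agent can still copy the file, so operations keep working, but the bytes it handles are ciphertext and the root-with-cat attempt shows up in the audit trail as a denial.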

In a nutshell, the end goal for you, the enterprise, is to trust your cloud service providers, trust your employees that are using the cloud to make their workflow more efficient and streamlined and trust that any cloud-based solutions you are delivering to your business customers will not open them up to security risks.

Although I’m just a tad biased, I like to think our existing data security products (and some soon-to-be-announced new updates!) meet the majority of the needs outlined above. I’m so confident about this that I invite you to come take a look for yourself while you’re at RSA (you will be at RSA, right?).

You can find us at booth #3015 (North Hall) and booth #515 (South Hall). Bring your shopping cart by, and our team will show you the goods.

The post SaaS Bill of Rights – It’s All About the SaaS appeared first on Data Security Blog | Vormetric.
