Secure Cloud and BYOD Strategies Gaining Control Over Trust

Upload: kendrick-wollen

Post on 31-Mar-2015


TRANSCRIPT

Page 1: 1 Secure Cloud and BYOD Strategies Gaining Control Over Trust

1

Secure Cloud and BYOD Strategies: Gaining Control Over Trust


A New World

Own Nothing.


Some Misconceptions

It’s my cloud provider’s responsibility to provide a secure environment.

“You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection” Customer Agreement

“When you go to the cloud, you have to consider that application is going to be going to a somewhat hostile environment.”

Dennis Hurst, founding member of CSA and security specialist, Hewlett-Packard Co.


The Onus Is On YOU!

“When data is transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.” Guidance v3.0

“Ultimately, you can outsource responsibility but you can't outsource accountability” ENISA Cloud Computing: Benefits, risks and recommendations for information security


Establishing TRUST?


Establishing Trust

• Encryption
• Digital certificates
• API & symmetric keys
• SSH keys


When TRUST breaks down

2011 2012 2013

Stolen Private Keys
Digitally sign code
• Stuxnet
• Zeus – Kaspersky compromised
• Duqu
• W32/Agent.DTIW
• Mediyes
• Troj/BredoZp – Adobe compromised
• Sony compromise
• Bit9 compromise

User Error
Poorly managed keys
• Yahoo
• Foxconn - Wii U keys
• TurkTrust
• McAfee
• Microsoft

Fraudulent Certificates
CA Compromise
• Verisign
• Comodo
• StartSSL
• DigiNotar
• DigiCert

Technology Advances
Weak Crypto
• BEAST – SSL 3
• FLAME – MD5
• Lucky 13 – (D)TLS
• SSH daemon backdoors


Trust is The New Target

“PKI is under attack”
Scott Charney, Microsoft


Real World Data

Attacks over last 24 months
• Weak crypto exploit: 1.3
• Server key theft: 0.4
• CA compromise: 1.1
• SSH attacks: 0.3

Expected attacks in next 24 months
• Weak crypto exploit: 18%
• Server key theft: 5%
• CA compromise: 7%
• SSH attacks: 3%

Cost of Failed Trust: Threats & Attacks, Feb 2013, Underwritten by Venafi – download @ www.venafi.com/Ponemon

Demographics: 2,300 Global 2000 organizations; U.S., Germany, UK, Australia, France


Real World Data

1 in 5 organizations expect to fall prey to attacks due to weak or legacy cryptography

Cost of Failed Trust: Threats & Attacks, Feb 2013, Underwritten by Venafi – download @ www.venafi.com/ponemon


Emerging Threats

#1 Most Alarming Key & Certificate Management Threat

SSH

Critical for establishing trust and control in the cloud

Cost of Failed Trust: Threats & Attacks, Feb 2013, Underwritten by Venafi – download @ www.venafi.com/ponemon


Gain Control Over TRUST


Control Over Trust Challenges

• Security Threats & Attacks
• Operational Risks & Outages
• Compliance Audits


Solving the Problem?

Getting key and certificate management right first solves security, operations, and compliance problems of using encryption

59%

Cost of Failed Trust: Threats & Attacks, Feb 2013, Underwritten by Venafi – download @ www.venafi.com/ponemon


A Rather Large Problem!

Average number of server keys and certificates in a Global 2000 organization

17,807

Cost of Failed Trust: Threats & Attacks, Feb 2013, Underwritten by Venafi – download @ www.venafi.com/ponemon


Gaining Control Over Trust

Central Policy Control

• Discovery
• Enrollment
• Provisioning
• Monitoring

• Server Certs Module
• Symmetric Key Module
• SSH Key Module
• User Certs Module


Journey to Control Trust

• AUTOMATE
• REPORT AND AUDIT
• ENFORCE POLICY
• DISCOVER ASSETS
• ANALYZE FOR INSIGHT
• CONNECT PEOPLE


First, Assess Risk and Gain Visibility


How Do You Measure Up?

[Bar chart. Categories: MD5 %, SHA-1 %, Validity Period <=1 year %, Validity Period 1-3 years %, Validity Period >3 years %, Expired Certs %, Key Length <= 1024 %. Series: Financial, Govt, Healthcare, Tech, All Industry Average. Data labels shown: 37%, 55%, 23%, 15%, 40%, 21%, 68%.]


Gain Control Over Trust

Streamline your trust asset management

Gain knowledge

Bring under control

Eliminate failed audits

Put controls in place

Reduce operational cost

Own Nothing. Control Everything.


Gained Control Over Trust

Learn More: www.venafi.com/about/case-studies/


Any Key. Any Cert. Anywhere.™

Read Key & Certificate Management Best Practices www.venafi.com/best-practices/

Take the Enterprise risk assessment to understand your risks www.venafi.com/venafi-assessor/


Unpublished Work of Venafi, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

© 2013 Venafi Proprietary and Confidential