Secure Cloud and BYOD Strategies: Gaining Control Over Trust
TRANSCRIPT
1
Secure Cloud and BYOD Strategies: Gaining Control Over Trust
2
A New World
Own Nothing.
3
Some Misconceptions
It's my cloud provider's responsibility to provide a secure environment.
“You are responsible for properly configuring and using the Service Offerings and taking your own steps to maintain appropriate security, protection” (Customer Agreement)
“When you go to the cloud, you have to consider that application is going to be going to a somewhat hostile environment.” (Dennis Hurst, founding member of CSA and security specialist, Hewlett-Packard Co.)
4
The Onus Is On YOU!
“When data is transferred to a cloud, the responsibility for protecting and securing the data typically remains with the collector or custodian of that data.” (CSA Security Guidance v3.0)
“Ultimately, you can outsource responsibility but you can't outsource accountability.” (ENISA, Cloud Computing: Benefits, risks and recommendations for information security)
5
Establishing TRUST?
6
Establishing Trust
Encryption
Digital certificates
API & symmetric keys
SSH keys
7
When TRUST breaks down
Timeline of incidents, 2011 to 2013:
Stolen private keys (used to digitally sign code)
• Stuxnet
• Zeus (Kaspersky compromised)
• Duqu
• W32/Agent.DTIW
• Mediyes
• Troj/BredoZp (Adobe compromised)
• Sony compromise
• Bit9 compromise
User error / poorly managed keys
• Yahoo
• Foxconn (Wii U keys)
• TurkTrust
• McAfee
• Microsoft
Fraudulent certificates / CA compromise
• Verisign
• Comodo
• StartSSL
• DigiNotar
• DigiCert
Technology advances / weak crypto
• BEAST (SSL 3)
• FLAME (MD5)
• Lucky 13 ((D)TLS)
• SSH daemon backdoors
8
Trust is The New Target
“PKI is under attack” (Scott Charney, Microsoft)
9
Real World Data
Attack type            Attacks over last 24 months (avg.)   Expected attacks in next 24 months
Weak crypto exploit    1.3                                  18%
Server key theft       0.4                                   5%
CA compromise          1.1                                   7%
SSH attacks            0.3                                   3%
Source: Cost of Failed Trust: Threats & Attacks, Feb 2013, underwritten by Venafi (download at www.venafi.com/Ponemon)
Demographics: 2,300 Global 2000 organizations in the U.S., Germany, UK, Australia and France
10
Real World Data
1 in 5 organizations expect to fall prey to attacks due to weak or legacy cryptography
Source: Cost of Failed Trust: Threats & Attacks, Feb 2013 (Ponemon, underwritten by Venafi)
11
Emerging Threats
#1 Most Alarming Key & Certificate Management Threat: SSH
Critical for establishing trust and control in the cloud
Source: Cost of Failed Trust: Threats & Attacks, Feb 2013 (Ponemon, underwritten by Venafi)
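The deck names SSH keys as the top key-management threat but does not show what "control" looks like in practice. The following is an added example, not code from the deck or from Venafi's product: an audit over a fleet's authorized_keys files that parses the OpenSSH public-key blob (RFC 4251 wire format) to recover key type and size, flags DSA keys, short RSA keys and entries without from=/command=/restrict options, and reports the same public key trusted on more than one host. It uses only the Python standard library. The inventory, host names and key blobs are constructed here for the example (the blobs are synthetic encodings with made-up numbers, not real keys).

```python
"""Audit SSH authorized_keys entries across a fleet: key type and size, missing
key options (from=, command=, restrict) and one public key trusted on several
hosts. Added example (not the deck's or Venafi's code), standard library only;
the inventory is constructed and its key blobs are synthetic, not real keys."""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")


# RFC 4251 wire format: "string" is length-prefixed bytes, "mpint" a
# length-prefixed big-endian two's-complement integer.
def _string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(n):
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(buf, off):
    (ln,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + ln], off + 4 + ln

def key_strength(blob):
    """(key type, size in bits) of a decoded public-key blob."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)       # exponent e, then modulus n
        n, _ = _read_string(blob, off)
        return ktype, int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)          # DSA parameter p comes first
        return ktype, int.from_bytes(p, "big").bit_length()
    if ktype == "ssh-ed25519":
        return ktype, 256
    if ktype.startswith("ecdsa-sha2-nistp"):
        return ktype, int(ktype[len("ecdsa-sha2-nistp"):])
    return ktype, 0

def parse_entry(line):
    """Parse one authorized_keys line; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        # Leading options field: commas and spaces are allowed inside quotes.
        i, quoted = 0, False
        while i < len(line) and (quoted or line[i] != " "):
            if line[i] == '"':
                quoted = not quoted
            elif line[i] == "\\" and quoted:
                i += 1                          # skip the escaped character
            i += 1
        options, line = line[:i], line[i:].strip()
    fields = line.split(None, 2)
    blob = base64.b64decode(fields[1])
    ktype, bits = key_strength(blob)
    # Same format as `ssh-keygen -lf`: SHA-256 of the blob, base64 without padding.
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "fingerprint": fp, "options": options,
            "comment": fields[2] if len(fields) > 2 else ""}

def audit(inventory, min_rsa_bits=2048):
    """inventory: {host: authorized_keys text} -> (findings, shared), where
    shared maps a fingerprint to the hosts trusting it when that is more than one."""
    findings, hosts_by_fp = [], defaultdict(set)
    for host, text in inventory.items():
        for line in text.splitlines():
            e = parse_entry(line)
            if e is None:
                continue
            issues = []
            if e["type"] == "ssh-dss":
                issues.append("dsa key")
            if e["type"] == "ssh-rsa" and e["bits"] < min_rsa_bits:
                issues.append(f"rsa {e['bits']} bits")
            if not any(o in e["options"] for o in ("from=", "command=", "restrict")):
                issues.append("unrestricted")
            hosts_by_fp[e["fingerprint"]].add(host)
            findings.append({"host": host, **e, "issues": issues})
    return findings, {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}

def _rsa_blob(bits):
    # Synthetic modulus of the requested size (top bit set, odd): NOT a real key.
    return _string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) + 12345)

def _entry(blob, comment, options=""):
    ktype, _ = _read_string(blob, 0)
    return f"{options + ' ' if options else ''}{ktype.decode()} {base64.b64encode(blob).decode()} {comment}"

def sample_inventory():
    """Constructed fleet: a 1024-bit deploy key shared by two web hosts, a DSA
    key, a restricted backup key and a source-restricted 4096-bit DBA key."""
    ed25519 = _string(b"ssh-ed25519") + _string(bytes(range(32)))
    dss = _string(b"ssh-dss") + _mpint((1 << 1023) + 3) + _mpint((1 << 159) + 1) + _mpint(2) + _mpint(3)
    return {
        "web01": "# managed by ops\n" + _entry(_rsa_blob(1024), "legacy-deploy") + "\n"
                 + _entry(ed25519, "backup", 'restrict,command="/usr/bin/rrsync /srv"'),
        "web02": _entry(_rsa_blob(1024), "legacy-deploy") + "\n" + _entry(dss, "old-dsa"),
        "db01": _entry(_rsa_blob(4096), "dba@laptop", 'from="10.0.0.0/8"'),
    }
```

Run `audit({host: open(path).read() for host, path in collected_files.items()})` over authorized_keys files gathered from real hosts; the fingerprints it prints match `ssh-keygen -lf`, so shared keys can be traced back to the person or system that holds the private half. The "unrestricted" finding is deliberately strict: an entry with no from=, command= or restrict option is a full interactive login for whoever holds the key.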
12
Gain Control Over TRUST
13
Control Over Trust Challenges
Security threats & attacks
Operational risks & outages
Compliance audits
14
Solving the Problem?
Getting key and certificate management right first solves the security, operations, and compliance problems of using encryption: 59% of respondents agree.
Source: Cost of Failed Trust: Threats & Attacks, Feb 2013 (Ponemon, underwritten by Venafi)
15
A Rather Large Problem!
Average number of server keys and certificates in a Global 2000 organization: 17,807
Source: Cost of Failed Trust: Threats & Attacks, Feb 2013 (Ponemon, underwritten by Venafi)
16
Gaining Control Over Trust
Central Policy Control
Lifecycle functions: Discovery, Enrollment, Provisioning, Monitoring
Modules: Server Certs Module, User Certs Module, Symmetric Key Module, SSH Key Module
17
Journey to Control Trust
DISCOVER ASSETS
ENFORCE POLICY
AUTOMATE
REPORT AND AUDIT
ANALYZE FOR INSIGHT
CONNECT PEOPLE
18
First, Assess Risk and Gain Visibility
19
How Do You Measure Up?
Bar chart (image not recoverable). Categories measured: MD5 %; SHA-1 %; validity period <= 1 year %; validity period 1-3 years %; validity period > 3 years %; expired certs %; key length <= 1024 bits %. Series: Financial, Govt, Healthcare, Tech, All Industry Average. Values labelled on the chart (series not recoverable): 37%, 55%, 23%, 15%, 40%, 21%, 68%.
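The chart's categories are exactly the numbers an inventory audit should produce before anything is brought under policy. The block below is an added example, not code from the deck or from Venafi: it computes the share of a certificate inventory that is MD5- or SHA-1-signed, falls in each validity-period bucket, is expired, or uses an RSA key of 1024 bits or less. It assumes the `cryptography` Python package, a fixed audit date of 2013-06-01 (so results are reproducible), and a constructed inventory of self-signed certificates built inline. The constructed inventory uses SHA-1 as its weak hash because the library refuses to create MD5 signatures; real MD5-signed certificates loaded with `x509.load_pem_x509_certificate` are still counted.

```python
"""Compute the "How Do You Measure Up?" metrics over a certificate inventory:
MD5/SHA-1 signatures, validity-period buckets, expired certificates and RSA
keys of 1024 bits or less.

Added example, not code from the deck or from Venafi. Assumes the
`cryptography` package; the inventory is constructed from self-signed
certificates (SHA-1 stands in for the weak hash, the library will not sign
with MD5) and the audit date is fixed so the percentages are reproducible."""
import datetime as dt
from collections import Counter

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
AUDIT_DATE = dt.datetime(2013, 6, 1, tzinfo=UTC)   # assumed audit date (deck's year)
CATEGORIES = ("MD5", "SHA-1", "validity<=1y", "validity 1-3y", "validity>3y",
              "expired", "key<=1024")


def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes. The *_utc attributes
    exist from cryptography 42 on; older versions expose naive UTC values."""
    nb = getattr(cert, "not_valid_before_utc", None)
    na = getattr(cert, "not_valid_after_utc", None)
    if nb is None or na is None:
        nb = cert.not_valid_before.replace(tzinfo=UTC)
        na = cert.not_valid_after.replace(tzinfo=UTC)
    return nb, na


def classify(cert, now=AUDIT_DATE):
    """Findings for one certificate, one field per chart category."""
    nb, na = _validity(cert)
    days = (na - nb).days
    if days <= 366:
        bucket = "validity<=1y"
    elif days <= 3 * 366:
        bucket = "validity 1-3y"
    else:
        bucket = "validity>3y"
    alg = cert.signature_hash_algorithm             # None for e.g. Ed25519 signatures
    hash_name = alg.name if alg is not None else "none"
    pub = cert.public_key()
    key_bits = pub.key_size if isinstance(pub, rsa.RSAPublicKey) else None
    return {
        "subject": cert.subject.rfc4514_string(),
        "hash": hash_name,
        "key_bits": key_bits,
        "validity": bucket,
        "expired": na < now,
        "short_key": key_bits is not None and key_bits <= 1024,
    }


def measure_up(certs, now=AUDIT_DATE):
    """Percent of the inventory in each chart category, rounded to whole %."""
    counts = Counter()
    for cert in certs:
        f = classify(cert, now)
        counts["MD5"] += f["hash"] == "md5"
        counts["SHA-1"] += f["hash"] == "sha1"
        counts[f["validity"]] += 1
        counts["expired"] += f["expired"]
        counts["key<=1024"] += f["short_key"]
    return {k: round(100 * counts[k] / len(certs)) for k in CATEGORIES}


def _self_signed(cn, key, hash_alg, not_before, days):
    """Build a self-signed certificate for the constructed inventory."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_before + dt.timedelta(days=days))
            .sign(key, hash_alg))


def sample_inventory():
    """Constructed inventory (not real data): a 1024-bit SHA-1 cert with a
    five-year lifetime, an expired SHA-1 cert, an expired one-year cert and
    a current one-year cert."""
    key1024 = rsa.generate_private_key(public_exponent=65537, key_size=1024)
    key2048 = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return [
        _self_signed("legacy.example.com", key1024, hashes.SHA1(), dt.datetime(2012, 1, 1), 5 * 365),
        _self_signed("old-api.example.com", key2048, hashes.SHA1(), dt.datetime(2011, 1, 1), 2 * 365),
        _self_signed("www.example.com", key2048, hashes.SHA256(), dt.datetime(2012, 3, 1), 365),
        _self_signed("new.example.com", key2048, hashes.SHA256(), dt.datetime(2013, 1, 1), 365),
    ]


if __name__ == "__main__":
    for cat, pct in measure_up(sample_inventory()).items():
        print(f"{cat:>14}: {pct}%")
```

For a real inventory, pass a list of `x509.load_pem_x509_certificate(pem_bytes)` objects exported from the key stores and load balancers that discovery found, and call `measure_up(certs, dt.datetime.now(UTC))`. The validity buckets use 366 days per year so a certificate issued for exactly one year lands in the "<= 1 year" bucket rather than the next one.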
20
Gain Control Over Trust
Streamline your trust asset management
Gain knowledge
Bring under control
Eliminate failed audits
Put controls in place
Reduce operational cost
Own Nothing. Control Everything.
21
Gained Control Over Trust
Learn More: www.venafi.com/about/case-studies/
22
Any Key. Any Cert. Anywhere.™
Read Key & Certificate Management Best Practices www.venafi.com/best-practices/
Take the Enterprise risk assessment to understand your risks www.venafi.com/venafi-assessor/
23
Unpublished Work of Venafi, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Venafi, Inc. Access to this work is restricted to Venafi employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Venafi, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Venafi, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Venafi, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Venafi marks referenced in this presentation are trademarks or registered trademarks of Venafi, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
© 2013 Venafi Proprietary and Confidential