cloud gateways for regulatory compliance
DESCRIPTION
Consumers have no control over security once data is inside the public cloud; they are completely reliant on the provider for application and storage security. A private cloud gives a single cloud consumer organization exclusive access to and use of the infrastructure and computational resources, but the consumer still has only limited capability to manage security within an outsourced IaaS private cloud.

A cloud service mapping can be compared against a catalogue of security controls to determine which controls exist and which do not, and whether each is provided by the consumer, the cloud service provider, or a third party. This can in turn be compared to a compliance framework or set of requirements such as PCI DSS. The PCI guidance defines cloud security as a shared responsibility between the cloud service provider (CSP) and its clients: if payment card data is stored, processed or transmitted in a cloud environment, PCI DSS applies to that environment, and validation will typically cover both the CSP's infrastructure and the client's usage of that environment.

Gartner studied cloud gateways and defined six different types. A public cloud gateway isolates sensitive data from the public cloud so that security control stays within your organization. A cloud gateway can protect any data sent or received via HTTP or FTP through enterprise, remote, or mobile channels, and can securely integrate enterprise data into cloud applications, emailed reports, and process analytics on protected data from remote requests. You control all security functions from inside your enterprise, which is vital for compliance with many regulations and laws. Data can be protected with tokenization or encryption: the solution enforces fine-grained, field-level data protection with vaultless tokenization or encryption, together with comprehensive activity monitoring.

It should support multiple deployment options, with a flexible gateway architecture that lets you deploy the cloud gateway on physical or virtual servers to protect data in public, private, or hybrid cloud environments. It should offer protection by column, by field, or even by character, without any back-end system modifications or loss of functionality. Files should also be fully encrypted or tokenized.

TRANSCRIPT
Cloud Gateways for Regulatory Compliance
Ulf Mattsson, CTO, Protegrity
Public Cloud – No Control
Consumers have no control over security once data is inside the public cloud. Completely reliant on provider for application and storage security.
Private Cloud – Limited Control
Outsourced Private Cloud
On-site Private Cloud
Consumer has limited capability to manage security within outsourced IaaS private cloud.
Mapping the Cloud Model to Security Control & Compliance
(Diagram: four cloud model columns, each showing Applications and Data layers.)
Cloud Gateways – Enterprise Control
• Cloud Encryption Gateways – SaaS encryption
• Cloud Security Gateways – Policy enforcement
• Cloud Access Security Brokers (CASBs)
• Cloud Services Brokerage (CSB)
• Secure Email Gateways
• Secure Web Gateway
Public Cloud Gateway Example
(Diagram: Gateway Appliance.)
Cloud Gateway Example – Public Cloud
(Diagram: Cloud Gateway.)
High-Performance Gateway Architecture
Enterprise-extensible platform
Tokenization and encryption
Enterprise-grade key management
Flexible policy controls
Example of Cloud Security Gateway Features
Flexible policy controls
• File or Field Security
• Advanced function & usability preservation
Comprehensive activity monitoring & reporting
Support for internal, remote & mobile users
Multiple deployment options
Security Gateway Deployment – Example
(Diagram: Cloud Gateway between a Backend System in the Corporate Network and an External Service; roles shown: Enterprise Security Administrator, Security Officer.)
Enterprise Data Security Policy
• What – What is the sensitive data that needs to be protected?
• How – How you want to protect and present sensitive data. There are several methods for protecting sensitive data: encryption, tokenization, monitoring, etc.
• Who – Who should have access to sensitive data and who should not. Security access control: roles & users.
• When – When should sensitive data access be granted to those who have access? Day of week, time of day.
• Where – Where is the sensitive data stored? This is where the policy is enforced.
• Audit – Audit authorized or unauthorized access to sensitive data.
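The What/How/Who/When/Where/Audit policy on this slide, and the field-level vaultless tokenization the DESCRIPTION promises (protection by field without back-end changes, last digits left usable), shown together as one runnable illustration. This is an added example written for this page; it is not Protegrity's code, and the digit cipher is a toy Feistel construction over decimal strings rather than NIST FF1 or any vendor algorithm. The key, the field names, the roles, the hour windows and the sample record are all assumptions constructed for the demo.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed demo key; a real gateway would obtain it from key management.
GATEWAY_KEY = b"demo-gateway-key-not-for-production"
ROUNDS = 10

# What to protect, How to protect/present it, Who may see it in clear, When.
# Where is the gateway itself: values leave the enterprise only as tokens/masks.
POLICY = {
    "card_number": {"how": "tokenize", "keep_last": 4,
                    "clear_roles": {"fraud_analyst"}, "hours": (8, 18)},
    "ssn": {"how": "tokenize", "keep_last": 0,
            "clear_roles": {"hr_admin"}, "hours": (0, 24)},
    "email": {"how": "mask", "keep_last": 0, "clear_roles": set(), "hours": (0, 24)},
}
AUDIT_LOG = []  # the Audit element: one entry per protect/reveal attempt

def _prf(round_no, tweak, data, modulus):
    """Keyed round function: HMAC-SHA256 reduced into [0, modulus)."""
    msg = bytes([round_no]) + tweak.encode() + b"|" + data.encode()
    mac = hmac.new(GATEWAY_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % modulus

def fpe_digits(digits, tweak, decrypt=False):
    """Toy Feistel cipher over a decimal string (illustrative, not NIST FF1): same
    length and digit alphabet out as in, reversible with the key alone (no vault)."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    wa = len(digits) // 2
    wb = len(digits) - wa
    a, b = int(digits[:wa]), int(digits[wa:])
    ma, mb = 10 ** wa, 10 ** wb
    order = range(ROUNDS - 1, -1, -1) if decrypt else range(ROUNDS)
    sign = -1 if decrypt else 1
    for r in order:
        if r % 2 == 0:  # even rounds update the left half from the right
            a = (a + sign * _prf(r, tweak, f"{b:0{wb}d}", ma)) % ma
        else:           # odd rounds update the right half from the left
            b = (b + sign * _prf(r, tweak, f"{a:0{wa}d}", mb)) % mb
    return f"{a:0{wa}d}{b:0{wb}d}"

def _split(field, value):
    cut = len(value) - POLICY[field]["keep_last"]
    return value[:cut], value[cut:]

def tokenize(field, value):
    """Format-preserving token: the last keep_last digits stay clear for lookups;
    the rest is enciphered under a tweak of field name plus that clear tail."""
    body, tail = _split(field, value)
    return fpe_digits(body, f"{field}:{tail}") + tail

def detokenize(field, token):
    body, tail = _split(field, token)
    return fpe_digits(body, f"{field}:{tail}", decrypt=True) + tail

def mask(value):
    """Irreversible presentation form: first character and domain survive."""
    local, _, domain = value.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"

def _audit(now, user, role, field, action, allowed):
    AUDIT_LOG.append({"time": now.isoformat(), "user": user, "role": role,
                      "field": field, "action": action,
                      "result": "authorized" if allowed else "denied"})

def protect_outbound(record, user, role, now):
    """Apply each field's How rule before the record leaves the enterprise.
    Unconditional: the cloud application never receives clear values."""
    out = dict(record)
    for field, rule in POLICY.items():
        if field in out:
            out[field] = (tokenize(field, out[field]) if rule["how"] == "tokenize"
                          else mask(out[field]))
            _audit(now, user, role, field, "protect", True)
    return out

def reveal_inbound(field, token, user, role, now):
    """Who/When check on the way back: clear text only for an allowed role inside
    the hour window, otherwise the token goes back. Every attempt is audited."""
    rule = POLICY[field]
    start, end = rule["hours"]
    allowed = (rule["how"] == "tokenize" and role in rule["clear_roles"]
               and start <= now.hour < end)
    _audit(now, user, role, field, "reveal", allowed)
    return detokenize(field, token) if allowed else token

if __name__ == "__main__":
    record = {"card_number": "4111111111111111", "ssn": "123456789",
              "email": "alice@example.com"}  # constructed sample record
    at_10 = datetime(2024, 3, 4, 10, 0)
    sent = protect_outbound(record, "svc-crm", "service", at_10)
    tok = sent["card_number"]
    print("sent to cloud:", sent)
    print("analyst 10:00:", reveal_inbound("card_number", tok, "bob", "fraud_analyst", at_10))
    print("support 10:00:", reveal_inbound("card_number", tok, "eve", "support", at_10))
    print(AUDIT_LOG)
```

Outbound protection is unconditional, so the cloud side only ever holds tokens and masks; the Who and When checks apply when a token is turned back into clear text, and every attempt, authorized or denied, lands in the audit log. Because the tweak includes the field name, a token is bound to its column and cannot simply be replayed as another field's value, while the clear last four digits keep receipts and lookups working without a vault round-trip.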
Centralized Policy Management – Example
(Diagram: the Enterprise Security Administrator and Security Officer define policy centrally; the policy is pushed to each protection point, and each point returns an audit log. Protection points shown: Application, RDBMS, MPP, File Servers, Big Data, Gateway Servers, Cloud, HP NonStop Base24, IBM Mainframe Protector, Protection Servers.)