smart cards & devices forum 2012 - securing cloud computing

Securing Cloud Computing Szabolcs Gyorfi Sales manager CEE, CIS & MEA

Upload: oksystem

Post on 25-Dec-2014


Page 1: Smart Cards & Devices Forum 2012 - Securing Cloud Computing

Securing Cloud Computing

Szabolcs Gyorfi

Sales manager CEE, CIS & MEA

Page 2

Gemalto: Security To Be Free

More than just a company tag line…it is why we exist

Communicate, travel, bank, shop and work in ways that are convenient, enjoyable and secure

Page 3

Gemalto’s Secure Personal Devices …are in the hands of billions of individuals worldwide

1.5 billion secure devices – Produced and personalized in 2009
200 million citizens – Received a Gemalto produced e-Passport
500 million people – Carry a Gemalto produced credit card
400 mobile operators – Connecting 2 billion subscribers
30 years experience – designing/producing secure personal devices

Page 4

Global Leadership Position

Top producer of:
SIM cards and UICC (1)
Over-The-Air platforms (2)
Chip payment cards (4)
Chip-based corporate security solutions (1)
e-Passports (3)

Innovation leadership examples:
First to market with IP based UICC for LTE
Ezio optical reader for online banking

*Source: (1) Frost & Sullivan; (2) Gemalto; (3) Keesing Journal of Identity; (4) The Nilson Report

Page 5

Defining the “Cloud”

‘Securing Identities is Key to Success in the Cloud’ breaks down cloud computing into three different archetypes or models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

SaaS: 3rd party cloud providers deliver a full application service to end-users.
PaaS: uses a cloud-based infrastructure to deliver customer-based applications.
IaaS: enables businesses to deliver their own services by providing them with cloud-based equipment.

Source: IDC report, June 2010

Page 6

Market Drivers & Challenge

Compliance with regulations and standards:
Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act, European Data Protection Directive, ...

Cloud Services are growing

Convenience is a key for Cloud Services adoption:
Identity management is painful for organizations and users
Single Sign-On: eliminate passwords across cloud services

Secure Access is a strong factor:
Identity theft and phishing attacks are more relevant in the cloud world
Static passwords are not secure, as cyber criminals are getting smarter, faster and more tenacious about getting at your data and static passwords

Cost:
High TCO for complex password policies

Page 7

The weakest link

When you move to the cloud, there may no longer be a PC under the desk, but the user is still the weakest link in the chain.

Most people have terrible habits when it comes to passwords, use the same passwords everywhere, and some write them on sticky notes and put them on their monitor.

You can have a software provider with the best security on the market, but if one employee happens to choose a bad password that can be guessed in a social engineering attack, it can be catastrophic.

Page 8

Security and convenience – Can we have both?

"Providers of cloud computing resources are not focused on security in the cloud. Rather, their priority is delivering the features their customers want such as low cost solutions with fast deployment that improves customer service and increases the efficiency of the IT function. As a result, providers in our study conclude that they cannot warrant or provide complete assurance that their products or services are sufficiently secure.”

Ponemon Institute, 2009 Study

Page 9

Security is a Balancing Act

Must balance between Usability and Strength

Page 10

Protiva Confirm: Secure & Convenient Cloud Services enabler

Bringing ADAPTABLE TRUST to Cloud Services: strong authentication ensures secure access to Online Services with multiple authentication methods: Password, OTP, PKI

Bringing CONVENIENCE to Cloud Services: Identity federation/SSO

Bringing ADVANCED SERVICES to Cloud Services: Digital signature service, Post Issuance

No longer need to choose between SECURITY & CONVENIENCE

Page 11

Adaptable Trust

Authentication methods shown: Password; OTP (Display Card); PKI (.NET, TPC, … Cards)

Page 12

Protiva SA Server – The Heart of Protiva Strong Authentication Service

5/15/2012

Validation server supporting OTP authentication

Standards based technology:
Tokens – OATH event based or time based
Mobile App – Time based with time stamping
Web based administrator interface for user management
User self-care portal for registration and password back-up

Easily integrates with existing infrastructure

Established integrations with leading infrastructure technology:
Databases – MySQL, MS SQL, Oracle, IBM DB2, etc.
User Data Repository – Microsoft AD, Novell eDirectory, Sun One, OpenLDAP, etc.
Authentication Service – HTTP/HTTPS, SOAP, SAML 2.0, XML, RADIUS, Microsoft IAS/NPS, etc.

Page 13

User On Boarding

Mobile OTP – User Download and Activate:
1. Authentication server URL sent to user by email
2. User enters numeric validation code
3. User establishes personal PIN
4. Mobile OTP application activated

Page 14

Platform for next secure token generation

ID-000 (SIM sized) smart card reader
Micro SDHC card interface
Versatility of smart card and MicroSD
Easy to assemble
USB High Speed with HID / CCID switch
Full exposure of smart card in CCID mode
“0 footprint” in HID mode
AES 256 encryption
Data can be encrypted
CD-ROM emulation
Autorun of applications stored in MicroSD
Personalization services: graphical, packaging, smart card and flash insertion (MOQ: 1000 units)

Components shown: ID0 Smart Card, Micro SD Flash, USB 2.0

Building Value Together

Page 15

Flash memory partitioning

Interfaces: Mass Storage; HID / CCID

Controller Firmware:
• Integrator Key
• Secure Drive PIN

SD Partitions:
• Public (X:)
• Read Only (Y:)
• Private (Z:)

PKI Smart Card:
• Digital signature
• PKI certificate

Page 16

Use case: secure browsing – USB Shell Pro Token v1

“Wherever you go! Whatever you do! Your browser is protected from permanent infections”

Using a Secure Browser stored in RO, malware cannot permanently infect your browser (your browser integrity is maintained).

Using a Secure Browser, the server certificates of your corporate trusted websites are stored in your browser and compared to the website you are trying to reach! If this is a phishing website then your browser refuses it!

…the list of accessible URLs can be restricted

Page 17

Secure Browsing example (HID mode)

Portable Firefox (in RO partition)
Firefox ProCon add-on
Portable P#11 for TPC IM CC

RO: Firefox

Page 18

Data Leakage Protection example (CCID mode)

Microsoft BitLocker on the computer
Encryption of the public partition is done using the smart card

Public: Encrypted partition

Page 19

Fulfillment Process: End User Initiated Fulfillment

1. Order – Two Factor Auth (2FA) credential or token ordered by end user
2. Receive – 2FA credential or token is shipped or made available to end user
3. Use – User can start using strong 2FA to protect access to cloud resources

Page 20

Thank You