SlideShare a Scribd company logo

Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance with Data-Centric Information Security

SafeNet, profile picture
SafeNet

This white paper discusses the integration of cloud computing within federal government operations, emphasizing the importance of security and trust when handling sensitive data. It outlines a three-step trust evolution model for federal agencies to adopt cloud services: basic trust, limited trust, and shared trust, each illustrating increasing levels of security mechanisms and collaboration with cloud providers. Additionally, the paper highlights key areas for enhancing security in cloud environments, including secure storage, endpoint protection, federated access control, and encryption as a service.

Technology
Related topics:
Cloud Security Insights Federal Government
1 of 10
Downloaded 16 times
1
2
3
4
5
6
7
8
9
10
Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance with Data-Centric Information Security WHITE PAPER Table of Contents Executive Summary...............................................................................................................2 Introduction ..........................................................................................................................2 Step 1: Basic Trust ..........................................................................................................3 Step 2. Limited Trust ......................................................................................................3 Step 3. Shared Trust .......................................................................................................4 Four Key Areas for Implementing Security in the Federal Cloud ............................................4 Secure Cloud Storage.....................................................................................................5 Cloud Security for Endpoints .........................................................................................6 Federated Access Control ..............................................................................................6 Virtual Encryption as a Service.......................................................................................7 SafeNet: Delivering the Trusted Cloud Platform .....................................................................8 Introduction—Overview of SafeNet Cloud Solutions ......................................................8 Cryptography as a service ..............................................................................................8 Trusted Cloud Computing ...............................................................................................9 Conclusion ..........................................................................................................................10 To Learn More about Cloud Security ....................................................................................10 About SafeNet.....................................................................................................................10 Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and 1 Improving Assurance with Data-centric Information Security White Paper
Executive Summary Cloud computing services can support nearly every mission the federal government performs – from defending our nation’s borders to protecting the environment. Offering an elastic, adaptive infrastructure, cloud computing enables federal agencies and their component organizations to share information and create services, improving how agencies support the federal mission and serve the American public. Just as the benefits are obvious, however, so too are the security concerns. When consolidating their infrastructures with cloud service providers, how do federal agencies ensure that sensitive data remains secure? How do they remain in control of their information assets and compliant with U.S. Office of Management and Budget (OMB) and agency-specific mandates and policies? Of equal importance is how the security concerns differ within the federal community. This white paper outlines the role of trust in different federal government communities, the path federal agencies can take to start building trust into cloud deployments, and the approaches and capabilities that these organizations need to make this transition a reality. Introduction Today, issues of risk, data privacy, The Obama Administration launched Apps.gov – a cloud computing storefront for federal and compliance are the chief agencies to leverage cloud-based services – in 2009, with the goal of increasing the scope of inhibitors to most organizations’ available services. The federal government’s move to cloud computing is not only underway, it is here to stay – with good reason. The cloud enables multiple agencies – or organizations adoption of cloud services. within a single agency – to share information and create services by leveraging service-oriented computing technologies from the underlying information technology (IT) infrastructure. Migrating to a cloud infrastructure also allows for scalability to quickly add computing power and storage capacity to meet the demands created by extraordinary events, such as a national or manmade disaster. The list goes on. Cloud computing raises some pretty vexing questions when it comes to security. Some challenges are shared by most federal agencies. How do federal agencies maintain control and ownership of sensitive, classified, or personally identifiable information (PII) when moving from a world where security mechanisms are focused on physical assets and data residing in a single community’s datacenters to a world in which everything is virtualized and comingled? How can the federal government move into a cloud infrastructure while safeguarding the trust of the American people, federal employees, other inter-/intra-governmental organizations, and industry? Still other security questions may be raised about multi-tenant information sharing and the mission. For example, a cloud designed to promote intelligence sharing within the national security community will create a very different set of security challenges than a cloud designed to promote public engagement and transparency. Today, issues of risk, information/data privacy, and compliance are the chief inhibitors to most federal agencies’ adoption of cloud services. In fact, a Gartner report cited data location risk, risk of data loss, and data security risk as three of the top five barriers to cloud adoption. Additionally, the risk of cross contamination of classified information (e.g., inappropriately sharing information among cloud tenants not cleared to read it) is a key concern for agencies with a national security-focused mission. Therefore, delivering cloud solutions that meet federal tenants’ mission requirements and enable cross-domain/agency information sharing is an invaluable asset. Understanding how to effectively safeguard data in the cloud, federal agencies can begin to fully maximize the potential of cloud offerings to enhance the efficiency of government operations, improve performance, and provide better service to the American people. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 2 with Data-centric Information Security White Paper
Non-sensitive data can be To get there, both the federal community and cloud providers must understand federal cloud transferred into the cloud as is; deployments in terms of the security needed to support the mission, the differing levels of trust for example, for disaster recovery required by agencies within the federal community, and when – if aligned with the mission – or archival purposes. Sensitive agencies can transition to the next level of trust. For example, agencies sharing information in support of national security missions will do so with a basic level of trust. Similarly, public- data, on the other hand, will facing agencies with citizen-centric missions will incorporate solutions and processes that lead either be kept out of the cloud to limited and, ultimately, shared trust, making cloud security a true win-win for federal agencies entirely or it will be protected, and providers alike. generally through encryption, In the following pages, we’ll walk through these key differences and the potential for transition in before it is exposed to the cloud. more detail, and then show what this means for the federal government in the months and years ahead. Then, the document will outline some specific areas federal agencies can target in their efforts to optimize the security and utility of their cloud initiatives. Finally, we will outline some of the most important capabilities that federal organizations need to support these efforts. [Note: In the following pages, unless otherwise specified, when discussing the cloud, we will be referring to the public and hybrid clouds. While private clouds present their own specific security challenges, given their internal deployments, the nature of security will more closely resemble those of current datacenter deployments. It is the public and hybrid clouds, and the changing nature of the client and cloud service provider relationship, that are the focus of this document.] Step 1: Basic Trust In the compliant trust phase For most federal agencies today, security in the cloud is viewed in a pretty straightforward way— of the cloud’s evolution, cloud don’t assume there is any. Federal organizations that have gone forward with cloud deployments providers gain the controls have thus taken full ownership and responsibility for security. This can play out in several ways: they need to deliver trust as • An agency can segment its data into three classifications: classified, sensitive, and non- a service, so enterprises can sensitive. Non-sensitive data can be transferred into the cloud as is; for example, for specify security policies and disaster recovery or archival purposes. Classified and sensitive data, on the other hand, will have confidence in the cloud either be kept out of the cloud entirely or it will be protected, generally through encryption, before it is exposed to the cloud. Further, that information will stay secured through those provider’s infrastructure and mechanisms the entire time it resides in the cloud, shared only through cross-domain capabilities for executing these solutions that ensure only users with the appropriate levels of trust are able to access it. policies. This approach is utilized by federal cloud environments that support homeland and national security missions. • A federal agency may opt to use software-as-a-service (SaaS) offerings, but only for applications that do not involve PII or other types of data subject to federal regulation, mandates, or privacy laws. • An agency can migrate the processing of non-sensitive applications to the cloud. For example, this can take the form of “cloud bursting”—an approach in which a federal organization will migrate an application to the cloud when the processing capacity of its cloud or datacenter is exceeded. This can be an effective way for federal organizations to handle the increased demands for processing that occur during extraordinary events, such as disaster response or launching a significant agency initiative. For example, an agency can adopt this approach for providing emergency information (i.e., data, video, audio, interactive tools, etc.) when its internal infrastructure hits capacity. Each of these scenarios can present agencies with near-term benefits; they enable federal organizations to quickly leverage many of the benefits and strengths of cloud computing, without compromising security or compliance. These scenarios represent the bulk of cloud deployments done to date. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 3 with Data-centric Information Security White Paper
Step 2: Limited Trust As the federal community becomes more fully invested in cloud offerings, and seeks to take greater advantage of the cloud’s benefits, agencies will increasingly embark upon initiatives to migrate their own security mechanisms to the cloud. This next step in the transition to a trusted cloud inherently will require more of an upfront investment than prior cloud approaches, and also require a deeper, more collaborative relationship with the cloud provider. As agencies take their existing encryption solutions and run them in the cloud, they’ll retain full control over security ownership. At a high level, these deployments will be structured similarly to traditional hosting provider models. Specific deployment approaches can include the following: • Deploying physical security systems in a virtual private cloud • Running a virtual service within a hybrid, multi-tenant cloud environment • Federating cloud user directories with internally managed identity and access management systems Driven by a need to use the Here, data protection can be conducted in the cloud, yet still within the federal enterprise’s cloud’s elastic storage, without control. As a result, the type of services that can be migrated to cloud platforms expands exposing data to the cloud’s substantially, enabling agencies to perform more effectively in support of their agency missions. This transition will be particularly valuable to agencies that maintain sensitive or PII data, and vulnerabilities, enterprises can may support multiple missions by sharing the information among users with different levels of perform secure storage in the trust. For example, an agency may utilize cross-domain solutions to securely share data with cloud, effectively using the cloud trusted users in one organization but leverage service-oriented computing technologies to for the backup, disaster recovery, create a service-providing aggregate available for public dissemination. and archival of data. Step 3: Shared Trust In this ultimate phase of the cloud’s evolution, cloud providers gain the controls they need to deliver trust as a service, so federal agencies can specify security policies and have confidence in the cloud provider’s infrastructure and capabilities for executing these policies. Here, the federal organization, as the information owner, still holds control over security, but in a virtual, rather than operational, way. In this scenario, the federal agency sets security policies, and owns the core key materials, credentials, identities, and other elements that are used by the cloud providers to protect information, which gives them the final say over how security is handled. The cloud provider will have the sophisticated security infrastructure in place to meet the agency’s security objectives, including robust encryption, secure key management, granular access controls, and more. The federal government can leverage the cloud and get the level of security essential to comply with OMB and agency-specific mandates, regulations, and security policies. As a result, virtually any service or application can subsequently be a potential candidate for migration to cloud services. Four Key Areas for Implementing Security in the Federal Cloud Without the right security in place, the move to cloud computing can be a disastrous one for any organization. This is particularly true in the federal government, which by its nature, is both a steward of the public trust and responsible for securing our nation’s homeland and global interests. Whether insufficient security results in a devastating national security breach, the compromise of PII, or a host of other scenarios, the impact of a poorly-secured cloud implementation is significant and certain, ranging from an increase in negative publicity, to inviting government investigations, or even placing American lives at risk of a terrorist attack. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 4 with Data-centric Information Security White Paper
With the right capabilities, however, federal agencies can ensure high levels of security in cloud deployments, providing previously unimagined opportunities to create and share information that strengthens our nation. What capabilities will be required in cloud environments and how do they differ from traditional approaches? The sections below outline some specific areas for applying security measures to cloud environments, and the capabilities required to undertake these measures. With these initiatives, federal agencies can begin to gain the control, visibility, and efficiency they need to both ensure security and leverage the operational benefits of cloud services. Secure Cloud Storage An efficient cloud security Driven by a need to use the cloud’s elastic storage, without exposing data to the cloud’s deployment scenario requires a vulnerabilities, federal agencies can have secure storage in the cloud, effectively using the cloud centralized, hardened security for the backup, disaster recovery, and archival of data. appliance, which is used to To achieve effective secure cloud storage, agencies need the following capabilities: manage cryptographic keys, • Granular encryption. While a federal entity could simply encrypt all data as it is passed access control, and other to the cloud, this could introduce a lot of unnecessary processing overhead, and add security policies. significant delays in data restoration. Consequently, the entity benefits by having granular encryption capabilities, ideally at the file level, so it can more selectively encrypt only the information that is sensitive. • Robust access controls. In tandem with granular encryption, federal organizations need strong access control, including at the user level, to authorize which files or folders can be accessed, when, and by whom. • Group-based policies. To streamline implementation, agency information security teams need to be able to enforce policies at the group level, so categories of users can be assured of getting appropriate access to sensitive data. • Central management of remote systems. To make this approach practical, federal agencies need to be able to leverage centralized mechanisms for managing disparate systems, including centralized key and policy management. Armed with these capabilities, federal enterprises can efficiently leverage many of the benefits of cloud services, while retaining effective security controls. With this approach, sensitive data is encrypted the entire time it is housed in the cloud. While securing sensitive data in this way will address many fundamental security objectives, it will not address them all. For example, this approach would not address many of the compliance mandates that require the use of tamper-proof, FIPS-certified hardware security modules (HSMs) for the storage of keys. Figure 1 Secure cloud storage represents an opportunity for organizations to leverage the cloud’s elastic, cost- effective storage capacity, while maintaining security. This approach requires a combination of granular encryption mechanisms and centralized access. ProtectFile Workstations Enterprise ProtectFile Ar ch ive Cloud Providers ProtectFile Mobile Workforce Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 5 with Data-centric Information Security White Paper
Cloud Security for Endpoints With this approach, federal organizations can protect data at the end-user level, including at the mobile device and laptop or desktop level. This enables seamless interaction between users and information in cloud storage. In this scenario, sensitive information remains encrypted in the cloud at all times. By offering a means to An efficient deployment scenario would include a centralized, hardened security appliance, streamline end user access and which is used to manage cryptographic keys, access control, and other security policies. In access control administration, addition, a virtualized instance of this appliance would be deployed in the cloud to replicate policies and security enforcement on the data. Security administrators need to be able to dictate federated access initiatives can policy based on content, documents, and folders in order to ensure only authorized users and help optimize security while groups can access sensitive data. reducing corporate security costs. When this approach is employed, cryptographic keys never leave the federal agency, and in fact, they never leave the secured, hardened HSM-based appliance. For optimal security, tokens can be employed at the user level, helping add an additional layer of security to user access. Consequently, federal agencies can leverage an elastic, cloud-based storage pool, while optimizing security, ensuring sensitive data is only visible to authorized users at authorized endpoints. Workstations ProtectFile Certificate-Based (PKI) Common Data Protection Policy ProtectFile ProtectFile ProtectFile Enterprise Cloud Providers ProtectFile ProtectFile ProtectFile ProtectFile Certificate-Based (PKI) Mobile Workforce and Partners Figure 2 By employing centralized key management and tokens at the end-user level, enterprises can harness cloud services, while ensuring sensitive data is only visible to authorized users. Federated Access Control Today, even without cloud deployments in the mix, most federal organizations have to manage multiple user identities across various platforms and services, which can pose a significant administrative burden, inefficiency for end users, and security threats. By employing federated access control, government agencies can accomplish the following objectives: • Deliver single sign-on access for users to all enterprise applications and platforms— including internal e-mail and ERP systems, and external SaaS applications. • Streamline administration through central management of policies, identities, and tokens • Adhere to a host of compliance mandates and stringent security policies • Leverage open standards and a broad range of authentication solutions • Boost security through stringent, cohesive policy enforcement, separation of duties, and granular access controls By offering a means to streamline end-user access and access control administration, federated access initiatives can help optimize security while reducing overall security costs. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 6 with Data-centric Information Security White Paper
To deliver on this objective, identity management needs to be done through a simple, Web-based gateway that offers all the administrative access controls required. eTokens need to be leveraged to ensure proper authentication. In addition, this deployment approach can leverage Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data, for managing the exchange of information between the agency and external service providers. Common Identity Interconnect Identity Server SAML SAML SaaS Provider Infrastructure Enterprise Cloud Provider End Users Figure 3 By federating access control mechanisms, organizations can simultaneously streamline security administration and improve adherence with security policies. Virtual Encryption as a Service When cloud providers deliver To fully leverage the cloud opportunity, federal agencies and cloud providers alike, need a virtual encryption as a service, way to take the unparalleled security offered by sophisticated, hardware-based encryption they can implement database, solutions, and virtualize those offerings. This enables the delivery of symmetric encryption, file encryption, secure key management, and a host of other capabilities and services within cloud application, and file encryption— environments. all managed through a single, virtual platform that combines When cloud providers deliver virtual encryption as a service, they can implement database, cryptographic key management, application, and file encryption—all managed through a single, virtual platform that combines cryptographic key management, policy management, and encryption processing. Because the policy management, and platform is virtualized, it can be integrated seamlessly within the cloud provider’s infrastructure. encryption processing. Further, by combining the security benefits of these technologies with the cloud delivery model, security implementations can be far less expensive than traditional in-house deployments, ensuring that even federal organizations with tight budgets can incorporate state-of-the-art security capabilities into their organizations. Virtual-encryption-as-a-service deployment will largely be implemented by the cloud provider, who will leverage robust security mechanisms, such as centralized key management, granular encryption, and access control, within their infrastructures. To support virtual encryption as a service, many cloud customers will deploy multi-factor authentication tokens and token management systems in their environments, which can ensure the appropriate access controls are applied to security services and protected data. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 7 with Data-centric Information Security White Paper
Cloud Database MFA SafeNet Tokens HSMs Cloud Storage Token Mgmt Elastic Computer System Certificate-Based (PKI) HSM Client ProtectFile ProtectApp ProtectDB Enterprise Cloud Provider Certificate-Based (PKI) MFA for End-Users DataSecure Luna SA Root of Trust Federated Key Mgmt DataSecure & User Directories Figure 4 By providing virtual encryption as a service, smaller organizations can gain access to robust security mechanisms that may have been cost prohibitive in the past. SafeNet: Delivering the Trusted Cloud Platform Introduction—Overview of SafeNet Cloud Solutions With SafeNet’s security offerings, organizations can fully leverage the business benefits of cloud environments while ensuring trust, compliance, and privacy. Cryptography as a Service SafeNet offers intelligent, SafeNet offers a broad set of solutions that enable both enterprises and cloud providers to data-centric solutions that leverage cryptography as a service. SafeNet solutions offer the unparalleled combination of persistently protect data features—including central key and policy management, robust encryption support, flexible integration, and more—that make cryptography as a service practical, efficient, and secure. throughout the information lifecycle and evolve to support SafeNet offers these security solutions: changing cloud delivery • Token management systems and multi-factor tokens that ensure stringent, granular end- models—from today’s SaaS and user access controls private clouds to the evolving • Hardware security modules, including the Luna SA product line, that enable centralized, demands of hybrid and public FIPS- and Common Criteria-certified storage of cryptographic keys clouds. • DataSecure, which offers file, application, and database encryption—all managed through a hardened appliance that centralizes encryption processing, keys, logging, auditing, and policy administration Together, these solutions deliver the critical capabilities required for a robust, cost-effective, and secure cryptography-as-a-service implementation. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 8 with Data-centric Information Security White Paper
Certificate-Based (PKI) SMB Cloud Provider Certificate-Based (PKI) Figure 5 SafeNet’s HSMs and DataSecure offerings provide FIPS- and Common Criteria-certified, hardware-based protection of cryptographic keys and controls that help ensure regulatory compliance in cloud deployments. Trusted Cloud Computing SafeNet delivers the solutions The dynamic nature of cloud computing can pose significant risks. Today, someone can take an that enable organizations to application, for instance, running for one federal agency, then move it to another location and run implement rights management it for another government organization—and that application could thus enable unauthorized users and processes to access sensitive data. for virtual machines. With SafeNet, your agency can control applications and services within the cloud environment, and ensure applications only run on platforms for intended end users. SafeNet enables federal agencies to control the instances of the high-value virtual machines, ensuring they are only invoked in the right circumstances. SafeNet delivers the solutions that enable organizations to implement rights management for virtual machines: • Software rights management solutions and tokens for authenticating virtual machines • The ProtectFile file encryption solution, which enables pre-boot authentication of virtual machines • DataSecure, which delivers central policy management of all file, application, and database encryption processing SRM APP SRM Tokens Two-Factor Activation Licensing PaaS Provider APP Virtual Resource Enterprise Administrators OTP IaaS Provider DataSecure Software eTokens Key-Management, Two-Factor Pre-Boot Certificate-Based (PKI) ProtectFile Figure 6 SafeNet offers the products and capabilities enterprises need to control instances of virtual machines running in the cloud, including where they are located and when they can be invoked, so they can safeguard trust in their cloud deployments. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 9 with Data-centric Information Security White Paper
Conclusion In terms of potential, the sky truly is the limit when it comes to the benefits cloud computing can deliver. However, the full magnitude of this opportunity can only be realized when security is efficiently, persistently, and effectively employed to safeguard sensitive data. With its sophisticated, data-centric security solutions, SafeNet enables federal agencies and organizations to gain the agility they need to leverage cloud environments most effectively, without making any compromises in security, privacy, or compliance. To Learn More about Cloud Security To provide federal and security leaders with more information on secure cloud computing, SafeNet has introduced its “SafeCloud” website, a new microsite that features a series of whiteboard videos and white papers. These resources outline how cloud security is expected to evolve, and describe what organizations need to do to prepare for and take advantage of these changes. To visit the SafeCloud site, go to www.safenet-inc.com/safecloud. About SafeNet Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data, and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies, and in over 100 countries, trust their information security needs to SafeNet. Contact Us: For all office locations and contact information, please visit www.safenet-inc.com Follow Us: www.safenet-inc.com/connected ©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-03.02.11 Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving 10 Assurance with Data-centric Information Security White Paper

More Related Content

PDF
Framework for cybersecurity info sharing
Roy Ramkrishna
 
DOC
InSTEDD Mesh4x Platform
Taha Kass-Hout, MD, MS
 
PDF
Towards building trusted multinational civil
Bruce Forrester
 
PDF
W3C TPAC 2012 Breakout Session on Government Linked Data
3 Round Stones
 
PDF
Mit csail-tr-2007-034
vafopoulos
 
PDF
HIMSS Response to DHS National Cyber Incident Response Plan
David Sweigert
 
PDF
Cyber Security Conference - Rethinking cyber-threat
Microsoft
 
PDF
Delivering on Standards for Publishing Government Linked Data
3 Round Stones
 
Framework for cybersecurity info sharing
Roy Ramkrishna
 
InSTEDD Mesh4x Platform
Taha Kass-Hout, MD, MS
 
Towards building trusted multinational civil
Bruce Forrester
 
W3C TPAC 2012 Breakout Session on Government Linked Data
3 Round Stones
 
Mit csail-tr-2007-034
vafopoulos
 
HIMSS Response to DHS National Cyber Incident Response Plan
David Sweigert
 
Cyber Security Conference - Rethinking cyber-threat
Microsoft
 
Delivering on Standards for Publishing Government Linked Data
3 Round Stones
 

What's hot (19)

DOCX
DBryant-Cybersecurity Challenge
msdee3362
 
PDF
Cyber Integration for Fusion Centers to develop Cyber Threat Intelligence
David Sweigert
 
PDF
Bja cyber fusioncenters
AnonDownload
 
PPT
Web 2.0 in Government
David Fletcher
 
PDF
E Bryan - An Analysis Of Content And Information Management As Drivers For E...
Emerson Bryan
 
DOCX
What is the future of cloud security linked in
Jonathan Spindel
 
PPTX
DBryant-Cybersecurity Challenge
msdee3362
 
PDF
Digital Fault-Lines
Cyril Foday-Kailie
 
DOCX
Technology Evangelism & Thought Leadership by Chuck Brooks
Chuck Brooks
 
PDF
Geolocation and Application Delivery
FindWhitePapers
 
PPTX
Governmental Linked Data
Haklae Kim
 
PDF
The Cyberspace and Intensification of Privacy Invasion
iosrjce
 
PDF
Network Strategy Overview
Jessica Gheiler
 
PPT
Brainframes, digital technologies and connected intelligence -Derrick de Kerc...
thiteu
 
PDF
Open Government Data, Linked Data, and the Missing Blocks in Korea
Haklae Kim
 
PDF
Cook County (IL) Open Government Plan
Greg Wass
 
PDF
Accenture-Informed-Consent-Data-Motion
Steven Tiell
 
PDF
Future of Privacy - The Emerging View 11 06 15
Future Agenda
 
PDF
Semantic Enterprise: A Step Toward Agent-Driven Integration
Cognizant
 
DBryant-Cybersecurity Challenge
msdee3362
 
Cyber Integration for Fusion Centers to develop Cyber Threat Intelligence
David Sweigert
 
Bja cyber fusioncenters
AnonDownload
 
Web 2.0 in Government
David Fletcher
 
E Bryan - An Analysis Of Content And Information Management As Drivers For E...
Emerson Bryan
 
What is the future of cloud security linked in
Jonathan Spindel
 
DBryant-Cybersecurity Challenge
msdee3362
 
Digital Fault-Lines
Cyril Foday-Kailie
 
Technology Evangelism & Thought Leadership by Chuck Brooks
Chuck Brooks
 
Geolocation and Application Delivery
FindWhitePapers
 
Governmental Linked Data
Haklae Kim
 
The Cyberspace and Intensification of Privacy Invasion
iosrjce
 
Network Strategy Overview
Jessica Gheiler
 
Brainframes, digital technologies and connected intelligence -Derrick de Kerc...
thiteu
 
Open Government Data, Linked Data, and the Missing Blocks in Korea
Haklae Kim
 
Cook County (IL) Open Government Plan
Greg Wass
 
Accenture-Informed-Consent-Data-Motion
Steven Tiell
 
Future of Privacy - The Emerging View 11 06 15
Future Agenda
 
Semantic Enterprise: A Step Toward Agent-Driven Integration
Cognizant
 
Ad

Similar to Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance with Data-Centric Information Security (20)

PDF
Global Security Certification for Governments
CloudMask inc.
 
PDF
Barriers to government cloud adoption
IJMIT JOURNAL
 
PDF
Three Strategies to Accelerate Your Agency's Migration to the Cloud
Gov BizCouncil
 
PDF
Staying Safe in Cyberspace
GovCloud Network
 
PDF
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Booz Allen Hamilton
 
PDF
Cloud Expo 2010 Cloud Computing in DoD
GovCloud Network
 
PDF
Strategic, Privacy and Security Considerations for Adoption of Cloud and Emer...
Marie-Michelle Strah, PhD
 
PPT
Rob livingstone Canberra Cloud Security Conference Nov 2011
Livingstone Advisory
 
DOCX
Please read the below discussion post and provide response in 75 to .docx
christalgrieg
 
DOCX
Discussion 1Cloud computing offers the ability to share informat
VinaOconner450
 
DOCX
Running Head cyber security Emerging Cyber security T.docx
charisellington63520
 
PDF
Enabling Cloud Analytics with Data-Level Security
Booz Allen Hamilton
 
PDF
DoD Cloud Computing Strategy
GovCloud Network
 
PDF
Ac breaking cyber-sharinglogjam_web
atlanticcouncil
 
PDF
Cloud service providers in pune
Anshita Dixit
 
PDF
A New Network Acquisition Model for the Federal Government
Gov BizCouncil
 
PPTX
vinay pdfsjyfbjyv mvjkhvags gfbbdgfvbzfddddddddddddddfbdfg
pentamvinay89
 
PDF
Security Issues in Cloud Computing Cloud computing has come a vital tool for ...
vivatechijri
 
PDF
SECURITY AND PRIVACY SOLUTIONS IN CLOUD COMPUTING AT OPENSTACK TO SUSTAIN USE...
Zac Darcy
 
PDF
Security and Privacy Solutions in Cloud Computing at Openstack to Sustain Use...
Zac Darcy
 
Global Security Certification for Governments
CloudMask inc.
 
Barriers to government cloud adoption
IJMIT JOURNAL
 
Three Strategies to Accelerate Your Agency's Migration to the Cloud
Gov BizCouncil
 
Staying Safe in Cyberspace
GovCloud Network
 
Cloud Computing Security: Government Acquisition Considerations for the Cloud...
Booz Allen Hamilton
 
Cloud Expo 2010 Cloud Computing in DoD
GovCloud Network
 
Strategic, Privacy and Security Considerations for Adoption of Cloud and Emer...
Marie-Michelle Strah, PhD
 
Rob livingstone Canberra Cloud Security Conference Nov 2011
Livingstone Advisory
 
Please read the below discussion post and provide response in 75 to .docx
christalgrieg
 
Discussion 1Cloud computing offers the ability to share informat
VinaOconner450
 
Running Head cyber security Emerging Cyber security T.docx
charisellington63520
 
Enabling Cloud Analytics with Data-Level Security
Booz Allen Hamilton
 
DoD Cloud Computing Strategy
GovCloud Network
 
Ac breaking cyber-sharinglogjam_web
atlanticcouncil
 
Cloud service providers in pune
Anshita Dixit
 
A New Network Acquisition Model for the Federal Government
Gov BizCouncil
 
vinay pdfsjyfbjyv mvjkhvags gfbbdgfvbzfddddddddddddddfbdfg
pentamvinay89
 
Security Issues in Cloud Computing Cloud computing has come a vital tool for ...
vivatechijri
 
SECURITY AND PRIVACY SOLUTIONS IN CLOUD COMPUTING AT OPENSTACK TO SUSTAIN USE...
Zac Darcy
 
Security and Privacy Solutions in Cloud Computing at Openstack to Sustain Use...
Zac Darcy
 
Ad

More from SafeNet (20)

PPTX
eIDAS Reference Guide
SafeNet
 
PDF
Whose Cloud is It Anyway - Data Security in the Cloud
SafeNet
 
PDF
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
SafeNet
 
PPTX
Cyber Security Management in a Highly Innovative World
SafeNet
 
PPTX
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
SafeNet
 
PPTX
ProtectV - Data Security for the Cloud
SafeNet
 
PPTX
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
SafeNet
 
PDF
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeNet
 
PDF
A Single Strong Authentication Platform for Cloud and On-Premise Applications
SafeNet
 
PDF
Securing Digital Identities and Transactions in the Cloud Security Guide
SafeNet
 
PDF
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
SafeNet
 
PDF
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
SafeNet
 
PDF
Hardware Security Modules: Critical to Information Risk Management
SafeNet
 
PDF
Strong Authentication: Securing Identities and Enabling Business
SafeNet
 
PDF
Building Trust into eInvoicing: Key Requirements and Strategies
SafeNet
 
PDF
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
SafeNet
 
PDF
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
SafeNet
 
PDF
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
SafeNet
 
PDF
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet
 
PDF
Building Trust into DNS: Key Strategies
SafeNet
 
eIDAS Reference Guide
SafeNet
 
Whose Cloud is It Anyway - Data Security in the Cloud
SafeNet
 
Whose Cloud Is It Anyway: Exploring Data Security Ownership and Control
SafeNet
 
Cyber Security Management in a Highly Innovative World
SafeNet
 
Not Going Quietly: Gracefully Losing Control & Adapting to Cloud and Mobility
SafeNet
 
ProtectV - Data Security for the Cloud
SafeNet
 
Cloud Monetization: A Step-by-Step Guide to Optimizing Your SaaS Business Model
SafeNet
 
SafeWord 2008 Migration Bundle Building a Fully Trusted Authentication Enviro...
SafeNet
 
A Single Strong Authentication Platform for Cloud and On-Premise Applications
SafeNet
 
Securing Digital Identities and Transactions in the Cloud Security Guide
SafeNet
 
Securing Network-Attached HSMs: The SafeNet Luna SA Three-Layer Authenticatio...
SafeNet
 
Introduction to PKI & SafeNet Luna Hardware Security Modules with Microsoft W...
SafeNet
 
Hardware Security Modules: Critical to Information Risk Management
SafeNet
 
Strong Authentication: Securing Identities and Enabling Business
SafeNet
 
Building Trust into eInvoicing: Key Requirements and Strategies
SafeNet
 
A Question of Trust: How Service Providers Can Attract More Customers by Deli...
SafeNet
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
SafeNet
 
E-Passport: Deploying Hardware Security Modules to Ensure Data Authenticity a...
SafeNet
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet
 
Building Trust into DNS: Key Strategies
SafeNet
 

Recently uploaded (20)

PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PDF
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
project resource management chapter-09.pdf
ssuser00e6e21
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Modernising the Digital Integration Hub
Daniel Toomey
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
Hindi spoken digit analysis for native and non-native speakers
IAESIJAI
 
What is a Computer? Input Devices /output devices
GulJan8
 
Zenith AI: Advanced Artificial Intelligence
Biz Preneurs
 

Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance with Data-Centric Information Security

  • 1. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance with Data-Centric Information Security WHITE PAPER Table of Contents Executive Summary...............................................................................................................2 Introduction ..........................................................................................................................2 Step 1: Basic Trust ..........................................................................................................3 Step 2. Limited Trust ......................................................................................................3 Step 3. Shared Trust .......................................................................................................4 Four Key Areas for Implementing Security in the Federal Cloud ............................................4 Secure Cloud Storage.....................................................................................................5 Cloud Security for Endpoints .........................................................................................6 Federated Access Control ..............................................................................................6 Virtual Encryption as a Service.......................................................................................7 SafeNet: Delivering the Trusted Cloud Platform .....................................................................8 Introduction—Overview of SafeNet Cloud Solutions ......................................................8 Cryptography as a service ..............................................................................................8 Trusted Cloud Computing ...............................................................................................9 Conclusion ..........................................................................................................................10 To Learn More about Cloud Security ....................................................................................10 About SafeNet.....................................................................................................................10 Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and 1 Improving Assurance with Data-centric Information Security White Paper
  • 2. Executive Summary Cloud computing services can support nearly every mission the federal government performs – from defending our nation’s borders to protecting the environment. Offering an elastic, adaptive infrastructure, cloud computing enables federal agencies and their component organizations to share information and create services, improving how agencies support the federal mission and serve the American public. Just as the benefits are obvious, however, so too are the security concerns. When consolidating their infrastructures with cloud service providers, how do federal agencies ensure that sensitive data remains secure? How do they remain in control of their information assets and compliant with U.S. Office of Management and Budget (OMB) and agency-specific mandates and policies? Of equal importance is how the security concerns differ within the federal community. This white paper outlines the role of trust in different federal government communities, the path federal agencies can take to start building trust into cloud deployments, and the approaches and capabilities that these organizations need to make this transition a reality. Introduction Today, issues of risk, data privacy, The Obama Administration launched Apps.gov – a cloud computing storefront for federal and compliance are the chief agencies to leverage cloud-based services – in 2009, with the goal of increasing the scope of inhibitors to most organizations’ available services. The federal government’s move to cloud computing is not only underway, it is here to stay – with good reason. The cloud enables multiple agencies – or organizations adoption of cloud services. within a single agency – to share information and create services by leveraging service-oriented computing technologies from the underlying information technology (IT) infrastructure. Migrating to a cloud infrastructure also allows for scalability to quickly add computing power and storage capacity to meet the demands created by extraordinary events, such as a national or manmade disaster. The list goes on. Cloud computing raises some pretty vexing questions when it comes to security. Some challenges are shared by most federal agencies. How do federal agencies maintain control and ownership of sensitive, classified, or personally identifiable information (PII) when moving from a world where security mechanisms are focused on physical assets and data residing in a single community’s datacenters to a world in which everything is virtualized and comingled? How can the federal government move into a cloud infrastructure while safeguarding the trust of the American people, federal employees, other inter-/intra-governmental organizations, and industry? Still other security questions may be raised about multi-tenant information sharing and the mission. For example, a cloud designed to promote intelligence sharing within the national security community will create a very different set of security challenges than a cloud designed to promote public engagement and transparency. Today, issues of risk, information/data privacy, and compliance are the chief inhibitors to most federal agencies’ adoption of cloud services. In fact, a Gartner report cited data location risk, risk of data loss, and data security risk as three of the top five barriers to cloud adoption. Additionally, the risk of cross contamination of classified information (e.g., inappropriately sharing information among cloud tenants not cleared to read it) is a key concern for agencies with a national security-focused mission. Therefore, delivering cloud solutions that meet federal tenants’ mission requirements and enable cross-domain/agency information sharing is an invaluable asset. Understanding how to effectively safeguard data in the cloud, federal agencies can begin to fully maximize the potential of cloud offerings to enhance the efficiency of government operations, improve performance, and provide better service to the American people. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 2 with Data-centric Information Security White Paper
  • 3. Non-sensitive data can be To get there, both the federal community and cloud providers must understand federal cloud transferred into the cloud as is; deployments in terms of the security needed to support the mission, the differing levels of trust for example, for disaster recovery required by agencies within the federal community, and when – if aligned with the mission – or archival purposes. Sensitive agencies can transition to the next level of trust. For example, agencies sharing information in support of national security missions will do so with a basic level of trust. Similarly, public- data, on the other hand, will facing agencies with citizen-centric missions will incorporate solutions and processes that lead either be kept out of the cloud to limited and, ultimately, shared trust, making cloud security a true win-win for federal agencies entirely or it will be protected, and providers alike. generally through encryption, In the following pages, we’ll walk through these key differences and the potential for transition in before it is exposed to the cloud. more detail, and then show what this means for the federal government in the months and years ahead. Then, the document will outline some specific areas federal agencies can target in their efforts to optimize the security and utility of their cloud initiatives. Finally, we will outline some of the most important capabilities that federal organizations need to support these efforts. [Note: In the following pages, unless otherwise specified, when discussing the cloud, we will be referring to the public and hybrid clouds. While private clouds present their own specific security challenges, given their internal deployments, the nature of security will more closely resemble those of current datacenter deployments. It is the public and hybrid clouds, and the changing nature of the client and cloud service provider relationship, that are the focus of this document.] Step 1: Basic Trust In the compliant trust phase For most federal agencies today, security in the cloud is viewed in a pretty straightforward way— of the cloud’s evolution, cloud don’t assume there is any. Federal organizations that have gone forward with cloud deployments providers gain the controls have thus taken full ownership and responsibility for security. This can play out in several ways: they need to deliver trust as • An agency can segment its data into three classifications: classified, sensitive, and non- a service, so enterprises can sensitive. Non-sensitive data can be transferred into the cloud as is; for example, for specify security policies and disaster recovery or archival purposes. Classified and sensitive data, on the other hand, will have confidence in the cloud either be kept out of the cloud entirely or it will be protected, generally through encryption, before it is exposed to the cloud. Further, that information will stay secured through those provider’s infrastructure and mechanisms the entire time it resides in the cloud, shared only through cross-domain capabilities for executing these solutions that ensure only users with the appropriate levels of trust are able to access it. policies. This approach is utilized by federal cloud environments that support homeland and national security missions. • A federal agency may opt to use software-as-a-service (SaaS) offerings, but only for applications that do not involve PII or other types of data subject to federal regulation, mandates, or privacy laws. • An agency can migrate the processing of non-sensitive applications to the cloud. For example, this can take the form of “cloud bursting”—an approach in which a federal organization will migrate an application to the cloud when the processing capacity of its cloud or datacenter is exceeded. This can be an effective way for federal organizations to handle the increased demands for processing that occur during extraordinary events, such as disaster response or launching a significant agency initiative. For example, an agency can adopt this approach for providing emergency information (i.e., data, video, audio, interactive tools, etc.) when its internal infrastructure hits capacity. Each of these scenarios can present agencies with near-term benefits; they enable federal organizations to quickly leverage many of the benefits and strengths of cloud computing, without compromising security or compliance. These scenarios represent the bulk of cloud deployments done to date. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 3 with Data-centric Information Security White Paper
  • 4. Step 2: Limited Trust As the federal community becomes more fully invested in cloud offerings, and seeks to take greater advantage of the cloud’s benefits, agencies will increasingly embark upon initiatives to migrate their own security mechanisms to the cloud. This next step in the transition to a trusted cloud inherently will require more of an upfront investment than prior cloud approaches, and also require a deeper, more collaborative relationship with the cloud provider. As agencies take their existing encryption solutions and run them in the cloud, they’ll retain full control over security ownership. At a high level, these deployments will be structured similarly to traditional hosting provider models. Specific deployment approaches can include the following: • Deploying physical security systems in a virtual private cloud • Running a virtual service within a hybrid, multi-tenant cloud environment • Federating cloud user directories with internally managed identity and access management systems Driven by a need to use the Here, data protection can be conducted in the cloud, yet still within the federal enterprise’s cloud’s elastic storage, without control. As a result, the type of services that can be migrated to cloud platforms expands exposing data to the cloud’s substantially, enabling agencies to perform more effectively in support of their agency missions. This transition will be particularly valuable to agencies that maintain sensitive or PII data, and vulnerabilities, enterprises can may support multiple missions by sharing the information among users with different levels of perform secure storage in the trust. For example, an agency may utilize cross-domain solutions to securely share data with cloud, effectively using the cloud trusted users in one organization but leverage service-oriented computing technologies to for the backup, disaster recovery, create a service-providing aggregate available for public dissemination. and archival of data. Step 3: Shared Trust In this ultimate phase of the cloud’s evolution, cloud providers gain the controls they need to deliver trust as a service, so federal agencies can specify security policies and have confidence in the cloud provider’s infrastructure and capabilities for executing these policies. Here, the federal organization, as the information owner, still holds control over security, but in a virtual, rather than operational, way. In this scenario, the federal agency sets security policies, and owns the core key materials, credentials, identities, and other elements that are used by the cloud providers to protect information, which gives them the final say over how security is handled. The cloud provider will have the sophisticated security infrastructure in place to meet the agency’s security objectives, including robust encryption, secure key management, granular access controls, and more. The federal government can leverage the cloud and get the level of security essential to comply with OMB and agency-specific mandates, regulations, and security policies. As a result, virtually any service or application can subsequently be a potential candidate for migration to cloud services. Four Key Areas for Implementing Security in the Federal Cloud Without the right security in place, the move to cloud computing can be a disastrous one for any organization. This is particularly true in the federal government, which by its nature, is both a steward of the public trust and responsible for securing our nation’s homeland and global interests. Whether insufficient security results in a devastating national security breach, the compromise of PII, or a host of other scenarios, the impact of a poorly-secured cloud implementation is significant and certain, ranging from an increase in negative publicity, to inviting government investigations, or even placing American lives at risk of a terrorist attack. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 4 with Data-centric Information Security White Paper
  • 5. With the right capabilities, however, federal agencies can ensure high levels of security in cloud deployments, providing previously unimagined opportunities to create and share information that strengthens our nation. What capabilities will be required in cloud environments and how do they differ from traditional approaches? The sections below outline some specific areas for applying security measures to cloud environments, and the capabilities required to undertake these measures. With these initiatives, federal agencies can begin to gain the control, visibility, and efficiency they need to both ensure security and leverage the operational benefits of cloud services. Secure Cloud Storage An efficient cloud security Driven by a need to use the cloud’s elastic storage, without exposing data to the cloud’s deployment scenario requires a vulnerabilities, federal agencies can have secure storage in the cloud, effectively using the cloud centralized, hardened security for the backup, disaster recovery, and archival of data. appliance, which is used to To achieve effective secure cloud storage, agencies need the following capabilities: manage cryptographic keys, • Granular encryption. While a federal entity could simply encrypt all data as it is passed access control, and other to the cloud, this could introduce a lot of unnecessary processing overhead, and add security policies. significant delays in data restoration. Consequently, the entity benefits by having granular encryption capabilities, ideally at the file level, so it can more selectively encrypt only the information that is sensitive. • Robust access controls. In tandem with granular encryption, federal organizations need strong access control, including at the user level, to authorize which files or folders can be accessed, when, and by whom. • Group-based policies. To streamline implementation, agency information security teams need to be able to enforce policies at the group level, so categories of users can be assured of getting appropriate access to sensitive data. • Central management of remote systems. To make this approach practical, federal agencies need to be able to leverage centralized mechanisms for managing disparate systems, including centralized key and policy management. Armed with these capabilities, federal enterprises can efficiently leverage many of the benefits of cloud services, while retaining effective security controls. With this approach, sensitive data is encrypted the entire time it is housed in the cloud. While securing sensitive data in this way will address many fundamental security objectives, it will not address them all. For example, this approach would not address many of the compliance mandates that require the use of tamper-proof, FIPS-certified hardware security modules (HSMs) for the storage of keys. Figure 1 Secure cloud storage represents an opportunity for organizations to leverage the cloud’s elastic, cost- effective storage capacity, while maintaining security. This approach requires a combination of granular encryption mechanisms and centralized access. ProtectFile Workstations Enterprise ProtectFile Ar ch ive Cloud Providers ProtectFile Mobile Workforce Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 5 with Data-centric Information Security White Paper
  • 6. Cloud Security for Endpoints With this approach, federal organizations can protect data at the end-user level, including at the mobile device and laptop or desktop level. This enables seamless interaction between users and information in cloud storage. In this scenario, sensitive information remains encrypted in the cloud at all times. By offering a means to An efficient deployment scenario would include a centralized, hardened security appliance, streamline end user access and which is used to manage cryptographic keys, access control, and other security policies. In access control administration, addition, a virtualized instance of this appliance would be deployed in the cloud to replicate policies and security enforcement on the data. Security administrators need to be able to dictate federated access initiatives can policy based on content, documents, and folders in order to ensure only authorized users and help optimize security while groups can access sensitive data. reducing corporate security costs. When this approach is employed, cryptographic keys never leave the federal agency, and in fact, they never leave the secured, hardened HSM-based appliance. For optimal security, tokens can be employed at the user level, helping add an additional layer of security to user access. Consequently, federal agencies can leverage an elastic, cloud-based storage pool, while optimizing security, ensuring sensitive data is only visible to authorized users at authorized endpoints. Workstations ProtectFile Certificate-Based (PKI) Common Data Protection Policy ProtectFile ProtectFile ProtectFile Enterprise Cloud Providers ProtectFile ProtectFile ProtectFile ProtectFile Certificate-Based (PKI) Mobile Workforce and Partners Figure 2 By employing centralized key management and tokens at the end-user level, enterprises can harness cloud services, while ensuring sensitive data is only visible to authorized users. Federated Access Control Today, even without cloud deployments in the mix, most federal organizations have to manage multiple user identities across various platforms and services, which can pose a significant administrative burden, inefficiency for end users, and security threats. By employing federated access control, government agencies can accomplish the following objectives: • Deliver single sign-on access for users to all enterprise applications and platforms— including internal e-mail and ERP systems, and external SaaS applications. • Streamline administration through central management of policies, identities, and tokens • Adhere to a host of compliance mandates and stringent security policies • Leverage open standards and a broad range of authentication solutions • Boost security through stringent, cohesive policy enforcement, separation of duties, and granular access controls By offering a means to streamline end-user access and access control administration, federated access initiatives can help optimize security while reducing overall security costs. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 6 with Data-centric Information Security White Paper
  • 7. To deliver on this objective, identity management needs to be done through a simple, Web-based gateway that offers all the administrative access controls required. eTokens need to be leveraged to ensure proper authentication. In addition, this deployment approach can leverage Security Assertion Markup Language (SAML), an XML-based standard for exchanging authentication and authorization data, for managing the exchange of information between the agency and external service providers. Common Identity Interconnect Identity Server SAML SAML SaaS Provider Infrastructure Enterprise Cloud Provider End Users Figure 3 By federating access control mechanisms, organizations can simultaneously streamline security administration and improve adherence with security policies. Virtual Encryption as a Service When cloud providers deliver To fully leverage the cloud opportunity, federal agencies and cloud providers alike, need a virtual encryption as a service, way to take the unparalleled security offered by sophisticated, hardware-based encryption they can implement database, solutions, and virtualize those offerings. This enables the delivery of symmetric encryption, file encryption, secure key management, and a host of other capabilities and services within cloud application, and file encryption— environments. all managed through a single, virtual platform that combines When cloud providers deliver virtual encryption as a service, they can implement database, cryptographic key management, application, and file encryption—all managed through a single, virtual platform that combines cryptographic key management, policy management, and encryption processing. Because the policy management, and platform is virtualized, it can be integrated seamlessly within the cloud provider’s infrastructure. encryption processing. Further, by combining the security benefits of these technologies with the cloud delivery model, security implementations can be far less expensive than traditional in-house deployments, ensuring that even federal organizations with tight budgets can incorporate state-of-the-art security capabilities into their organizations. Virtual-encryption-as-a-service deployment will largely be implemented by the cloud provider, who will leverage robust security mechanisms, such as centralized key management, granular encryption, and access control, within their infrastructures. To support virtual encryption as a service, many cloud customers will deploy multi-factor authentication tokens and token management systems in their environments, which can ensure the appropriate access controls are applied to security services and protected data. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 7 with Data-centric Information Security White Paper
  • 8. Cloud Database MFA SafeNet Tokens HSMs Cloud Storage Token Mgmt Elastic Computer System Certificate-Based (PKI) HSM Client ProtectFile ProtectApp ProtectDB Enterprise Cloud Provider Certificate-Based (PKI) MFA for End-Users DataSecure Luna SA Root of Trust Federated Key Mgmt DataSecure & User Directories Figure 4 By providing virtual encryption as a service, smaller organizations can gain access to robust security mechanisms that may have been cost prohibitive in the past. SafeNet: Delivering the Trusted Cloud Platform Introduction—Overview of SafeNet Cloud Solutions With SafeNet’s security offerings, organizations can fully leverage the business benefits of cloud environments while ensuring trust, compliance, and privacy. Cryptography as a Service SafeNet offers intelligent, SafeNet offers a broad set of solutions that enable both enterprises and cloud providers to data-centric solutions that leverage cryptography as a service. SafeNet solutions offer the unparalleled combination of persistently protect data features—including central key and policy management, robust encryption support, flexible integration, and more—that make cryptography as a service practical, efficient, and secure. throughout the information lifecycle and evolve to support SafeNet offers these security solutions: changing cloud delivery • Token management systems and multi-factor tokens that ensure stringent, granular end- models—from today’s SaaS and user access controls private clouds to the evolving • Hardware security modules, including the Luna SA product line, that enable centralized, demands of hybrid and public FIPS- and Common Criteria-certified storage of cryptographic keys clouds. • DataSecure, which offers file, application, and database encryption—all managed through a hardened appliance that centralizes encryption processing, keys, logging, auditing, and policy administration Together, these solutions deliver the critical capabilities required for a robust, cost-effective, and secure cryptography-as-a-service implementation. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 8 with Data-centric Information Security White Paper
  • 9. Certificate-Based (PKI) SMB Cloud Provider Certificate-Based (PKI) Figure 5 SafeNet’s HSMs and DataSecure offerings provide FIPS- and Common Criteria-certified, hardware-based protection of cryptographic keys and controls that help ensure regulatory compliance in cloud deployments. Trusted Cloud Computing SafeNet delivers the solutions The dynamic nature of cloud computing can pose significant risks. Today, someone can take an that enable organizations to application, for instance, running for one federal agency, then move it to another location and run implement rights management it for another government organization—and that application could thus enable unauthorized users and processes to access sensitive data. for virtual machines. With SafeNet, your agency can control applications and services within the cloud environment, and ensure applications only run on platforms for intended end users. SafeNet enables federal agencies to control the instances of the high-value virtual machines, ensuring they are only invoked in the right circumstances. SafeNet delivers the solutions that enable organizations to implement rights management for virtual machines: • Software rights management solutions and tokens for authenticating virtual machines • The ProtectFile file encryption solution, which enables pre-boot authentication of virtual machines • DataSecure, which delivers central policy management of all file, application, and database encryption processing SRM APP SRM Tokens Two-Factor Activation Licensing PaaS Provider APP Virtual Resource Enterprise Administrators OTP IaaS Provider DataSecure Software eTokens Key-Management, Two-Factor Pre-Boot Certificate-Based (PKI) ProtectFile Figure 6 SafeNet offers the products and capabilities enterprises need to control instances of virtual machines running in the cloud, including where they are located and when they can be invoked, so they can safeguard trust in their cloud deployments. Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving Assurance 9 with Data-centric Information Security White Paper
  • 10. Conclusion In terms of potential, the sky truly is the limit when it comes to the benefits cloud computing can deliver. However, the full magnitude of this opportunity can only be realized when security is efficiently, persistently, and effectively employed to safeguard sensitive data. With its sophisticated, data-centric security solutions, SafeNet enables federal agencies and organizations to gain the agility they need to leverage cloud environments most effectively, without making any compromises in security, privacy, or compliance. To Learn More about Cloud Security To provide federal and security leaders with more information on secure cloud computing, SafeNet has introduced its “SafeCloud” website, a new microsite that features a series of whiteboard videos and white papers. These resources outline how cloud security is expected to evolve, and describe what organizations need to do to prepare for and take advantage of these changes. To visit the SafeCloud site, go to www.safenet-inc.com/safecloud. About SafeNet Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its customers’ most valuable assets, including identities, transactions, communications, data, and software licensing, throughout the data lifecycle. More than 25,000 customers across both commercial enterprises and government agencies, and in over 100 countries, trust their information security needs to SafeNet. Contact Us: For all office locations and contact information, please visit www.safenet-inc.com Follow Us: www.safenet-inc.com/connected ©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-03.02.11 Cloud Computing and the Federal Government: Maximizing Trust Supporting the Mission and Improving 10 Assurance with Data-centric Information Security White Paper