People First, Performance Now
Ministry of Science, Technology and Innovation
Truth and Consequences: Information Clouds and Virtualization Assurance
Peter Rajnak, Guardtime
14 November 2013
Data trust and Audit – Status Quo
For 40 years we have relied on dedicated hardware and procedure based around access control. This is called the “perimeter model”. This no longer works in the dynamic world of cloud computing.
Background | Cloud Blurs the Existing Security Paradigm
[Figure: the same three controls listed twice, the second time each followed by "???"]
1. Perimeter control
2. Trusted insiders
3. Data in vaults
Background | Data Integrity is Crucial for the Digital World
Cloud Status in EC and EU Countries
European Commission approved a measure to begin devoting time, energy and funds toward establishing a lightly regulated cloud computing market that is capable of servicing the 27 nations in the E.U.
Cloud Computing Challenges:
• Data Security
• Residency and regulations
• Data Audit
• Potential loss of control with reliance on remote or foreign cloud computing services
• Transparency - lack of information about the infrastructure and services they are using might place them at risk for unknown variables and attacks.
Recommendations
The commission's recommendations for proper cloud use and operation:
• Providers must meet certain standards and obligations to be eligible for E.U. business (E.U. data privacy regime)
• Location lists detailing where data will be processed in any event
• Data is only accessible by authorized parties (no exceptions)
• Contracts can be immediately terminated if any unapproved changes are made
• Cloud providers are held accountable for cross-border data transfers
• Data auditing rights are withheld by the E.U. countries / customers
• All sub-contractors (subsequent service providers) must be identified and also be able to adhere to privacy standards
A Bit About Estonia
• Home of Skype and NATO Cybersecurity HQ
• Cybersecurity and disaster recovery a national priority
• Centre of the European Union IT Agency
e-Estonia Early Adopters
• 100% of schools and government institutions have broadband connection
• 68% of households have broadband connection (Statistics Estonia 2011)
• 98% of bank transfers are made electronically
• 92% of income tax returns are submitted via the e-Tax Board
• 1,163,917 active ID cards
• Digital signature legislation
Enterprises with fixed broadband access, 2011: Poland 73%, Latvia 82%, Hungary 84%, Lithuania 87%, Czech Republic 87%, EU 27 87%, Estonia 90%, UK 92%, Sweden 94%, Finland 96%
Households with fixed broadband access, 2011: Lithuania 57%, Latvia 59%, Hungary 61%, Poland 61%, Czech Republic 63%, Estonia 66%, EU 27 67%, UK 81%, Finland 81%, Sweden 86%
Source: Eurostat
Unique High Availability and Data Recovery Services
• Offer highest level of business continuity and disaster recovery (BC/DR) by building two geographically remote, but architecturally similar centers in …… and Estonia
• Leverage Electro Magnetic Pulse shielding technologies to offer first in kind EMP/IEMI secure cloud services
• Employ geo-synchronization between the two remote locations to allow for prioritized DR in an extreme case of local data loss
• Benefit from stable geological areas – Estonia has no real natural disaster threats
• Data center availability guaranteed by continuous data replication between the separate data center locations
• Focus on reliability and superior redundancy with N+2/N+3 resilience for both power supply and water cooling systems, ensuring Tier IV availability
State-of-the-Art Technologies and Standards
Employ some of the most advanced technologies and standards to build a state-of-the-art cloud service provider, including:
• Construction of facilities over 37 meters above sea level to protect from tsunamis, at least 60 meters underground to protect from EMP/IEMI
• Based on OpenCompute standards laid out by Facebook’s data center design
• Guardtime secured virtual machines and data at rest
• Employ SmartDataCenter cloud services platform
• 10/40 GbE to meet constantly increasing bandwidth and performance requirements
KSI | Data is the new perimeter
Electronic Data + Keyless Signature = Signed Electronic Data
Proves the time, integrity and authenticity of electronic data using formal mathematical methods without relying on keys or trusted humans
KSI | Open Source, Open Standard, Open Infrastructure
KSI Background | Unique Properties of KSI Signatures
• No keys, or key management: Verification of the KSI-based electronic evidence does not require cryptographic keys or key management – verification can be performed independently of any trusted third party or human being, using only formal mathematical methods.
• Long-term integrity proof: All KSI-signed data can be archived in the cloud without a loss of legal strength or regulatory compliance for an unlimited time period on commodity storage hardware, making paper- or hardware based special archiving solutions obsolete and substantially reducing overall archiving costs.
• Portability of the evidence: KSI-based data authentication is not tied to specific hardware or process - wherever the data goes, the proof goes along with it, simplifying and speeding up data processing and e-discovery processes.
• Massive scale: KSI-based real-time electronic data authentication solution for Cloud scales to trillions of events per second, supporting any size of the system today or in the future.
KSI for Cloud | Complete Mutual Auditability in the Cloud
[Figure: Cloud with VM, LOG and STORE components, labelled Executable Integrity, Event Integrity and Storage Integrity]
KSI for Cloud | Core Value Across Public, Private & Hybrid Clouds
• Executable Integrity: “Am I deploying the authorized code?” KSI provides a real-time authentication mechanism against external hacking and insider tampering of the Virtual Machine images prior to deployment in the Cloud.
• Event Integrity: “What has happened to my resources?” KSI establishes accountability for events in the Cloud, enabling parties to prove that the logs have not been compromised by external hacking or insider tampering.
• Storage Integrity: “Is my stored data OK?” KSI enables independent authentication of every object in the Object Store, realizing regulatory compliance for data integrity, in commodity hardware, in the Cloud.
KSI for Cloud | Executable Integrity
Real-time Data Signing
[Figure: Cloud infrastructure with Virtual Machine Image, Virtual Machine Image Repository, KSI signature verification and Deployed Virtual Machine]
VALUE: KSI provides a mechanism against external hacking and insider tampering of the executable code inside the machine.
KSI for Cloud | Indemnification for Service Providers
Answers Questions:
• When and what data was stored?
• Who authorized changes?
• Has the data changed since authorization?
[Figure: Data and KSI signature verification]
VALUE: KSI provides necessary proof to indemnify the Service Provider in a breach related incident in the Cloud.
KSI for Cloud | Use Case for Executable Integrity
Customer: Joyent Public Cloud
Application: Assured Virtual Machine Image Integrity. KSI is integrated right into Joyent’s Cloud platform, assuring the customers that the implemented security measures for the virtual environment have worked, that the operating policies are being enforced, and that only approved and validated virtual machines are running in the environment.
Value:
• Business Continuity. Enables companies to safely host applications and data in the cloud, being assured that the executable environment is intact and has not been compromised by malicious or accidental tampering, whether by external or internal parties.
• Reduced Risk of Liability. By having only tested, approved and signed Virtual Machines running within the virtual environment, the source and method behind any error, compromise, and loss cannot be questioned, instantly indemnifying the no-fault party.
• Safe Migration of Virtual Machines. KSI technology enables customers to validate the state of a running Virtual Machine and provide a tamper-evident audit trail when suspending it and sending it to another data center.
KSI for Cloud | Event Integrity
VALUE: KSI establishes accountability for Cloud events, enabling a specific Cloud event to be presented as evidence along with a proof of the entire log file integrity, while keeping all other events in confidence.
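The Event Integrity property above (one event shown as evidence, with a proof that covers the whole log, while the other events stay undisclosed) is what a hash-tree inclusion proof provides. The following is an added example, not code from the presentation and not Guardtime's KSI signature format or API; the log lines, the per-record blinding masks and all function names are assumptions made for illustration.

```python
import hashlib
import os

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (avoids ambiguous concatenation)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def leaf_hash(mask: bytes, event: bytes) -> bytes:
    # Random per-record mask keeps sibling hashes from leaking guessable events.
    return h(b"leaf", mask, event)

def build_levels(leaves):
    """Return all tree levels, leaves first; an odd node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [h(b"node", cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
               for i in range(0, len(cur), 2)]
        levels.append(nxt)
    return levels

def prove(levels, index):
    """Hash chain for leaf `index`: list of (sibling_is_left, sibling_hash)."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((sib < index, level[sib]))
        index //= 2
    return path

def verify(event, mask, path, root):
    """Recompute the root from one disclosed event; no key is involved."""
    node = leaf_hash(mask, event)
    for sibling_is_left, sib in path:
        node = h(b"node", sib, node) if sibling_is_left else h(b"node", node, sib)
    return node == root

# Constructed sample log (not from the presentation).
LOG = [b"10:00 vm-17 started", b"10:02 admin login from 10.0.0.5",
       b"10:03 image web-v2 deployed", b"10:07 vm-17 stopped",
       b"10:09 snapshot taken"]
MASKS = [os.urandom(32) for _ in LOG]
LEVELS = build_levels([leaf_hash(m, e) for m, e in zip(MASKS, LOG)])
ROOT = LEVELS[-1][0]   # the value that would be signed / timestamped
```

To present event 2 as evidence, only `LOG[2]`, `MASKS[2]` and `prove(LEVELS, 2)` are disclosed; the verifier checks them against `ROOT` and learns nothing about the other entries beyond their masked hashes.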