Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
© 2016 HyTrust, Inc. 1
GDPR Compliance with HyTrustWorkload Security and Compliance –
Taking the Pain Out of Government Mandated Security Response
Dan Gaddes – Principle Systems Engineer
© 2016 HyTrust, Inc. 2
HyTrust Workload Security solutions mitigates the security and operational risks that organizations face when pursuing cloud and virtualization data center transformationMulti-Cloud Flexibility – over 750,000 Workloads protected by HyTrust
CUSTOMERS TECHNOLOGY PARTNERSSTRATEGIC & FINANCIAL
INVESTORS
Founded in 2007
Extensive virtualization and cloud security expertise
12 granted and pending patents
Acquired HighCloud Security in 2013
Who is HyTrust
© 2016 HyTrust, Inc. 3
HyTrust Workload Security Use CasesHow are they related to GDPR?
Critical areas affected by GDPR – increased risk with public or hybrid cloud environments:
Eliminate privileged user misuse
Halt data breaches on all clouds
End audit and compliance suffering
Remove costly infrastructure air gaps
Avoid data sovereignty landmines
Stop stupid and the accidental downtime
1. Privileged account misuse
2. Data breach protection
3. Data sovereignty compliance
© 2016 HyTrust, Inc. 4
GDPR SCOPE
© 2016 HyTrust, Inc. 5
GDPR Executive Summary
New standard for data
protection and privacy for the
EU member state – replacing
the previous Safe Harbor
agreement (between the US
and EU). Covers any
company doing business in
the EU or with an EU citizen.
What When Impact
Goes into “full” force on May
25, 2018. Different member
states may add some
variations or additional
requirements.
Enforcement is backed by substantial fines, some based on 2%-4% of
corporate revenue in EU.
Allows EU citizens to challenge companies and shift burden onto the
service providing company for proof/response to privacy and security.
Affects a range of technology systems including data storage and
collection, data encryption, and frameworks for privacy processes
(through policy and privacy specialists).
Still unclear with Britain leaving the EU – but most likely following GDPR
will still be more stringent than any local guidelines.
© 2016 HyTrust, Inc. 6
Challenges
Migration to Public Cloud Increases Risk
Transparency
GDPR Requirement Summary Description
Consent/Data Quality
Security enforcement of Privacy
Data breach readiness and response
Right to be Forgotten (Art 17)
Privacy policy and DPO
Opt-in by consumer; ability to get rid of data if consent is withdrawn
Protecting data via encryption, secure data destruction, etc..
72 hours for breach notification; incident response plan
Right to be Forgotten - Erasure (Art 17)
Policy guarantees harder with 3rd party (ie cloud provider)
Tracking data across many workloads and geographies with instant ability to “kill” data
Proof of actions (of encryption and destruction) are required if challenged
Multi-cloud deployment for large enterprises creates challenges to collect incident data and take action very quickly
All data must deleted – retroactively and for all records
Note there are numerous other areas of challenges – but these are most technically challenging for cloud enabled organizations.
© 2016 HyTrust, Inc. 7
Technology Best Practices Response to GDPR(and applicable HyTrust Use Cases)
Shift from alert and SIEM analysis to
proactive, automatic security for both
breach protection and privacy protection
[Data Sov.]
Automatic
1 2 3 4 5
Insiders Self-Regulating Platform Agnostic Instant Proof
Ensure admins on access data on any cloud can be monitored and proof of
compliance can be shown instantly (or instantly flag
violations for prompt remediation)
[PIM, Data Sov.]
Workload needs portable policy to
protect and enforce compliance itself
[Data Sov.]
Implement a platform agnostic solution –
which will work across any provider or
workload type (virtual machine, SDDC, containers, etc..)
[All use cases]
Ensure proof of compliance is fast,
easy, and multi-cloud ready
[All use cases]
© 2016 HyTrust, Inc. 8
My Cloud Provider Says I Am Protected…
Microsoft, Amazon, and others have issued statements that their customers are protected and compliant already via their use of “model” contracts and other legal mechanisms.
Bottom line: Regardless of who is hosting your data, YOU are responsible for it. Be proactive and not rely on the provider or specific technology to protect your data.
However….
1 2 3 4
And if provider fails – YOU are still responsible for data breach
disclosure and remediation impact for your customers.
ONLY workloads and data that resides on that provider
can be considered as “provider” scope (private data centers, backup/DR sites, QA copies, etc.. are
still your issue).
YOU are still responsible for the administrative actions of
systems on that network.
YOU are still responsible for the data, even if the provider
is compliant.
© 2016 HyTrust, Inc. 9
HyTrust / Customer Options
Detailed GDPR Mapping to HyTrust
GDPR Source Text Requirement Summary
Appropriate level of security based on state of art. Including: encryption, regular tests of security effectiveness, ensure confidentiality, integrity of data.
Requires data controller to implement appropriate technical … measures to ensure and …demonstrate compliance.
Data controllers must also implement data protection by default…implement appropriate technical …measures to [protect/address] the amount of data collected, extent of processing, and retention and accessibility of data.
Implement policy based encryption for data protection (and evidence). Show compliance of human assets.
Forensic level logs that track workloads, administrative activities, and policy changes at the object level.
Through HyTrust BoundaryControl policies, the system is (by default) set to adhere to data boundaries and usage. Furthermore encryption can be used to enforce this across any cloud provider.
Article 32 – Security of processing
Article 24 – Responsibility of the controller
Article 25 – data protection by design and default
© 2016 HyTrust, Inc. 10
Soft-Tagging
Geo-Tagging
Processor level attestation with Intel TXT
Boundary aware decryption
Multi-cloud Policy based Encryption
Dynamic & Zero Touch Rekey
Secure Boot Protection
Hardware accelerated with Intel AES-NI
Automated Compliance
Forensic Logging & Reporting
Granular Role & Object Based Controls
Secondary Workflows
HyTrust CloudControl
HyTrust DataControl
02
HyTrust CloudControl
HyTrust DataControl
HyTrust BoundaryControl
0301
The HyTrust Workload Security Platform
© 2016 HyTrust, Inc. 11
HyTrust CloudControl
© 2016 HyTrust, Inc. 12
What
The HyTrust CloudControl Solution
Why
HyTrust CloudControl Capabilities
*coming in future releases
Who How
Strong two-factor authentication
Integrates with Active Directory, RSA SecureID, CA ArcotID, RADIUS and TACACS+, Smart Cards (PKI)
Root password vaulting
Log Viewer (new)
Unified Access
Role – Permissions Assessment Tool*
Role-based access control (RBAC)
Workload/SMART tagging
Workflow escalations/secondary approvals
30+ preconfigured roles
Forensic level logs
Real-time alerts for sensitive or abnormal actions
Built-in integration to SIEM tools (HP ArcSight, Splunk, RSA EnVision, McAfee ePolicy Orchestrator
© 2016 HyTrust, Inc. 13
vSphere Architecture with HyTrust CloudControl
Enterprise Production Network
VMware Management Subnet
CloudOrchestration
Administrators
vCenter
AdministratorActions
Policy Engine
Proxy
CloudControlVirtual Appliances (HA)
✔
✔
✖
✔
Flexible policy engine All actions are logged(including those denied by policy)
Applies controls and monitors activity with NO change to the administrators experience
Not in-line with production network – NO impact on application availability or latency
© 2016 HyTrust, Inc. 14
Management Dashboards – Separation of Duties
Admin distribution over time1D 1W 1M 3M 6M All
Co
un
t
14. Sep
Navigator color indicates: Out of range Within range
13. Sep 15. Sep
0
5
10
15
20
25
13. Sep 12:00 14. Sep 12:00 15. Sep 12:00
09/15/16 18:46:04PowerAdmin: 5ComputeAdmin: 1ManagementAdmin: 5NetworkAdmin: 3StorageAdmin: 7SuperAdmin: 1 (out of range)
1
5
1
7
3
5
1
Total Admins:
22
Admin Categories
PowerAdmin
Compute
Management
Network
Storage
SuperAdmin
Privileged User Distribution
Categories are based on privileges
How has privileged user access changed
over time?
Does the privileged user have more privileges than
necessary to perform their jobs?
© 2016 HyTrust, Inc. 15
Logging Engine
Operation: Delete Hard Disk 3
vCenter Log Entry
CloudControl Log Entry
© 2016 HyTrust, Inc. 16
Policy Engine
Identity
Objects
AD Groupmembership
Custom Roles
Admin
Custom Role Based Access Control (RBAC), including NSX
Object Based Access Control through patented Smart Tagging
Trust status
Protocol
Source IP
Label
PolicyEngine
Flexible Security Rules
Constraints
Role
© 2016 HyTrust, Inc. 17
AdministratorSecondary Approval Administrators
CloudControl
Virtual Infrastructure
Does not need secondary approval
NOTAPPROVED
Policy Engine - Secondary Approval Workflows
© 2016 HyTrust, Inc. 18
HyTrust DataControl
© 2016 HyTrust, Inc. 19
OrchestrationHyTrust Key Control
and Policy Engine
Workload Workload
Hypervisor
Hardware
Key Control – the key manager that ensures
enforcement of policy via key management
Policy Agent – ties policy to workload and
executes encryption and decryption
Policy Engine – ensure appropriate controls
with context
HTDC provides deep protection
Workload protection from boot to data with complete stack protection
Portable policy travels with workload to ensure always on protection
Connects with HyTrust BoundaryControl and HyTrust CloudControl for automated and workflow oriented security
Hardware accelerated encryption via integration with Intel AES-NI
HTDC provides easy management
Scalable, zero downtime re-key management and encryption
Single interface regardless of where the workload runs
Pre-integrated to KMIP client/server for easy extensibility
On-premises and cloud ready – across all major cloud providers
Hyper-Convergence ready – built into Nutanix, Simplvity, others
Storage ready – including SSD technology
HTDC protects data everywhere
The HyTrust DataControl Solution
© 2016 HyTrust, Inc. 20
Agent
HyTrust DataControl
Highly Available Active/Active
multi-node Cluster
Nodes in separate geographical
locations serving the regions
Domain Controllers
On a single node failure, VM agents
will heartbeat to the available node
HyTrust DataControl works withMicrosoft Azure + Hyper-V on premise and also AWS
Core Data Center Core Data Center Or Cloud
VMs
Data Center
Agent
VMs
Data Center
Key Control Node Key Control Node
Agent
VMs
© 2016 HyTrust, Inc. 21
HyTrust DataControl Policy Agent
Function:
Holds security policy and checks for updates and execution from key manager.
Key capabilities:
→ Protects Data: Encryption at disk level → Protects Complete System: Encryption of boot,
root, and swap partitions→ Authorized Boot: Ensures boot up only on
authorization
→ Heartbeat: Constantly validates policy – ensures always on protection
→ Zero Downtime: Dynamic rekey (with no downtime) ensures a higher level of security without ops downtime
→ Fast: Leverages AES-NI for fast, transparent encryption
Hypervisor
Storage Driver
VM/Physical Machine
Applications/Data
File System
Crypto File System Filter
Device Driver
VM/Physical Machine
Applications/Data
File System
Crypto Device Driver
Device Driver
Policy Agent Agent does NOT need to alter operating system kernel. Based on environment – may load above or
below file system.
© 2016 HyTrust, Inc. 22
HyTrust DataControl Policy Agent
Manual or unattended
May be included in VM templates
May leverage enterprise tools (such as SCCM)
Monitoring through KeyControl Dashboard
Full support for VM cloning, including VDI use cases
Deployment of Policy Agent
1 2 3
VM
PA
1
2
3
DataControl Policy Agent Installation
• 64-bit OS
• Reboot required for Windows
HTDC Registration
• Establish trust
Data Encryption
KeyControl
© 2016 HyTrust, Inc. 23
HyTrust DataControl Dynamic Rekeying
Right-click, select “Add and Encrypt” and you’re done!
• Applications / databases continue while disk is being encrypted
Encryption / rekey status is shown in the GUI (or command line)
% encrypted
© 2016 HyTrust, Inc. 24
HyTrust Boundary Control
© 2016 HyTrust, Inc. 25
HyTrust Boundary Control
Virtual Server Placement by
Platform Integrity
Virtual Server Placement by
Location
Virtual Server Decryption by Trust
& Location
Only allow certain virtual servers to run on a trusted hardware and software stack
Only allow certain virtual servers to run on trusted hardware in a particular location
Only allow virtual servers to be decrypted on trusted hardware in a particular location
Software and hardware to enforce geo-fencing of workloads
Trusted Compute Pools Geo-Fencing Data Sovereignty
Eliminates need for air gaps
Automatic compliance to regulatory mandates
PUBLICCLOUD
© 2016 HyTrust, Inc. 26
Automatically provision, configure, and enforce security controls for all things inside your defined logical boundaries – Intel TXT provides Hardware Root-of-Trust
HyTrust Boundary Controls –Avoid Data Sovereignty Landmines
Define and create a logical boundary by geography, regulatory standard,
department, etc.
Assign tags to key assets Define policies and automate security control enforcement for your defined boundary
PCI PII*Finance
PCI GermanFinance
PCIPCI
PCI
Do not decrypt workload unless it is running on Host B
Automatically encrypt workloads within the boundary
Network
Storage
Workload
Host/Server
PCI PCI
PCI PCI
© 2016 HyTrust, Inc. 27
Come see us at our booth to find out more and for a demonstration