SiteTrust by Verdasys

Technology Overview

The Cloud and the Challenge

As IT organizations look to move to the cloud to reduce costs, improve business agility and deliver on the promise of limitless collaboration, they are confronted with significant challenges that today limit even the smallest cloud computing deployments and curtail the value that moving infrastructure to the cloud promises. These challenges include:

    • Opening access to a cloud environment to employees while mitigating the risk of improper or sensitive data flowing into the cloud environment
    • Protecting data that properly flows into a cloud environment from loss, theft or compromise
    • Managing a provisioning process for data access for a nearly unlimited number of possible cloud participants
    • Clouds currently offer little protection from the growing threat of malware and advanced persistent threats

Requirements for Securing the Cloud

For the cloud to become a truly viable business model, the challenges of securing and managing cloud environments must be overcome. This begins with the creation of trust across both private and public server environments. Trust does not necessarily mean that the cloud environment needs to be totally trusted or that the collaborators in the cloud environment are totally trusted. It means that the risks associated with sharing sensitive data and completing business transactions across these environments and among their users have been mitigated through properly functioning controls.

Beyond trust lies cost-effective administration and management of data moving to the cloud environment and of users accessing the cloud environment. Some enterprises are looking to create collaborative cloud environments with users numbering in the hundreds of thousands, not just for public data but also for sensitive data about clients as well as IP and trade secrets. Provisioning those users into authentication and access control systems in traditional models remains untenable; new models of user-driven self-service provisioning must also be created. Another piece of the puzzle is auditing and understanding what data went to the cloud and who accessed and manipulated it. This will be critical for understanding risk as well as for showing compliance.

 

CloudTrust: A Digital Guardian Module, by Verdasys

The CloudTrust Module is a fully integrated add-on module and part of the Digital Guardian EIP platform. CloudTrust extends enterprise information protection out into the various worlds of Cloud Computing by focusing on protecting “cloud sessions” and data, not infrastructure and machines. CloudTrust combines a variety of data-centric capabilities, including information classification, file-level encryption, data owner driven provisioning and agentless auditing, to create a comprehensive cloud security model. CloudTrust is flexible: it meets the use cases that enterprises encounter as they first move enterprise applications to the cloud to save costs, and can grow to meet the advanced “high collaboration” cloud-based worlds promised in this new computing model.

Key Capabilities of Digital Guardian CloudTrust Module

  • Protects cloud sessions and sensitive data, not machines
  • Classifies data moving to and from the cloud and applies automated encryption controls
  • Enables data owner driven provisioning of cloud based networks
  • Normalized authentication across cloud services
  • Secure Data End-to-End with Encryption
    • Transparently Encrypt Cloud-bound Data
    • Multi-Level Trust Model
    • Remote Revocation
  • Creates a complete audit trail across the Cloud

CloudTrust Use Case Coverage

Local or remote employees on IT managed machines accessing cloud environments
Enterprises that utilize cloud-based applications for corporate email or enterprise applications use the Digital Guardian platform and CloudTrust Module to control both structured and unstructured data that moves on and off cloud-based applications. All documents stored on the cloud platform are encrypted, and all unstructured data is classified and its access and usage monitored and controlled.

Remote employees on unmanaged machines accessing cloud environments
One of the great advantages of the cloud, beyond reducing infrastructure costs, is the promise of access to work environments and applications from any machine, anywhere, at any time of day. This of course creates another set of security challenges. Digital Guardian customers can deploy the CloudTrust module, which includes the lightweight and easily provisionable DG Remote Agent, onto uncontrolled machines. These agents authenticate the user, secure the transaction, decrypt and allow access to cloud applications and data, control the movement of sensitive unstructured data off the end user machine, and audit the entire process.
  

Third party collaborators on unmanaged machines access cloud environments
The use case for utilizing cloud environments to create huge collaborative networks for product and service design and development spans everything from computer gaming to chip design to best practices in compliance law, and holds the promise of tapping the creative minds of hundreds of thousands of experienced workers. Beyond cloud security concerns, this use case includes potentially massive user registrations in environments where collaborators access the cloud through uncontrolled machines and may only be involved in a project for a matter of days. CloudTrust includes the ability to meet the needs of collaborator registration, provisioning of the DG Remote Agent, secondary authentication of the third party collaborator, decryption and control of unstructured data on the end user's machine, and auditing of the entire process as well as data usage.

3rd party collaboration

CloudTrust Example
An employee initiates a cloud computing project that will include third party workers.
Potential collaborators are registered and provisioned with the CloudTrust DG Remote Agent through an automated online forms feature driven by knowledge workers with access to cloud networks. The DG Remote Agent initiates a secondary authentication process, grants access to the cloud environment and decrypts information as needed by the third party collaborator. The DG Remote Agent secures classified unstructured data assets on the remote machine. The entire process is audited. When the project ends, the DG Remote Agent wipes all keys and de-provisions from the user's machine.
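The following is an added illustrative model of the lifecycle just described (provision, grant, read, revoke, with every step audited); it is not Verdasys code and assumes a simplified design in which files sit encrypted in the cloud under per-file data keys, the data owner wraps a data key under each collaborator's agent key, and revocation deletes the agent key and its grants. The HMAC-SHA256 keystream stands in for a real cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher from an HMAC-SHA256 keystream (AES-GCM in practice)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

class CloudTrustModel:
    """Hypothetical model: per-file data keys, per-collaborator wrapped keys,
    remote revocation by wiping the agent key, and an audit trail of every event."""
    def __init__(self):
        self.files, self.data_keys = {}, {}   # cloud side / data-owner side
        self.agents, self.grants = {}, {}     # collaborator -> agent key / wrapped keys
        self.audit = []                       # (event, actor, object) tuples

    def store(self, owner, name, plaintext):
        dk, nonce = os.urandom(32), os.urandom(12)
        self.data_keys[name] = dk             # cloud never holds the data key
        self.files[name] = (nonce, _xor_stream(dk, nonce, plaintext))
        self.audit.append(("store", owner, name))

    def provision(self, owner, collaborator):
        self.agents[collaborator], self.grants[collaborator] = os.urandom(32), {}
        self.audit.append(("provision", owner, collaborator))
        return self.agents[collaborator]      # key the remote agent would hold

    def grant(self, owner, collaborator, name):
        wn = os.urandom(12)                   # wrap the file's data key for this agent
        wrapped = _xor_stream(self.agents[collaborator], wn, self.data_keys[name])
        self.grants[collaborator][name] = (wn, wrapped)
        self.audit.append(("grant", owner, collaborator + ":" + name))

    def read(self, collaborator, agent_key, name):
        """Agent-side read: fails closed when de-provisioned, key mismatch, or no grant."""
        live = self.agents.get(collaborator)
        if live is None or not hmac.compare_digest(agent_key, live) \
                or name not in self.grants[collaborator]:
            self.audit.append(("denied", collaborator, name))
            return None
        wn, wrapped = self.grants[collaborator][name]
        nonce, ct = self.files[name]
        self.audit.append(("read", collaborator, name))
        return _xor_stream(_xor_stream(agent_key, wn, wrapped), nonce, ct)

    def revoke(self, owner, collaborator):
        """Project ends: wipe the agent key and all grants (remote revocation)."""
        self.agents.pop(collaborator, None)
        self.grants.pop(collaborator, None)
        self.audit.append(("revoke", owner, collaborator))
```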