Posted: 25-Dec-2014 | Category: Technology
Securing Cloud Computing
Szabolcs Gyorfi
Sales manager CEE, CIS & MEA
Gemalto: Security To Be Free. More than just a company tag line, it is why we exist.
Communicate, travel, bank, shop and work in ways that are convenient, enjoyable and secure.
Gemalto’s Secure Personal Devices …are in the hands of billions of individuals worldwide
1.5 billion secure devices – produced and personalized in 2009
200 million citizens – received a Gemalto produced e-Passport
500 million people – carry a Gemalto produced credit card
400 mobile operators – connecting 2 billion subscribers
30 years experience – designing/producing secure personal devices
Global Leadership Position
Top producer of:
SIM cards and UICC (1)
Over-The-Air platforms (2)
Chip payment cards (4)
Chip-based corporate security solutions (1)
e-Passports (3)
Innovation leadership examples:
First to market with IP based UICC for LTE
Ezio optical reader for online banking
*Source: (1) Frost & Sullivan; (2) Gemalto; (3) Keesing Journal of Identity; (4) The Nilson Report
Defining the “Cloud”
‘Securing Identities is Key to Success in the Cloud’ (IDC report, June 2010) breaks cloud computing down into three different archetypes or models:
SaaS (Software as a Service): 3rd party cloud providers deliver a full application service to end-users.
PaaS (Platform as a Service): uses a cloud-based infrastructure to deliver customer-based applications.
IaaS (Infrastructure as a Service): enables businesses to deliver their own services by providing them with cloud-based equipment.
Market Drivers & Challenge
Compliance with regulations and standards: Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA), European Data Protection Directive, ...
Cloud Services are growing
Convenience is a key for Cloud Services adoption:
Identity management is painful for organizations and users
Single Sign-On: eliminate passwords across cloud services
Secure Access is a strong factor:
Identity theft and phishing attacks are more relevant in the cloud world
Static passwords are not secure, as cyber criminals are getting smarter, faster and more tenacious about getting at your data and static passwords
Cost:
High TCO for complex password policies
The weakest link
When you move to the cloud, there may no longer be a PC under the
desk, but the user is still the weakest link in the chain.
Most people have terrible habits when it comes to passwords, use the
same passwords everywhere, and some write them on sticky
notes and put them on their monitor.
You can have a software provider with the best security on the market,
but if one employee happens to choose a bad password that can be
guessed in a social engineering attack, it can be catastrophic.
Security and convenience – Can we have both?
"Providers of cloud computing resources are not focused on security in the cloud. Rather, their priority is delivering the features their customers want such as low cost solutions with fast deployment that improves customer service and increases the efficiency of the IT function. As a result, providers in our study conclude that they cannot warrant or provide complete assurance that their products or services are sufficiently secure."
Source: Ponemon Institute, 2009 Study
Security is a Balancing Act
Must balance between usability and strength
Protiva Confirm: Secure & Convenient Cloud Services enabler
Bringing ADAPTABLE TRUST to Cloud Services: strong authentication ensures secure access to Online Services with multiple authentication methods: Password, OTP, PKI
Bringing CONVENIENCE to Cloud Services: identity federation/SSO
Bringing ADVANCED SERVICES to Cloud Services: digital signature service, post issuance
No longer need to choose between SECURITY & CONVENIENCE
Adaptable Trust
Authentication methods and form factors: Password; OTP; PKI; Cards (.NET, TPC, …); Display Card
Protiva SA Server
5/15/2012
Validation server supporting OTP authentication
Standards based technology:
Tokens – OATH event based or time based
Mobile App – time based with time stamping
Web based administrator interface for user management
User self-care portal for registration and password back-up
Easily integrates with existing infrastructure
Established integrations with leading infrastructure technology:
Databases – MySQL, MS SQL, Oracle, IBM DB2, etc.
User Data Repository – Microsoft AD, Novell eDirectory, Sun ONE, OpenLDAP, etc.
Authentication Service – HTTP/HTTPS, SOAP, SAML 2.0, XML, RADIUS, Microsoft IAS/NPS, etc.
The Heart of Protiva Strong Authentication Service
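The two OATH token types the slide lists (event based and time based) differ mainly in how the validation server picks the counter and how it defends against replay. The following is an added example written for this page, not Gemalto's Protiva server code; the secret is the published RFC 4226/6238 test vector, and the look-ahead and drift window sizes are assumptions.

```python
# Added illustration of OATH OTP validation (not Protiva's own code).
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample: the 20-byte ASCII test secret from RFC 4226 / RFC 6238.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_event(secret: bytes, stored_counter: int, code: str,
                 look_ahead: int = 5) -> Optional[int]:
    """Event-based token. The user may have generated codes without logging in,
    so accept any counter in [stored, stored + look_ahead]. Returns the next
    counter the server must persist, or None. Counters below the stored value
    are never accepted, which is what blocks replay of an already-used code."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_time(secret: bytes, code: str, now: Optional[int] = None,
                step: int = 30, drift: int = 1, digits: int = 6) -> Optional[int]:
    """Time-based token (RFC 6238: counter = unix_time // step). Accept the
    current step plus `drift` steps either side to absorb clock skew between
    phone and server. Returns the matching step; the caller should refuse a
    second login with the same step to stop replay inside the 30 s window."""
    now = int(time.time()) if now is None else now
    t = now // step
    for candidate in range(t - drift, t + drift + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    print(hotp(SECRET, 0))                        # RFC 4226 vector: 755224
    print(verify_event(SECRET, 0, "359152"))      # counter 2 matched -> 3
    print(verify_time(SECRET, "287082", now=59))  # step 1 matched -> 1
```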
User On Boarding
Mobile OTP – User Download and Activate:
1. Authentication server URL sent to user by email
2. User enters numeric validation code
3. User establishes personal PIN
4. Mobile OTP application activated
Platform for next secure token generation
ID-000 (SIM sized) smart card reader
Micro SDHC card interface
Versatility of smart card and MicroSD
Easy to assemble
USB 2.0 High Speed with HID / CCID switch
Full exposure of smart card in CCID mode
“Zero footprint” in HID mode
AES 256 encryption: data can be encrypted
CD-ROM emulation: autorun of applications stored in MicroSD
Personalization services: graphical, packaging, smart card and flash insertion (MOQ: 1000 units)
Components: ID0 Smart Card, Micro SD Flash, USB 2.0
Building Value Together
Flash memory partitioning
Interfaces: Mass Storage; HID / CCID
Controller Firmware: Integrator Key; Secure Drive PIN
SD Partitions: Public (X:); Read Only (Y:); Private (Z:)
PKI Smart Card: Digital signature; PKI certificate
Use case: secure browsing
USB Shell Pro Token v1
“Wherever you go! Whatever you do! Your browser is protected from permanent infections”
Using a Secure Browser stored in the read-only (RO) partition, malware cannot permanently infect your browser (your browser integrity is maintained).
Using a Secure Browser, the server certificates of your corporate trusted websites are stored in your browser and compared to the website you are trying to reach. If this is a phishing website then your browser refuses it.
…the list of accessible URLs can be restricted
Secure Browsing example
Mode: HID
Portable Firefox (in RO partition)
Firefox ProCon add-on
Portable PKCS#11 module for TPC IM CC
Data Leakage Protection example
Mode: CCID
Microsoft BitLocker on the computer
Encryption of the public partition is done using the smart card (Public: Encrypted partition)
Fulfillment Process (End User Initiated Fulfilment)
1. Order: Two Factor Auth (2FA) credential or token ordered by end user
2. Receive: 2FA credential or token is shipped or made available to end user
3. Use: user can start using strong 2FA to protect access to cloud resources
Thank You