The CipherTrust Cloud Key Manager for Software-as-a-service

Enterprise Strategy Group: Getting to the bigger truth.

Solution Showcase: The CipherTrust Cloud Key Manager for Software-as-a-service
Date: December 2017
Authors: Doug Cahill, Senior Analyst; and Leah Matuson, Research Analyst

Abstract: The use of SaaS applications such as Salesforce.com, ServiceNow, Workday, Box, and others has become the standard way many organizations conduct business, with the result that corporate data is sent northbound to the cloud. Not all data is created equal with respect to its intrinsic value to an organization. The most sensitive data, such as the customer relationship management (CRM) data held in Salesforce.com, needs the same enterprise-class data security and compliance tools and processes that protect on-premises data in order to meet and maintain compliance with industry regulations. While native and third-party encryption options, including bring your own key (BYOK), are now offered for many cloud services, challenges remain: operationalizing the management of the encryption key lifecycle, and the requirement in some industry regulations that keys be stored separately from the data they encrypt. The CipherTrust Cloud Key Manager from Thales eSecurity, available as a service or for on-premises or single-tenant deployment, separates encrypted data from its encryption keys and provides operational efficiencies for organizations seeking additional visibility and control over their cloud-resident data assets.

Compliance and Operational Key Management Challenges for SaaS-resident Data

Today, multiple IT meta-trends, including mobility and cloud adoption, are simultaneously and fundamentally changing how corporate data is stored, accessed, and secured, challenging perimeter-centric security models and complicating compliance with industry regulations. At the same time, the threat landscape continues to evolve, with new attack vectors and methods employed by external bad actors and data exfiltration by insiders. One constant remains: security should be applied as close to the data as possible. That is especially relevant for data stored by SaaS (software-as-a-service) applications in physical locations the customer can neither see nor control.

SaaS Adoption Resulting in Cloud-resident Data

Many new IT projects are evaluated through the lens of cloud-first initiatives, which is driving wide adoption of cloud services. According to ESG research, 74% of IT professionals surveyed said their organizations currently use software-as-a-service, and a further 13% do not use it yet but plan to. [1] With growing adoption comes growing concern about cloud security, especially when corporate data assets are stored with cloud services. The concern is most acute for data that is sensitive because of its strategic, and thus intrinsic, value to the company. It is therefore not surprising that previously conducted ESG research revealed that more than half (53%) of respondents are very concerned about storing sensitive data in the cloud. [2] Cloud security remains a concern: in recent ESG research it is the most commonly selected area of cybersecurity in which organizations expect to make significant investments in 2018 and beyond (see Figure 1). [3]

Figure 1. Areas of Significant Investment Related to Cybersecurity in 2018
In which of the following areas of cybersecurity will your organization make the most significant investments over the next 12-18 months? (Percent of respondents, N=272, five responses accepted)

  Cloud security (i.e., applications and/or infrastructure)      43%
  Network security                                                39%
  Data security                                                   37%
  Endpoint security                                               33%
  Security analytics                                              28%
  Vulnerability scanning/patch management                         26%
  Identity and access management                                  26%
  Information assurance                                           25%
  Security automation and orchestration                           20%
  Web and messaging security                                      19%
  Application and database security                               17%
  Tools/process improvements for regulatory compliance            15%
  Secure software development tools and processes                 15%

Source: Enterprise Strategy Group, 2017

Complicating Compliance

Many regulations are infrastructure-agnostic: they require organizations to apply the same processes and controls whether the data in scope is on-premises or in the cloud. PCI DSS, for example, requires that key-encrypting keys be stored separately from the data-encrypting keys they protect, that manual clear-text key-management operations be performed under split knowledge and dual control, and that access to keys be restricted to the fewest custodians necessary, enforced through role-based access to the key management software (separation of duties). PCI DSS, GLBA/FFIEC guidance, and FISMA also call for strong, industry-tested cryptography such as NIST-approved AES, and FISMA, through NIST guidance, requires FIPS 140-2 validated cryptographic modules for key management. Meeting and maintaining compliance with such regulations is complicated by the prevalent use of SaaS applications, where the customer does not operate the systems that hold the data. Furthermore, regional laws and regulations that govern data sovereignty and privacy are increasingly relevant to conducting business internationally. Their specifics are still fluid, but thematically they center on both access control and custodianship of data and keys.

[1] Source: ESG Master Survey Results, 2018 IT Spending Intentions Survey, December 2017.
[2] Source: ESG Research Report, The Visibility and Control Requirements of Cloud Application Security, May 2016.
[3] Source: ESG Master Survey Results, 2018 IT Spending Intentions Survey, December 2017.

This ESG Solution Showcase was commissioned by Thales eSecurity and is distributed under license from ESG.

Cloudy Key Management and Custodianship

While more and more cloud service providers (CSPs) offer native encryption, that capability alone does not address all use cases or compliance requirements. When decryption keys are stored alongside the data they protect, whoever can reach the provider's environment can reach the plaintext. This raises concerns over separation of duties, the lack of dual control between data and keys, and the operational aspects of key management, including key rotation, deactivation, and more. If the CSP holds the keys, the customer should rightly ask what happens when a subpoena requiring access to the data is served on the provider rather than on the customer. Arbitrating who is responsible for key management, the CSP or the customer, and which party should be custodian of the keys further muddies the waters.

The Attributes of Compliant, Flexible, and Operationally Efficient BYOK

Some CSPs address a subset of cloud encryption issues with BYOK services that give customers more control over their keys, but additional capabilities are required. Extending BYOK should include both as-a-service and on-premises options so organizations can choose the one that fits their architecture and compliance requirements.

Separation of Data and Keys

Augmenting a BYOK service should allow organizations to implement the encryption best practice of keeping the decryption keys in a different location from the data. This separation is a compliance requirement for many industry regulations. It does not, however, address custodianship, which is also a compliance requirement for some industry regulations: keys can be stored apart from the data and still be held by the provider.

Custodianship Optionality via Key Management and Vault Location Flexibility, Including On-premises

Customer-managed does not necessarily mean custodianship. Cloud-delivered encryption services allow for customer-dedicated vaults in the form of a hardware security module (HSM), but the keys in that HSM still reside in the CSP's data center when in use. The organizations most sensitive to this are those subject to industry regulations that require them to be the physical custodians of the keys. Extending a CSP's BYOK capability should therefore include the option of deploying the management server and key vault on-premises, where the customer controls the backup and usage of the keys.

Delivery-as-a-service

For organizations that do not require on-premises key creation and storage, an as-a-service (XaaS) offering eliminates on-premises infrastructure, the associated CapEx, and the OpEx of managing that environment. As use of the service grows and more resources are required, the service scales to meet demand. Cloud delivery can also simplify key management by providing a centralized control plane with anywhere, anytime access to the key management user interface.

Least Privilege via Role-based Access Control (RBAC) for Separation of Duties

By leveraging the user group constructs native to the SaaS application, key management solutions that extend BYOK can grant access to keys, and thus to the data, based on membership in those groups. This supports a least-privilege approach to key management in which the fewest people are authorized to manage the fewest keys, and key administration is kept separate from day-to-day use of the data.
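The three attributes above (keys held apart from the data, a customer-controlled custodian, and group-based least privilege) plus the key lifecycle they imply are easiest to see as envelope encryption with the key-encrypting key kept outside the SaaS tenant. The Python below is an added example, not Thales, Salesforce or ESG code; the class and method names (KeyManager, SaaSStore, wrap/unwrap/rewrap, the "key-admins" group, the "acct-42" record) are this example's own assumptions, not any product API, and the CRM record is constructed. The cipher is an HMAC-SHA256 stand-in (counter-mode keystream plus encrypt-then-MAC with separate subkeys) so the block runs on the standard library alone; a real deployment would use AES-GCM or AES key wrap inside a FIPS-validated HSM.

```python
"""Envelope encryption with the key-encrypting key (KEK) held outside the SaaS store.
Added example (not Thales/Salesforce/ESG code; all names are this example's own).
KeyManager = customer-controlled KEK custodian with RBAC and a key lifecycle;
SaaSStore  = the cloud tenant, which holds only ciphertext and wrapped data keys.
Cipher is an HMAC-SHA256 stand-in; real deployments use AES-GCM/AES-KW in an HSM.
"""
import hashlib, hmac, secrets

def _prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor(ek, nonce, data):
    stream = b"".join(_prf(ek, nonce + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Toy AEAD: nonce || ciphertext || tag, with separate enc/mac subkeys."""
    nonce = secrets.token_bytes(16)
    ct = _xor(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("ciphertext authentication failed")
    return _xor(_prf(key, b"enc"), nonce, ct)

class KeyManager:
    """Customer-controlled vault: the only place KEK material ever exists.
    States: active (wrap + unwrap), deactivated (unwrap only), revoked (material destroyed)."""
    def __init__(self, admin_group):
        self.admin_group, self._keks = admin_group, {}   # SaaS group allowed to run the lifecycle

    def _authorize(self, caller_groups):
        if self.admin_group not in caller_groups:        # least privilege via group membership
            raise PermissionError("caller is not a key administrator")

    def create(self, caller_groups):
        self._authorize(caller_groups)
        kid = f"kek-{len(self._keks) + 1}"
        self._keks[kid] = {"material": secrets.token_bytes(32), "state": "active"}
        return kid

    def set_state(self, kid, state, caller_groups):
        self._authorize(caller_groups)
        self._keks[kid]["state"] = state
        if state == "revoked":                           # data wrapped only under this KEK is now inert
            self._keks[kid]["material"] = None

    def wrap(self, kid, dek):
        k = self._keks[kid]
        if k["state"] != "active":
            raise PermissionError(f"{kid} is {k['state']}; cannot wrap new keys")
        return seal(k["material"], dek)

    def unwrap(self, kid, wrapped):
        k = self._keks[kid]
        if k["state"] == "revoked":
            raise PermissionError(f"{kid} is revoked")
        return unseal(k["material"], wrapped)

    def rewrap(self, old_kid, new_kid, wrapped):         # rotation: the DEK never leaves the vault
        return self.wrap(new_kid, self.unwrap(old_kid, wrapped))

class SaaSStore:
    """The cloud tenant: ciphertext plus wrapped DEKs, never a KEK."""
    def __init__(self, km):
        self.km, self.records = km, {}

    def put(self, rec_id, plaintext, kid):
        dek = secrets.token_bytes(32)                    # fresh data key per record
        self.records[rec_id] = {"kid": kid, "wrapped_dek": self.km.wrap(kid, dek), "ct": seal(dek, plaintext)}

    def get(self, rec_id):
        r = self.records[rec_id]
        return unseal(self.km.unwrap(r["kid"], r["wrapped_dek"]), r["ct"])

    def rotate(self, old_kid, new_kid):                  # only the small wrapped DEKs are touched
        for r in self.records.values():
            if r["kid"] == old_kid:
                r["wrapped_dek"], r["kid"] = self.km.rewrap(old_kid, new_kid, r["wrapped_dek"]), new_kid

def demo():
    """Walk the lifecycle on a constructed CRM record and report what happened."""
    km, out = KeyManager(admin_group="key-admins"), {}
    store = SaaSStore(km)
    try:                                                 # an ordinary SaaS user cannot mint KEKs
        km.create(caller_groups={"sales-users"})
    except PermissionError:
        out["rbac_denied"] = True
    k1 = km.create(caller_groups={"key-admins"})
    store.put("acct-42", b"ACME Corp, renewal 2018-03-01", k1)
    out["roundtrip"] = store.get("acct-42")
    out["store_leaks_plaintext"] = b"ACME" in store.records["acct-42"]["ct"]
    k2 = km.create(caller_groups={"key-admins"})         # rotate k1 -> k2, then retire k1
    store.rotate(k1, k2)
    km.set_state(k1, "deactivated", caller_groups={"key-admins"})
    out["after_rotation"], out["kid"] = store.get("acct-42"), store.records["acct-42"]["kid"]
    km.set_state(k2, "revoked", caller_groups={"key-admins"})   # custodian pulls the key
    try:
        store.get("acct-42")
    except PermissionError:
        out["unreadable_after_revoke"] = True
    return out

if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in demo(): a dump of store.records contains only ciphertext and wrapped keys, so a breach of the tenant, or a subpoena served on the provider, yields nothing readable without the custodian's cooperation; rotation re-wraps a few dozen bytes per record instead of re-encrypting the data; and revoking the KEK at the vault makes the data inert without touching the provider at all. Under deactivation, old records stay readable but nothing new can be wrapped, which is the state a key should be in between rotation and eventual destruction.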

Extending BYOK with Flexible Key Management from Thales to Meet Compliance Requirements

Leveraging BYOK with the CipherTrust Cloud Key Manager from Thales eSecurity, offered as a service or for on-premises deployment, meets requirements for both security and compliance outcomes.

On-premises and as-a-service Options

Thales eSecurity offers two deployment models. Both separate the control path (key management) from the data path (the SaaS application holding the encrypted data), and both offer FIPS 140-2 compliant key protection.

As a service: CipherTrust Cloud Key Manager is offered as a cloud service for both the management and the storage of customer-created encryption keys. Its subscription-based pricing aligns with SaaS models, allowing an organization to treat all associated costs as operational expenses.

On-premises or private cloud: CipherTrust Cloud Key Manager can be deployed on-premises or as a single-tenant private-cloud solution for both the management plane and the encryption key vault. This option is partially subscription-based, since the key vault may already be deployed by the customer.

These flexible deployment options are a notable consideration for organizations evaluating key management for cloud-resident data: some customers can opt for the efficiencies of a service, while others take the on-premises option when custodianship of the keys is required by internal security policy or compliance considerations. Regardless of the choice, an organization can take advantage of cloud-like, utility-based subscription licensing. Beyond licensing, both options share the same easy-to-use graphical user interface, removing much of the complexity typically associated with key management. The result is centralized key management that can simplify compliance and regulatory audits for PCI DSS, FISMA, HIPAA, and the upcoming GDPR.

Spotlight: Native Integration with Salesforce Shield BYOK

For many organizations, Salesforce.com is more than a software service; by holding and managing every aspect of a company's relationship with its customers, it is a strategic platform, and the data it holds are assets. The CipherTrust Cloud Key Manager integrates with the Salesforce Shield Bring Your Own Key service via Salesforce's native APIs, allowing customers to use their own keys, streamlining policy management, and letting authorized users sign in to key management with their Salesforce login credentials.

Figure 2. Spotlight: CipherTrust Cloud Key Manager for Salesforce Shield BYOK (panels: RBAC-Based Key Management; Lifecycle Management). Source: Thales eSecurity, 2017

The CipherTrust Cloud Key Manager provides a full set of key management functions: key creation, rotation, deactivation, and revocation. To ensure these key management activities are authorized, Thales integrates with the federated login APIs provided by Salesforce.com, so that tenant secret management is governed by the cloud provider's identity controls rather than by a local database of users.

The Bigger Truth

The foundational concept in cloud security is the shared responsibility model, which draws the demarcation line between the CSP and the customer for securing and protecting the cloud service. For all types of cloud service, from infrastructure platforms to software-as-a-service (SaaS), the model is clear on one point: the customer is responsible for securing the data it stores in the cloud. CSPs offer some native controls, including the ability to encrypt data, to upload your own keys via a BYOK service, and to store those keys in either a multi-tenant environment or a dedicated HSM, but the customer is responsible for employing these services and managing the process. To meet regulatory requirements, customers in certain industries will also need the ability to store encryption keys on-premises. The Thales next-generation key management offering, which extends SaaS BYOK capabilities, appropriately focuses on operationalizing the encryption of data held by one of the most widely adopted SaaS properties, Salesforce.com, as well as several other SaaS and IaaS properties, including Microsoft Office 365 and Microsoft Azure Key Vault. The combination of visibility into key usage and management with the choice of cloud-delivered or on-premises deployment will help organizations satisfy auditors when it comes to meeting and maintaining compliance, while still leveraging the agility of the cloud.

All trademark names are property of their respective companies. Information contained in this publication has been obtained from sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.

www.esg-global.com | contact@esg-global.com | P. 508.482.0188
© 2017 by The Enterprise Strategy Group, Inc. All Rights Reserved.