Securing Cloud Storage: Security Guide

ProtectV Volume: Key Features
• Data Isolation
• Compliant Key Management
• Granular Authentication
• Multi-tenant Protection
• Separation of Duties

Introduction: The Promise, and Security Obstacles, of Cloud Storage
For many organizations, leveraging elastic, pay-as-you-go cloud services for housing
exponentially expanding amounts of files and digital assets represents a significant
opportunity. However, for those enterprises that must comply with regulatory mandates or
strict internal security policies, the security risks posed by keeping information in multi-tenant
cloud storage servers can make migrating to the cloud a nonstarter.
In these cloud environments, sensitive data resides on virtualized, multi-tenant storage
infrastructures, which can pose significant challenges from a security standpoint. How do
security organizations ensure sensitive data isn’t inadvertently exposed to other tenants of
the cloud? How can organizations address mandates for separation of administrative duties,
so those with super-user privileges in the cloud infrastructure can’t exploit their access
rights?
Securing Cloud Storage with SafeNet ProtectV Volume
SafeNet offers a range of solutions that enable organizations to leverage the business benefits
of cloud services, without making compromises in security. With SafeNet ProtectV Volume,
organizations can leverage cloud storage for their most sensitive assets. ProtectV Volume
enables security teams to encrypt entire storage volumes in remote cloud deployments,
ensuring data is isolated and secured even in shared, multi-tenant environments. ProtectV
Volume addresses the critical requirements needed to secure cloud storage:
• Data isolation. With ProtectV Volume, security teams can logically separate volumes that
hold sensitive data, so, for example, a cloud provider’s administrators can’t abuse their
super-user privileges and a user with access to one volume can’t “jump” partitions and
gain access to another group’s containers.
• Compliant key management. ProtectV Volume offers the key management capabilities
administrators need to support the logical segmentation of data, users, and groups, and
enforce the policies required to ensure the confidentiality and integrity of data, so they
can adhere to internal policies and external compliance mandates in the near and long
term.
• Granular authentication. ProtectV Volume also delivers strong pre-launch authentication,
including password-based protection at the user level, to control which resources can be
accessed, when, and by whom.
• Multi-tenant protection. With its comprehensive, robust capabilities, organizations can
ensure that, even in shared, multi-tenant cloud environments, administrators can have the
visibility and controls they need to safeguard sensitive assets.
• Separation of duties. ProtectV Volume enables security teams to separate administrative
responsibilities; for example, data encryption roles can be separated from data access
controls. The solution offers controls for ensuring that no single administrator can abuse his
or her privileges. For example, using approaches like “M of N separation”, organizations can
require that multiple administrators must always conduct such critical administrative tasks
as policy changes and key export.
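The “M of N separation” mentioned above can be illustrated with a small quorum check. The following Python is an added example, not SafeNet’s or ProtectV Volume’s code; the administrator names, the quorum sizes per operation, and the HMAC-based approval signature are assumptions made for this illustration. It shows the properties a quorum gate needs: approvals are bound to one specific request, one administrator cannot reach the quorum by repeating an approval, and forged or unknown approvers are rejected.

```python
"""Quorum (M of N) approval gate for critical administrative operations.

Added illustration, not SafeNet/ProtectV Volume code. Administrator names, quorum
sizes and the HMAC approval scheme are assumptions made for this example.
"""
import hashlib
import hmac
import secrets

# Constructed sample: N = 5 administrators, each holding a private approval secret.
# A real deployment would keep these in per-admin tokens or an HSM; they are generated
# in memory here only so the example runs offline.
ADMIN_SECRETS = {f"admin{i}": secrets.token_bytes(32) for i in range(1, 6)}

# Policy (assumed values): M distinct approvals required per critical operation.
QUORUM_POLICY = {"key_export": 3, "policy_change": 2}


def _message(operation: str, request_id: str) -> bytes:
    # Each approval is bound to one operation AND one request, so an approval
    # collected for key export of request A cannot be replayed for request B.
    return f"{operation}:{request_id}".encode()


def sign_approval(admin: str, operation: str, request_id: str) -> bytes:
    """Administrator `admin` approves exactly this (operation, request_id)."""
    return hmac.new(ADMIN_SECRETS[admin], _message(operation, request_id),
                    hashlib.sha256).digest()


def verify_approval(admin: str, operation: str, request_id: str, signature: bytes) -> bool:
    """Check a single approval; unknown admins and bad signatures are rejected."""
    secret = ADMIN_SECRETS.get(admin)
    if secret is None:
        return False
    expected = hmac.new(secret, _message(operation, request_id), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def authorize(operation: str, request_id: str, approvals: list[tuple[str, bytes]]) -> bool:
    """Allow the operation only if at least M *distinct* administrators validly approved it.

    Approvals are collected into a set of administrator names, so the same admin
    submitting the same approval several times still counts once.
    """
    required = QUORUM_POLICY.get(operation)
    if required is None:
        return False  # operations with no quorum policy are never approved by this gate
    approvers = {
        admin
        for admin, sig in approvals
        if verify_approval(admin, operation, request_id, sig)
    }
    return len(approvers) >= required


if __name__ == "__main__":
    req = "export-2024-001"  # constructed request identifier
    three = [(a, sign_approval(a, "key_export", req)) for a in ("admin1", "admin2", "admin3")]
    print("3 of 5 approve key export:", authorize("key_export", req, three))
    print("2 of 5 approve key export:", authorize("key_export", req, three[:2]))
    print("same approvals reused for another request:",
          authorize("key_export", "export-2024-002", three))
```

The gate only decides whether the quorum has been met; in a product such as ProtectV Volume the actual policy change or key export would additionally be logged and audited, which is the reporting the guide mentions for PCI and similar mandates.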
In addition, ProtectV Volume offers support for strong encryption algorithms, including FIPS-
approved AES 256 and 3DES, and it delivers the reporting, auditing, and logging capabilities
required by PCI and many other regulatory mandates for data privacy and protection.
Deployment Scenario
ProtectV Volume can be used in VMware and Xen virtualized environments, as well as Amazon
Web Services deployments. ProtectV Volume can be deployed in tandem with SafeNet
DataSecure, an appliance-based platform that offers data encryption and granular access
control capabilities. DataSecure can be applied to databases, applications, mainframe
environments, and individual files, making it a comprehensive solution for enterprises.
When the combined solution is deployed, DataSecure is used as the central management
mechanism for cryptographic keys, security policies, and administration. DataSecure resides
on the customer’s premises, so administrators can retain the control and visibility they require.
ProtectV Volume resides on virtualized servers and communicates with cloud storage systems,
enforcing encryption protection, so that only users who have been authenticated through
DataSecure are allowed to decrypt and use information.
[Figure: deployment scenario. On-premise: SafeNet DataSecure (supplemental security option), which provides file protection management, lifecycle key management, security policy enforcement, and access control. Cloud: a virtual server running ProtectV Volume in front of the data storage.]
By employing the ProtectV Volume solution, organizations can retain control over sensitive assets stored in
virtualized, multi-tenant cloud environments.