
A Security Practitioner’s Guide to the Cloud
Maintaining Trust and Control in Virtualized Environments with SafeNet’s Trusted Cloud Fabric

Executive Summary: To fully capitalize on the strategic potential of the
cloud, enterprises will need to address a key challenge: security. With its
comprehensive, flexible, and modular security solutions, SafeNet enables
enterprises to overcome the security challenges posed by the cloud. The
SafeNet Trusted Cloud Fabric enables enterprises to maximize security and
control in the cloud, migrate to new cloud services with optimal flexibility,
and fully leverage the cloud’s business benefits.

Introduction
Today, over 60% of enterprises, both large and small, plan to evaluate or pilot some type
of cloud-enabled offerings within the next 18 months [1]. For many applications, such as
sales force automation, project management, and marketing automation, SaaS-based
delivery has become the de facto standard. Yet for many enterprises, initial cloud initiatives
represent a virtual drop in the bucket in terms of what is ultimately possible.

Take, for instance, the case of a large multi-national retailer that looks to migrate its
virtual machines from internally sourced to cloud-based resources during the holiday
season. Given that 70% of its retail business is conducted during this four-week period,
the company stands to substantially reduce its IT operational expense through the
less-demanding months of the year—and save millions in the process.

It is with this type of strategic initiative that enterprises will begin to realize the full value
of the cloud’s elasticity and cost benefits. However, for these visions to become a reality,
a significant challenge needs to be addressed: guaranteeing security, trust, and control in
the cloud. What precautions do cloud providers have in place to guard against breaches?
How can businesses ensure sensitive data isn’t inadvertently co-mingling with another
client’s records in a virtualized, multi-tenant environment? How do businesses ensure and
demonstrate compliance of their cloud deployments?

Enterprises pursuing a host of cloud initiatives today are wrestling with these issues, and,
as the strategic value of cloud initiatives increases, so too does the security imperative.
These heightened security demands will spawn significant effort and investment from
enterprises and the security vendors that serve them. That’s why Forrester estimates cloud
security will grow into a $1.5 billion market in the next five years [2].

“Forrester fully expects to see the emergence of highly secure and trusted cloud services
over the next five years, during which time cloud security will grow into a $1.5 billion market
and will shift from being an inhibitor to an enabler of cloud services adoption.”
—Forrester Research

[1] Gartner, “Hype Cycle for Cloud Computing, 2010”, David Mitchell Smith, July 27, 2010
[2] Forrester, “Security And The Cloud: Looking At The Opportunity Beyond The Obstacle”, Jonathan Penn with
Heidi Shey, Christopher Mines, Chétina Muteba, October 20, 2010

The Solution: SafeNet’s Trusted Cloud Fabric
SafeNet delivers the industry’s most complete cloud fabric for virtualized environments,
enabling enterprises to ensure trust throughout the lifecycle of enterprise data. The
SafeNet Trusted Cloud Fabric enables enterprises to…

• Ensure security and compliance in the cloud. The SafeNet Trusted Cloud Fabric
represents a complete ecosystem of security solutions, weaving together persistent
protection, elastic encryption, anchored identity, and secured communication. With
these capabilities, SafeNet enables customers to retain complete control over how
data is isolated, protected, and shared—even in multi-tenant cloud environments.

• Take a practical migration path to the cloud. SafeNet offers a modular architecture
that gives organizations the flexibility to migrate to the cloud in the most effective
and efficient manner, and according to their specific timeframes, business objectives,
and security policies. SafeNet’s Trusted Cloud Fabric enables businesses to tackle
their most pressing security challenges, both in the near term and in the long term—
whether they’re looking to secure access to SaaS applications, encrypt storage in the
cloud, protect the communication links between private and public clouds, or address
a host of other objectives.

• Fully leverage the benefits of the cloud. The SafeNet Trusted Cloud Fabric features
high performance solutions built specifically to support virtualized environments.
In addition, SafeNet’s comprehensive solutions enable centralized governance and
management of sensitive data, applications, and systems across the data center and
the cloud. As a result, security teams can enjoy optimized administrative efficiency,
while businesses fully embrace cloud opportunities.

Sidebar: SafeNet Information Lifecycle Protection
The SafeNet Trusted Cloud Fabric is an extension of SafeNet Information Lifecycle
Protection, a comprehensive framework for securing data throughout the information
lifecycle. By extending trust and control when moving users, data, systems, and
applications to virtualized environments, SafeNet enables customers to seamlessly
integrate any cloud model into their near-term and long-term technology and security
strategies.

[Figure: Trusted Cloud Fabric components. Labels: Secure Virtual Storage, Secure Cloud Applications, Secure Virtual Machines, Secure Cloud-Based Identities and Transactions, Secure Access to SaaS, Secure Cloud-Based Communications, On-premise]

The Elements of the Trusted Cloud Fabric


When it comes to enterprise cloud initiatives, one size, strategy, or technology does not fit
all. Many enterprises will take disparate, multi-pronged approaches to the cloud, and will
need modular solutions that offer flexible integration points across public, private, and
hybrid clouds. SafeNet delivers a complete array of solutions, equipping enterprises with
the capabilities they need, when they need them—regardless of where they are in their
cloud adoption strategies. SafeNet offers these cloud-based solutions:

• Secure access for SaaS

• Secure cloud-based identities and transactions

• Secure virtual instances

• Secure cloud-based storage

• Secure cloud application data

• Secure cloud connections


[Figure: Secure access for SaaS. Labels: SaaS Apps, Cloud Applications, Salesforce.com, Google Apps, Federated SSO to the cloud, User authenticates using enterprise identity, SafeNet Authentication Manager (SAM)]

Secure Access for SaaS

The Mandate
Multi-factor authentication—whether through the use of one-time password (OTP) tokens,
certificates, USB tokens, or smart cards—has grown increasingly critical as organizations
look to secure remote users’ access to corporate systems. As enterprises move increasingly
strategic business services to the cloud, security teams will need to leverage centralized
security mechanisms that accommodate both traditional remote access scenarios and cloud
deployments.

The Solution
With SafeNet Authentication Manager, customers can leverage a unified authentication
infrastructure for both their on-premise and cloud-based services—providing a
centralized, comprehensive way to manage all access policies. When users try to access
one of the enterprise’s cloud services, for example a SaaS service like Salesforce.com
or Google Apps, they will authenticate using their existing SafeNet authentication
mechanisms, such as smart cards, USB tokens, or OTP via the user’s mobile phone.

The Benefits
SafeNet’s comprehensive authentication solutions make it easy for enterprises to
maximize authentication security for SaaS applications. SafeNet solutions offer an
unparalleled array of advantages for enterprises moving to the cloud:

• Comprehensive platform. All SafeNet solutions can be managed through
SafeNet Authentication Manager, a central management server that enables identity
federation, access controls, and strong authentication to both on-premise and SaaS
applications.

• Deployment and form factor flexibility. SafeNet offers the broadest authentication
portfolio, including hardware tokens, software authentication, one-time password
solutions, and more, ensuring organizations have the solutions tailored to their specific
security and business objectives.

• Advanced reporting. SafeNet authentication platforms offer extensive reporting
capabilities that streamline compliance with a host of security regulations and policies.

Sidebar: The Benefits of the Trusted Cloud Fabric

• Stay in control. Bring private data center security and control to public and
private clouds.

• Eliminate compromise. Boost security without compromising the elasticity,
scalability, or flexibility of cloud deployments.

• Keep it simple. Get integrated, centralized management, administration, and
policy enforcement of all domains—including internal data center and private,
public, and hybrid clouds.

• Make it persistent. Wrap protection around sensitive information throughout
its lifecycle, wherever it resides.

[Figure: Hardware Security Module. Labels: Private, Public, Hybrid, On-premise]

Secured Identities and Transactions


The Mandate
The virtualized nature of the cloud removes many of the physical workflow and perimeter-
based control points that helped secure sensitive information in traditional in-house
deployments. In order to adopt cloud services, while ensuring the requisite levels of trust
and security, enterprises must take a data-centric approach to security. This entails
employing cryptographic operations, such as data encryption and digital signatures, to
ensure the confidentiality and integrity of data and business processes. At the same time,
the use of cryptography can’t jeopardize the performance and reliability of cloud resources.

The Solution
SafeNet offers the most advanced and secure network-based HSMs, which are ideally
suited to the demands of virtual and cloud infrastructures. SafeNet HSMs, including
SafeNet Luna SA, offer an unparalleled combination of features—including central key and
policy management, robust encryption support, flexible integration, and more—that form
the basis of a secure cloud platform. In addition, SafeNet is the only HSM solution provider
to protect keys in hardware, ensuring that the cryptographic keys, paramount to securing
your application and sensitive information, never leave the confines of the hardware
appliance. Finally, SafeNet offers HSMs that feature FIPS- and Common Criteria-certified
storage of cryptographic keys.

The Benefits
By employing SafeNet HSMs for their cloud environments, enterprises can realize a range
of significant benefits:

• Maximize security. SafeNet enables organizations to retain effective control
through group-based policies, robust user access controls, and central key and
policy management of remote systems. Armed with the comprehensive, advanced
capabilities of SafeNet’s HSMs, organizations can efficiently leverage the many
benefits of cloud services and stay compliant with all pertinent regulatory mandates
and security policies.

• Reduce administrative costs and overhead. Combining the security benefits of
hardware security modules with the cloud delivery model, security implementations
can be far less expensive than traditional in-house deployments, putting state-of-the-
art security capabilities within reach of even small- and medium-sized businesses for
the first time.

• Realize long term scalability and flexibility. Each SafeNet HSM can support up to
100 clients and 20 partitions, enabling organizations to maximize the return on their
investment, while enjoying maximum scalability and flexibility to accommodate
changing business and technical requirements.

[Figure: ProtectV™ Instance. Labels: Virtual Machines, Hypervisor, Virtual Server, On-premise]

SafeNet DataSecure® (Supplemental Security Option):
• Manages encrypted instances
• Security policy enforcement
• Lifecycle key management
• Access control

Secured Virtual Instance Control


The Mandate
Today, enterprises are increasingly moving servers from traditional dedicated data centers
to shared, virtualized infrastructures, whether based in public or private clouds. Given that
these virtual servers often contain sensitive corporate information—including personnel
records, intellectual property, customer information, and more—the loss or theft of these
virtual assets can be disastrous.

In order to meet their regulatory or internal risk management policies, enterprises must
address a host of challenges posed by virtualized instances, including controlling privileged
administrator access, guarding against potential unlimited copying, overcoming the lack
of visibility and auditability, and mitigating the exposure of raw data. To address these
challenges and safeguard the sensitive information held in virtual servers, organizations
must go beyond simple user access controls and actively secure virtual servers.

The Solution
In order to mitigate the risk virtual servers can pose to sensitive data, SafeNet offers
ProtectV Instance, which enables organizations to encrypt and secure entire contents of
virtual servers, protecting these assets from theft or exposure. With ProtectV Instance,
data contained on the drive is secured, even offline and during instance activation.
ProtectV Instance provides a critical separation of duties for control of virtual servers and
adds the critical visibility needed to audit cloud-based servers.

The Benefits
By leveraging full disk encryption for virtual servers in the cloud, enterprises can maintain
ownership and control of their sensitive data—and so safeguard against the damage of
unauthorized theft or manipulation. Even if a drive is replicated, a virtual analog of a lost
laptop, security teams can still rest assured that their sensitive data won’t be exposed to
unauthorized access. With ProtectV Instance, organizations can maximize the benefits of
their private and public cloud deployments, including infrastructure as a service (IaaS),
without compromising security.

[Figure: ProtectV™ Volume. Labels: Data, Storage, Virtual Server, On-premise]

SafeNet DataSecure® (Supplemental Security Option):
• Manages file protection
• Security policy enforcement
• Lifecycle key management
• Access control

Secured Cloud-based Storage

The Mandate
For many organizations, the prospect of leveraging elastic, pay-as-you-go services for
housing their exponentially expanding volumes of files and digital assets represents a
significant opportunity. For many organizations however, particularly those who must meet
regulatory mandates, security risks posed by keeping information in multi-tenant cloud
storage servers can make the cloud a nonstarter.

The Solution
SafeNet offers three solutions for securing cloud storage:

• SafeNet ProtectV Volume software enables enterprises to secure their files or folders
on cloud storage volumes.

• SafeNet for NetApp storage, enabling protection of files on NetApp storage systems.

• SafeNet ProtectFile, delivering capabilities for encrypting sensitive folders and files
kept on the hard drives of local and remote servers, network drives, file servers, and
virtualized systems, whether on or off premise.

The Benefits
With SafeNet, enterprises can efficiently leverage many of the benefits of cloud services,
while retaining effective security controls. With SafeNet solutions, organizations can
leverage the cloud for applications that would have previously been off limits from a
security standpoint. With SafeNet, enterprises can realize a range of benefits:

• Boost user productivity. Through their transparent, seamless security enforcement,
SafeNet solutions enable authorized users to enjoy more consistent and
reliable access in a manner that is seamless and transparent, which can help
optimize productivity.

• Lower costs. By enabling comprehensive, cohesive security policy enforcement in the
cloud, SafeNet solutions enable organizations to move more business services into
the cloud, and so more fully enjoy the cost savings these models deliver. In addition,
by centralizing and streamlining security administration and enforcement, SafeNet
solutions deliver significant cost reductions.

• Increase business agility. Inherently, cloud offerings enable organizations to scale or
contract much more quickly and cost effectively than if they were relying on internally
hosted infrastructures. Through its support of dynamic cloud environments, SafeNet
solutions provide organizations with an unparalleled ability to take advantage of the
cloud’s flexibility to more quickly adapt to changing requirements.

[Figure: Secured cloud application data. Labels: Database, Application, ProtectDB, ProtectApp, Tokenization, Local crypto and key caching, DataSecure®, On-premise]

Secured Cloud Application Data

The Mandate
For virtually any enterprise, safeguarding the trust of consumers is essential. While
migrating applications to SaaS and PaaS enables dramatic cost savings for the
organization as well as ubiquitous access for users, this move means critical customer
data ultimately resides in an environment not owned or controlled by the organization.
Without active protection of the data entering the application, the potential risks
associated with this loss of control and trust are severe.

In order to satisfy both the economic benefits and security requirements of cloud-based
applications, organizations must satisfy several core requirements:

• Transparent application integration. Organizations must have the ability to encrypt
data in their own application development environment, with simple integration that
doesn’t require them to be cryptography experts.

• Centralized control and management. Controlling data must be centralized to minimize
operational costs and provide the capabilities required for auditing and separating
administrative duties.

• Flexible and agile deployment. Given that organizations will use multiple cloud
providers, and change service providers over time, organizations need capabilities that
enable flexible data protection controls when migrating to different vendors.

The Solution
In order to maintain security and business continuity while moving into the cloud,
businesses can deploy DataSecure on premise and configure and provision ProtectApp
to secure virtualized applications that interact with such sensitive data as credit cards,
personally identifiable information, and more. ProtectApp is available in a wide variety of
development platforms to enable transparent integration, while the centralized control
via DataSecure provides the flexibility to work with multiple cloud providers. The on-
premise DataSecure platform is anchored as the root of trust for policy enforcement and
lifecycle key management. In the cloud, ProtectApp handles encryption and key caching
locally to deliver optimal performance. Because the data is protected as it is generated
and stored on databases in the cloud and the keys are kept with the application server,
enterprises can ensure sensitive data remains secure and demonstrate compliance with
relevant mandates.

The Benefits
With SafeNet, organizations can utilize SaaS and PaaS for their applications, while also
protecting their own customers’ data. In addition, the flexibility of the solution enables the
deployment of these protections with minimal operational overhead and maximum agility
to work with multiple cloud providers.

[Figure: High Speed Encryptor. Labels: On-premise, Private]

Secured Cloud Communications


The Mandate
Whether an organization is moving aggressively or tentatively into cloud-based services,
the reality is that just about every enterprise will have a hybrid mix of services—including
on-premise, private cloud, and public cloud—in place at any given time. As a result,
an organization’s sensitive assets will often need to be transported across a wide area
network (WAN) as data and processing are shared across these geographically distributed
deployments. To build a trusted hybrid multi-site infrastructure, enterprises need to employ
encryption to secure the transport of data across their WANs, while at the same time,
ensuring high-speed, low-latency communications between these distributed sites.

The Solution
Today, SafeNet offers advanced layer 2 encryption solutions that enable organizations to
secure WAN communications—while eliminating the challenges and obstacles presented
by traditional IPsec encryption approaches. SafeNet Ethernet Encryptors provide the
administrative efficiency and optimized performance and bandwidth utilization that make
it ideally suited to an enterprise’s private cloud environment.

The Benefits
With SafeNet Ethernet Encryptors, organizations can ensure trusted communications
across all their cloud-based and internally hosted sites, and so gain a range of benefits:

• Boost user productivity. Through its high performance and reliability, SafeNet enables
authorized users to quickly and securely transfer communications, media, and other
data from the enterprise to the cloud—optimizing productivity.

• Lower costs. By eliminating costly overhead for expensive transport pipes and providing
full throughput, SafeNet offers immediate cost savings in the cloud and across the
enterprise. In addition, as cloud models evolve, businesses can easily add new devices
into their existing cloud environment. By centralizing and streamlining security
administration, management, and enforcement, SafeNet delivers significant cost
reductions.



• Increase business agility. Inherently, cloud offerings enable organizations to scale or
contract much more quickly and cost effectively than if they were relying on internally
hosted network infrastructures. Through its support of dynamic cloud environments,
SafeNet provides organizations with an unparalleled ability to take advantage of the
cloud’s flexibility to more quickly adapt to changing requirements.

SafeNet Trusted Cloud Fabric


SafeNet delivers the industry’s most complete cloud fabric for virtualized environments,
enabling enterprises to ensure trust throughout the lifecycle of enterprise data. The
SafeNet Trusted Cloud Fabric™ represents a complete ecosystem that weaves together
persistent protection, elastic encryption, anchored identity, and secured communication.
With these capabilities, SafeNet brings trust to customers by delivering ownership and
control over how data is isolated, protected, and shared—even in multi-tenant cloud
environments. An extension of SafeNet Information Lifecycle Protection, the SafeNet
Trusted Cloud Fabric™ enables customers to seamlessly integrate any cloud model into
their near-term and long-term security strategies.

About SafeNet, Inc.


Founded in 1983, SafeNet is a global leader in information security. SafeNet protects its
customers’ most valuable assets, including identities, transactions, communications, data
and software licensing, throughout the data lifecycle. More than 25,000 customers across
both commercial enterprises and government agencies and in over 100 countries trust their
information security needs to SafeNet.

Contact Us: For all office locations and contact information, please visit www.safenet-inc.com
Follow Us: www.safenet-inc.com/connected
©2011 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet.
All other product names are trademarks of their respective owners. WP (EN)-02.17.11
