Vidder Blog

Secure Enclaves: Public Clouds for Confidential Workloads

Posted by Greg Ness on Nov 13, 2017 5:54:24 PM

One of the most significant new opportunities for public cloud is the processing and storage of regulated data. Until recently the idea was deemed heretical, mainly due to regulatory and compliance costs and the difficulty of interlocking physical and virtual security controls. That has changed due to a recent Vidder project for a public financial services firm with more than $10B in assets.

The Business Case

Regulated physical data centers are very expensive to own and operate. From the racks and stacks to the mechanical/electrical/power/security infrastructure and the people required to maintain availability and security, hardware costs can be dwarfed by operating expenses. In many cases, including unpredictable workloads and out-of-date infrastructure needing a refresh, public clouds like Amazon offer a superior operating model.

And many regulated data centers are older, with less density and energy efficiency, making them more costly than cloud data centers with advanced infrastructure and security controls, which are also often located in areas with low cost power and high available bandwidth.

Yet complex regulatory requirements and high migration costs have kept the public clouds out of reach for virtually all regulated on-premises environments, despite the opportunity for enhanced security, agility and efficiency. Technology breakthroughs like software defined perimeter solutions are changing the game.

New Thinking Driven by New Technology

Clouds have developed advanced security options, including partitioning and encryption, that can help regulated entities create secure enclaves. By integrating software defined perimeter (SDP) with the cloud's advanced security capabilities, secure enclaves can be created that allow regulated organizations to easily deploy in public cloud environments.

What is a Secure Enclave?

Conceptually, a secure enclave is a virtual container within the public cloud which is interlocked with a secured facility’s physical and virtual security controls. In essence, it’s a scalable cloud environment that is an extension of a secured physical facility via a combination of network, security and cryptographic protocols.

Applications inside the secure enclave are accessible only from the regulated data center. Active Directory is utilized for application layer access control to the enclave. Digital certificates and key management are managed by a single Issuing CA/HSM.

Benefits include the extended footprint of the regulated data center to the public cloud, maintenance of strict compliance requirements for application access/logging and full cryptographic integration between physical and virtual systems.

[Figure: Secure Enclave Diagram]

As you can see above, the two environments are connected via an MPLS/IPsec site-to-site connection between the secure facility and public cloud. The SDP gateway obscures the workload from the view of untrusted clients within the secure facility.

Users must be authenticated and authorized by their organization, even when accessing the enclave from within a secured facility. This protects the enclave from attacks from inside, including predatory malware, credential theft, server exploitation and network attacks. The secure enclave is also only accessible from the organization’s facilities, thus blocking lateral attacks from inside the public cloud.

Secure Enclave Uses

Secure Enclaves can be used for a broad array of regulated environments, from financial and medical to law enforcement.

Vidder’s software defined perimeter (SDP) solution is already deployed at leading financial and consumer product companies, including in the first secure enclave utilized by a financial institution in AWS. The public cloud offers highly regulated organizations a much lower cost structure and more scalable operating environment than legacy data centers. These organizations are now able to utilize the AWS Marketplace for enhanced agility and deployment options without compromising on security!

For more information request a briefing from our expert team.

 


About Vidder

Vidder is changing how modern day enterprises approach security in an increasingly untrusted IT landscape. PrecisionAccess™ enables secure, trusted access to critical business applications in today’s perimeterless enterprise. With PrecisionAccess, enterprises can continue to evolve their business ecosystem through major IT trends like cloud migration and outsourcing with assurance that their most valuable applications are safe.
