VSM: Porticor has recently launched as a company, and introduced a new solution for protecting private data in virtualized environments. Can you provide us with a brief overview of your new company?
GPN: Yes, I would be happy to. I joined with other experts in security, cloud computing and cryptography to start Porticor in 2010 to protect private information stored in virtual environments and public clouds.
As businesses seriously consider migrating to the cloud, one of the most significant concerns is data security. We understood that encryption was necessary for securing data at rest, yet we saw that the critical issue of keys stored in the cloud was going unaddressed. So we formed Porticor to enable companies of all sizes to safeguard their data, comply with regulatory standards, and streamline operations, while eliminating the need to trust the security vendor or the virtualization provider with the most important security element around data in the cloud – the encryption keys.
VSM: And what about the new Virtual Private Data security solution?
GPN: The Porticor VPD system introduces a number of industry firsts:
- It is the industry’s first solution that provides trust and control for data at rest, while working 100 percent in virtual, public, private and hybrid cloud environments.
- It is the industry’s first solution with patent-pending homomorphic split-key encryption technology to ensure the encryption key itself is never exposed in its unencrypted format.
- It is the industry’s only cloud data protection system that delivers data security across virtual disks, databases, and distributed storage and file systems.
Specifically, the Porticor VPD system is made up of the Porticor Virtual Appliance (or Agent) and the Porticor Virtual Key Management Service to deliver the industry’s highest level of data privacy in a virtual environment for data protection and compliance with regulations such as SOX, HIPAA, PCI DSS and GLBA, while also solving the issues raised by EU Data Protection and the U.S. Patriot Act.
VSM: What are the most significant threats to organizations’ private data stored in virtual and cloud environments?
GPN: In a virtual cloud environment, an enterprise’s data is no longer within their four walls. This exposes virtualized/cloud users to the following new threats which are unique to a cloud environment:
- In a virtualized infrastructure scenario – an attacker could steal the credentials to your cloud management and gain access to all of your virtual disks.
- Enterprises share the same infrastructure and therefore the separation between users is logical and not physical. If attackers gain access to a specific portion of the customer’s virtual account, they could exploit a network, virtualization or operating system vulnerability and get access to others’ data stored on a different virtualized portion.
- We can’t forget the internal threat. It is highly unlikely, but possible, that a cloud provider employee will be involved in data theft. The more realistic scenario is an accidental incident related to an insider with physical access to the data center. One well known example is the HealthNet case where 1.9 million customer records of HealthNet, a major health insurer located in the U.S., were lost after its IT vendor misplaced nine server drives following a move to a new data center.
The above threats highlight the importance of an effective encryption and key management system in a virtualized environment.
VSM: Why is it so difficult to secure data and meet audit and compliance control requirements in a virtual environment?
GPN: Securing data-at-rest is considered less risky when it is located within the four walls of a private data center. But once data is moved to the cloud and virtual environments, the question becomes “who do I trust?” For example, can I trust the cloud provider with my encryption keys? Probably not, and it is definitely not recommended to store the encryption keys with the data itself. How about trusting a third party vendor? Recent attacks on RSA and VeriSign show that the security vendors themselves are vulnerable to attacks, as well.
VSM: Aren’t there current solutions already available addressing these issues?
GPN: There are some solutions out there, but traditional data security solutions require costly software licenses and operational overhead. Other cloud encryption solutions put enterprises’ encryption keys in the hands of the security vendor or cloud providers. The current solutions are an evolution of security technologies into the cloud virtualization era, and are not necessarily built for the cloud, or with the cloud in mind.
VSM: What is different about your solution? Why is this important?
GPN: Porticor’s patented Virtual Key Management service, with breakthrough split-key encryption technology and built for homomorphic key encryption, keeps the encryption key in the customer’s control, not in the control of the security vendor or cloud provider. This is the first time such techniques have been used in a commercial product. Also, Porticor provides a cost-effective virtual appliance that requires no encryption or key management experience to encrypt customers’ entire data layer with the proven AES 256-bit encryption algorithm within minutes.
With Porticor’s VPD, each data object, such as a disk or file, is encrypted with a unique key which is split in two: a master key and a specific key. The master key is common to all data objects of one application, and remains the sole possession of the application owner and is unknown to Porticor; while the second specific key is different for each data object and is stored by the Porticor Virtual Key Management Service. As the application accesses the data store, Porticor uses both parts of the key to dynamically encrypt and decrypt the data. When the master key is in the cloud, it will be homomorphically encrypted – even when in use – and can never be seen in the cloud.
VSM: OK, so can you briefly describe to me what split-key encryption and what homomorphic encryption are, and why they are important in a virtual environment?
GPN: A good analogy for the split-key encryption technology would be that of a safety deposit box with two keys. One key belongs to the customer, the second key belongs to the banker, and only the combination of both keys will open the safe. Porticor uniquely adopted this approach for the world of data encryption in virtualized environments. For each project, Porticor generates a unique master key which is known only to the customer. At the same time, Porticor generates multiple keys per project to encrypt the customer data. But only the combination of the master key and the Porticor-generated keys will decrypt the data. This allows Porticor to create an encrypted environment without knowing the customer’s encryption key – an industry first. Homomorphic split-key encryption allows Porticor to perform encryption and decryption actions without ever storing the master key in its unencrypted format.
VSM: What are some of the benefits an organization should expect to experience with the Porticor solution?
GPN: Basically, you are outsourcing the complexity of the security solution, but you are keeping the control and trust for yourself. Using our technology, Porticor enables virtual and cloud users to create a secured encrypted environment within minutes while completely eliminating the need to trust the security vendor or cloud provider with their encryption keys, therefore solving the biggest challenge for data encryption in the cloud – storing the keys. This best ensures the privacy of data stored in the cloud and virtual environments.
VSM: Who is your target market?
GPN: Any organization which has its data in virtual or cloud environments, or is planning to move to virtual or cloud environments, is a good target for Porticor.
VSM: But why would enterprises be willing to outsource their security requirements?
GPN: With Porticor, enterprises actually maintain their security controls, and do not outsource them. What they do outsource is the complexity usually required for secure solution deployment. In addition to the quick and seamless deployment process, enterprises can also integrate Porticor into their workflow using the Porticor API, allowing them to automate and scale their security solution together with the rest of the environment.
VSM: Can you talk about a customer scenario, and what their virtual data security needs and requirements are?
GPN: An interesting scenario is virtual disaster recovery. One of our customers would like to use a virtualized cloud for disaster recovery purposes but until now did not move forward because of his data security concerns. Using Porticor he was able to ensure that his most confidential data remained secure and encrypted in a public environment while maintaining control of the encryption keys and not compromising on other virtual advantages, such as scalability and flexibility.
VSM: What can we expect to see from Porticor in the future?
GPN: We are on a very intense release schedule driven by our customer requirements. You can expect us to deliver on the best clouds and virtual environments.
VSM: It’s been great chatting with you today. Anything else you’d like to share about the state of virtualized data protection or the new Porticor solution?
GPN: Certainly. Starting to use Porticor is as simple as clicking through a wizard; it really can be up in minutes. Just go to http://www.porticor.com and give us a try.