Q&A with Gilad Parann-Nissany of Porticor
VSM: Porticor has recently launched as a company, and introduced a new solution for protecting private data in virtualized environments. Can you provide us with a brief overview of your new company?
GPN: Yes, I would be happy to. I joined with other experts in security, cloud computing and cryptography to start Porticor in 2010 to protect private information stored in virtual environments and public clouds.
As businesses seriously consider migrating to the cloud, one of the most significant concerns is data security. We understood that encryption was necessary for securing data at rest, yet we saw that the critical issue of keys stored in the cloud was going unaddressed. So we formed Porticor to enable companies of all sizes to safeguard their data, comply with regulatory standards, and streamline operations, while eliminating the need to trust the security vendor or the virtualization provider with the most important security element around data in the cloud – the encryption keys.
VSM: And what about the new Virtual Private Data security solution?
GPN: The Porticor VPD system introduces a number of industry firsts:
- It is the industry’s first solution that provides trust and control for data at rest, while working 100 percent in virtual, public, private and hybrid cloud environments.
- It is the industry’s first solution with patent-pending homomorphic split-key encryption technology to ensure the encryption key itself is never exposed in its unencrypted format.
- It is the industry’s only cloud data protection system that delivers data security across virtual disks, databases, and distributed storage and file systems.
Specifically, the Porticor VPD system is made up of the Porticor Virtual Appliance (or Agent) and the Porticor Virtual Key Management Service to deliver the industry’s highest level of data privacy in a virtual environment for data protection and compliance with regulations such as SOX, HIPAA, PCI DSS and GLBA, while also solving the issues raised by EU Data Protection and the U.S. Patriot Act.
VSM: What are the most significant threats to organizations’ private data stored in virtual and cloud environments?
GPN: In a virtual cloud environment, an enterprise’s data is no longer within their four walls. This exposes virtualized/cloud users to the following new threats which are unique to a cloud environment:
- In a virtualized infrastructure scenario – an attacker could steal the credentials to your cloud management and gain access to all of your virtual disks.
- Enterprises share the same infrastructure and therefore the separation between users is logical and not physical. If attackers gain access to a specific portion of the customer’s virtual account they could exploit a network, virtualization or operating system vulnerability and get access to others’ data stored on a different virtualized portion.
- We can’t forget the internal threat. It is highly unlikely, but possible, that a cloud provider employee will be involved in data theft. The more realistic scenario is an accidental incident related to an insider with physical access to the data center. One well-known example is the HealthNet case where 1.9 million customer records of HealthNet, a major health insurer located in the U.S., were lost after its IT vendor misplaced nine server drives following a move to a new data center.
The above threats highlight the importance of an effective encryption and key management system in a virtualized environment.