BYOK: Leveraging Cloud Encryption Without Compromising Control

Post on 28-Apr-2018


TRANSCRIPT

SESSION ID: CSV-F03

#RSAC

BYOK: Leveraging Cloud Encryption Without Compromising Control

Sol Cates
VP of Technical Strategy, CTO, Thales e-Security
CSO, Thales e-Security
@solcates

Let's Begin

• So Many Clouds
• Who Does What and Where It Gets Murky
• It's Not Just Me Telling You, and Tools You Can Use
• Encryption and Key Management Options for IaaS/PaaS
• Key Management for SaaS
• BYOK 101
• Smart Questions
• How to Apply

Data Protection Shared Responsibility Model

[Figure: three stacks, one each for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Each stack shows the layers Application, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage and Networking, and each layer is marked as either Customer Responsibility or Provider Responsibility; where the line between the two falls differs by cloud model.]

Cloud Security Alliance – Your Ally

• Global, nonprofit
• Building security best practices for next generation IT
• The globally authoritative source for trust in the cloud

Key CSA Resources to Make You Smarter

Cloud Controls Matrix

• Cloud supply chain risk management
  - Delineates control ownership: Provider, Customer
  - Ranks applicability to cloud provider type: SaaS vs PaaS vs IaaS
  - Anchor for security and compliance posture measurement
• Maps to global regulations and standards
  - NIST, ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP; mappings always growing

Consensus Assessment Initiative Questionnaire

• Cloud Controls Matrix companion
• Binary questions assess CCM compliance
  - Narrative explanations permitted
• Create consistent cloud provider assessment processes
• Enables cloud providers to self-assess security posture

Encryption in the CCM/CAIQ

Encryption & Key Management: "Platform and data-appropriate encryption … shall be required."
[Encryption] Keys:
  • shall not be stored in the cloud, but
  • shall be maintained by the cloud consumer or trusted key management provider.
(CAIQ response shown for each item: Yes)

We're coming back to this point in a moment…

Encryption Options

Data Protection with Encryption: Varies by Cloud Model

Cloud Model           | IaaS                     | PaaS / SaaS
Encryption Mechanism  | Native or Bring Your Own | • Native  • CASB
Considerations        | If native, seek BYOK     | If native, seek BYOK; you can't bring your own

Native or Bring Your Own Encryption to IaaS?

BYOE Advantages
• Same architecture across multiple cloud providers
• You always control your keys

Native Disadvantages
• Block-level/FDE only
• No protection for data in use

Bringing Your Own Key to IaaS Native Encryption, and PaaS and SaaS

BYOK's Origins

BYOK was born out of necessity:
• Cloud providers use/create/store your data
• You want your data protected
• Cloud providers are starting to offer encryption, yet most hold the keys
• Customers want/need to control their keys
  - Regulatory
  - Best practices (CSA, etc.)

Understanding Bring Your Own Key

A customer-supplied or managed master key, or derived key. There are a few architecture trends to understand:

• Customer Master Key Import
  - Customer creates keys
  - Exports keys to cloud provider as master key to protect either data, or data keys
• Derived Key Creation
  - Customer delivers master key trusted by the provider to create derived keys for usage in the provider's encryption
• Hold Your Own Key (HYOK)
  - Provider calls customer-hosted service for encryption, key decryption or key provisioning services

Customer Master Key Import

1. Create "Import Key" in cloud
2. Import Public Key to your HSM or OpenSSL
3. Create AES Master Key in HSM/OpenSSL
4. Export Master Key wrapped with Public Import Key
5. Import Wrapped CMK to cloud

[Figure: Your Premises/Your Control (Hardware Security Module (HSM) or OpenSSL) receives the Import Key from, and returns the Wrapped Master Key to, the IaaS/PaaS/SaaS provider's Encryption Engine.]
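The five-step import flow worked through in Go, as an added example that is not code from the talk or from any provider's SDK: the cloud side generates the RSA import key, the customer wraps a fresh AES master key with RSA-OAEP under its public half, and the provider unwraps the CMK and uses it in its encryption engine. The function names, RSA-2048 with OAEP/SHA-256 as the wrapping scheme and AES-256-GCM as the provider's engine are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Step 1 (cloud side): create the RSA "import key"; only its public half leaves the provider.
func cloudCreateImportKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Steps 2-4 (your premises): make a 256-bit AES master key and wrap it with RSA-OAEP under the public import key.
func customerWrapMasterKey(importPub *rsa.PublicKey) ([]byte, []byte) {
	masterKey := make([]byte, 32)
	rand.Read(masterKey) // the plaintext key stays here; only the wrapped copy below leaves your control
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, importPub, masterKey, nil)
	if err != nil {
		panic(err)
	}
	return masterKey, wrapped
}

// Step 5 (cloud side): unwrap the CMK with the private import key and use it in the encryption engine (AES-256-GCM here, an assumption).
func cloudImportAndEncrypt(importPriv *rsa.PrivateKey, wrapped, record []byte) ([]byte, []byte) {
	cmk, err := rsa.DecryptOAEP(sha256.New(), nil, importPriv, wrapped, nil)
	if err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(cmk)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return cmk, gcm.Seal(nonce, nonce, record, nil) // nonce || ciphertext || tag
}

func main() {
	ik := cloudCreateImportKey()
	_, wrapped := customerWrapMasterKey(&ik.PublicKey)
	_, ct := cloudImportAndEncrypt(ik, wrapped, []byte("constructed sample record"))
	fmt.Printf("wrapped CMK %d bytes, ciphertext %d bytes\n", len(wrapped), len(ct))
}
```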

Derived Key Creation

1. Cloud provider's key is encrypting
2. You create your key in HSM or OpenSSL
3. Wrap and send to your cloud provider
4. Keys combined mathematically
5. New key you control

[Figure: Your Key from Your Premises/Your Control (Hardware Security Module (HSM) or OpenSSL) is combined with the provider's Original Key by Cryptographic Math to produce the Derived Key used by the IaaS/PaaS/SaaS provider's Encryption Engine.]
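Steps 1 to 5 of derived key creation as an added Go example, not code from the talk: the "combined mathematically" step is modelled here as an HKDF-style extract-then-expand over HMAC-SHA256, which is an assumption (the slide does not say how providers combine the keys), and the transport wrapping of step 3 is left out. The function names and the tenant label are also assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// deriveKey is step 4, "keys combined mathematically", modelled as HKDF extract-then-expand
// (RFC 5869) over HMAC-SHA256: the customer key is the salt, the provider's key the input
// keying material, and the label binds the result to one tenant or purpose. Neither party
// can compute the result from its own key alone.
func deriveKey(providerKey, customerKey []byte, label string) []byte {
	extract := hmac.New(sha256.New, customerKey)
	extract.Write(providerKey)
	prk := extract.Sum(nil) // pseudorandom key depending on both inputs
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(label))
	expand.Write([]byte{0x01}) // counter of the first (and only) HKDF output block
	return expand.Sum(nil)     // 32-byte derived key: the "new key you control"
}

// newKey is step 2 on your premises: a fresh 256-bit key (from an HSM or OpenSSL in practice).
func newKey() []byte {
	k := make([]byte, 32)
	rand.Read(k)
	return k
}

// rotationRetiresDerivedKey shows step 5: replacing the customer key changes every key derived
// from it even though the provider's own key is unchanged, so withdrawing your key retires them.
func rotationRetiresDerivedKey(providerKey []byte, label string) bool {
	before := deriveKey(providerKey, newKey(), label)
	after := deriveKey(providerKey, newKey(), label)
	return !hmac.Equal(before, after)
}

func main() {
	providerKey := newKey() // constructed stand-in for the provider's existing key (step 1)
	customerKey := newKey()
	dk := deriveKey(providerKey, customerKey, "tenant-42/object-storage")
	fmt.Println("derived key:", hex.EncodeToString(dk))
	fmt.Println("rotation retires derived key:", rotationRetiresDerivedKey(providerKey, "tenant-42/object-storage"))
}
```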

Hold Your Own Key – Scenario 1

• Encryption engine and keys in your possession
  § On your premises or elsewhere
• Cloud provider sends and receives your data
  § Sends data for decryption / receives clear
  § Sends clear / receives encrypted

[Figure: Your Keys and Encryption Engine sit on Your Premises/Your Control (Hardware Security Module (HSM) or OpenSSL); Databases and File Systems sit at the IaaS/PaaS/SaaS provider.]

Hold Your Own Key – Scenario 2

• Encryption engine and encrypted key at cloud provider
• Cloud provider requests key decryption for use

[Figure: Hardware Security Module (HSM) or OpenSSL on Your Premises/Your Control; Encryption Engine, Databases and File Systems at the IaaS/PaaS/SaaS provider.]
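Scenario 2 as an added Go example, not the talk's code: the customer-hosted service holds the master key and the usage policy, while the provider stores only the wrapped data key and calls back to have it decrypted before each use. AES-256-GCM as the key-wrapping primitive, the type and function names, the caller identities and the policy map are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds an AES-256-GCM AEAD for wrapping and unwrapping the data key.
func gcmFor(key []byte) cipher.AEAD {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g
}

// CustomerKeyService runs on your premises: it holds the master key (KEK) and the usage policy.
type CustomerKeyService struct {
	kek     []byte
	allowed map[string]bool // provider principals permitted to request key decryption
}

// WrapDataKey returns the provider's data key as nonce || ciphertext || tag under the KEK; only this blob is stored in the cloud.
func (s *CustomerKeyService) WrapDataKey(dek []byte) []byte {
	g := gcmFor(s.kek)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, dek, nil)
}

// UnwrapDataKey is the HYOK call-back: customer policy, not provider policy, gates release of the plaintext key.
func (s *CustomerKeyService) UnwrapDataKey(caller string, wrapped []byte) ([]byte, error) {
	if !s.allowed[caller] {
		return nil, errors.New("hyok: caller not authorised by customer policy")
	}
	g := gcmFor(s.kek)
	n := g.NonceSize()
	if len(wrapped) < n+g.Overhead() {
		return nil, errors.New("hyok: malformed wrapped key")
	}
	return g.Open(nil, wrapped[:n], wrapped[n:], nil) // a tampered blob fails authentication here
}

// providerRequestDataKey is the cloud-side engine asking for its key before each use; svc == nil models the customer service being unreachable, the SLA exposure of HYOK.
func providerRequestDataKey(svc *CustomerKeyService, caller string, wrapped []byte) ([]byte, error) {
	if svc == nil {
		return nil, errors.New("hyok: customer key service unavailable, data stays encrypted")
	}
	return svc.UnwrapDataKey(caller, wrapped)
}
```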

Hold Your Own Key – Scenario 3

• Encryption engine in cloud
• Cloud provider requests keys for en- and decryption
• Keys have TTLs

[Figure: Hardware Security Module (HSM) or OpenSSL on Your Premises/Your Control; Encryption Engine, Databases and File Systems at the IaaS/PaaS/SaaS provider.]

Things to Consider

Derived Key and Master Key Import
• Keys are "imported" into the cloud provider
• Authorization of the keys' usage is dependent on the provider's model
• Doesn't impact SLAs. Provider must guarantee key availability

Hold Your Own Key
• Master keys remain in the hands of the customer
• Authorization of the keys' usage is governed by the customer
• Could impact SLAs. Customer must guarantee key availability

BYOK vs BYOE

Differences between BYOE and BYOK

BYOE
• Customer brings their own encryption and key management.
• Works great in IaaS workloads: it's just another VM after all…
• CASB for SaaS and PaaS, but provider can't see data nor index it nor analyze it nor add value to it, and could break it…

BYOK
• CSP provides native or application encryption
• Customer brings/imports/manages their own key
• Works great in SaaS/PaaS workloads: designed-in encryption with customer managing the keys
• IaaS usually provides only block-level encryption: doesn't reduce risk to data in use

Smart Questions

Smart Questions for IaaS

• Do they offer BYOK?
• What is encrypted and how is it encrypted?
• Do I import keys, derive keys, salt key creation, or reply to a key request?
• Can I control where the key, or derived keys, are used, and who can authorize usage of the key?
• How do I revoke and rotate the key(s)?
• If my keys expire… what happens?
• Does it protect from remote data breach?
• Which users and processes have access to the key material?

"Apply" Slide

When you get home
• Determine what your organization's risk appetite is for cloud-hosted data

Within 30 days
• Consult your CSPs to find out what BYOK approach they offer
• Ask smart questions about how BYOK works within their offering

Within 60 days
• Target a CSP to either BYOK or BYOE to get comfortable with cloud encryption

Questions?
