Encryption in the Cloud - BrightTALK Data Security Summit 2013
DESCRIPTION
Data is what underpins many companies' success, yet when it comes to protecting that data, companies are underinvesting in security capabilities. With the move to cloud computing, data security issues are not going away; instead they are getting bigger visibility. However, should companies only care about data security when their data is in the Cloud? Or should it be irrelevant where the data is processed or stored, with data security high on the CIO's agenda regardless? This session will look at strategic options and discuss the people, processes and technologies that companies should be looking at.
TRANSCRIPT
Encrypting your data: Is there a difference between Cloud and your internal data centre?
Vladimir Jirasek, Founder of Jirasek Consulting Services; Research director, Cloud Security Alliance, UK chapter
16 January 2013
What you will learn today
Security architecture prime for CIOs
Encrypt, or not encrypt, that is the question!
Alternatives to encryption
Types of encryption
Encryption as a security boundary
Cloud delivery models and encryption
Practical examples of encryption in Public
AES-128 so it must be secure! Trust me!
[Diagram: a "Secret" PDF leaves the Cloud service user as an encrypted bit stream and arrives at the Cloud service provider]
Just because it is encrypted does not make it secure… Look end to end.
However, not all data in the cloud is secret!
Sometimes too much encryption is bad though.
Who holds encryption keys? Are they available?
Should data security be on CIOs agendas?
Not many security breaches so far. Why?
Will become targeted as more enterprises rely on public Cloud computing
Mandatory reading!
[Diagram: Cloud provider reputation/costs against your company's reputation/costs; consolidation of Cloud providers; cost savings in Enterprises; PaaS/SaaS]
Most breaches are internal!
CIOs! Security architecture is not just firewalls and encryption…
A clever, sophisticated and fit-for-purpose combination of administrative and technical controls
The right mix of controls across all security domains: preventative, detective (mostly neglected) and recovery
Start with Processes then fit People and Technology
Types of encryption and security boundary
Encryption types
Symmetric – one key to encrypt and decrypt. Fast, and a short key (128–256 bits) already gives strong security
Asymmetric – a mathematically related key pair where one key decrypts what the other encrypted (RSA builds the pair from large prime numbers). Slower, and much bigger keys are needed for the same strength as a symmetric key (RSA needs 3072 bits for AES-128-equivalent strength; ECC needs roughly twice the symmetric key length). Size of output depends on size of keys
Homomorphic – not a new concept, but a fully homomorphic scheme was first constructed by Craig Gentry (2009). Allows operations on encrypted data without revealing the content, although performance is still a barrier to practical use!
Security boundary
Encryption can be used as a security boundary: key management is the enforcement point
Think of an SSL VPN over an untrusted network
Encrypted data in database
eDRM
Different ways to protect data in Cloud
Encryption at Cloud provider end
Tokenisation at Cloud user end
Anonymisation at Cloud user end
Encryption at Customer end
Cloud delivery models (IaaS, PaaS, SaaS) affect data security
Infrastructure as a Service
• Cloud provider offers virtual machines (typically) – virtual CPU, memory, disks, network
• Operating system is the Customer's responsibility
• Extending key management from the internal DC is easy
Platform as a Service
• Cloud provider offers (mostly) standardised platforms for database, middleware, web …
• Operating system is the Provider's responsibility
• Extending key management from the internal DC is possible
Software as a Service
• Cloud provider offers mostly custom-built software (typically web based)
• Full OS stack is the Provider's responsibility
• Extending key management from the internal DC to the Cloud provider is difficult
Data protection options in cloud models
(The original slide is a table with columns Infrastructure as a Service / Platform as a Service / Software as a Service and one row per layer; the options recovered for each row are listed together here.)
Network: Network VPN (could extend to SaaS); Web TLS (for IaaS operated by customer)
Host: Encryption appliance (e.g. SafeNet ProtectV); Provider dependent and operated host encryption
Application: Application encryption (customer retains keys); Tokenisation and anonymisation; Encrypting/tokenising reverse proxy engines (e.g. CipherCloud)
Data: Extend company file or object encryption; Extend DLP or eDRM; Provider operated data/database encryption
SIEM: Extend company SIEM; Plug-in to Provider's SIEM
Example of SaaS – Use of Gmail inside and outside an organisation
SaaS web-based application. Other standard interfaces – IMAP, POP3, SMTP, Web API
Data in Gmail is available to anyone with proper authentication
TLS used on the transport layer
Consider a CipherCloud-like product, but be mindful of traffic flows with external customers
[Diagram: Sender → Proxy → Recipient for intra-company mail; external Sender and Recipient sit outside the proxy]
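The following is an added example, not part of the original slides and not any vendor's product: a minimal vault-style tokenising proxy in Go of the kind the "Tokenisation at Cloud user end" option and the CipherCloud-like reverse proxy above describe. The Tokeniser type, its TOK- token format, the 16-digit-number policy, the example.com addresses and the sample message are all constructed for illustration. It does random-token tokenisation backed by a vault lookup, not format-preserving encryption, and it makes the traffic-flow caveat concrete: a recipient whose mail comes back through the proxy sees the original value, while an external recipient receives the token.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Tokeniser is a hypothetical vault-style tokenising proxy that sits at the
// cloud user's end. Sensitive values are swapped for random tokens before a
// message leaves the company; the token-to-value mapping stays in the vault
// and never reaches the SaaS provider.
type Tokeniser struct {
	forward map[string]string // value -> token
	reverse map[string]string // token -> value
}

func NewTokeniser() *Tokeniser {
	return &Tokeniser{forward: map[string]string{}, reverse: map[string]string{}}
}

// Constructed policy: 16-digit numbers in the body are treated as sensitive.
var sensitiveRe = regexp.MustCompile(`\b\d{16}\b`)

// Token format TOK-<16 hex>. Tokens are random, not derived from the value, so
// the provider cannot brute-force low-entropy values offline. The same value
// maps to the same token so the SaaS can still search and group on the field.
var tokenRe = regexp.MustCompile(`TOK-[0-9a-f]{16}`)

func (t *Tokeniser) tokenFor(value string) string {
	if tok, ok := t.forward[value]; ok {
		return tok
	}
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: refuse to continue rather than issue weak tokens
	}
	tok := "TOK-" + hex.EncodeToString(b)
	t.forward[value] = tok
	t.reverse[tok] = value
	return tok
}

// Outbound is applied to a message on its way to the provider; the result is
// all the SaaS ever stores.
func (t *Tokeniser) Outbound(body string) string {
	return sensitiveRe.ReplaceAllStringFunc(body, t.tokenFor)
}

// Inbound restores values for a reader inside the proxy's perimeter. Tokens
// not in the vault (unknown or forged) are left as they are.
func (t *Tokeniser) Inbound(body string) string {
	return tokenRe.ReplaceAllStringFunc(body, func(tok string) string {
		if v, ok := t.reverse[tok]; ok {
			return v
		}
		return tok
	})
}

// Deliver models the traffic-flow caveat: an intra-company recipient reads
// mail through the proxy and sees the original; an external recipient never
// passes through the proxy and receives the tokens.
func Deliver(t *Tokeniser, stored, recipient, companyDomain string) string {
	if strings.HasSuffix(strings.ToLower(recipient), "@"+strings.ToLower(companyDomain)) {
		return t.Inbound(stored)
	}
	return stored
}

func main() {
	t := NewTokeniser()
	body := "Refund card 4111111111111111 by Friday (constructed sample)"
	stored := t.Outbound(body)
	fmt.Println("at provider:       ", stored)
	fmt.Println("internal recipient:", Deliver(t, stored, "alice@example.com", "example.com"))
	fmt.Println("external recipient:", Deliver(t, stored, "bob@partner.example", "example.com"))
}
```

Because the same value always maps to the same token, equality between fields is still visible to the provider; that is what keeps search and sort working in the SaaS, and if it is unacceptable a fresh token per occurrence must be issued at the cost of those functions. The vault itself becomes the crown jewel and needs the key-management and HSM discipline the recommendations later in the deck call for.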
Example of IaaS – Cloud provider offers virtual computing resources for Internal apps deployment
Cloud provider can theoretically access all data if decryption happens on the virtual machine! But would they?
Two possible models:
Local crypto operations with remote key management – consider SafeNet ProtectV
Remote crypto operations over VPN – speed penalty
[Diagram: Internal user, Administrator and Travelling user reach the Virtual servers through a VPN tunnel; Key management backed by an HSM stays in the company; data is encrypted either by local encryption operations on the virtual servers or by remote encryption operations at the company end]
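As an added example, not from the slides and not SafeNet's product, the Go program below puts the "key management is the enforcement point" idea in code, in the shape of the first IaaS model above (local crypto operations on the virtual server, remote key management at the customer). Data is encrypted on the VM with a per-object data-encryption key (DEK), and the DEK is wrapped by a key-encryption key (KEK) that only the customer's key manager holds. The KeyManager type, the KEK IDs and the sample record are constructed for illustration, with an in-memory map standing in for the HSM-backed key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager is a hypothetical stand-in for the customer's on-premises KMS/HSM:
// KEK IDs mapped to 256-bit AES keys. A KEK never leaves it; the cloud side can
// only ask it to wrap or unwrap per-object data-encryption keys (DEKs).
type KeyManager map[string][]byte

func (k KeyManager) CreateKEK(id string) { k[id] = randomBytes(32) }

// Revoke withdraws a KEK: every object whose DEK it wraps becomes unreadable,
// even though the ciphertext still sits at the provider.
func (k KeyManager) Revoke(id string) { delete(k, id) }

// WrapDEK/UnwrapDEK are the only operations exposed to the cloud side. The KEK
// ID is bound in as associated data so a wrapped DEK cannot be re-labelled.
func (k KeyManager) WrapDEK(id string, dek []byte) ([]byte, error) {
	kek, ok := k[id]
	if !ok {
		return nil, errors.New("kek unavailable: " + id)
	}
	return gcmSeal(kek, dek, []byte(id)), nil
}

func (k KeyManager) UnwrapDEK(id string, wrapped []byte) ([]byte, error) {
	kek, ok := k[id]
	if !ok {
		return nil, errors.New("kek unavailable: " + id)
	}
	return gcmOpen(kek, wrapped, []byte(id))
}

// Encrypt: fresh DEK per object, AES-256-GCM over the data, DEK wrapped by the
// KMS. The provider stores (kekID, wrappedDEK, ciphertext) and cannot decrypt alone.
func Encrypt(km KeyManager, kekID string, plaintext []byte) (wrappedDEK, ciphertext []byte, err error) {
	dek := randomBytes(32)
	if wrappedDEK, err = km.WrapDEK(kekID, dek); err != nil {
		return nil, nil, err
	}
	return wrappedDEK, gcmSeal(dek, plaintext, []byte(kekID)), nil
}

// Decrypt fails closed when the KMS will not release the DEK.
func Decrypt(km KeyManager, kekID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := km.UnwrapDEK(kekID, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, ciphertext, []byte(kekID))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: stop rather than continue with weak keys
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// gcmSeal/gcmOpen: AES-GCM with a random 96-bit nonce prepended to the output.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, data, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

func main() {
	km := KeyManager{}
	km.CreateKEK("tenant-a")
	wrapped, ct, _ := Encrypt(km, "tenant-a", []byte("constructed sample record"))
	pt, err := Decrypt(km, "tenant-a", wrapped, ct)
	km.Revoke("tenant-a")
	_, errAfter := Decrypt(km, "tenant-a", wrapped, ct)
	fmt.Printf("before revocation: %q %v\nafter revocation: %v\n", pt, err, errAfter)
}
```

The provider ends up holding ciphertext plus a wrapped DEK and can decrypt nothing on its own; revoking the KEK at the customer end makes every object wrapped under it unreadable, which is the lever behind "who holds the encryption keys? are they available?". In a real deployment the wrap and unwrap calls cross the VPN to the on-premises HSM, and the virtual machine still holds the unwrapped DEK in memory while it works, which is the exposure the slide's "but would they?" question is about.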
Recommendations
Devise your security architecture holistically, not just looking at point solutions
But with regard to data security in the cloud: always try to manage your own keys; in some cases, however, this breaks the cloud deployment model and so is not always practical
Use Hardware Security Modules to maintain key security supported by robust key management processes
Extend your enterprise key management, DLP, eDRM and SIEM to Cloud providers
Explore format-preserving encryption before data enters the Cloud – typically for PaaS and SaaS (reverse web encryption proxy)
Links
Cloud Security Guidance - https://cloudsecurityalliance.org/research/security-guidance/
Verizon Data Breach reports - http://www.verizonbusiness.com/about/events/2012dbir/
Dropbox access breach - http://www.securityweek.com/dropbox-confirms-data-breach-says-two-factor-authentication-coming
Microsoft BPOS Address book leakage - http://www.pcworld.com/article/214591/Microsoft_BPOS_cloud_service_hit_with_data_breach.html
Epsilon data breach - http://www.guardian.co.uk/technology/2011/apr/06/epsilon-email-hack-marks-spencer
Google email accounts hacked - http://www.washingtonpost.com/blogs/post-tech/post/google-hundreds-of-gmail-accounts-hacked-including-some-senior-us-government-officials/2011/06/01/AGgASgGH_blog.html
CipherCloud lists data breaches in Cloud - http://www.ciphercloud.com/learning-center/breach-watch.aspx
CloudTweaks.com – Cloud Cartoons - http://www.cloudtweaks.com/category/cartoon/
Privatecore - http://www.privatecore.com/
Contact me and CSA
Vladimir Jirasek http://about.me/jirasek @vjirasek [email protected]
Cloud Security Alliance https://cloudsecurityalliance.org.uk @csaukresearch