Securing Cloud Servers and Services with PKI Certificates

Post on 06-Jun-2020


TMW04 – Securing Cloud Servers and Services with PKI Certificates

Mark B. Cooper, President & Founder

PKI Solutions Inc.

Level: Intermediate

About PKI Solutions Inc.

• 10 years as “The PKI Guy” @ Microsoft

• Charter – Microsoft Certified Master DS

• Numerous books and whitepapers

• Services include:

• ADCS Architecture, Deployment and Consulting

• Assessment and Remediation Services

• In-Depth PKI Training

SFO January 2015, NYC February 2015

• Retainer and Support Services

Agenda

• It’s all about security

• Data and identity protection

• Hybrid PKI solutions

• Bring your own key

• Cloud-based solutions

• Security considerations

Security

Human nature and security

• Humans are inherently security conscious

– Information is not

• Technology can define procedures

• Human nature trumps every time

• Constant struggle to protect and assure

• Need to define methods to elevate security

The cloud

• Push to cloud changes paradigms

• Organizations moving data to the cloud

• Security needs to adapt and adopt

• Lock and keys in the same place

Data and identity protection

Public Key Infrastructure

• Increases assurance of data and identities

• Reduces ambiguity in the enterprise

• Information protection

– Signing/Assurance

– Encryption/Protection

The certificate

• Signing and/or encryption

• Unique identification of someone or something

• Limited in scope and use by an authority

• Principles of private key instance ownership

• Guaranteed uniqueness

– Non-Repudiation

Hybrid PKI solutions

Traditional PKIs

(Diagram: Three Tier: Root CA, Policy CA, Issuing CA. Two Tier: Root CA, Issuing CA)

Simple hybrid

(Diagram: Root CA, Issuing CA)

• Easiest solution

• Subordinate role in the cloud

– Root secured on premise

• Greatest risk

– Unrestricted issuance

– Signing keys

– Remote administration

Dual hybrid

(Diagram: Root CA, Issuing CA, Issuing CA)

• Onsite and cloud

• Dynamic and elastic

• Preserves root

– Root secured on premise

• Same risks as simple

– Unrestricted issuance

– Signing keys

– Remote administration

Not in my cloud you don’t

(Diagram: Root CA, Issuing CA)

• Onsite and cloud

• Dynamic and elastic

• Preserves root

– Root secured on premise

• Same risks as simple

– Unrestricted issuance

– Signing keys

– Remote administration

The restricted approach

• True hybrid

• Policy restricts cloud issuance

• Compromises are limited

• Technically possible with 2-tier*

• Some risks remain

– Signing keys

– Remote administration

(Diagram: Root CA, Policy CA, Issuing CA)
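
An added example, not from the original slides: a simplified Python model of how a relying party enforces restrictions written into a cloud Issuing CA's certificate. It assumes the "policy" on this slide is implemented with X.509 name constraints and certificate policy (issuance policy) OIDs, which the slides do not specify; all names and OIDs are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cert:
    subject: str
    dns_names: tuple = ()                 # leaf: subjectAltName dNSName entries
    permitted_dns: tuple = ()             # CA: nameConstraints permitted subtrees
    policies: Optional[frozenset] = None  # certificatePolicies OIDs (None = not constrained)

def in_subtree(name, subtree):
    """RFC 5280 dNSName rule: equal to the subtree, or labels added on the left."""
    n = name.lower().rstrip(".").split(".")
    s = subtree.lower().rstrip(".").split(".")
    return len(n) >= len(s) and n[-len(s):] == s

def violations(chain, leaf):
    """chain runs root -> issuing CA; returns the reasons a relying party rejects leaf.
    Simplified: constraints are checked against the leaf only, no policy mapping."""
    problems, allowed = [], None
    for ca in chain:
        for name in leaf.dns_names if ca.permitted_dns else ():
            if not any(in_subtree(name, s) for s in ca.permitted_dns):
                problems.append(f"{name} is outside the name constraints of {ca.subject}")
        if ca.policies is not None:   # intersect policy OIDs down the path
            allowed = ca.policies if allowed is None else allowed & ca.policies
    if allowed is not None and not (leaf.policies or frozenset()) & allowed:
        problems.append(f"{leaf.subject} asserts no issuance policy allowed on this path")
    return problems

# Constructed sample hierarchy (names and OIDs are placeholders).
CLOUD_OID = "1.3.6.1.4.1.99999.1.1"
CHAIN = [
    Cert("On-prem Root CA"),
    Cert("On-prem Policy CA"),
    # Constraints sit in the cloud CA's own certificate, signed on premises,
    # so whoever controls the cloud CA cannot widen them.
    Cert("Cloud Issuing CA", permitted_dns=("cloud.example.com",),
         policies=frozenset({CLOUD_OID})),
]
IN_SCOPE = Cert("app", ("app.cloud.example.com",), policies=frozenset({CLOUD_OID}))
OUT_OF_SCOPE = Cert("dc01", ("dc01.corp.example.com",),
                    policies=frozenset({"1.3.6.1.4.1.99999.1.2"}))

if __name__ == "__main__":
    for leaf in (IN_SCOPE, OUT_OF_SCOPE):
        print(leaf.subject, violations(CHAIN, leaf) or "accepted")
```

With the constraints removed from the chain, the out-of-scope certificate is accepted, which is the "unrestricted issuance" risk listed for the simple and dual hybrid designs.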

Bring your own key

Trust but restrict

• Local key management

• Create and manage key locally

– Generally in a Hardware Security Module

• Key is restricted and placed in cloud

• Cradle to grave security is difficult

– Generate and then secure in transit to known service

• Few services ready today

– Microsoft Azure Rights Management Server

Cloud based solutions

Cloud – all in

• It’s all about the keys

• Adopt industry signing key practices to the cloud

– Not easy in VM environment either

• Physical controls removed between keys and attacker

– Your admin is their entry door

• Opposed to elastic concepts in cloud computing

Cloud PKI – Soft keys

• Software key protection

• Limited isolation of root

• Risks shifted to provider

• Dynamic over secure

• It’s cloud and not much else

(Diagram: Root CA, Issuing CA)

Cloud PKI – Hard keys

• Hardware key protection

– Virtualized HSM access

• Limited providers

• Co-Mingling of keys

• Key propagation

• Provider key protections

• Mitigates some key risks

• Risks remain

(Diagram: Root CA, Issuing CA)

Bring your own HSM

• Theoretical concept

– Not for everyone or all circumstances

• Breaks many conventional security practices

• Shifts risks and manages exposure

• Hybrid concept of BYOK, Cloud and legacy

• Ask me next year how I feel

– Body of practices and security practices to be defined

(Diagram: Issuing CA, Net HSM, Corporate Firewall, Connection, Secure Connection)

Why Bother?

• Local key management

• Security defined around core risk

• Shifts service, but not risk

• Data and key are not stored near each other

• Compromise of one doesn’t affect the other

• Still enables full cloud migration in the future

Ideal cloud architecture

• No one architecture works for everyone

• Cloud forces reconsideration of tier models

– Modern architecture moved to two-tier

– Cloud is begging for three-tier

• Combination of on premise and hybrid

• At least a starting point in the design discussion

(Diagram: Root CA, Policy CA, HSM, HSM, Explicit Issuance Policies, Issuing CA, Cloud HSM, Cloud HSM Service, Issuing CA, HSM)

Security considerations

Follow the keys

• PKI keys are the core of trust and assurance

• Determine storage and access to keys

– Logical and physical

• Ensure policies and procedures define access

• Eliminate redundant and superfluous access

– Provider limitations and controls

• Determine acceptable risk levels and mitigate

• Security trumps rush to the cloud

Agile PKI

• PKI can be defined for future migrations

• Elastic design and agility are possible

• Reduces future migration effort

• Build today with an eye on tomorrow

Questions?

pkisolutions.com

mark@pkisolutions.com

@pkisolutions