Cloud encryption: everything you always wanted to know but were afraid to ask
Cloud Asia Singapore 15 May 2013
Published in: Technology
  • 1. the private computing company. Cloud Encryption: Everything You Always Wanted to Know but Were Afraid to Ask. Todd Thiemann, Vice President – Marketing; Co-chair, CSA Solution Provider Advisory Council
  • 2. Recent Cloud Data Security Compromises. Sources:
  • 3. Who is Perpetrating Breaches? Origin of threat: Insiders 14%, Outsiders 92% (2013 Data Breach Investigation Report)
  • 4. Old School Datacenter Attacks
  • 5. New School Cloud Attacks
  • 6. Why Secure Your Data?
      – Executive Mandate: IP Protection, Brand Protection, Corporate Data Governance
      – Contractual Obligation: Outsourcing, SaaS contracts
      – Compliance Regulations: PCI DSS, Basel III, National Data Protection Laws
  • 7. Worldwide Compliance. International companies must adhere to regulations in each country of operation; such regulations can call for encryption.
      – Electronic Ledger Storage Law (Japan)
      – MEDIS-DC (Japan)
      – Canadian Electronic Evidence Act
      – PCI Data Security Standard (WW)
      – US State Data Breach Laws
      – FDA 21 CFR Part 11
      – Sarbanes-Oxley Act (USA)
      – AIPA (Italy)
      – GDPdU and GoBS (Germany)
      – EU Data Protection Directive
      – UK Data Protection Act
      – NF Z 42-013 (France)
      – Financial Services Authority (UK)
      – Basel III Capital Accord
      – GLB Act
      – Japan PIP Act
      – HIPAA/HITECH (USA)
      – S. Korea Personal Information Protection Act
      – Singapore Personal Data Protection Act
      – Taiwan Personal Data Protection Act
  • 8. Encryption Architectures for Data at Rest. Technologies balance between control and simplicity.
      – Diagram axis: Control, Simplicity
      – Stack layers: Users, Applications, Database, OS, Hypervisor, Hardware (CPU/Memory), Storage (SAN, NAS, DAS)
      – Encryption options: Gateway, API, Native DB, OS/File, Storage
  • 9. Application Encryption. Application encryption using APIs before data is stored in database. (Diagram label: Key Management)
      – Pros: Most secure at top of stack, cloud agnostic (portable)
      – Cons: Intrusive, requiring custom code development, not applicable to SaaS
  • 10. OS-level Encryption (File Encryption). OS-level (aka File-level) Encryption encrypts and controls access to file-level data. (Diagram label: Key Management)
      – Pros: Enables access control and separation of duties with CSP and within enterprise, portable
      – Cons: Enterprises cannot use with SaaS/PaaS, not extremely granular
  • 11. Cloud Storage Encryption. Encrypts data at mounted storage volume.
      – Pros: Can enable access control and separation of duties between CSP and enterprise
      – Cons: Uncertain key custody, no access control
  • 12. Gateway Encryption (Proxy). Gateway uses reverse proxy to encrypt or tokenize sensitive SaaS/PaaS data. (Diagram labels: SaaS, Gateway)
      – Pros: Agentless architecture for securing SaaS/PaaS, no application changes, enterprise controls keys
      – Cons: Can disrupt application functionality (indexing, searching, sorting, business logic in cloud), you must track cloud application changes
  • 13. Cloud Encryption Layers. Caveat: Compromised Hardware/Memory Can Break Trust Model.
      – Encryption types: Gateway Encryption, API Encryption, Database Encryption, File Encryption, Storage Encryption
      – Stack layers: User, Application, Database, OS, Hypervisor, HW, Storage
  • 14. Encryption Beyond Data At Rest
      • Data in Use (Memory)
          – Memory is clear text and can be parsed to find sensitive data
          – Dumping memory can compromise data and encryption keys for data at rest
          – Evaluate emerging threat and solutions to mitigate risk
  • 15. Questions To Consider
      • What information needs to be protected?
      • What threats do you want to protect the information against?
      • What application and infrastructure changes can you tolerate?
      • Who holds the encryption keys?
          – You? Partner? Cloud service provider?
      • Performance
  • 16. Todd’s Take-aways
      • Encryption enables trust in an untrusted environment
      • Encryption enables logical separation of data at any level (country, datacentre, database, etc)
      • Encryption protects sensitive data, but also can enable security intelligence
          – Who is touching your data?
      • Minimize encryption silos to minimize costs
          – Many encryption use cases can cause solutions to proliferate
  • 17. Questions & Answers. Thank you!
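
Slide 12's trade-off for gateway tokenization, as an added example that is not part of the presentation: with a deterministic keyed token, exact-match search keeps working while prefix search and server-side sorting stop being meaningful. `TokenizingGateway`, `cloud_view`, the HMAC-based token scheme and the sample names are assumptions for illustration; the deck does not say how a gateway derives tokens.

```python
import hashlib
import hmac


class TokenizingGateway:
    """Hypothetical enterprise-side reverse proxy (all names are assumptions)."""

    def __init__(self, key: bytes):
        self._key = key    # held by the enterprise, never sent to the SaaS
        self._vault = {}   # token -> plaintext, kept on the enterprise side

    def tokenize(self, value: str, store: bool = True) -> str:
        # Deterministic keyed token: equal plaintexts always map to equal tokens.
        mac = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:32]
        if store:
            self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def cloud_view(key: bytes, names: list, exact_term: str, prefix_term: str) -> dict:
    """What a SaaS that holds only tokens can and cannot do for the application."""
    gw = TokenizingGateway(key)
    rows = [gw.tokenize(n) for n in names]   # everything the SaaS ever stores

    def reveal(tokens):
        return [gw.detokenize(t) for t in tokens]

    # The gateway rewrites query terms into tokens before they reach the SaaS.
    exact = gw.tokenize(exact_term, store=False)
    prefix = gw.tokenize(prefix_term, store=False)
    return {
        "stored": rows,
        # Equality search survives: same plaintext, same token.
        "exact_match": reveal([r for r in rows if r == exact]),
        # Prefix search breaks: the token of a prefix is unrelated to the full value's token.
        "prefix_match": reveal([r for r in rows if r.startswith(prefix)]),
        # Server-side sort orders rows by token, not by name.
        "cloud_sorted": reveal(sorted(rows)),
    }


if __name__ == "__main__":
    sample = ["Alice Tan", "Bob Lim", "Alicia Wong", "Chandra Rao"]  # constructed data
    view = cloud_view(b"constructed-demo-key", sample, "Bob Lim", "Ali")
    for field, value in view.items():
        print(field, "->", value)
    print("plaintext sort ->", sorted(sample))
```

The determinism that keeps equality search working also lets the provider see which rows hold the same value.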