Cloud encryption everything you always wanted to know but were afraid to ask

Published on

Cloud Asia Singapore 15 May 2013

Published in: Technology
  1. the private computing company
     Cloud Encryption: Everything You Always Wanted to Know but Were Afraid to Ask
     Todd Thiemann, Vice President – Marketing
     Co-chair, CSA Solution Provider Advisory Council
  2. Recent Cloud Data Security Compromises
     Sources:
     • http://arstechnica.com/security/2013/04/former-employee-arrested-charged-with-rooting-2700-hostgator-servers/
     • http://news.yahoo.com/vudu-customer-data-stolen-office-burglary-221655387.html
  3. Who is Perpetrating Breaches? (2013 Data Breach Investigation Report, Origin of Threat)
     • Insiders: 14%
     • Outsiders: 92%
  4. Old School Datacenter Attacks
  5. New School Cloud Attacks +
  6. Why Secure Your Data?
     • Executive Mandate
       – IP Protection
       – Brand Protection
       – Corporate Data Governance
     • Contractual Obligation
       – Outsourcing
       – SaaS contracts
     • Compliance Regulations
       – PCI DSS
       – Basel III
       – National Data Protection Laws
  7. Worldwide Compliance
     International companies must adhere to regulations in each country of operation; such regulations can call for encryption.
     • Electronic Ledger Storage Law (Japan)
     • MEDIS-DC (Japan)
     • Canadian Electronic Evidence Act
     • PCI Data Security Standard (WW)
     • US State Data Breach Laws
     • FDA 21 CFR Part 11
     • Sarbanes-Oxley Act (USA)
     • AIPA (Italy)
     • GDPdU and GoBS (Germany)
     • EU Data Protection Directive
     • UK Data Protection Act
     • NF Z 42-013 (France)
     • Financial Services Authority (UK)
     • Basel III Capital Accord
     • GLB Act
     • Japan PIP Act
     • HIPAA/HITECH (USA)
     • S. Korea Personal Information Protection Act
     • Singapore Personal Data Protection Act
     • Taiwan Personal Data Protection Act
  8. Encryption Architectures for Data at Rest
     Technologies balance between control and simplicity.
     • Diagram axes: Control, Simplicity
     • Stack layers: Users, Applications, Database, OS, Hypervisor, Hardware (CPU/Memory), Storage (SAN, NAS, DAS Storage)
     • Encryption options: API, Native DB, OS/File, Gateway, Storage
  9. Application Encryption
     Application encryption using APIs before data is stored in database.
     • Pros: Most secure at top of stack, cloud agnostic (portable)
     • Cons: Intrusive, requiring custom code development, not applicable to SaaS
     • Diagram label: Key Management
  10. OS-level Encryption (File Encryption)
     OS-level (aka File-level) Encryption encrypts and controls access to file-level data.
     • Pros: Enables access control and separation of duties with CSP and within enterprise, portable
     • Cons: Enterprises cannot use with SaaS/PaaS, not extremely granular
     • Diagram label: Key Management
  11. Cloud Storage Encryption
     Encrypts data at mounted storage volume.
     • Pros: Can enable access control and separation of duties between CSP and enterprise
     • Cons: Uncertain key custody, no access control
  12. Gateway Encryption (Proxy)
     Gateway uses reverse proxy to encrypt or tokenize sensitive SaaS/PaaS data.
     • Pros: Agentless architecture for securing SaaS/PaaS, no application changes, enterprise controls keys
     • Cons: Can disrupt application functionality (indexing, searching, sorting, business logic in cloud), you must track cloud application changes
     • Diagram labels: SaaS, Gateway
  13. Cloud Encryption Layers
     • Encryption layers: API Encryption, Database Encryption, File Encryption, Storage Encryption, Gateway Encryption
     • Stack layers: User, Application, Database, OS, Hypervisor, HW, Storage
     • Caveat: Compromised Hardware/Memory Can Break Trust Model
  14. Encryption Beyond Data At Rest
     • Data in Use (Memory)
       – Memory is clear text and can be parsed to find sensitive data
       – Dumping memory can compromise data and encryption keys for data at rest
       – Evaluate emerging threat and solutions to mitigate risk
  15. Questions To Consider
     • What information needs to be protected?
     • What threats do you want to protect the information against?
     • What application and infrastructure changes can you tolerate?
     • Who holds the encryption keys?
       – You? Partner? Cloud service provider?
     • Performance
  16. Todd’s Take-aways
     • Encryption enables trust in an untrusted environment
     • Encryption enables logical separation of data at any level (country, datacentre, database, etc.)
     • Encryption protects sensitive data, but also can enable security intelligence
       – Who is touching your data?
     • Minimize encryption silos to minimize costs
       – Many encryption use cases can cause solutions to proliferate
  17. Questions & Answers
     Thank you!
     todd@privatecore.com
     @cryptodd
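
The gateway slide's "Cons" (disrupted searching and sorting) can be seen in a short sketch; this is an added example, not code from the presentation. It assumes a hypothetical `TokenizingGateway` class, an in-memory SQLite table standing in for the SaaS data store, and a constructed key and name list.

```python
import hashlib
import hmac
import sqlite3

class TokenizingGateway:
    """Hypothetical stand-in for the reverse proxy; names and schema are assumptions."""

    def __init__(self, key: bytes):
        self._key = key      # enterprise-held key, never sent to the provider
        self._vault = {}     # token -> plaintext map, kept on the enterprise side
        self.saas = sqlite3.connect(":memory:")  # stand-in for the SaaS data store
        self.saas.execute("CREATE TABLE customers (surname TEXT)")

    def tokenize(self, value: str) -> str:
        # Deterministic keyed token: equal inputs give equal tokens.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:32]

    def insert(self, surname: str) -> None:
        token = self.tokenize(surname)
        self._vault[token] = surname
        self.saas.execute("INSERT INTO customers VALUES (?)", (token,))

    def _query(self, sql: str, args=()) -> list:
        # Run the query at the provider, then detokenize the rows on the way back.
        return [self._vault[t] for (t,) in self.saas.execute(sql, args)]

    def find_exact(self, surname: str) -> list:
        # Equality survives because the gateway can tokenize the search term.
        return self._query("SELECT surname FROM customers WHERE surname = ?",
                           (self.tokenize(surname),))

    def find_prefix(self, prefix: str) -> list:
        # LIKE is evaluated against tokens, so a plaintext prefix misses the matching rows.
        return self._query("SELECT surname FROM customers WHERE surname LIKE ?",
                           (prefix + "%",))

    def sorted_by_provider(self) -> list:
        # ORDER BY sorts the tokens, not the names behind them.
        return self._query("SELECT surname FROM customers ORDER BY surname")

    def provider_view(self) -> list:
        return [t for (t,) in self.saas.execute("SELECT surname FROM customers")]

# Constructed sample data.
NAMES = ["Tan", "Lim", "Wong", "Ng", "Lee", "Goh"]
gateway = TokenizingGateway(key=b"constructed-demo-key")
for name in NAMES:
    gateway.insert(name)
```

Exact-match lookups still work through the gateway, while prefix search and provider-side ordering operate on tokens; any sorting or partial matching has to happen on the enterprise side after detokenization.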
