Best Practices for DataEncryption in CloudImplementationsDavid C. Frier, CISM, CISSP, CCSK, CRISCISACA WNY - April 23, 2013
Outline• Who is this guy?• What is encryption, anyway?• Why do I need encryption?• What should I encrypt in the cloud?• How can I encrypt in the cloud?• How can I tell if my encryption is any good?• What are the best practices?• Why is this outline nothing but questions?
Who is this guy?1) David Frier has been an IT consultant since 19842) He has been specializing in Information Security since 20053) He holds the CISM, CISSP, CRISC and CCSK (Certificate of Cloud SecurityKnowledge)4) He has toured with Sting and The Who5) He has been providing implementation of enterprise security initiatives viaCiber since 20076) He has bungee-jumped Angel Falls in Venezuela7) He can make any cloud implementation attack-proof.8) Only the Fibonacci-numbered items on this list are true.9) The preceding item is false.
What is encryption, anyway?• Cleartext: The original data or message, in need ofprotection from disclosure• Encryption: the activity of converting cleartext intocoded form - ciphertext• Encryption Algorithm: The process used to performencryption given a cleartext and one or more keys• Encryption Key: The secret piece of information thatcontrols the output of the encryption algorithm
Why do I need encryption?• APIs Rule: Anyone who can access some of the datafrom an admin session can move it all – at machinespeed.• Multi-Tenancy: the main threat is an attack from a co-resident user.
What should I encrypt in the cloud?• Regulated Data: If you are putting data in a cloud thatis in scope of PCI, restricted by HIPAA or GLBA… thereare elements you must encrypt.• Intellectual Property: Anything that would constituteyour enterprise’s “Crown Jewels.”Or… don’t send the data; use tokenization
How can I encrypt in the cloud?IaaS• Volume Encryption• Virtual Private Storage• Files/Folders (Object Storage)• Three-tier approacho Engine / Data / Key Server
How can I encrypt in the cloud?PaaS• Virtual Private Storage• Database Encryptiono Consider a three-tier approach
How can I encrypt in the cloud?SaaS• Client-side encryptiono Locally built client application that encrypts databefore sending it to the servers• Encryption Proxyo Hardware or virtual appliance that intercepts webform input before submitting it• Trust the Providero They probably have pretty strong security measureso You can audit them… RIGHT?
How will I implement encryption?• Standard (non-cloud) tools (I, some P)• Client/app encryption (I, P)• Database encryption (P)• APIs (I, P)• Proxy encryption (Any)
How can I tell if my encryption is any good?Rule #1: PAASProprietary Algorithms All StinkIf an algorithm cannot face the scrutiny of the technicalcommunity… it’s not because it’s unbreakable.Anyone can produce an algorithm that he himself can’tcrackEven the gold standard (AES-256)will fall one day.
How can I tell if my encryption is any good?Rule #2: Control the KeysThe algorithms are out thereThey are being attacked all the time, but holding upThe only two ways the attacker is going to get through toyour data are:1. Brute Force2. Compromise your Keys
What are the best practices?• Know what you need to encrypt and why.• Know what your cloud architecture supports• Consider tokenization• Ensure use of standards-based algorithms• Plan the entire key-management lifecycle
More the best practices, please?• Maximize granularity• Capture and analyze all logs, audit trails• Encrypt all portable devices• Allow for integration
Tell ‘em what you told ‘em• Encrypt what you need to… only.• Use standards-based algorithmso PAAS!• Guard your keys like they were…o …your keys• Tokenize where it makes senseo They can’t steal what isn’t there