Best practices for data encryption in cloud implementations
  • 1. Best Practices for Data Encryption in Cloud Implementations
    David C. Frier, CISM, CISSP, CCSK, CRISC
    ISACA WNY - April 23, 2013
  • 2. Outline
    • Who is this guy?
    • What is encryption, anyway?
    • Why do I need encryption?
    • What should I encrypt in the cloud?
    • How can I encrypt in the cloud?
    • How can I tell if my encryption is any good?
    • What are the best practices?
    • Why is this outline nothing but questions?
  • 3. Who is this guy?
    1) David Frier has been an IT consultant since 1984
    2) He has been specializing in Information Security since 2005
    3) He holds the CISM, CISSP, CRISC and CCSK (Certificate of Cloud Security Knowledge)
    4) He has toured with Sting and The Who
    5) He has been providing implementation of enterprise security initiatives via Ciber since 2007
    6) He has bungee-jumped Angel Falls in Venezuela
    7) He can make any cloud implementation attack-proof.
    8) Only the Fibonacci-numbered items on this list are true.
    9) The preceding item is false.
  • 4. What is encryption, anyway?
    • Cleartext: the original data or message, in need of protection from disclosure
    • Encryption: the activity of converting cleartext into coded form - ciphertext
    • Encryption Algorithm: the process used to perform encryption given a cleartext and one or more keys
    • Encryption Key: the secret piece of information that controls the output of the encryption algorithm
  • 5. Why do I need encryption?
    • APIs Rule: anyone who can access some of the data from an admin session can move it all – at machine speed.
    • Multi-Tenancy: the main threat is an attack from a co-resident user.
  • 6. What should I encrypt in the cloud?
    • Regulated Data: if you are putting data in a cloud that is in scope of PCI, or restricted by HIPAA or GLBA… there are elements you must encrypt.
    • Intellectual Property: anything that would constitute your enterprise’s “Crown Jewels.”
    Or… don’t send the data; use tokenization.
  • 7. How can I encrypt in the cloud? IaaS
    • Volume Encryption
    • Virtual Private Storage
    • Files/Folders (Object Storage)
    • Three-tier approach
      o Engine / Data / Key Server
  • 8. How can I encrypt in the cloud? PaaS
    • Virtual Private Storage
    • Database Encryption
      o Consider a three-tier approach
  • 9. How can I encrypt in the cloud? SaaS
    • Client-side encryption
      o Locally built client application that encrypts data before sending it to the servers
    • Encryption Proxy
      o Hardware or virtual appliance that intercepts web form input before submitting it
    • Trust the Provider
      o They probably have pretty strong security measures
      o You can audit them… RIGHT?
  • 10. How will I implement encryption? (I = IaaS, P = PaaS)
    • Standard (non-cloud) tools (I, some P)
    • Client/app encryption (I, P)
    • Database encryption (P)
    • APIs (I, P)
    • Proxy encryption (Any)
  • 11. How can I tell if my encryption is any good?
    Rule #1: PAAS: Proprietary Algorithms All Stink
    If an algorithm cannot face the scrutiny of the technical community… it’s not because it’s unbreakable.
    Anyone can produce an algorithm that he himself can’t crack.
    Even the gold standard (AES-256) will fall one day.
  • 12. How can I tell if my encryption is any good?
    Rule #2: Control the Keys
    The algorithms are out there. They are being attacked all the time, but holding up.
    The only two ways the attacker is going to get through to your data are:
    1. Brute Force
    2. Compromise your Keys
  • 13. What are the best practices?
    • Know what you need to encrypt and why.
    • Know what your cloud architecture supports.
    • Consider tokenization.
    • Ensure use of standards-based algorithms.
    • Plan the entire key-management lifecycle.
  • 14. More best practices, please?
    • Maximize granularity
    • Capture and analyze all logs and audit trails
    • Encrypt all portable devices
    • Allow for integration
  • 15. Tell ‘em what you told ‘em
    • Encrypt what you need to… only.
    • Use standards-based algorithms
      o PAAS!
    • Guard your keys like they were…
      o …your keys
    • Tokenize where it makes sense
      o They can’t steal what isn’t there
  • 16. Question everything