HighCloud Security CSA LA and Seattle chapter presentation
This presentation "Can encryption help alleviate concerns about moving to the cloud?" was presented to the Seattle and LA chapters of the Cloud Security Alliance in Q1 of 2013.

HighCloud CTO Steve Pate talks about the use of encryption and key management in virtualized and cloud environments.

    Presentation Transcript

    • Slide 1: "Can encryption help alleviate concerns about moving to the cloud?"
      Presented to:
      Steve Pate - Co-Founder / CTO
    • Slide 2: Agenda (deck running header on the following slides: "Securing Cloud Data With Encryption")
      • How much of a concern does the cloud present us?
      • An encryption refresher
      • Looking at virtualized environments
      • What do the regulations say about virtualization and cloud?
      • Methods of deploying encryption in the cloud
      • It's all about key management!
    • Slide 3: What do the surveys say? Back in 2010 ...
      • Only 34% of servers are virtualized .... the #1 restriction cited to further virtualization was security – CDW 2009
      • 87% of respondents rated "Security Challenges" as the #1 issue ascribed to the Cloud model – IDC Enterprise Panel 2009
      • "73 percent said security was the primary obstacle to their adopting cloud computing, followed by compliance (54 percent) and portability and ownership of data (48 percent). Most said they were worried about stopping unauthorized access to their company data in the cloud, and 42 percent said security worries have stopped their organizations from going to the cloud." – PhoneFactor survey
      • "By 2015, security will shift from being the No. 1 inhibitor of cloud to one of the top enablers" – Forrester Research
    • Slide 4: What do the surveys say? Today ...
      • In the x86 environment, which represents more than 80% of respondents' computing capacity, average virtualization levels have increased 13% from last year to 51%, with a notable increase at the higher levels, roughly doubling the number of organizations virtualizing production applications - 451 Group
      • Security problems were the primary concern for 48 percent of IT professionals who didn't plan to adopt cloud - InformationWeek 2012 Cloud Security and Risk Survey
      • 80 percent of security issues in the cloud through 2013 will be due to error on the part of providers and customers of cloud services, not fundamental issues with the cloud - Gartner
      • Median cost of a breach in 2012: $8.9M per year
      • 46 US states have passed breach notification laws
    • Slide 5: Data breach laws
      [Figure: map of data breach laws; no further text on the slide]
    • Slide 6: An Encryption Refresher (section title)
    • Slide 7: An Encryption Refresher
      • Two types of encryption:
        • Symmetric - single key, best performance
          • Also called secret key cryptography
          • Data at rest
          • Algorithms such as AES, Blowfish, DES, 3DES, Serpent, Twofish
        • Asymmetric - public / private key pair, poor performance
          • Also called public key cryptography
          • Used when sharing between two or more parties
            • Web commerce
            • Exchanging files between colleagues
          • Algorithms such as RSA, Diffie-Hellman, ...
    • Slide 8: An Encryption Refresher - Symmetric encryption
      [Diagram: clear text goes through the encryption software under an encryption key ("larger = more secure") and comes out as cypher text. AES uses 128 / 256 bit keys]
    • Slide 9: An Encryption Refresher - Symmetric encryption - block ciphers
      [Diagram: an application calls write(fd, buf, size) in user space; in kernel space the filesystem still handles clear text and the device driver writes cypher text to the device]
    • Slide 10: An Encryption Refresher - Asymmetric encryption
      [Diagram: clear text is encrypted with the public key into cypher text and decrypted with the private key back into clear text. RSA uses 1024 bit keys]
    • Slide 11: An Encryption Refresher - Usual places of deployment
      • Application (libraries, column-level encryption, ...)
      • Filesystem - encrypt individual files
      • Device driver - volume encryption (whole devices / partitions)
      • SAN switch - within the storage fabric
      • FDE - the whole drive
      • Backup - built in
      • Command-line tools:
          $ gpg --import pub_key.asc
          $ gpg -e -a < src_code.tar.gz > src_code.tar.gz.asc
          $ tar cz files | openssl enc -aes-256-cbc -e -out files.tgz.enc
          enter aes-256-cbc encryption password: ********
          Verifying - enter aes-256-cbc encryption password: ********
    • Slide 12: What about performance? Performance is terrible, right? It depends ...
      • On applications / workloads
      • On the availability of hardware support
        • Most Intel / AMD processors now have AES-NI support
        • 8-10x performance improvement
      • Should encryption cost just be factored in?
        Median cost of a breach in 2012: $8.9M per year
    • Slide 13: How often is encryption used?
      • That's 25+ million downloads
      • Keys are protected by passwords
      • Password must be typed before keys are accessed
      • Does not scale for the enterprise
    • Slide 14: What to do with the key?
      • Assume I have many keys ...
      • What do I do with all those keys?
      • Who owns the keys?
      "Key management is the hardest part of cryptography and often the Achilles heel of an otherwise secure system" - Bruce Schneier, preface to "Applied Cryptography", second edition
    • Slide 15: Encryption Within a Virtualized Stack (section title)
    • Slide 16: What is a Virtual Machine?
      • Memory images are exposed:
        • Password, crypto keys, email messages, Active Directory data, ...
      • Sensitive data can be left everywhere the VM travels
        • Data center, public clouds, desktops, notebooks, ...
      • VM templates need to be protected
      [Diagram: a virtual machine image is made up of virtual disks (guest OS, applications, data), a suspend file, config files, a snapshot file, log files and a paging file; the virtual machine state and environment include the VM memory image, critical VM configuration, VM meta-data and forensics information]
    • Slide 17: Protecting the Virtual Machine?
      "Have all defense in depth mechanisms work together. Security needs to follow VMs in the infrastructure." - VMware CEO Maritz, VMworld 2010
    • Slide 18: Virtual Machines present new challenges! - recognized by the new PCI virtualization guidelines
    • Slide 19: Encryption in Virtualized Environments
      • There are multiple choices to encrypt all / part of a VM
      • Each has pros / cons
      • Many factors to take into account
      [Diagram: six numbered candidate encryption points spread across the VMs, the virtualization layer, NAS, the SAN switch, the storage array and backup / DR]
    • Slide 20: Encryption below the Hypervisor
      • Block-based or file-based
      • Encryption of the whole VM
      • By seeing the VM, we get to do some special things
      [Diagram: Tenant A and Tenant B each run VMs on a virtualization layer with multi-tenant administration; an encrypted NFS / iSCSI path leads to a key and policy server, a backup server and a virtual machine vault with a restore path; protected VM images and data are held as cypher text]
    • Slide 21: Encryption above the Hypervisor
      • Footprint inside every VM
      • Encrypted path through the hypervisor
      • Does not need help from your service provider
      [Diagram: VMs on a hypervisor with a key server, encrypted data and encrypted VMDKs]
    • Slide 22: How to deploy encryption in the cloud (section title)
    • Slide 23: Just use what the provider gives you
      • Some providers offer encryption:
        • Amazon S3 for example
      • Good enough for some people
      • No good for others
      • Would you put the family jewels in the safe .... and give a stranger the key?
      • Some providers want to offer encryption ... but don't want to host/own the keys!
    • Slide 24: Roll your own ...
      • A number of open source and commercial solutions
    • Slide 25: Cloud Encryption Gateway
      • Encrypt data before it's sent to the cloud
      • Requires access to corporate network
    • Slide 26: Infrastructure as a Service Clouds
      • VMs running in the public cloud
      • Encryption within the VM
        • Filesystem or logical volume level
      • One VM offers encryption to other VMs
      [Diagram: in a public or private cloud, a secure file server VM exporting NFS, CIFS and iSCSI encrypts / decrypts on behalf of the running VMs; the key and policy server stays in the private data center and the cloud storage holds only encrypted data]
    • Slide 27: Questions to ask?
      • How is my data backed up?
      • Can anyone access my VMs?
      • How are VMs replicated?
      • Where are those backups?
      • Do the VMs ever get snapshotted?
      • When I want to decommission, how is my data removed?
      Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 - CSA
    • Slide 28: Key Management Options (section title)
    • Slide 29: What key management options are there?
      • Low end encryption solutions have no key management
      • Enterprise-grade solutions have expensive key servers
        • Enterprise key managers
        • FIPS 140-2, KMIP, ...
        • Highly available
        • Can be extremely expensive
        • Defeats the purpose of virtualization / cloud for cost
      • Many organizations are nervous about managing keys
        • Who gets to access the keys?
        • How are they safely backed up?
        • What happens if keys expire?
        • Are the keys well protected?
    • Slide 30: What key management options are there?
      • 3 main options:
        • CSP holds the keys
        • Customer holds the keys
        • A third party holds the keys
      [Diagram: a key server in the customer's data center, a key server at the cloud service provider next to the VMs, and a third-party provider's key server]
    • Slide 31: Hosted key management
      • Questions to ask:
        • Can I change my mind? I now want to host my own keys
        • I'm hosting keys but now want you to host them
        • Can you actually see my keys?
        • Is the system highly-available? What about DR?
        • I need a process for getting my data back
        • What about multi-tenancy?
        • What about an audit stream?
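The three options on slide 30 and the multi-tenancy question on slide 31 both come down to who holds the key-encryption key. The Go program below is an added illustration, not part of the presentation or of HighCloud's software: it encrypts a VM image under a fresh data key and wraps that data key under a tenant KEK that an assumed key server keeps, so storage holds only ciphertext plus a wrapped key, and a different tenant's KEK cannot unwrap it. The function names and the sample image bytes are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must turns an unexpected error (bad key length, no entropy) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts with AES-256-GCM and prepends the fresh random nonce; open
// reverses it and fails authentication on a wrong key or tampered data.
func seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// EncryptedVM is all the provider's storage holds: image ciphertext plus the DEK
// wrapped under a key-encryption key (KEK) that never leaves the tenant's key server.
type EncryptedVM struct{ WrappedDEK, Ciphertext []byte }

// EncryptVM uses a fresh DEK per image and wraps it under kek, the key server's secret.
func EncryptVM(kek, image []byte) EncryptedVM {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return EncryptedVM{WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, image)}
}
// DecryptVM unwraps the DEK with kek, then the image; another tenant's KEK fails authentication on the wrapped DEK.
func DecryptVM(kek []byte, e EncryptedVM) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext)
}
```

Rotating the KEK only requires re-wrapping the small DEKs on the key server, not re-encrypting the images, which is why the hosted options on slide 30 can move keys between parties without touching stored data.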
    • Slide 32: Automating Encryption (section title)
    • Slide 33: APIs - Provisioning a new server
      • Virtualization offers a lot of automation
      • Cloud infrastructures are all automated:
        • OpenStack and others
      • Cloud providers automate everything
      • Many organizations large and small automate too
      • Password based encryption doesn't help
      • We need encryption to be a drop in solution too
      • Needs to be multi-tenant
    • Slide 34: Traditional GUI-based administration
      • Can be simple to use
      • No need for key management expertise
      • A single product may scan multiple platforms and cloud providers
      • Very important to increase encryption adoption ... BUT!
    • Slide 35: APIs - Provisioning a new server
      • Add a Linux server and encrypt a device - 5 line script!
      [Diagram: a Linux VM running hicli (configured in ~/.hicli/hicli.cfg) talks to the key and policy server cluster and to the target Linux VM]
          # hicli kps select kps-2
          # hicli user login spate --password=********
          # hicli cvmset select "Amazon VMs"
          # hicli cvm new ubuntu10.04
          # hicli cvm ubuntu10.04 add_disk sdb1
    • Slide 36: Where to get more information? (section title)
    • Slide 37: More Information?
      • Cloud Security Alliance
        • https://cloudsecurityalliance.org
      • ENISA
        • http://www.enisa.europa.eu
      • NIST
        • http://www.nist.gov/index.html
      • Payment Card Industry
      • www.highcloudsecurity.com
        • Under Resources ➜ Collateral
    • Slide 38: And last but not least ...
    • Slide 39: 3 different steps you can take ...
      1. Download the HighCloud Software and try for free!
      2. Fill in our survey
        • http://www.highcloudsecurity.com/resources/survey/
      3. An exclusive for tonight's attendees:
        • A free account on HighCloud's hosted key server
        • Not yet in beta!
        • To sign up contact: spate@highcloudsecurity.com
    • Slide 40: Q&A
      spate@highcloudsecurity.com