0
Cloud Security: Rules and
Best Practices
patrick.duboys@ssl-europa.com
20/11/2013
Autorité d’Enregistrement
Agenda







Seven Cloud Computing Risks
Asymmetric encryption
Electronic signature
Strong authentication
Rules
Bes...
Cloud-Computing Security Risks (1)
Risk Assessment
•
•
•

Data integrity, recovery privacy
Evaluation of legal issues, reg...
Seven Cloud-Computing Risks (1)
1.

Privileged user access
•
•
•

2.

Regulatory compliance
•
•

3.

Customers are respons...
Seven Cloud-Computing Risks (2)
5. Recovery
•
•
•

What happens in case of a disaster?
Replication of data and application...
Asymmetric Encryption
 Symmetric Encryption
 Asymmetric Encryption

Autorité d’Enregistrement
Symmetric Encryption
Message in clear

Encryption

Encrypted Message

Decryption

Message in clear

Autorité d’Enregistrem...
Symmetric Encryption

Autorité d’Enregistrement
Symmetric Encryption
Advantages
– Fast
– Relatively simple to
implement
– Very efficient in particular
when the key is use...
Symmetric Encryption
Internet & Cloud Applications

Authentication

Confidentiality

Authorization

Integrity

(applicativ...
Asymmetric Encryption
Invented in 1975 by Whitfield Diffie and Martin Hellman
Each user owns a pair of key
– The public ke...
Asymmetric Encryption
Encryption

Symmetric Key

Decryption

=

=

Asymmetric Key

Autorité d’Enregistrement
Asymmetric Encryption

Autorité d’Enregistrement
Asymmetric Encryption: Signature

Autorité d’Enregistrement
Symmetric Encryption
Internet & Cloud Applications

Authentication

Confidentiality

Authorization

Integrity

Non
repudia...
Example : SSL Server
Client

Server

Send a message A
Verification of the certificate
and of the signature
Negotiation of ...
Symmetric Encryption
Internet & Cloud Applications

Authentication

Confidentiality

Authorization

Integrity

Non
repudia...
Examples of Solutions

Autorité d’Enregistrement
Rules of thumbs
 Use encryption



For exchanges of data with the Cloud
For data in the Cloud

 Use strong authenticat...
Best Practices (1)








Protect data transfer but also data in the cloud
Use data-centric encryption & encryptio...
Best Practices (2)
 Content aware Encryption
 Format-preserving Encryption
 Use Data Leak Prevention (DLP)
solutions

A...
Best Practices (3. Data Base)
 Be aware of performances issues
 Use object security
 Store a secure hash

Autorité d’En...
Best Practices (4)
Use a Key Management Software
Use group levels keys
Maintain keys within the Enterprise
Revoking keys
D...
Recommendations (1)
 Use best practices key management
practices
 Use off-the-shelf products from credible
sources
 Mai...
Recommendations (2)
 Use standard algorithm
 Avoid old ones such as DES
 Use central and internal key
management (with ...
Reference

http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

Autorité d’Enregistrement
Thank you for your attention
SSL EUROPA

8 chemin des escargots
18200 Orval - France
+33 (0)9 88 99 54 09
www.ssl-europa.c...
Upcoming SlideShare
Loading in...5
×

SSL Europa Cloud Security 2013

215

Published on

Cloud Security: the rules and best practices by SSL Europa

Published in: Technology, Education
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
215
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
10
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "SSL Europa Cloud Security 2013"

  1. 1. Cloud Security: Rules and Best Practices patrick.duboys@ssl-europa.com 20/11/2013 Autorité d’Enregistrement
  2. 2. Agenda       Seven Cloud Computing Risks Asymmetric encryption Electronic signature Strong authentication Rules Best Practices Autorité d’Enregistrement
  3. 3. Cloud-Computing Security Risks (1) Risk Assessment • • • Data integrity, recovery privacy Evaluation of legal issues, regulatory compliance, auditing Etc… Transparency • • • • • Qualification of policy makers, architects, coders, operators Risk-control processes and technical mechanisms Level of testing How unanticipated vulnerabilities are identified Etc… Autorité d’Enregistrement
  4. 4. Seven Cloud-Computing Risks (1) 1. Privileged user access • • • 2. Regulatory compliance • • 3. Customers are responsible Check external audits and security certifications Data location • • 4. Physical, logical and personnel control Ask about hiring and oversight of administrators What control there is ? Commitment to storing and processing data in specific jurisdictions Contractual commitment Data segregation • • Data at rest and in use ? Encryption designed and tested by experienced specialist Autorité d’Enregistrement
  5. 5. Seven Cloud-Computing Risks (2) 5. Recovery • • • What happens in case of a disaster? Replication of data and application across multiple sites? Ability to do a complete restoration ? how long would it take? 6. Investigative support • • • • How to trace inappropriate or illegal activities? Logging and data may be for multiple customers Contractual commitment to support specific forms of investigation Get evidence that the vendor has already supported such activities 7. Long-term viability • • What if your Cloud provider goes broke or gets acquired? How could you get your data back? In which format? Replacement application? Autorité d’Enregistrement
  6. 6. Asymmetric Encryption  Symmetric Encryption  Asymmetric Encryption Autorité d’Enregistrement
  7. 7. Symmetric Encryption Message in clear Encryption Encrypted Message Decryption Message in clear Autorité d’Enregistrement
  8. 8. Symmetric Encryption Autorité d’Enregistrement
  9. 9. Symmetric Encryption Advantages – Fast – Relatively simple to implement – Very efficient in particular when the key is used only once Drawbacks – A different key by pair of users • The major issue : Keys management (as many keys to exchange as there are users) • How do Alice and Bob get the key without anybody else having access to it ? • The key must follow a different channel (phone, fax, …) Autorité d’Enregistrement
  10. 10. Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity (applicative) � Security Infrastructure Security Policy Autorité d’Enregistrement Non repudiation
  11. 11. Asymmetric Encryption Invented in 1975 by Whitfield Diffie and Martin Hellman Each user owns a pair of key – The public key that is used to encrypt and which is known by everybody – The private key that is used to decrypt and which is only known by the owner Autorité d’Enregistrement
  12. 12. Asymmetric Encryption Encryption Symmetric Key Decryption = = Asymmetric Key Autorité d’Enregistrement
  13. 13. Asymmetric Encryption Autorité d’Enregistrement
  14. 14. Asymmetric Encryption: Signature Autorité d’Enregistrement
  15. 15. Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity Non repudiation (applicative) � � Security Infrastructure Security Policy Autorité d’Enregistrement �
  16. 16. Example : SSL Server Client Server Send a message A Verification of the certificate and of the signature Negotiation of the encryption algorithm Send the certificate and the message A signed Negotiation of the encryption algorithm Generation of a session key Encryption of the session Key with the server public key Send the session key Encrypted Decryption of the session key with the private key The session key is shared Autorité d’Enregistrement
  17. 17. Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity Non repudiation (applicative) � � � Security Infrastructure Security Policy Autorité d’Enregistrement � �
  18. 18. Examples of Solutions Autorité d’Enregistrement
  19. 19. Rules of thumbs  Use encryption   For exchanges of data with the Cloud For data in the Cloud  Use strong authentication   To connect to the Cloud To identify the Cloud server  Use signature  For exchanges of data in the Cloud Autorité d’Enregistrement
  20. 20. Best Practices (1)        Protect data transfer but also data in the cloud Use data-centric encryption & encryption embedded in the file format Understand how the keys will be managed (avoid reliance on cloud providers) Include files such as logs and metadata in encryption Use strong standard algorithm (such as AES-256) Use open validated formats Avoid proprietary encryption Autorité d’Enregistrement
  21. 21. Best Practices (2)  Content aware Encryption  Format-preserving Encryption  Use Data Leak Prevention (DLP) solutions Autorité d’Enregistrement
  22. 22. Best Practices (3. Data Base)  Be aware of performances issues  Use object security  Store a secure hash Autorité d’Enregistrement
  23. 23. Best Practices (4) Use a Key Management Software Use group levels keys Maintain keys within the Enterprise Revoking keys Define and enforce strong Key management processes and practices  Implement segregation of duties      Autorité d’Enregistrement
  24. 24. Recommendations (1)  Use best practices key management practices  Use off-the-shelf products from credible sources  Maintain your own trusted cryptographic source  Key scoping at the individual or group level  Use DRM systems Autorité d’Enregistrement
  25. 25. Recommendations (2)  Use standard algorithm  Avoid old ones such as DES  Use central and internal key management (with your own HSM, etc.)  Use segregation of duties Autorité d’Enregistrement
  26. 26. Reference http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf Autorité d’Enregistrement
  27. 27. Thank you for your attention SSL EUROPA 8 chemin des escargots 18200 Orval - France +33 (0)9 88 99 54 09 www.ssl-europa.com Autorité d’Enregistrement
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×