SSL Europa Cloud Security 2013

Cloud Security: the rules and best practices by SSL Europa

Published in: Technology, Education

  1. Cloud Security: Rules and Best Practices
     patrick.duboys@ssl-europa.com, 20/11/2013
     Registration Authority
  2. Agenda
     • Seven Cloud Computing Risks
     • Asymmetric encryption
     • Electronic signature
     • Strong authentication
     • Rules
     • Best Practices
  3. Cloud-Computing Security Risks (1)
     Risk Assessment
     • Data integrity, recovery, privacy
     • Evaluation of legal issues, regulatory compliance, auditing
     • Etc.
     Transparency
     • Qualification of policy makers, architects, coders, operators
     • Risk-control processes and technical mechanisms
     • Level of testing
     • How unanticipated vulnerabilities are identified
     • Etc.
  4. Seven Cloud-Computing Risks (1)
     1. Privileged user access
        • Physical, logical and personnel control
        • Ask about hiring and oversight of administrators
        • What control is there?
     2. Regulatory compliance
        • Customers are responsible
        • Check external audits and security certifications
     3. Data location
        • Commitment to storing and processing data in specific jurisdictions
        • Contractual commitment
     4. Data segregation
        • Data at rest and in use?
        • Encryption designed and tested by experienced specialists
  5. Seven Cloud-Computing Risks (2)
     5. Recovery
        • What happens in case of a disaster?
        • Replication of data and application across multiple sites?
        • Ability to do a complete restoration? How long would it take?
     6. Investigative support
        • How to trace inappropriate or illegal activities?
        • Logging and data may be for multiple customers
        • Contractual commitment to support specific forms of investigation
        • Get evidence that the vendor has already supported such activities
     7. Long-term viability
        • What if your Cloud provider goes broke or gets acquired?
        • How could you get your data back? In which format? Replacement application?
  6. Asymmetric Encryption
     • Symmetric Encryption
     • Asymmetric Encryption
  7. Symmetric Encryption
     Message in clear → Encryption → Encrypted Message → Decryption → Message in clear
  8. Symmetric Encryption
  9. Symmetric Encryption
     Advantages
     • Fast
     • Relatively simple to implement
     • Very efficient, in particular when the key is used only once
     Drawbacks
     • A different key for each pair of users
       • The major issue: key management (as many keys to exchange as there are users)
       • How do Alice and Bob get the key without anybody else having access to it?
       • The key must follow a different channel (phone, fax, …)
  10. Symmetric Encryption
      Diagram: Internet & Cloud Applications; security services: Authentication, Confidentiality, Authorization, Integrity, Non repudiation (applicative); Security Infrastructure; Security Policy
  11. Asymmetric Encryption
      Invented in 1975 by Whitfield Diffie and Martin Hellman
      Each user owns a pair of keys
      • The public key, which is used to encrypt and is known by everybody
      • The private key, which is used to decrypt and is known only by the owner
  12. Asymmetric Encryption
      Diagram labels: Encryption, Decryption, Symmetric Key, Asymmetric Key
  13. Asymmetric Encryption
  14. Asymmetric Encryption: Signature
  15. Symmetric Encryption
      Diagram: Internet & Cloud Applications; security services: Authentication, Confidentiality, Authorization, Integrity, Non repudiation (applicative); Security Infrastructure; Security Policy
  16. Example: SSL Server
      • Client: Send a message A
      • Server: Send the certificate and the message A signed
      • Client: Verification of the certificate and of the signature
      • Client and Server: Negotiation of the encryption algorithm
      • Client: Generation of a session key
      • Client: Encryption of the session key with the server public key
      • Client: Send the session key encrypted
      • Server: Decryption of the session key with the private key
      • The session key is shared
  17. Symmetric Encryption
      Diagram: Internet & Cloud Applications; security services: Authentication, Confidentiality, Authorization, Integrity, Non repudiation (applicative); Security Infrastructure; Security Policy
  18. Examples of Solutions
  19. Rules of thumb
      • Use encryption
        • For exchanges of data with the Cloud
        • For data in the Cloud
      • Use strong authentication
        • To connect to the Cloud
        • To identify the Cloud server
      • Use signature
        • For exchanges of data in the Cloud
  20. Best Practices (1)
      • Protect data transfer but also data in the cloud
      • Use data-centric encryption and encryption embedded in the file format
      • Understand how the keys will be managed (avoid reliance on cloud providers)
      • Include files such as logs and metadata in encryption
      • Use a strong standard algorithm (such as AES-256)
      • Use open validated formats
      • Avoid proprietary encryption
  21. Best Practices (2)
      • Content-aware encryption
      • Format-preserving encryption
      • Use Data Leak Prevention (DLP) solutions
  22. Best Practices (3. Database)
      • Be aware of performance issues
      • Use object security
      • Store a secure hash
  23. Best Practices (4)
      • Use key management software
      • Use group-level keys
      • Maintain keys within the Enterprise
      • Revoking keys
      • Define and enforce strong key management processes and practices
      • Implement segregation of duties
  24. Recommendations (1)
      • Use best-practice key management practices
      • Use off-the-shelf products from credible sources
      • Maintain your own trusted cryptographic source
      • Key scoping at the individual or group level
      • Use DRM systems
  25. Recommendations (2)
      • Use standard algorithms
      • Avoid old ones such as DES
      • Use central and internal key management (with your own HSM, etc.)
      • Use segregation of duties
  26. Reference
      http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
  27. Thank you for your attention
      SSL EUROPA, 8 chemin des escargots, 18200 Orval - France, +33 (0)9 88 99 54 09, www.ssl-europa.com
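
Slide 16's step "Verification of the certificate and of the signature" and slide 19's rule "Use strong authentication to identify the Cloud server", shown as client configuration with Python's standard `ssl` module. This is an added example, not part of the SSL Europa deck; the function names are assumptions.

```python
import ssl


def verified_client_context() -> ssl.SSLContext:
    """Client settings under which the certificate step of the exchange is enforced."""
    ctx = ssl.create_default_context()            # trusted CAs, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse older protocol versions
    return ctx


def unverified_client_context() -> ssl.SSLContext:
    """The weak setting: the session key is still exchanged and the traffic
    encrypted, but the client never checks who holds the private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """List the ways a client context fails to authenticate the cloud server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("verified", verified_client_context()),
                      ("unverified", unverified_client_context())):
        print(name, audit(ctx) or "no findings")
```

Running `audit` over the contexts an application actually builds is a quick way to find clients that encrypt to the cloud without identifying it.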
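
One reading of "Store a secure hash" (slide 22) combined with "Maintain keys within the Enterprise" and "Revoking keys" (slide 23): the cloud database holds a keyed hash in place of a sensitive value, and the key never leaves the enterprise. This is an added example, not part of the SSL Europa deck; the key ids, column names, sample values and the helpers `token` and `verify` are assumptions.

```python
import hashlib
import hmac

# Constructed sample keys. In practice they live in the enterprise's own key
# store (HSM or key manager) and never reach the cloud provider.
KEYS = {"2012": bytes.fromhex("11" * 32), "2013": bytes.fromhex("22" * 32)}
ACTIVE_KEY_ID = "2013"
REVOKED_KEY_IDS = set()


def token(column: str, value: str, key_id: str = ACTIVE_KEY_ID) -> str:
    """Keyed hash stored in the cloud database in place of the value.

    HMAC rather than a bare SHA-256: short values (a PIN, a birth date) hashed
    without a key can be tested guess by guess by anyone who reads the column.
    The column name is mixed in so a token cannot be moved between columns.
    """
    msg = column.encode() + b"\x00" + value.encode()
    digest = hmac.new(KEYS[key_id], msg, hashlib.sha256).hexdigest()
    return f"{key_id}:{digest}"


def verify(column: str, presented: str, stored: str):
    """Return (ok, token_to_store). The second item differs from `stored`
    only when a valid token under an older key is upgraded to the active key."""
    key_id, sep, _ = stored.partition(":")
    if not sep or key_id not in KEYS or key_id in REVOKED_KEY_IDS:
        return False, stored            # malformed, unknown or revoked key
    expected = token(column, presented, key_id)
    if not hmac.compare_digest(expected.encode(), stored.encode()):
        return False, stored            # constant-time comparison failed
    if key_id != ACTIVE_KEY_ID:
        return True, token(column, presented)   # re-key on successful check
    return True, stored
```

Because the hash is one-way, a token can only be moved to a new key when the value is next presented, so a retired key has to stay available for verification until its tokens have been upgraded or the key is revoked outright.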
