Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques

Dave Asprey, VP Cloud Security
dave_asprey@trendmicro.com
@daveasprey (cloud + virtual security tweets)
Trend Micro Confidential – 3/23/2011
Adapted from an original presentation delivered to members of the SDforum, Jan. 2011, by Dave Asprey, VP of Cloud Security, Trend Micro
Your speaker
Dave Asprey, VP, Cloud Security; Cloud & Virtualization Evangelist
dave_asprey@trendmicro.com | @daveasprey | cloudsecurity.trendmicro.com | Linkedin.com/in/asprey

Background:
▪ Blue Coat – VP Technology
▪ Citrix – Strategic Planning, Virtualization Business
▪ Netscaler – Dir PM
▪ Exodus/Savvis – Dir PM & Strategy exec
▪ Speedera/Akamai – Sr. Dir PM
▪ 3Com – Web IT guy
▪ UC Santa Cruz – Ran Web & Internet Engineering Program
▪ Author, PWC Tech Forecast: Systems & Network Mgt + Scaling
Data Privacy Concerns in the Cloud
▪ Data is stored in plain text
▪ Virtual volumes can move without the owner's knowledge
▪ Little ability to audit or monitor access to resources or data
▪ Hypervisors and storage are shared with other users
▪ Storage devices contain residual data
Amazon Web Services™ Customer Agreement

"7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications."

Translation: If it gets hacked, it's your fault.
Source: http://aws.amazon.com/agreement/#7 (23 November 2010)
Security: the #1 Cloud Challenge
Security and privacy rank higher than performance, immaturity and regulatory compliance combined.
Source: Gartner (April 2010)
Use encrypted, self-defending hosts
(Diagram labels: Internet, Shared Firewall, Shared Storage, Virtual Servers)

Concern: Multiple customers on one physical server – potential for attacks via the hypervisor
Answer: Doesn't matter – the edge of my virtual machine is protected

Concern: Shared network inside the firewall
Answer: Doesn't matter – treat the LAN as public

Concern: Shared firewall – lowest common denominator – less fine-grained control
Answer: Doesn't matter – treat the LAN as public

Concern: Easily copied machine images – who else has your server?
Answer: Doesn't matter – they can start my server, but only I can unlock my data

Concern: Shared storage – is customer segmentation secure against attack?
Answer: Doesn't matter – my data is encrypted
Advice
1. Encrypt network traffic
2. Use only encrypted file systems for block devices
3. Encrypt everything in shared storage
4. Only allow decryption keys to enter the cloud during decryption
5. The only authentication credential in a VM is the key that decrypts the file system key
…More advice
6. At instance startup, fetch the encrypted file system key
7. No password-based authentication for shell access
8. No passwords allowed for sudo access (!)
9. Make regular backups off-cloud
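One way to check an instance against advice 7 and 8 before it goes into service, as an added example that is not part of the presentation or its sources. The sshd_config and sudoers samples are constructed inline, and the admin user name is an assumption; the check also covers the keyboard-interactive path, which a bare "PasswordAuthentication no" leaves open when PAM is in use.

```shell
# Added example, not from the presentation: audit sshd_config and sudoers
# samples (constructed below) against advice 7 and 8.

# Effective value of an sshd_config keyword: sshd keeps the FIRST
# occurrence, skips comment lines and matches keywords case-insensitively.
sshd_value() {   # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Advice 7: no password-based shell access. Returns 0 if compliant.
# "PasswordAuthentication no" alone is not enough: with keyboard-interactive
# (challenge-response) auth left on, PAM can still prompt for the password.
audit_sshd() {   # $1 = config file
    rc=0
    for kv in PasswordAuthentication:no ChallengeResponseAuthentication:no \
              KbdInteractiveAuthentication:no PubkeyAuthentication:yes; do
        key=${kv%%:*}; want=${kv##*:}
        have=$(sshd_value "$1" "$key")
        # All four keywords default to "yes" when absent.
        if [ "${have:-yes}" != "$want" ]; then
            echo "FAIL $key=${have:-unset} (want $want)"; rc=1
        fi
    done
    return $rc
}

# Advice 8: the instance has no passwords at all, so every sudo rule for
# the admin user must carry NOPASSWD. Returns 0 if compliant.
audit_sudoers() {   # $1 = sudoers fragment, $2 = user
    awk -v u="$2" 'BEGIN { bad = 0 }
        /^[[:space:]]*#/ { next }
        $1 == u && $0 !~ /NOPASSWD:/ { print "FAIL " $0; bad = 1 }
        END { exit bad }' "$1"
}

# Constructed sample inputs (the duplicate last line in the hardened
# config is ignored by sshd because the first value wins).
SAMPLES=$(mktemp -d)
printf 'Port 22\nPubkeyAuthentication yes\npasswordauthentication yes\n' \
    > "$SAMPLES/weak_sshd_config"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' \
    'PasswordAuthentication yes' > "$SAMPLES/hard_sshd_config"
printf 'admin ALL=(ALL) ALL\n' > "$SAMPLES/weak_sudoers"
printf 'admin ALL=(ALL) NOPASSWD: ALL\n' > "$SAMPLES/hard_sudoers"
audit_sshd "$SAMPLES/weak_sshd_config" || echo "weak sshd_config: rejected"
```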
…Even more advice
10. Minimize the number of services per VM instance (goal = 1)
11. Only open the ports you need
12. Specify source addresses and only allow HTTP global access
13. Keep sensitive data in a separate database
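A check for advice 11 and 12 over an iptables-save dump, as an added example that is not from the presentation. The ruleset is constructed inline; treating 443 alongside 80 as "HTTP global access" and exempting the loopback and established-connection rules are my assumptions, not the slide's.

```shell
# Added example, not from the presentation: check an iptables-save dump
# against advice 11 and 12. Policy (my reading of the slide): an INPUT
# ACCEPT rule is fine only if it is for HTTP/HTTPS (80/443), carries a
# source restriction (-s), or is the loopback / established-connection rule.

# Prints each violating rule; returns 0 if none, 1 otherwise.
audit_input_rules() {   # $1 = file holding iptables-save output
    awk 'BEGIN { bad = 0 }
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            port = ""; src = ""; iface = ""; state = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s")      src = $(i + 1)
                if ($i == "-i")      iface = $(i + 1)
                if ($i == "--state") state = $(i + 1)
            }
            if (iface == "lo") next                      # loopback
            if (state ~ /ESTABLISHED/) next              # replies only
            if (src != "" && src != "0.0.0.0/0") next    # source-restricted
            if (port == "80" || port == "443") next      # HTTP global access
            print "FAIL (open to the world): " $0; bad = 1
        }
        END { exit bad }' "$1"
}

# Constructed sample: a web tier that also exposes its database port
# (advice 13 would put that database on a separate, unexposed host).
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
EOF

# Number of violating rules, for callers that want a count rather than text.
count_violations() { audit_input_rules "$1" | grep -c '^FAIL'; }

audit_input_rules "$RULES" || echo "ruleset rejected"
```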
Final advice
14. Use a host-based intrusion detection system
15. Use system hardening tools
16. Write better applications!
Thank You.
Dave Asprey, VP Cloud Security
dave_asprey@trendmicro.com | @daveasprey | cloudsecurity.trendmicro.com
Props to: George Reese & O'Reilly Blog

Editor's Notes

  • #2 My name is Todd Thiemann. Thank you for attending this session on
  • #5
    Data is stored in plain text – Who can see my sensitive information? Data stored in a raw format removes confidentiality and allows a savvy attacker an open door to view all of your information.
    Virtual volumes can be moved without the owner's knowledge – Has my data been moved offshore, breaking laws or regulations? Privacy laws like
    Little ability to audit or monitor access to resources or data – What happened to my data when I was not looking? How can I comply with legislation, security policies and best practices?
    Hypervisors and storage are shared with other users – Is my neighbor trustworthy? How good is my neighbor's security? Will he get hacked and attack me?
    Storage devices contain residual data – Is storage recycled securely when I change vendors? What happens if my cloud provider goes out of business?