Where to Store the Cloud Encryption Keys - InterOp 2012

Dave Asprey's presentation on "Where to Store the Cloud Encryption Keys" from InterOp 2012.

Speaker notes:
  • This half hour presentation covers current trends in mobile and cloud and predicts how they will come together over the next few years. It includes an overview of ambient clouds, or clouds assembled on the fly from distributed devices, and reviews Smart Protection Network as a working large scale example of an ambient cloud. You will walk away with a new way to think about scaling and securing all infrastructure, including clouds.
  • Identity Theft Resource Center. This is notwithstanding the fact that these statistics only count breaches that have been reported, and it’s just in the US.
  • For example, Amazon’s S3 storage includes encryption options to encrypt volumes of data while enabling you to either manage your own encryption keys or to have Amazon hold the keys.
  • Transcript of "Where to Store the Cloud Encryption Keys - InterOp 2012"

    1. Where to Store Cloud Encryption Keys. Securing Your Journey to the Cloud. Dave Asprey, VP Cloud Security, @daveasprey. 10/30/2012. Copyright 2012 Trend Micro Inc.
    2. Focus
       • State of encryption deployment
       • Key management details of COBIT, PCI, HIPAA and SOX
       • Best practices for cloud encryption key management
       • Where to maintain encryption keys
    3. 30 million: # of Americans who are victims of reported data breaches
    4. 90% of enterprises encrypt in the public cloud
    5. Why key management matters now
       • Increased amount of sensitive data in the cloud
       • Risk of data loss caused by employees mishandling data
       • More sharing of authorized data with external users
       • Emerging marketplaces for stolen data
       • New (crazy) regulatory requirements
    6. Higher Risks
       • Reputation and profitability
       • Brand damage and potential loss of customers
       • Litigation expenses and large fines
    7. Breach notification is a disaster
       • Allowances if data was encrypted
       • 44 states have independent data breach laws
       • Nevada and Minnesota use PCI
    8. The following need keys:
       • Tokenization or data anonymization schemes
       • Mounted storage volume encryption
       • File encryption
       • Native database encryption (transparent data encryption)
    9. Key issues in key management
       • Security of key management infrastructure: a compromised key means compromised data
       • Separation of duties: ACLs so admins can back up files but not view sensitive data
       • Availability: if your key is lost, your data is cryptographically destroyed
       • Legal issues: hidden law enforcement requests for keys and data
    10. “COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.” - ISACA
    11. COBIT Encryption Key Management Requirements
       • transporting
       • storage
       • recovery
       • retirement/destruction
       • theft
       • frequency of required use
       * Included with these procedures should be requirements over securing the key and controlling the elevation of the key
    12. “Keys should be maintained on a computer that is not accessible by any programmers or users, such as router controls for logical access and strong physical controls with an air gap in a secured area/room.”
    13. PCI: “Encryption keys used for encryption of cardholder data must be protected against both disclosure and misuse.”
    14. PCI Requirement 3.6: Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
    15. PCI Requirement 3.6.4: Mandates that encryption keys be rotated at least annually or per vendor best practice (every 3 years). A hardware security module (HSM) easily encrypts database columns and rotates keys on a per-record basis, but won’t work for flat files or logs (extract-decrypt-re-encrypt).
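Envelope encryption, in which each row carries its own data key wrapped under a key-encryption key, is one way to get the per-record rotation this slide attributes to HSM-backed column encryption: rotating the KEK re-wraps the small per-row keys and never touches the bulk ciphertext, whereas a flat file or log needs the extract-decrypt-re-encrypt pass the slide mentions. The Go program below is an added example, not code from the deck or from Trend Micro. It assumes 32-byte AES-256-GCM keys generated in-process, and Record, Seal, Open, EncryptRecord and RotateKEK are the example's own names.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Record is one encrypted row: its per-record data key (DEK) wrapped under the key-encryption key (KEK), plus the body sealed under that DEK.
type Record struct{ WrappedDEK, Ciphertext []byte }
// must panics on errors that here can only mean a programming bug, such as a key that is not 32 bytes.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Seal encrypts with AES-256-GCM under a fresh random nonce, prepended to the output.
func Seal(key, plaintext []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; a wrong key or a tampered blob returns an error, never garbage.
func Open(key, sealed []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// EncryptRecord gives every record its own DEK, so keys can be handled per record.
func EncryptRecord(kek, plaintext []byte) Record {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return Record{WrappedDEK: Seal(kek, dek), Ciphertext: Seal(dek, plaintext)}
}

// RotateKEK re-wraps each DEK under newKEK; the bulk ciphertext is untouched,
// unlike the extract-decrypt-re-encrypt pass a flat file or log needs.
func RotateKEK(oldKEK, newKEK []byte, recs []Record) error {
	for i := range recs {
		dek, err := Open(oldKEK, recs[i].WrappedDEK)
		if err != nil {
			return err
		}
		recs[i].WrappedDEK = Seal(newKEK, dek)
	}
	return nil
}
```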
    16. PCI Requirement 3.6.8: Mandates documentation with formal key custodian forms & sign-off procedures
    17. PCI Requirement 3.6.b
       • Service providers should provide key management guidance to customers covering transmission, storage, and update of customer keys (not just storage)
       • Split knowledge and dual control apply only to manual key management processes
       • Notify customers of a data breach regardless of whether the data was encrypted or not
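Split knowledge and dual control, as an added Go example that is not part of the deck: the key is issued as XOR components, one per named custodian, so no single component says anything about the key, and CombineKey refuses to rebuild it unless every required custodian presents exactly one well-formed component. Share, SplitKey, CombineKey and the custodian names are the example's own; it assumes the components are handed over out of band by the manual process the slide describes.

```go
package main
import (
	"crypto/rand"
	"errors"
)
// Share is one custodian's key component: alone it is uniformly random and says nothing
// about the key (split knowledge); the key exists only when every required custodian joins in (dual control).
type Share struct{ Custodian string; Component []byte }

// SplitKey issues one component per custodian: all but the last are random and the last is the key XOR the others.
func SplitKey(key []byte, custodians []string) ([]Share, error) {
	if len(custodians) < 2 {
		return nil, errors.New("dual control needs at least two custodians")
	}
	last := append([]byte(nil), key...)
	var shares []Share
	for _, c := range custodians[:len(custodians)-1] {
		comp := make([]byte, len(key))
		if _, err := rand.Read(comp); err != nil {
			return nil, err
		}
		for i := range comp {
			last[i] ^= comp[i]
		}
		shares = append(shares, Share{c, comp})
	}
	return append(shares, Share{custodians[len(custodians)-1], last}), nil
}

// CombineKey rebuilds the key only when exactly the required custodians each presented one well-formed component.
func CombineKey(required []string, presented []Share) ([]byte, error) {
	if len(required) < 2 || len(presented) != len(required) {
		return nil, errors.New("need exactly one component from each required custodian")
	}
	need := map[string]int{}
	for _, c := range required {
		need[c]++
	}
	key := make([]byte, len(presented[0].Component))
	for _, s := range presented {
		if need[s.Custodian] != 1 || len(s.Component) != len(key) {
			return nil, errors.New("unexpected, duplicate or malformed component from " + s.Custodian)
		}
		need[s.Custodian]--
		for i := range key {
			key[i] ^= s.Component[i]
		}
	}
	return key, nil
}
```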
    18. HIPAA: Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
       • To avoid a breach of the confidential process or key, decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
       • The encryption processes should have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
       • Electronic PHI has been encrypted as specified in the HIPAA Security
    19. SOX
       • Sarbanes-Oxley adheres to COBIT in section DS 5.7: “Accepted frameworks for use with SOX are COSO and COBIT”
       • Section DS 5.8: “Dedicated key storage devices and application” - a separation of duties
    20. COBIT, PCI, HIPAA, and SOX store encryption keys:
       1. Securely
       2. Separately from data
       3. Under the control of the cloud consumer
    21. Three Key Options
       1. Enterprise data center
       2. SaaS Key Management
       3. IaaS Key Management
    22. Enterprise Datacenter
       • Maximum control
       • Potentially higher security and availability (DR possible)
       • No risk of external party breach compromising your data
       • Virtual appliance vs. hardware appliance vs. software
    23. SaaS Key Management
       • SaaS vendor takes responsibility for the keys
       • Cloud economics
       • Availability of SaaS vendor is based on your data availability level
       • Potential security risks if SaaS vendor loses key
       • Legal issues under Patriot Act
    24. IaaS Key Management
       • Use tokenization or encryption services from IaaS vendor
       • Same security and availability problem as SaaS
       • Effectively makes IaaS provider custodian of keys and data
       • Some providers offer encryption so you can manage the keys yourself
       • Enterprises must assess their risk tolerance and audit requirements before they can select a solution that best meets their encryption key management needs.
    25. Which Secure Cloud Deployment Option? Requirement. Download at: cloud.trendmicro.com
    26. Thank you. Dave Asprey, VP Cloud Security, @daveasprey. 10/30/2012. Copyright 2012 Trend Micro Inc.