
Cloud encryption everything you always wanted to know but were afraid to ask


Published on

Cloud Asia Singapore 15 May 2013

Published in: Technology


  1. Cloud Encryption: Everything You Always Wanted to Know but Were Afraid to Ask. Todd Thiemann, Vice President – Marketing, Co-chair CSA Solution Provider Advisory Council. (Company tagline: "the private computing company".)
  2. Recent Cloud Data Security Compromises. [Figure: breach examples with sources; images not recovered.]
  3. Who is Perpetrating Breaches? Origin of threat: 92% outsiders, 14% insiders. Source: 2013 Data Breach Investigation Report.
  4. Old School Datacenter Attacks. [Figure not recovered.]
  5. New School Cloud Attacks. [Figure not recovered.]
  6. Why Secure Your Data?
     • Executive mandate: IP protection, brand protection, corporate data governance
     • Contractual obligation: outsourcing, SaaS contracts
     • Compliance regulations: PCI DSS, Basel III, national data protection laws
  7. Worldwide Compliance. International companies must adhere to regulations in each country of operation, and such regulations can call for encryption. Examples shown: Electronic Ledger Storage Law (Japan), MEDIS-DC (Japan), Canadian Electronic Evidence Act, PCI Data Security Standard (worldwide), US State Data Breach Laws, FDA 21 CFR Part 11, Sarbanes-Oxley Act (USA), AIPA (Italy), GDPdU and GoBS (Germany), EU Data Protection Directive, UK Data Protection Act, NF Z 42-013 (France), Financial Services Authority (UK), Basel III Capital Accord, GLB Act, Japan PIP Act, HIPAA/HITECH (USA), S. Korea Personal Information Protection Act, Singapore Personal Data Protection Act, Taiwan Personal Data Protection Act.
  8. Encryption Architectures for Data at Rest. [Figure: stack of Users, Applications, Database, OS, Hypervisor, Hardware (CPU/Memory), Storage (SAN, NAS, DAS); encryption options placed against it: API, Native DB, OS/File, Gateway; axis from Control to Simplicity.] Technologies balance between control and simplicity.
  9. Application Encryption. Application encryption using APIs before data is stored in the database.
     • Pros: most secure, at the top of the stack; cloud agnostic (portable)
     • Cons: intrusive, requiring custom code development; not applicable to SaaS
     [Figure label: Key Management]
  10. OS-level Encryption (File Encryption). OS-level (aka file-level) encryption encrypts and controls access to file-level data.
     • Pros: enables access control and separation of duties with the CSP and within the enterprise; portable
     • Cons: enterprises cannot use it with SaaS/PaaS; not extremely granular
     [Figure label: Key Management]
  11. Cloud Storage Encryption. Encrypts data at the mounted storage volume.
     • Pros: can enable access control and separation of duties between CSP and enterprise
     • Cons: uncertain key custody; no access control
  12. Gateway Encryption (Proxy). The gateway uses a reverse proxy to encrypt or tokenize sensitive SaaS/PaaS data.
     • Pros: agentless architecture for securing SaaS/PaaS; no application changes; enterprise controls keys
     • Cons: can disrupt application functionality (indexing, searching, sorting, business logic in the cloud); you must track cloud application changes
     [Figure: SaaS behind Gateway]
  13. Cloud Encryption Layers. [Figure: stack of User, Application, Database, OS, Hypervisor, HW, Storage, with API Encryption, Database Encryption, File Encryption, Storage Encryption and Gateway Encryption mapped to their layers.] Caveat: compromised hardware/memory can break the trust model.
  14. Encryption Beyond Data At Rest
     • Data in use (memory)
       –  Memory is clear text and can be parsed to find sensitive data
       –  Dumping memory can compromise data and the encryption keys for data at rest
       –  Evaluate this emerging threat and solutions to mitigate the risk
  15. Questions To Consider
     • What information needs to be protected?
     • What threats do you want to protect the information against?
     • What application and infrastructure changes can you tolerate?
     • Who holds the encryption keys?
       –  You? Partner? Cloud service provider?
     • Performance
  16. Todd's Take-aways
     • Encryption enables trust in an untrusted environment
     • Encryption enables logical separation of data at any level (country, datacentre, database, etc.)
     • Encryption protects sensitive data, but can also enable security intelligence
       –  Who is touching your data?
     • Minimize encryption silos to minimize costs
       –  Many encryption use cases can cause solutions to proliferate
  17. Questions & Answers. Thank you!
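The application-encryption slide says the application encrypts a field through an API before it reaches the database, and the "Questions To Consider" slide asks who holds the keys. The following Go program is an added example, not code from the deck or from the presenter's company: it shows one common way to combine the two, envelope encryption, where each field gets its own data encryption key (DEK) and the DEK is wrapped under a key encryption key (KEK) that stays with the enterprise. The database only ever sees ciphertext and wrapped keys. The record layout, the use of the row id as AES-GCM associated data, and the KEK rotation routine are this example's assumptions; the sample KEK and card number are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is the shape written to the database column: the sealed field and the
// sealed data key. Neither the plaintext field nor the plaintext DEK reaches the DB.
type Record struct {
	Ciphertext []byte // nonce || AES-GCM(DEK, field, aad=recordID)
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns
// nonce || ciphertext || tag so the stored blob is self-describing.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, the AAD or any byte was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// EncryptField runs in the application before the INSERT: a fresh 256-bit DEK
// protects this one field, and the DEK is wrapped under the KEK the enterprise
// keeps outside the cloud. recordID is bound as AAD, so a ciphertext moved to
// another row fails to decrypt instead of silently leaking into the wrong record.
func EncryptField(kek []byte, recordID string, field []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, field, []byte(recordID))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, nil)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptField unwraps the DEK with the KEK, then opens the field.
func DecryptField(kek []byte, recordID string, rec Record) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, []byte(recordID))
}

// RotateKEK re-wraps the DEK under a new KEK without touching the stored
// ciphertext, which is what keeps enterprise-held keys practical at scale.
func RotateKEK(oldKEK, newKEK []byte, rec Record) (Record, error) {
	dek, err := open(oldKEK, rec.WrappedDEK, nil)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(newKEK, dek, nil)
	if err != nil {
		return Record{}, err
	}
	return Record{Ciphertext: rec.Ciphertext, WrappedDEK: wrapped}, nil
}

func main() {
	// Constructed KEK for the demo; a real KEK lives in an HSM or KMS the enterprise controls.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptField(kek, "customer-42", []byte("4111 1111 1111 1111")) // constructed sample value
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext: %x\n", rec.Ciphertext)
	pt, err := DecryptField(kek, "customer-42", rec)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	_, err = DecryptField(kek, "customer-43", rec)
	fmt.Println("row swap detected:", err != nil)
}
```

The design choice worth noting is the split in key custody: the cloud stores ciphertext and wrapped DEKs, the enterprise stores the KEK, and rotating the KEK rewraps a small blob per row rather than re-encrypting the data. That is the "enterprise controls keys" property the slides attribute to the application and gateway approaches, in runnable form.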
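The gateway slide lists a specific cost of tokenizing data before it reaches a SaaS application: searching, sorting and indexing in the cloud stop working because the cloud only holds tokens. The following Go program is an added example, not code from the deck or from any gateway product, and it assumes a simple vault-style tokenizer (random token, mapping kept on the enterprise side). It makes the trade-off concrete: equality lookups still work because the same value always maps to the same token, but a prefix search or a sort executed in the cloud over the token column gives wrong or empty results, so the gateway has to pull rows back and do that work locally. The sample names are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// TokenVault is a constructed stand-in for the token store a gateway keeps on the
// enterprise side. Tokens are random, so they reveal nothing about the value.
type TokenVault struct {
	toToken map[string]string // value -> token (same value always gets the same token)
	toValue map[string]string // token -> value
}

func NewTokenVault() *TokenVault {
	return &TokenVault{toToken: map[string]string{}, toValue: map[string]string{}}
}

// Tokenize returns the token that stands in for value inside the SaaS application.
func (v *TokenVault) Tokenize(value string) (string, error) {
	if t, ok := v.toToken[value]; ok {
		return t, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	t := "tok_" + hex.EncodeToString(b)
	v.toToken[value] = t
	v.toValue[t] = value
	return t, nil
}

// Detokenize maps a token back to its value; only the enterprise side can do this.
func (v *TokenVault) Detokenize(token string) (string, bool) {
	val, ok := v.toValue[token]
	return val, ok
}

// CloudPrefixSearch models a SaaS "starts with" search over whatever the column
// holds. It works on plaintext; over tokens the prefix is simply not there.
func CloudPrefixSearch(column []string, prefix string) []string {
	var hits []string
	for _, c := range column {
		if strings.HasPrefix(c, prefix) {
			hits = append(hits, c)
		}
	}
	return hits
}

// CloudSortPreservesOrder reports whether sorting the tokenized column in the
// cloud and detokenizing afterwards yields the same order as sorting the
// plaintext locally. With random tokens this is false except by coincidence.
func CloudSortPreservesOrder(v *TokenVault, values []string) (bool, error) {
	tokens := make([]string, len(values))
	for i, val := range values {
		t, err := v.Tokenize(val)
		if err != nil {
			return false, err
		}
		tokens[i] = t
	}
	sort.Strings(tokens) // what the SaaS application would do with an ORDER BY
	cloudOrder := make([]string, len(tokens))
	for i, t := range tokens {
		cloudOrder[i], _ = v.Detokenize(t)
	}
	local := append([]string(nil), values...)
	sort.Strings(local)
	for i := range local {
		if local[i] != cloudOrder[i] {
			return false, nil
		}
	}
	return true, nil
}

// GatewaySort is what the gateway must do instead: fetch the tokenized rows,
// detokenize them on the enterprise side, and sort there.
func GatewaySort(v *TokenVault, tokens []string) []string {
	out := make([]string, 0, len(tokens))
	for _, t := range tokens {
		if val, ok := v.Detokenize(t); ok {
			out = append(out, val)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	v := NewTokenVault()
	names := []string{"Smith", "Jones", "Garcia", "Nguyen", "Patel"} // constructed sample column
	tokens := make([]string, len(names))
	for i, n := range names {
		tokens[i], _ = v.Tokenize(n)
	}
	fmt.Println("plaintext prefix search:", CloudPrefixSearch(names, "Sm"))
	fmt.Println("token prefix search:    ", CloudPrefixSearch(tokens, "Sm"))
	fmt.Println("gateway-side sort:      ", GatewaySort(v, tokens))
}
```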