Encryption in the Cloud


Dave Asprey of Trend Micro discusses how to improve security in cloud-based applications

  • My name is Todd Thiemann, thank you for attending this session on
  • Data privacy concerns in the cloud:
    • Data is stored in plain text. Who can see my sensitive information? Data stored in a raw format removes confidentiality and allows a savvy attacker an open door to view all of your information.
    • Virtual volumes can be moved without the owner's knowledge. Has my data been moved offshore, breaking laws or regulations? Privacy laws like
    • Little ability to audit or monitor access to resources or data. What happened to my data when I was not looking? How can I comply with legislation, security policies and best practices?
    • Hypervisors and storage are shared with other users. Is my neighbor trustworthy? How good is my neighbor's security? Will he get hacked and attack me?
    • Storage devices contain residual data. Is storage recycled securely when I change vendors? What happens if my cloud provider goes out of business?
  • This is the online Amazon EC2 Customer Agreement. You can read the whole thing, but the bolded part is the key concept. The user of the virtual machine is responsible for the security of their virtual machine. You have the responsibility and accountability for security in the IaaS world. You need to plan for protection in the public cloud.
  • Encryption in the Cloud

    1. Encryption in the public cloud: Security techniques
       Dave Asprey • VP Cloud Security • [email_address] • @daveasprey (cloud + virtual security tweets)
    2. Your speaker
       • Dave Asprey
         • VP, Cloud Security
         • Cloud & Virtualization Evangelist
         • dave_asprey@trendmicro.com, @daveasprey
         • cloudsecurity.trendmicro.com, Linkedin.com/in/asprey
       • Background
         • Blue Coat – VP Technology
         • Citrix – Strategic Planning, Virtualization Business
         • Netscaler – Dir PM
         • Exodus/Savvis – Dir PM & Strategy exec
         • Speedera/Akamai – Sr. Dir PM
         • 3Com – Web IT guy
         • UC Santa Cruz – Ran Web & Internet Engineering Program
         • Author, PWC Tech Forecast: Systems & Network Mgt + Scaling
       Trend Micro Confidential 01/27/11
    3. Data Privacy Concerns in the Cloud
       • Data is stored in plain text
       • Virtual volumes can move without the owner's knowledge
       • Little ability to audit or monitor access to resources or data
       • Hypervisors and storage are shared with other users
       • Storage devices contain residual data
    4. Amazon Web Services™ Customer Agreement
       7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
       Translation: If it gets hacked, it's your fault.
       http://aws.amazon.com/agreement/#7 (23 November 2010)
    5. Security: the #1 Cloud Challenge
       Security and privacy rank higher than the sum of performance, immaturity and regulatory compliance (Gartner, April 2010).
    6. Use encrypted, self-defending hosts
       Diagram labels: Internet, Shared Firewall, Shared network inside the firewall, Virtual Servers, Shared Storage.
       Concerns:
       • Shared firewall – lowest common denominator, less fine-grained control
       • Multiple customers on one physical server – potential for attacks via the hypervisor
       • Shared storage – is customer segmentation secure against attack?
       • Easily copied machine images – who else has your server?
       Responses (each labelled "Doesn't matter" in the diagram):
       • The edge of my virtual machine is protected
       • Treat the LAN as public (appears twice in the diagram)
       • They can start my server but only I can unlock my data
       • My data is encrypted
    7. Advice
       • Encrypt network traffic
       • Use only encrypted file systems for block devices
       • Encrypt everything in shared storage
       • Only allow decryption keys to enter the cloud during decryption
       • Only authentication credential in VMs = key to decrypt file system key
    8. More advice
       • At instance startup, fetch encrypted file system key
       • No password-based authentication for shell access
       • No allowed passwords for sudo access (!)
       • Make regular backups off-cloud
    9. Even more advice
       • Minimize # of services per VM instance (goal = 1)
       • Only open ports you need
       • Specify source addresses & only allow HTTP global access
       • Keep sensitive data in a separate database
    10. Final advice
       • Use host-based intrusion detection system
       • Use system hardening tools
       • Write better applications!
    11. Thank You. Questions?
       • Dave Asprey
       • VP Cloud Security
       • [email_address]
       • @daveasprey
       • cloudsecurity.trendmicro.com
       • Props to: George Reese & O'Reilly Blog
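The key-handling pattern of slides 7 and 8 (a wrapped file system key is what gets stored in the cloud; the VM holds a single credential that unwraps it at startup, and the unwrapped key lives only in memory), written out as an added example that is not from the original deck. The AES-GCM choice, the function names, and the way the wrapped key is "fetched" (passed in as bytes) are assumptions; the keys used in testing are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext with AES-GCM: output = nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or any modified byte makes it fail.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("open: bad key or truncated blob")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// WrapFSKey runs off-cloud; only the wrapped key is ever stored in the cloud.
func WrapFSKey(kek, fsKey []byte) ([]byte, error) { return seal(kek, fsKey) }

// UnlockAtBoot runs on the instance: kek is the single credential the VM holds, the wrapped key is fetched at startup, and the unwrapped file system key is zeroed before returning.
func UnlockAtBoot(kek, wrappedFSKey, encryptedBlock []byte) ([]byte, error) {
	fsKey, err := open(kek, wrappedFSKey)
	if err != nil {
		return nil, err
	}
	plain, err := open(fsKey, encryptedBlock)
	for i := range fsKey { // never leave the plaintext file system key around
		fsKey[i] = 0
	}
	return plain, err
}
```

A real deployment would use the unwrapped key to open the encrypted block device rather than decrypt a single blob, but the lifetime rule is the same: the plaintext file system key exists only while the volume is being unlocked.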