Securing data in the cloud
@eyalestrin
Agenda
- Encryption in the cloud
- Controlling access to customer's data
- Logging, Auditing and Incident Response
- Compliance to Law and Regulation
Encryption – Common Terms
- Symmetric encryption – The same encryption key is used for encryption and decryption
- Asymmetric encryption – A public key is used for encryption, while a private key is used for decryption
- Key Encryption Key (KEK) – The master key used for encryption and decryption of data keys
- Data Encryption Key (DEK) – The key used for encryption and decryption of the customer’s data
- Vault – A secure location for storing encryption keys
- HSM (Hardware Security Module) – Hardware-based vault for storing encryption keys
Encryption – Types of data encryption
- Client Side Encryption – Encrypting the customer’s data before storing it in public cloud services
- Server Side Encryption – Encrypting data at rest in the public cloud services (such as storage, database, etc.), while the cloud vendor controls the encryption keys
- Customer Managed Key / Bring Your Own Key – Encrypting data at rest in the public cloud services (such as storage, database, etc.), while the customer controls the encryption keys
Encryption – Key Hierarchy
- The customer’s data is stored in an object file store or in a database
- A data encryption key (DEK) encrypts that customer’s data
- The DEK is stored near the data itself
- A key encryption key (KEK) / master key encrypts the data encryption key (DEK)
- The KEK is stored in a secured vault / HSM
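The hierarchy above as working code, added here as an example and not part of the original deck: a fresh DEK per object seals the data, the KEK (kept by a vault or HSM; here simply a byte slice the caller fetches from it) wraps the DEK, and only the wrapped DEK is stored beside the ciphertext. `Envelope`, `Encrypt`, `Decrypt` and the use of AES-256-GCM are this example's choices, not the slide's, and the vault itself is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what is stored beside the data: the ciphertext plus the DEK wrapped
// under a KEK. The plaintext DEK is never stored; the KEK never leaves the vault.
type Envelope struct {
	KEKID      string // names the vault master key that wraps this DEK
	WrappedDEK []byte
	Ciphertext []byte
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key size is a programming error, not a runtime condition
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal prefixes a fresh random nonce; aad binds the ciphertext to its context.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt: a fresh DEK per object seals the data, then the KEK wraps the DEK with
// the KEK id as aad, so a wrapped DEK cannot be relabelled as belonging to another KEK.
func Encrypt(kekID string, kek, plaintext []byte) *Envelope {
	dek := make([]byte, 32) // AES-256 data key, generated per object
	rand.Read(dek)
	return &Envelope{KEKID: kekID, WrappedDEK: seal(kek, dek, []byte(kekID)),
		Ciphertext: seal(dek, plaintext, nil)}
}

// Decrypt unwraps the DEK with the KEK fetched from the vault, then opens the data.
func Decrypt(kek []byte, e *Envelope) ([]byte, error) {
	dek, err := open(kek, e.WrappedDEK, []byte(e.KEKID))
	if err != nil {
		return nil, err
	}
	return open(dek, e.Ciphertext, nil)
}
```

Because the data is sealed with the DEK and only the 60-byte wrapped DEK depends on the KEK, losing or revoking the KEK makes the object unreadable, and a wrong KEK fails the authentication check rather than yielding garbage.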
Encryption – Reference
Azure Key Vault
https://azure.microsoft.com/en-us/services/key-vault/
AWS Key Management Service (KMS)
https://aws.amazon.com/kms/
Google Cloud Key Management Service (KMS)
https://cloud.google.com/kms/
Oracle Break Glass
https://docs.oracle.com/en/cloud/get-started/subscriptions-cloud/mmocs/overview-oracle-break-glass.html
Salesforce Shield Platform Encryption
https://www.salesforce.com/eu/products/platform/products/shield/
Controlling access to customer's data
- According to the “Shared Responsibility Model”, cloud providers maintain the lower layers of the infrastructure (hardware, network, storage, virtualization, etc.)
- In the rare cases where a cloud vendor support engineer needs access to customer content to resolve a customer issue, there are access control mechanisms that grant the support engineer temporary access rights to customer data
- Examples:
  - Customer Lockbox for Office 365: https://www.microsoft.com/en-us/microsoft-365/blog/2015/04/21/announcing-customer-lockbox-for-office-365/
  - Customer Lockbox for Azure VM: https://azure.microsoft.com/en-us/blog/approve-audit-support-access-requests-to-vms-using-customer-lockbox-for-azure/
  - Oracle Break Glass for Fusion Cloud Service: https://cloud.oracle.com/opc/saas/fsdep/datasheets/oracle-break-glass-for-fusion-cloud-ds.pdf
Controlling access to customer's data – Workflow
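A constructed model of the temporary-access workflow described above, added as an example and not any vendor's implementation: the engineer files a request tied to a ticket, the customer approves it for a limited time, and a single `Authorize` gate checks approval, engineer, scope and expiry while appending every step to an audit trail. `Lockbox`, `AccessRequest`, `Request`, `Approve`, `Authorize` and the injected clock are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AccessRequest is a support engineer's request to touch customer content for one
// ticket (constructed model of the lockbox pattern, not any vendor's API).
type AccessRequest struct {
	ID, Engineer, Ticket, Scope string
	Approved                    bool
	ApprovedBy                  string
	ExpiresAt                   time.Time
}

// Lockbox holds the requests and an append-only audit trail of every step.
type Lockbox struct {
	requests map[string]*AccessRequest
	Audit    []string
	now      func() time.Time // injectable clock so expiry is testable
}

func NewLockbox(now func() time.Time) *Lockbox {
	return &Lockbox{requests: map[string]*AccessRequest{}, now: now}
}

func (l *Lockbox) log(format string, a ...interface{}) {
	l.Audit = append(l.Audit, l.now().UTC().Format(time.RFC3339)+" "+fmt.Sprintf(format, a...))
}

// Request records the engineer's justification; nothing is granted yet.
func (l *Lockbox) Request(id, engineer, ticket, scope string) {
	l.requests[id] = &AccessRequest{ID: id, Engineer: engineer, Ticket: ticket, Scope: scope}
	l.log("REQUEST %s by %s for ticket %s scope=%s", id, engineer, ticket, scope)
}

// Approve is the customer's decision; access is time-boxed from the moment of approval.
func (l *Lockbox) Approve(id, customerAdmin string, ttl time.Duration) error {
	r, ok := l.requests[id]
	if !ok {
		return errors.New("unknown request")
	}
	r.Approved, r.ApprovedBy, r.ExpiresAt = true, customerAdmin, l.now().Add(ttl)
	l.log("APPROVE %s by %s until %s", id, customerAdmin, r.ExpiresAt.UTC().Format(time.RFC3339))
	return nil
}

// Authorize is the gate every data-plane access must pass; each outcome is logged,
// allowed or not, so the customer can audit what the engineer touched.
func (l *Lockbox) Authorize(id, engineer, scope string) bool {
	r, ok := l.requests[id]
	allowed := ok && r.Approved && r.Engineer == engineer && r.Scope == scope &&
		l.now().Before(r.ExpiresAt)
	l.log("ACCESS %s by %s scope=%s allowed=%t", id, engineer, scope, allowed)
	return allowed
}
```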
Logging, Auditing and Incident Response
Major public cloud vendors provide customers with a unified interface for managing security compliance, identifying threats and performing automated actions
Examples:
Azure Security Center:
https://azure.microsoft.com/en-us/services/security-center/
Amazon GuardDuty:
https://aws.amazon.com/guardduty/
Google Cloud Security Command Center:
https://cloud.google.com/security-command-center/
Azure Security Center
Amazon GuardDuty
Google Cloud Security Command Center
Reference for Compliance to Law and Regulations
Azure:
https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings
AWS:
https://aws.amazon.com/compliance/programs/
Google Cloud Platform:
https://cloud.google.com/security/compliance/#/
Oracle Cloud:
https://cloud.oracle.com/cloud-compliance