Encryption in the Cloud - BrightTalk Data Security Summit 2013


Published on

Data is what underpins many companies' success, yet when it comes to protecting the data, companies are underinvesting in security capabilities. With the move to cloud computing, data security issues are not going away, instead are getting bigger visibility. Howevre, should companies only care about data security when their data is in the Cloud? Or should it be irrelevant where the data is processed or stored, with data security high on CIOs agenda? This session will look both at strategic options and discuss people, processes and technologies that companies should be looking.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Working on a project – project managers says we have a VPN tunnel for data transfer so that is enough for security 
  • Talk about data classification. We will talk about dropbox later
  • Apply encryption only where needed and make sure that the key management is done properly. NIST document http://csrc.nist.gov/groups/ST/toolkit/key_management.html
  • Look at processes required by ISO, Cobit..Control objective = process (typically)
  • Also talk about extending DLP and eDRM
  • Encryption in the Cloud - BrightTalk Data Security Summit 2013

    1. 1. Encrypting your data: Is there a difference between Cloudand your internal data centre? Vladimir Jirasek, Founder of Jirasek Consulting Services Research director, Cloud Security Alliance, UK chapter 16 January 2013
    2. 2. What you will learn today Security architecture prime for CIOs Encrypt, or not encrypt, that is the question! Alternatives to encryption Types of encryption Encryption as a security boundary Cloud delivery models and encryption Practical examples of encryption in Public
    3. 3. AES-128 so it must be secure! Trust me! PDF Secret 01010001 10101010 10110101 PDF Secret 01001010 10101011 00110101 Cloud serviceCloud service provider user Just because it is encrypted does not make it secure… Look end to end.
    4. 4. However not all data in the cloud aresecret!
    5. 5. Sometimes too much encryption is badthough. Who holds encryption keys? Are they available?
    6. 6. Should data security be on CIOs agendas? PaaS/Saas Mandatory reading! Saas Saas Cloud provider Your company Consolidation of Cost savings inreputation/costs reputation/costs Cloud providers Enterprises Not many security breaches Will become targeted as more enterprises rely so far. Why? more on public Cloud computing
    7. 7. CIOs! Security architecture is not justfirewalls and encryption…  A clever, sophisticated and fit for purpose combination of administrative and technical controls  Right mix of controls at all security domains: preventative, detective (mostly neglected) and recovery  Start with Processes then fit People and Technology
    8. 8. Types of encryption and securityboundary Encryption types Security boundary Symmetric – one key to encrypt and  Encryption can be used as a decrypt. Speed and better security security boundary: Asymmetric – large prime numbers  Key management is an create a pair of keys where one key enforcement point can decrypt what other encrypted. Slower as bigger keys are needed (look for ECC twice the length of  Think of SSL VPN over symmetric for same strength) (size of untrusted network output based on size of keys) Homomorphic - not new concept but  Encrypted data in database made practical by Craig gentry. Allows for operations on encrypted data without revealing the content!  eDRM
    9. 9. Different ways to protect data in Cloud Encryption at Customer end PDF Secret Encryption at Cloud provider end Tokenisation at Cloud user end Anonymisation at Cloud user end
    10. 10. Cloud deployment models effect data security Infrastructure as a Platform as a Service Software as a Service Service• Cloud provider offers • Cloud provider offers • Cloud provider offers virtual machine standardised (mostly) mostly custom build (typically) – Virtual CPU, platforms for database, Software (typically web Memory, Disks, middleware, web … based) Network • Operating system is • Full OS stack is• Operating system is Provider’s responsibility Provider’s responsibility Customer’s • Extending key • Extending key responsibility management from management to Cloud• Extending key Internal DC possible provider from Internal management from DC difficult Internal DC easy
    11. 11. Data protection options in cloud models Infrastructure as a Platform as a Service Software as a Service ServiceSIEM Extend company SIEM Plug-in to Provider’s SIEM Extend DLP or eDRM Provider operated data/database encryptionData Extend company file or object Encrypting/tokenising reverse encryption proxy engines (e.g. CipherCloud)Application Tokenisation and anonymisation Application encryption (customer retains keys) Encryption applianceHost (e.g. Safe-Net ProtectV) Provider dependent and operated host encryption Web TLS (for IaaS operated by customer)Network Network VPN (could extend to SaaS)
    12. 12. Example of SaaS – Use of Gmail insideand outside an organisationIntra company  SaaS web based application. Other standard interfaces – IMAP, POP3, SMTP, Web API Sender  Data in Gmail available to anyone with proper authentication ProxyRecipient  TLS used on transport layer  Consider using CipherCloud like product but be mindful of traffic flows with external customers Sender Recipient
    13. 13. Example of IaaS – Cloud provider offers virtual computing resources for Internal apps deploymentIntra company  Cloud provider can Key management theoretically access all HSM data, if decryption happens on the virtualInternal machine! But would they? user  Use two possible models: VPN  Local crypto operations with remote keyAdministrator management. Consider SafeNet ProtectV  Remote crypto operations over VPN – speed penalty Data encrypted Data encrypted Remote Local encryption encryption operations Travelling user operations Virtual servers
    14. 14. Recommendations Devise your security architecture holistically, not just looking at point solutions But with regards to data security in the cloud:  Always try to manage your keys – however in some cases this would break cloud deployment model and therefore is not always practical  Use Hardware Security Modules to maintain key security supported by robust key management processes  Extend your enterprise key management, DLP, eDRP and SIEM to Cloud providers  Explore format preserving encryption before data enters Cloud – typically for PaaS and SaaS (reverse web encryption proxy)
    15. 15. Links Cloud Security Guidance - https://cloudsecurityalliance.org/research/security-guidance/ Verizon Data Breach reports - http://www.verizonbusiness.com/about/events/2012dbir/ Dropbox access breach - http://www.securityweek.com/dropbox-confirms-data-breach-says-two-factor-authentication-coming Microsoft BPOS Address book leakage - http://www.pcworld.com/article/214591/Microsoft_BPOS_cloud_service_hit_with_data_breach.html Epsilon data breach - http://www.guardian.co.uk/technology/2011/apr/06/epsilon-email-hack-marks-spencer Google email accounts hacked - http://www.washingtonpost.com/blogs/post-tech/post/google-hundreds-of-gmail-accounts-hacked- including-some-senior-us-government-officials/2011/06/01/AGgASgGH_blog.html CipherCloud lists data breaches in Cloud - http://www.ciphercloud.com/learning-center/breach-watch.aspx CloudTweaks.com – Cloud Cartoons - http://www.cloudtweaks.com/category/cartoon/ Privatecore - http://www.privatecore.com/
    16. 16. Contact me and CSA Vladimir Jirasek  http://about.me/jirasek  @vjirasek  vladimir@jirasekconsulting.com Cloud Security Alliance  https://cloudsecurityalliance.org.uk  @csaukresearch