Data is what underpins many companies' success, yet when it comes to protecting the data, companies are underinvesting in security capabilities. With the move to cloud computing, data security issues are not going away, instead are getting bigger visibility. Howevre, should companies only care about data security when their data is in the Cloud? Or should it be irrelevant where the data is processed or stored, with data security high on CIOs agenda? This session will look both at strategic options and discuss people, processes and technologies that companies should be looking.

1. Encrypting your data: Is there
a difference between Cloud
and your internal data centre?
Vladimir Jirasek, Founder of Jirasek Consulting Services
Research director, Cloud Security Alliance, UK chapter
16 January 2013

2. What you will learn today
 Security architecture prime for CIOs
 Encrypt, or not encrypt, that is the question!
 Alternatives to encryption
 Types of encryption
 Encryption as a security boundary
 Cloud delivery models and encryption
 Practical examples of encryption in Public

3. AES-128 so it must be secure! Trust me!
PDF
Secret
01010001
10101010
10110101 PDF
Secret
01001010
10101011
00110101
Cloud service
Cloud service
provider
user
Just because it is encrypted does not
make it secure… Look end to end.

4. However not all data in the cloud are
secret!

5. Sometimes too much encryption is bad
though.
Who holds encryption keys? Are they available?

6. Should data security be on CIOs agendas?
PaaS/Saas
Mandatory reading!
Saas
Saas
Cloud provider Your company Consolidation of Cost savings in
reputation/costs reputation/costs Cloud providers Enterprises
Not many security breaches Will become targeted as more enterprises rely
so far. Why? more on public Cloud computing

7. CIOs! Security architecture is not just
firewalls and encryption…
 A clever, sophisticated and fit
for purpose combination of
administrative and technical
controls
 Right mix of controls at all
security domains:
preventative, detective
(mostly neglected) and
recovery
 Start with Processes then fit
People and Technology

8. Types of encryption and security
boundary
Encryption types Security boundary
 Symmetric – one key to encrypt and  Encryption can be used as a
decrypt. Speed and better security
security boundary:
 Asymmetric – large prime numbers  Key management is an
create a pair of keys where one key enforcement point
can decrypt what other encrypted.
Slower as bigger keys are needed
(look for ECC twice the length of  Think of SSL VPN over
symmetric for same strength) (size of untrusted network
output based on size of keys)
 Homomorphic - not new concept but  Encrypted data in database
made practical by Craig gentry.
Allows for operations on encrypted
data without revealing the content!  eDRM

9. Different ways to protect data in Cloud
Encryption at Customer end
PDF
Secret
Encryption at Cloud provider end
Tokenisation at Cloud user end
Anonymisation at Cloud user end

10. Cloud deployment models effect data
security
Infrastructure as a
Platform as a Service Software as a Service
Service
• Cloud provider offers • Cloud provider offers • Cloud provider offers
virtual machine standardised (mostly) mostly custom build
(typically) – Virtual CPU, platforms for database, Software (typically web
Memory, Disks, middleware, web … based)
Network • Operating system is • Full OS stack is
• Operating system is Provider’s responsibility Provider’s responsibility
Customer’s • Extending key • Extending key
responsibility management from management to Cloud
• Extending key Internal DC possible provider from Internal
management from DC difficult
Internal DC easy

11. Data protection options in cloud models
Infrastructure as a
Platform as a Service Software as a Service
Service
SIEM
Extend company SIEM Plug-in to Provider’s SIEM
Extend DLP or eDRM Provider operated data/database encryption
Data
Extend company file or object Encrypting/tokenising reverse
encryption proxy engines (e.g. CipherCloud)
Application
Tokenisation and anonymisation
Application encryption (customer retains keys)
Encryption appliance
Host
(e.g. Safe-Net ProtectV)
Provider dependent and operated host encryption
Web TLS (for IaaS operated by customer)
Network
Network VPN (could extend to SaaS)

12. Example of SaaS – Use of Gmail inside
and outside an organisation
Intra company  SaaS web based application.
Other standard interfaces –
IMAP, POP3, SMTP, Web API
Sender  Data in Gmail available to
anyone with proper
authentication
Proxy
Recipient  TLS used on transport layer
 Consider using CipherCloud
like product but be mindful of
traffic flows with external
customers
Sender Recipient

13. Example of IaaS – Cloud provider offers virtual
computing resources for Internal apps deployment
Intra company  Cloud provider can
Key management
theoretically access all
HSM data, if decryption
happens on the virtual
Internal machine! But would they?
user
 Use two possible models:
VPN
 Local crypto operations
with remote key
Administrator
management. Consider
SafeNet ProtectV
 Remote crypto
operations over VPN –
speed penalty
Data encrypted
Data encrypted
Remote
Local encryption
encryption
operations
Travelling user operations
Virtual servers

14. Recommendations
 Devise your security architecture holistically, not just looking at
point solutions
 But with regards to data security in the cloud:
 Always try to manage your keys – however in some cases this would
break cloud deployment model and therefore is not always
practical
 Use Hardware Security Modules to maintain key security supported
by robust key management processes
 Extend your enterprise key management, DLP, eDRP and SIEM to
Cloud providers
 Explore format preserving encryption before data enters Cloud –
typically for PaaS and SaaS (reverse web encryption proxy)

15. Links
 Cloud Security Guidance - https://cloudsecurityalliance.org/research/security-guidance/
 Verizon Data Breach reports - http://www.verizonbusiness.com/about/events/2012dbir/
 Dropbox access breach - http://www.securityweek.com/dropbox-confirms-data-breach-says-two-factor-authentication-coming
 Microsoft BPOS Address book leakage -
http://www.pcworld.com/article/214591/Microsoft_BPOS_cloud_service_hit_with_data_breach.html
 Epsilon data breach - http://www.guardian.co.uk/technology/2011/apr/06/epsilon-email-hack-marks-spencer
 Google email accounts hacked - http://www.washingtonpost.com/blogs/post-tech/post/google-hundreds-of-gmail-accounts-hacked-
including-some-senior-us-government-officials/2011/06/01/AGgASgGH_blog.html
 CipherCloud lists data breaches in Cloud - http://www.ciphercloud.com/learning-center/breach-watch.aspx
 CloudTweaks.com – Cloud Cartoons - http://www.cloudtweaks.com/category/cartoon/
 Privatecore - http://www.privatecore.com/

16. Contact me and CSA
 Vladimir Jirasek
 http://about.me/jirasek
 @vjirasek
 vladimir@jirasekconsulting.com
 Cloud Security Alliance
 https://cloudsecurityalliance.org.uk
 @csaukresearch