Data is what underpins many companies' success, yet when it comes to protecting that data, companies are underinvesting in security capabilities. With the move to cloud computing, data security issues are not going away; instead they are getting bigger visibility. However, should companies only care about data security when their data is in the Cloud? Or should it be irrelevant where the data is processed or stored, with data security high on CIOs' agendas? This session will look at strategic options and discuss the people, processes and technologies that companies should be looking at.
Encryption in the Cloud - BrightTalk Data Security Summit 2013
1. Encrypting your data: Is there a difference between Cloud and your internal data centre?
Vladimir Jirasek, Founder of Jirasek Consulting Services
Research director, Cloud Security Alliance, UK chapter
16 January 2013
2. What you will learn today
Security architecture prime for CIOs
Encrypt, or not encrypt, that is the question!
Alternatives to encryption
Types of encryption
Encryption as a security boundary
Cloud delivery models and encryption
Practical examples of encryption in Public
3. AES-128 so it must be secure! Trust me!
[Diagram: a PDF marked "Secret" is turned into a bit stream on the Cloud service user side and becomes a readable "Secret" PDF again on the Cloud service provider side]
Just because it is encrypted does not make it secure… Look end to end.
5. Sometimes too much encryption is bad though.
Who holds encryption keys? Are they available?
6. Should data security be on CIOs' agendas?
Mandatory reading!
[Diagram: PaaS/SaaS and SaaS providers; a breach costs both the Cloud provider (reputation/costs) and your company (reputation/costs); consolidation of Cloud providers versus cost savings in Enterprises]
Not many security breaches so far. Why? Will become targeted as more enterprises rely more on public Cloud computing.
7. CIOs! Security architecture is not just firewalls and encryption…
• A clever, sophisticated and fit for purpose combination of administrative and technical controls
• Right mix of controls at all security domains: preventative, detective (mostly neglected) and recovery
• Start with Processes then fit People and Technology
8. Types of encryption and security boundary
Encryption types
• Symmetric – one key to encrypt and decrypt. Speed and better security
• Asymmetric – large prime numbers create a pair of keys where one key can decrypt what the other encrypted. Slower as bigger keys are needed (look for ECC: twice the length of symmetric for the same strength) (size of output based on size of keys)
• Homomorphic – not a new concept but made practical by Craig Gentry. Allows for operations on encrypted data without revealing the content!
Security boundary
• Encryption can be used as a security boundary: Key management is an enforcement point
• Think of SSL VPN over untrusted network
• Encrypted data in database
• eDRM
9. Different ways to protect data in Cloud
[Diagram: a PDF marked "Secret" shown at each protection point]
• Encryption at Customer end
• Encryption at Cloud provider end
• Tokenisation at Cloud user end
• Anonymisation at Cloud user end
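Two of the cloud user end options on this slide, tokenisation and anonymisation, as an added Python example that is not part of the original slides: the token vault and the HMAC key stay in the customer's data centre and only the tokenised record goes to the provider. The record, key and class/function names are constructed assumptions; the token keeps the field's length and digit layout, the property a reverse web encryption proxy relies on.

```python
import hmac
import hashlib
import secrets

DIGITS = "0123456789"


class CustomerEndTokeniser:
    """Tokenisation and anonymisation done before data leaves the company.
    Assumed design: the vault and the key never leave the customer side."""

    def __init__(self, anonymisation_key: bytes):
        self._vault: dict[str, str] = {}   # token -> original value, customer side only
        self._key = anonymisation_key      # HMAC key for irreversible pseudonyms

    def _random_token(self, value: str) -> str:
        # Same length, digits replaced by random digits, last four characters retained
        body, tail = value[:-4], value[-4:]
        return "".join(secrets.choice(DIGITS) if c.isdigit() else c for c in body) + tail

    def tokenise(self, value: str) -> str:
        """Reversible: returns a format-preserving token and records it in the vault."""
        if not any(c.isdigit() for c in value[:-4]):
            raise ValueError("nothing to replace: value too short or has no digits")
        token = self._random_token(value)
        while token == value or token in self._vault:   # reject collisions and unchanged values
            token = self._random_token(value)
        self._vault[token] = value
        return token

    def detokenise(self, token: str) -> str:
        """Only possible where the vault is, i.e. inside the customer DC."""
        return self._vault[token]

    def anonymise(self, value: str) -> str:
        """Irreversible without the key; equal inputs give equal pseudonyms,
        so the cloud application can still join records without seeing the value."""
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]


def prepare_for_cloud(record: dict, tok: CustomerEndTokeniser) -> dict:
    """What the provider receives: card number tokenised, e-mail anonymised."""
    return {
        "order_id": record["order_id"],
        "card": tok.tokenise(record["card"]),
        "customer_ref": tok.anonymise(record["email"]),
    }


# Constructed sample record and key (not real data).
SAMPLE_RECORD = {"order_id": "A-1", "card": "4111 1111 1111 1234", "email": "alice@example.com"}
SAMPLE_KEY = b"constructed-customer-side-key"
```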
10. Cloud deployment models affect data security
Infrastructure as a Service
• Cloud provider offers virtual machine (typically) – Virtual CPU, Memory, Disks, Network
• Operating system is Customer’s responsibility
• Extending key management from Internal DC easy
Platform as a Service
• Cloud provider offers standardised (mostly) platforms for database, middleware, web …
• Operating system is Provider’s responsibility
• Extending key management from Internal DC possible
Software as a Service
• Cloud provider offers mostly custom built Software (typically web based)
• Full OS stack is Provider’s responsibility
• Extending key management to Cloud provider from Internal DC difficult
11. Data protection options in cloud models (options listed per layer from the Infrastructure as a Service side to the Platform as a Service / Software as a Service side)
SIEM: Extend company SIEM | Plug-in to Provider’s SIEM
Data: Extend DLP or eDRM; Extend company file or object encryption | Provider operated data/database encryption; Encrypting/tokenising reverse proxy engines (e.g. CipherCloud)
Application: Tokenisation and anonymisation; Application encryption (customer retains keys)
Host: Encryption appliance (e.g. SafeNet ProtectV) | Provider dependent and operated host encryption
Network: Web TLS (for IaaS operated by customer); Network VPN (could extend to SaaS)
12. Example of SaaS – Use of Gmail inside and outside an organisation
[Diagram: intra company Sender and Recipient reach the SaaS web based application through a Proxy; external Sender and Recipient connect to it directly]
• Intra company SaaS web based application. Other standard interfaces – IMAP, POP3, SMTP, Web API
• Data in Gmail available to anyone with proper authentication
• TLS used on transport layer
• Consider using a CipherCloud like product but be mindful of traffic flows with external customers
13. Example of IaaS – Cloud provider offers virtual computing resources for Internal apps deployment
[Diagram: intra company Key management backed by an HSM; Internal user and Administrator reach the Virtual servers over VPN; Travelling user; data encrypted on the Virtual servers using either Local encryption operations or Remote encryption operations]
• Cloud provider can theoretically access all data, if decryption happens on the virtual machine! But would they?
• Use two possible models:
  – Local crypto operations with remote key management. Consider SafeNet ProtectV
  – Remote crypto operations over VPN – speed penalty
14. Recommendations
• Devise your security architecture holistically, not just looking at point solutions
But with regards to data security in the cloud:
• Always try to manage your keys – however, in some cases this would break the cloud deployment model and therefore is not always practical
• Use Hardware Security Modules to maintain key security, supported by robust key management processes
• Extend your enterprise key management, DLP, eDRM and SIEM to Cloud providers
• Explore format preserving encryption before data enters Cloud – typically for PaaS and SaaS (reverse web encryption proxy)
15. Links
Cloud Security Guidance - https://cloudsecurityalliance.org/research/security-guidance/
Verizon Data Breach reports - http://www.verizonbusiness.com/about/events/2012dbir/
Dropbox access breach - http://www.securityweek.com/dropbox-confirms-data-breach-says-two-factor-authentication-coming
Microsoft BPOS Address book leakage - http://www.pcworld.com/article/214591/Microsoft_BPOS_cloud_service_hit_with_data_breach.html
Epsilon data breach - http://www.guardian.co.uk/technology/2011/apr/06/epsilon-email-hack-marks-spencer
Google email accounts hacked - http://www.washingtonpost.com/blogs/post-tech/post/google-hundreds-of-gmail-accounts-hacked-including-some-senior-us-government-officials/2011/06/01/AGgASgGH_blog.html
CipherCloud lists data breaches in Cloud - http://www.ciphercloud.com/learning-center/breach-watch.aspx
CloudTweaks.com – Cloud Cartoons - http://www.cloudtweaks.com/category/cartoon/
Privatecore - http://www.privatecore.com/
16. Contact me and CSA
Vladimir Jirasek
http://about.me/jirasek
@vjirasek
vladimir@jirasekconsulting.com
Cloud Security Alliance
https://cloudsecurityalliance.org.uk
@csaukresearch
Editor's Notes
Working on a project – the project manager says we have a VPN tunnel for data transfer so that is enough for security
Talk about data classification. We will talk about Dropbox later
Apply encryption only where needed and make sure that the key management is done properly. NIST document http://csrc.nist.gov/groups/ST/toolkit/key_management.html
Look at processes required by ISO, COBIT… Control objective = process (typically)