HighCloud Security CSA LA and Seattle chapter presentation
Transcript of HighCloud Security CSA LA and Seattle chapter presentation
"CAN ENCRYPTION HELP ALLEVIATE CONCERNS ABOUT MOVING TO THE CLOUD?"
Steve Pate - Co-Founder / CTO
Presented to:
Securing Cloud Data With Encryption
2
Agenda
• How much of a concern does the cloud present us?
• An encryption refresher
• Looking at virtualized environments
• What do the regulations say about virtualization and cloud?
• Methods of deploying encryption in the cloud
• It’s all about key management!
3
What do the surveys say?
Back in 2010 ...
Only 34% of Servers are virtualized .... the #1 restriction cited to further virtualization was security – CDW 2009
87% of respondents rated “Security Challenges” as the #1 issue ascribed to the Cloud model – IDC Enterprise Panel 2009
“73 percent said security was the primary obstacle to their adopting cloud computing, followed by compliance (54 percent) and portability and ownership of data (48 percent). Most said they were worried about stopping unauthorized access to their company data in the cloud, and 42 percent said security worries have stopped their organizations from going to the cloud.” – PhoneFactor survey
“By 2015, security will shift from being the No. 1 inhibitor of cloud to one of the top enablers” – Forrester Research
4
What do the surveys say?
Today ...
In the x86 environment, which represents more than 80% of respondents' computing capacity, average virtualization levels have increased 13% from last year to 51%, with a notable increase at the higher levels, roughly doubling the number of organizations virtualizing production applications - 451 Group
Security problems were the primary concern for 48 percent of IT professionals who didn’t plan to adopt cloud - InformationWeek 2012 Cloud Security and Risk Survey
80 percent of security issues in the cloud through 2013 will be due to error on the part of providers and customers of cloud services, not fundamental issues with the cloud - Gartner
Median cost of a breach in 2012: $8.9M per year
46 US states have passed breach notification laws
5
Data breach laws
6
An Encryption Refresher
7
An Encryption Refresher
• Two types of encryption:
  • Symmetric - single key, best performance
    • Also called secret key cryptography
    • Data at rest
    • Algorithms such as AES, Blowfish, DES, 3DES, Serpent, Twofish
  • Asymmetric - public / private key pair, poor performance
    • Also called public key cryptography
    • Used when sharing between two or more parties
    • Web commerce
    • Exchanging files between colleagues
    • Algorithms such as RSA, Diffie-Hellman, ...
[Diagram: Clear Text → Encryption Software → Cypher Text]
8
An Encryption Refresher
• Symmetric encryption:
  • Encryption Key (larger = more secure)
  • AES uses 128 / 256 bit keys
[Diagram: Application (user space) calling write(fd, buf, size) with clear text; Filesystem and Device Driver (kernel space); Encryption Key; cypher text output]
9
An Encryption Refresher
• Symmetric encryption - block ciphers
[Diagram: Clear Text → Encryption Software (Public Key) → Cypher Text → Encryption Software (Private Key) → Clear Text]
10
An Encryption Refresher
• Asymmetric encryption:
  • RSA uses 1024 bit keys
11
An Encryption Refresher
• Usual places of deployment
  • Application (libraries, column-level encryption, ...)
  • Filesystem - encrypt individual files
  • Device driver - volume encryption (whole devices / partitions)
  • SAN switch - within the storage fabric
  • FDE - the whole drive
  • Backup - built in
  • Command-line tools
$ gpg --import pub_key.asc
$ gpg -e -a < src_code.tar.gz > src_code.tar.gz.asc
$ tar cz files | openssl enc -aes-256-cbc -e -out files.tgz.enc
enter aes-256-cbc encryption password: ********
Verifying - enter aes-256-cbc encryption password: ********
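The openssl command above, adapted for unattended use (an added example, not part of the original slides): the AES key is derived with PBKDF2 instead of openssl enc's legacy single-pass derivation, and the passphrase is read from a file rather than typed. The function names, file paths and iteration count are assumptions; -pbkdf2 needs OpenSSL 1.1.1 or later.

```sh
# Added example, not from the original slides. Names and ITER are assumptions.

# Assumed PBKDF2 work factor; tune it for your hardware.
ITER=200000

# encrypt_dir <src_dir> <out_file> <pass_file>
# The passphrase comes from a file (keep it mode 0600), so nothing is typed
# and nothing secret appears in the process list.
encrypt_dir() {
  tar -C "$1" -czf - . |
    openssl enc -aes-256-cbc -e -salt -pbkdf2 -iter "$ITER" \
      -pass "file:$3" -out "$2"
}

# decrypt_dir <enc_file> <dest_dir> <pass_file>
# Decrypts to a temporary file first, so a wrong passphrase is reported by
# openssl's exit status and garbage is never piped into tar.
# Note: CBC gives confidentiality only; it does not detect tampering.
decrypt_dir() {
  tmp=$(mktemp) || return 1
  if openssl enc -aes-256-cbc -d -pbkdf2 -iter "$ITER" \
       -pass "file:$3" -in "$1" -out "$tmp" 2>/dev/null; then
    mkdir -p "$2" && tar -C "$2" -xzf "$tmp"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}
```

The same -iter value must be given on both sides; it is not stored in the output file.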
12
What about performance?
Performance is terrible right?
It depends ...
• On applications / workloads
• On the availability of hardware support
  • Most Intel / AMD processors now have AES-NI support
  • 8-10x performance improvement
• Should encryption cost just be factored in?
Median cost of a breach in 2012: $8.9M per year
13
How often is encryption used?
• That’s 25+ million downloads
• Keys are protected by passwords
• Password must be typed before keys are accessed
• Does not scale for the enterprise
14
What to do with the key?
“Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system”
Bruce Schneier, Preface to “Applied Cryptography”, Second Edition
• Assume I have many keys ...
• What do I do with all those keys?
• Who owns the keys?
15
Encryption Within a Virtualized Stack
16
What is a Virtual Machine?
• Memory images are exposed:
  • Password, crypto keys, email messages, Active Directory data, …
• Sensitive data can be left everywhere the VM travels
  • Data center, public clouds, desktops, notebooks, …
• VM Templates need to be protected
[Diagram: Virtual Machine Image. Virtual Machine state and environment (VM memory image, critical VM configuration, forensics information): Paging File, Suspend File, Snapshot File, Config Files, Log Files, VM meta-data. Virtual Disks: Guest OS, Applications (executables), Data]
17
Protecting the Virtual Machine?
“Have all defense in depth mechanisms work together. Security needs to follow VMs in the infrastructure.”
VMware CEO Maritz - VMworld 2010
18
Virtual Machines present new challenges! - recognized by the new PCI virtualization guidelines
[Diagram: VMs on a Virtualization Layer, NAS, SAN Switch, Storage Array, Backup / DR, with six numbered points ① to ⑥]
19
Encryption in Virtualized Environments
• There are multiple choices to encrypt all / part of a VM
• Each has pros / cons
• Many factors to take into account
[Diagram: Virtual Machine Vault with Key and Policy Server; Tenant A and Tenant B VMs, each on a Virtualization Layer; protected VM images and data stored as cypher text over NFS / iSCSI; Backup Server with encrypted path and restore path; Multi-Tenant Administration]
20
Encryption below the Hypervisor
• Block-based or file-based
• Encryption of the whole VM
• By seeing the VM, we get to do some special things
[Diagram: VMs on a HYPERVISOR; Key Server; Encrypted VMDKs; Encrypted Data]
21
Encryption above the Hypervisor
• Footprint inside every VM
• Encrypted path through the hypervisor
• Does not need help from your service provider
22
How to deploy encryption in the cloud
23
Just use what the provider gives you
• Some providers offer encryption:
  • Amazon S3 for example
• Good enough for some people
• No good for others
• Would you put the family jewels in the safe ... and give a stranger the key?
• Some providers want to offer encryption ...
  ... but don’t want to host/own the keys!
24
Roll your own ...
• A number of open source and commercial solutions
25
Cloud Encryption Gateway
• Encrypt data before it’s sent to the cloud
• Requires access to corporate network
[Diagram: Private Data Center with Running VM, Secure File Server, Key Server and Key and Policy Server (ENC/DEC); NFS, CIFS, iSCSI; Public or Private Cloud with Running VMs (ENC/DEC); Cloud Infrastructure and Cloud Storage holding Encrypted Data]
26
Infrastructure as a Service Clouds
• VMs running in the public cloud
  • Encryption within the VM
  • Filesystem or logical volume level
• One VM offers encryption to other VMs
27
Questions to ask?
• How is my data backed up?
• Can anyone access my VMs?
• How are VMs replicated?
• Where are those backups?
• Do the VMs ever get snapshotted?
• When I want to decommission, how is my data removed?
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 - CSA
28
Key Management Options
29
What key management options are there?
• Low end encryption solutions have no key management
• Enterprise-grade solutions have expensive key servers
• Enterprise key managers
  • FIPS 140-2, KMIP, ...
  • Highly available
  • Can be extremely expensive
  • Defeats the purpose of virtualization / cloud for cost
• Many organizations are nervous about managing keys
  • Who gets to access the keys?
  • How are they safely backed up?
  • What happens if keys expire?
  • Are the keys well protected?
[Diagram: Key Server placement options: at a Key Server Provider, at the Cloud Service Provider alongside the VMs, or in the Customer's Data Center]
30
What key management options are there?
• 3 main options:
  • CSP holds the keys
  • Customer holds the keys
  • A third party holds the keys
31
Hosted key management
• Questions to ask:
  • Can I change my mind? I now want to host my own keys
  • I’m hosting keys but now want you to host them
  • Can you actually see my keys?
  • Is the system highly-available? What about DR?
  • I need a process for getting my data back
  • What about multi-tenancy?
  • What about an audit stream?
32
Automating Encryption
33
APIs - Provisioning a new server
• Virtualization offers a lot of automation
• Cloud infrastructures are all automated:
  • OpenStack and others
  • Cloud providers automate everything
• Many organizations large and small automate too
  • Password based encryption doesn’t help
• We need encryption to be a drop in solution too
  • Needs to be multi-tenant
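One way to encrypt without a typed password, as an added example (not HighCloud's product or code): a random per-file data key does the AES encryption and is then wrapped with an RSA public key, so the VM never holds the private key, which stays with whoever hosts the keys. It combines the symmetric and asymmetric schemes from the refresher slides; the function and file names are assumptions, and the 2048-bit key pair generated here stands in for a key server.

```sh
# Added example, not from the original slides. All names are hypothetical.

# gen_keypair <priv.pem> <pub.pem>
# Stand-in for the key holder (customer, CSP or third party).
gen_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

# seal <plain_file> <pub.pem> <out_prefix>
# Runs on the VM with only the public key. Writes <out_prefix>.enc (data)
# and <out_prefix>.key (wrapped data key). mktemp creates the file 0600.
seal() {
  dek=$(mktemp) || return 1
  # 256-bit random data key, hex encoded so it can be read as one line
  openssl rand -hex 32 > "$dek" &&
    openssl enc -aes-256-cbc -e -salt -pbkdf2 \
      -pass "file:$dek" -in "$1" -out "$3.enc" &&
    openssl pkeyutl -encrypt -pubin -inkey "$2" \
      -pkeyopt rsa_padding_mode:oaep -in "$dek" -out "$3.key"
  rc=$?
  rm -f "$dek"
  return "$rc"
}

# unseal <in_prefix> <priv.pem> <plain_out>
# Runs where the private key lives; fails if the key does not match.
unseal() {
  dek=$(mktemp) || return 1
  openssl pkeyutl -decrypt -inkey "$2" \
    -pkeyopt rsa_padding_mode:oaep -in "$1.key" -out "$dek" 2>/dev/null &&
    openssl enc -aes-256-cbc -d -pbkdf2 \
      -pass "file:$dek" -in "$1.enc" -out "$3"
  rc=$?
  rm -f "$dek"
  return "$rc"
}
```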
34
Traditional GUI-based administration
• Can be simple to use
• No need for key management expertise
• A single product may scan multiple platforms and cloud providers
• Very important to increase encryption adoption ... BUT!
[Diagram: System where APIs are run from (hicli, ~/.hicli/hicli.cfg); Key and Policy Server Cluster; Linux VMs]
35
APIs - Provisioning a new server
• Add a Linux server and encrypt a device - 5 line script!
# hicli kps select kps-2
# hicli user login spate --password=********
# hicli cvmset select "Amazon VMs"
# hicli cvm new ubuntu10.04
# hicli cvm ubuntu10.04 add_disk sdb1
36
Where to get more information?
37
More Information?
• Cloud Security Alliance
  • https://cloudsecurityalliance.org
• ENISA
  • http://www.enisa.europa.eu
• NIST
  • http://www.nist.gov/index.html
• Payment Card Industry
• www.highcloudsecurity.com
  • Under Resources ➜ Collateral
38
And last but not least ...
39
3 different steps you can take ...
1. Download the HighCloud Software and try for free!
2. Fill in our survey
  • http://www.highcloudsecurity.com/resources/survey/
3. An exclusive for tonight’s attendees:
  • A free account on HighCloud’s hosted key server
  • Not yet in beta!
  • To sign up contact: [email protected]