highcloud security csa la and seattle chapter presentation

"CAN ENCRYPTION HELP ALLEVIATE CONCERNS ABOUT MOVING TO THE CLOUD?"

Steve Pate -‐ Co-‐Founder / CTO

Presented to:

Securing Cloud Data With Encryp?on

2

• How much of a concern does the cloud present us?• An encrypIon refresher• Looking at virtualized environments• What do the regulaIons say about virtualizaIon and cloud?• Methods of deploying encrypIon in the cloud• It’s all about key management!

Agenda


3

What do the surveys say?

Only 34% of Servers are virtualized .... the #1 restric;on cited to further virtualiza;on was security – CDW 2009

87% of respondents rated “Security Challenges” as the #1 issue ascribed to the Cloud model – IDC Enterprise Panel 2009

“73 percent said security was the primary obstacle to their adop;ng cloud compu;ng, followed by compliance (54 percent) and portability and ownership of data (48 percent). Most said they were worried about stopping unauthorized access to their company data in the cloud, and 42 percent said security worries have stopped their organiza;ons from going to the cloud.” – PhoneFactor survey

"By 2015, security will shiO from being the No. 1 inhibitor of cloud to one of the top enablers” – Forrester Research

Back in 2010 ...


4

What do the surveys say?

In the x86 environment, which represents more than 80% of respondents' compu;ng capacity, average virtualiza)on levels have increased 13% from last year to 51%, with a notable increase at the higher levels, roughly doubling the number of organiza;ons virtualizing produc;on applica;ons -‐ 451 Group

Security problems were the primary concern for 48 percent of IT professionals who didn’t plan to adopt cloud -‐ InformaIonWeek 2012 Cloud Security and Risk Survey

80 percent of security issues in the cloud through 2013 will be due to error on the part of providers and customers of cloud services, not fundamental issues with the cloud -‐ Gartner

Median cost of a breach in 2012: $8.9M per year

46 US states have passed breach no?fica?on laws

Today ...


5

Data breach laws

6

An Encryp?on Refresher


7


• Two types of encrypIon:• Symmetric -‐ single key, best performance• Also called secret key cryptography• Data at rest• Algorithms such as AES, Blowfish, DES, 3DES, Serpent, Twofish

• Asymmetric -‐ public / private key pair, poor performance• Also called public key cryptography• Used when sharing between two or more parIes• Web commerce• Exchanging files between colleagues• Algorithms such as RSA, Diffie-‐Hellman, ...

Cypher Text

Ki8^.5R7=;%dWk3...0lv#-Q,pHk04$c*j[2.<*gDn@s!X90,}'$8s)8vdhj^3776^&v3hg

Clear Text

Lorem ipsum dolorsit amet, consetetursadipscing elitr, seddiam nonumy eirmo

Encryption Software


8


• Symmetric encrypIon:

EncrypIon Key(larger = more secure)

AES uses 128 / 256 bit keys

Ki8^.5R7=;%dWk3...0lv#-Q,pHk04$c*j[2.


Filesystem

Application

kernel space

user spacewrite(fd, buf, size)

Lorem ipsum dolorsit amet, consetetur

Device Driver


9


• Symmetric encrypIon -‐ block ciphers

Cypher Text

Ki8^.5R7=;%dWk3...0lv#-Q,pHk04$c*j[2.<*gDn@s!X90,}'$8s)8vdhj^3776^&v3hg

Clear Text


Encryption Software

Public Key

Encryption Software

Private Key

Clear Text



10


• Asymmetric encrypIon:

RSA uses 1024 bit keys


11


• Usual places of deployment

• ApplicaIon (libraries, column-‐level encrypIon, ...)• Filesystem -‐ encrypt individual files• Device driver -‐ volume encrypIon (whole devices / parIIons)• SAN switch -‐ within the storage fabric• FDE -‐ the whole drive• Backup -‐ built in• Command-‐line tools

$ gpg --import pub_key.asc

$ gpg -e -a < src_code.tar.gz > src_code.tar.gz.asc

$ tar cz files | openssl enc -aes-256-cbc -e -out files.tgz.enc

enter aes-256-cbc encryption password: ********

Verifying - enter aes-256-cbc encryption password: ********


12

What about performance?

Performance is terrible right?

It depends ...

• On applicaIons / workloads• On the availability of hardware support• Most Intel / AMD processors now have AES-‐NI support

• 8-‐10x performance improvement

• Should encrypIon cost just be factored in?Median cost of a breach in 2012: $8.9M per year


13

How oVen is encryp?on used?

• That’s 25+ million downloads• Keys are protected by passwords• Password must be typed before keys are accessed• Does not scale for the enterprise


14

What to do with the key?

“Key management is the hardest part of cryptography and o<en the Achilles' heel of an otherwise secure system”

Bruce SchneierPreface to “Applied Cryptography”Second EdiIon

• Assume I have many keys ...• What do I do with all those keys?• Who owns the keys?

15

Encryp?on Within a Virtualized Stack


16

What is a Virtual Machine?

• Memory images are exposed:• Password, crypto keys, email messages, AcIve Directory data, …

• SensiIve data can be leo everywhere the VM travels• Data center, public clouds, desktops, notebooks, …

• VM Templates need to be protected

Paging File

Suspend File

Snapshot File

Config Files

Log Files

VM meta-data

Virtual Disk(Data)

Data

Virtual Machine stateand environment: ➤�VM memory image ➤�Critical VM configuration ➤�Forensics information

Virtual Machine Image

Virtual Disk(Data)

Virtual Disk(Data)

Virtual Disk(Data)

Virtual Disk(Guest OS)

Virtual Disk(Applications) Executables


17

Protec?ng the Virtual Machine?

Have all defense in depth mechanisms work together. Security needs to follow VMs in the infrastructure.”

VMware CEO Maritz - VMworld 2010


18

Virtual Machines present new challenges! -‐ recognized by the new PCI virtualiza)on guidelines

①

②

③

④

⑤⑥

NASSAN Switch

Storage ArrayBackup / DR

VM VMVM VM

Virtualization Layer


19

Encryp?on in Virtualized Environments

• There are mulIple choices to encrypt all / part of a VM• Each have pros / cons• Many factors to take into account

Key and Policy ServerVirtual Machine Vault

Cypher TextKi8^.5R7=;%dWk3...0lv#-Q,pHk04$c*j[2.<*gDn@s!X90,}'$k5

ProtectedVM Imagesand Data

Cypher TextKi8^.5R7=;%dWk3...0lv#-Q,pHk04$c*j[2.<*gDn@s!X90,}'$k5

ProtectedVM Imagesand Data

VM VMVM VM VM VM VM

Tenant A Tenant B

Backup Server

Encrypted Path

Restore pathKey and Policy Server

Virtualization Layer Virtualization Layer

Multi-Tenant Administration

NFS / iSCSI


20

Encryp?on below the Hypervisor

• Block-‐based or file-‐based• EncrypIon of the whole VM• By seeing the VM, we get to do some special things

Encrypted VMDKs

Key Server

VM VM

HYPERVISOR

VM

EncryptedData


21

•Footprint inside every VM•Encrypted path through the hypervisor•Does not need help from your service provider

Encryp?on above the Hypervisor

22

How to deploy encryp?on in the cloud


23

Just use what the provider gives you

• Some providers offer encrypIon:• Amazon S3 for example

• Good enough for some people• No good for others

• Would you put the family jewels in the safe .... .... and give a stranger the key?

• Some providers want to offer encrypIon ...

.... but don’t want to host/own the keys!


24

Roll your own ...

• A number of open source and commercial soluIons


25

Cloud Encryp?on Gateway

• Encrypt data before it’s sent to the cloud• Requires access to corporate network

Private Data Center

RunningVM

EncryptedData

CloudInfrastructure

Cloud Storage

NFS, CIFS, iSCSI

Key and Policy Server ENC/DEC

ENC/DEC

VM VM VM

EncryptedData

Public or PrivateCloud

Running VM

Secure File Server

Key Server


26

Infrastructure as a Service Clouds

• VMs running in the public cloud • EncrypIon within the VM• Filesystem or logical volume level

• One VM offers encrypIon to other VMs


27

Ques?ons to ask?

• How is my data backed up?• Can anyone access my VMs?• How are VMs replicated?• Where are those backups?• Do the VMs ever get snapshored?• When I want to decommission, how is my data removed?

Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 - CSA

28

Key Management Op?ons


29

What key management op?ons are there?

• Low end encrypIon soluIons have no key management• Enterprise-‐grade soluIons have expensive key servers• Enterprise key managers• FIPS 140-‐2, KMIP, ...• Highly available• Can be extremely expensive• Defeats the purpose of virtualizaIon / cloud for cost

• Many organizaIons are nervous about managing keys• Who gets to access the keys?• How are they safely backed up?• What happens if keys expire?• Are the keys well protected?

Key Server

Key ServerProvider

Cloud ServiceProvider

Key Server

VM

VM VM

VM

Key Server

Customer'sData Center


30

What key management op?ons are there?

• 3 main opIons:• CSP holds the keys• Customer holds the keys• A third party holds the keys


31

Hosted key management

• QuesIons to ask:• Can I change my mind? I now want to host my own keys• I’m hosIng keys but now want you to host them• Can you actually see my keys?• Is the system highly-‐available? What about DR?• I need a process for getng my data back• What about mulI-‐tenancy?• What about an audit stream?

32

Automa?ng Encryp?on


33

APIs -‐ Provisioning a new server

• VirtualizaIon offers a lot of automaIon• Cloud infrastructures are all automated:• OpenStack and others• Cloud providers automate everything

• Many organizaIons large and small automate too• Password based encrypIon doesn’t help

• We need encrypIon to be a drop in soluIon too• Needs to be mulI-‐tenant


34

Tradi?onal GUI-‐based administra?on

• Can be simple to use• No need for key management experIse• A single product may scan mulIple plauorms and cloud providers• Very important to increase encrypIon adopIon ... BUT!

LinuxVM

System whereAPIs are run from

Key and Policy Server ClusterKey and Policy Server Cluster

LinuxVMhicli

~/.hicli/hicli.cfg


35

APIs -‐ Provisioning a new server

• Add a Linux server and encrypt a devices -‐ 5 line script!

# hicli kps select kps-‐2# hicli user login spate -‐-‐password=********# hicli cvmset select "Amazon VMs"# hicli cvm new ubuntu10.04# hicli cvm ubuntu10.04 add_disk sdb1

36

Where to get more informa?on?


37

More Informa?on?

• Cloud Security Alliance• hrps://cloudsecurityalliance.org• ENISA • hrp://www.enisa.europa.eu• NIST• hrp://www.nist.gov/index.html

• Payment Card Industry

• www.highcloudsecurity.com• Under Resources ➜ Collateral

38

And last but not least ...


39

3 different steps you can take ...

1. Download the HighCloud Sooware and try for free!

2. Fill in our survey • hrp://www.highcloudsecurity.com/resources/survey/

3. An exclusive for tonight’s arendees:• A free account on HighCloud’s hosted key server• Not yet in beta! • To sign up contact: [email protected]

40

Q&A

[email protected]

Q&A

highcloud security csa la and seattle chapter presentation

Technology