In Cloud We Encrypt #GHC15
1 like2,101 views
The document discusses the importance of encryption for securing sensitive data in the cloud, emphasizing that users should know who has access to encryption keys and whether their data is protected end-to-end. It outlines various encryption methodologies applicable to SaaS, PaaS, and IaaS environments, providing best practices for data management and key security. The conclusion insists on the necessity for users to manage their keys rigorously and to incorporate holistic security architectures across all data protection strategies.
In Cloud We Encrypt #GHC15
- 1. 2015 In Cloud We Encrypt Vivian Gerritsen Intuit Oct 16, 2015 #GHC15 2015
- 2. 2015 About Me Graduate of the Ohio State University (MSEE) Practice broad set of computer technologies from hardware, system-level software, applications to UI Focus on security and compliance software for the past 5 years I’m a security ninja who protects against all possible attacks in cyber space
- 3. 2015 The Need for Encryption Security breaches almost daily! It’s industry trend to encrypt all sensitive data in the cloud. Many cloud providers offer encryption solutions.
- 4. 2015 What is Encryption? Engine Input Data SSN 123-45-6789 Output Data “Cipher Text” QSBwZX24ncyBhI HBlcnNvbiwgbm8g bWF0JzbdGVyIGh vdyBzbWFsbC4= Three major components to any encryption system: 1. Data 2. Encryption engine 3. Key management Encryption Key
- 5. 2015 What Users Should Know Users should ask two data encryption questions: Who has the key? Is my data protected end-to-end?
- 6. 2015 Encryption in the Cloud User-Oriented Storage Example: File sharing Best Practices: You own the key, not cloud administrator Choose a vendor that only you have the entire control of the key access
- 7. 2015 Encryption in the Cloud SaaS-PaaS-IaaS Intuit example: SaaS services use a platform with key management APIs to encrypt application data. The platform uses an Intuit-certified service to store encryption keys. Amazon AWS is used as building blocks and infrastructure.
- 8. 2015 Encryption in the Cloud Three-Tiered, End-to-End Web Server Database, File System, Big Data Key Manager Applications Application Server Three-tiered SaaS application – encryption in transit and at rest
- 9. 2015 SaaS Encryption Client-side encryption − Encrypts data before sending it to servers • Protect highly sensitive information • You own the key Server-side encryption − Protects data at rest. Options: • Trust the provider • Use customer-provided keys • Or separate out key management
- 10. 2015 SaaS Encryption (cont’d) Cloud encryption gateway − Act as proxy to encrypt or tokenize sensitive SaaS data • Between corporate network and cloud • Single point of security configuration • Encrypt with enterprise controlled keys
- 11. 2015 PaaS Encryption Database encryption − Transparent database encryption • Whole database or finer-grained (e.g., column, tablespace) • Keys managed by database • Authorized users such as admin may see data − Alternative: • Encrypt data fields in the application (SaaS) • Volume encryption (IaaS)
- 12. 2015 IaaS Encryption Volume encryption − Protect the storage systems of running instances − Build encryption into your instance • Keys in instance – only protects you from anyone without the right access − Separate key from encryption engine • Returns the key when a set of policy-based criteria are met
- 13. 2015 laaS Encryption (cont’d) Object storage − Transparent data encryption – protects object(s), bucket(s) via server-side encryption − Client-side encryption – encrypts the objects before sending up Rest API Application
- 14. 2015 Encryption in Transit: Mechanisms SSL − Used mostly by HTTPS to secure browser session IPSec − Host-to-host, network-to-network transport − Network tunneling - VPN
- 16. 2015 Data Residency International data safety Does your vendor’s vendor protect your data the same way you do? Data sovereignty: government in other country may look into your data Data residency: key needs to stay in US
- 17. 2015 Conclusions Always try to manage your keys, and guard them like they were … your keys − Enforce strong policy (least privileged) − Enable key rotation − Be aware of jurisdiction! Devise your security architecture holistically, not just looking at point solutions − Classify your data and apply proper encryption − Encrypt end-to-end in transit and at rest
- 18. 2015 Got Feedback? Rate and review the session on our mobile app Download at http://ddut.ch/ghc15 or search GHC 2015 in the app store