In Cloud We Encrypt

Vivian Gerritsen, Intuit

Oct 16, 2015

#GHC15

About Me

Graduate of the Ohio State University (MSEE)

Practice a broad set of computer technologies, from hardware, system-level software and applications to UI

Focus on security and compliance software for the past 5 years

I’m a security ninja who protects against all possible attacks in cyber space


The Need for Encryption

Security breaches almost daily!

It is an industry trend to encrypt all sensitive data in the cloud. Many cloud providers offer encryption solutions.


What is Encryption?

Diagram: Input Data (SSN 123-45-6789) -> Encryption Engine (with Encryption Key) -> Output Data (“Cipher Text”: QSBwZX24ncyBhIHBlcnNvbiwgbm8gbWF0JzbdGVyIGhvdyBzbWFsbC4=)

Three major components to any encryption system:

1. Data

2. Encryption engine

3. Key management

What Users Should Know

Users should ask two data encryption questions:

Who has the key?

Is my data protected end-to-end?


Encryption in the Cloud: User-Oriented Storage

Example: File sharing

Best Practices:

You own the key, not the cloud administrator

Choose a vendor where only you have full control over access to the key

Encryption in the Cloud: SaaS-PaaS-IaaS

Intuit example:

SaaS services use a platform with key management APIs to encrypt application data.

The platform uses an Intuit-certified service to store encryption keys.

Amazon AWS is used as building blocks and infrastructure.

Encryption in the Cloud: Three-Tiered, End-to-End

Diagram labels: Applications, Web Server, Application Server, Database / File System / Big Data, Key Manager

Three-tiered SaaS application – encryption in transit and at rest

SaaS Encryption

Client-side encryption

− Encrypts data before sending it to servers

• Protect highly sensitive information

• You own the key

Server-side encryption

− Protects data at rest. Options:

• Trust the provider

• Use customer-provided keys

• Or separate out key management


SaaS Encryption (cont’d)

Cloud encryption gateway

− Acts as a proxy to encrypt or tokenize sensitive SaaS data

• Between corporate network and cloud

• Single point of security configuration

• Encrypt with enterprise-controlled keys

PaaS Encryption

Database encryption

− Transparent database encryption

• Whole database or finer-grained (e.g., column, tablespace)

• Keys managed by database

• Authorized users such as admin may see data

− Alternatives:

• Encrypt data fields in the application (SaaS)

• Volume encryption (IaaS)

IaaS Encryption

Volume encryption

− Protect the storage systems of running instances

− Build encryption into your instance

• Keys in instance – only protects you from anyone without the right access

− Separate key from encryption engine

• Returns the key when a set of policy-based criteria are met

IaaS Encryption (cont’d)

Object storage

− Transparent data encryption – protects object(s), bucket(s) via server-side encryption

− Client-side encryption – encrypts the objects before sending up

Diagram labels: Application, REST API

Encryption in Transit: Mechanisms

SSL

− Used mostly by HTTPS to secure browser session

IPSec

− Host-to-host, network-to-network transport

− Network tunneling - VPN

Cloud Encryption Layers


Data Residency: International data safety

Does your vendor’s vendor protect your data the same way you do?

Data sovereignty: a government in another country may look into your data

Data residency: key needs to stay in US

Conclusions

Always try to manage your keys, and guard them like they were … your keys

− Enforce strong policy (least privileged)

− Enable key rotation

− Be aware of jurisdiction!

Devise your security architecture holistically, not just looking at point solutions

− Classify your data and apply proper encryption

− Encrypt end-to-end in transit and at rest
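The separated key manager that releases keys only when policy is met (IaaS Encryption), the client-side encryption model (SaaS Encryption) and the least-privilege and key-rotation points above, as an added Go example that is not from the talk or from Intuit's platform. It assumes a single-process key manager with an in-memory master-key list and a caller-name policy; in a real deployment the KeyManager sits behind an authenticated API and the master keys stay in that tier while clients encrypt with the data key before anything leaves them.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

// Keys are always 32 bytes here, so the cipher constructors cannot fail; crypto/rand.Read does not fail either.
func newKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// Seal is the encryption engine the client runs before data leaves it (AES-256-GCM, random
// 12-byte nonce stored in front of the ciphertext); Open reverses it and fails on tampering.
func Seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func Open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

// KeyManager is the separated key-management tier: master keys never leave it, a data key
// is released only to callers that pass policy, and every release re-wraps the data key
// under the newest master, so rotating the master never re-encrypts the data itself.
type KeyManager struct {
	masters [][]byte                 // masters[v] is master key version v (at most 256)
	policy  func(caller string) bool // least-privilege check on the caller
}
func NewKeyManager(policy func(string) bool) *KeyManager { return &KeyManager{[][]byte{newKey()}, policy} }
func (km *KeyManager) Rotate()                          { km.masters = append(km.masters, newKey()) }
// DataKey releases a plaintext data key to caller (fresh when wrapped is nil, else the one in
// wrapped) plus a wrapped copy to store beside the ciphertext: a version byte, then the sealed key.
func (km *KeyManager) DataKey(caller string, wrapped []byte) (dek, out []byte, err error) {
	if !km.policy(caller) {
		return nil, nil, errors.New("policy denied " + caller)
	}
	if wrapped == nil {
		dek = newKey()
	} else if len(wrapped) == 0 || int(wrapped[0]) >= len(km.masters) {
		return nil, nil, errors.New("unknown master key version")
	} else if dek, err = Open(km.masters[wrapped[0]], wrapped[1:]); err != nil {
		return nil, nil, err
	}
	v := len(km.masters) - 1
	return dek, append([]byte{byte(v)}, Seal(km.masters[v], dek)...), nil
}
```

After Rotate, the next DataKey call for a stored wrapped key returns the same data key re-wrapped under the new master version, so ciphertext already written stays untouched.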


Got Feedback?

Rate and review the session on our mobile app

Download at http://ddut.ch/ghc15

or search GHC 2015 in the app store