
Encryption in the Cloud


DESCRIPTION

Dave Asprey of Trend Micro discusses how to improve security in cloud-based applications


Page 1: Encryption in the Cloud

Copyright 2009 Trend Micro Inc.

Encryption in the public cloud: Security techniques

Dave Asprey • VP Cloud Security

[email protected]

@daveasprey (cloud + virtual security tweets)

Page 2: Encryption in the Cloud


Your speaker

Dave Asprey
VP, Cloud Security
Cloud & Virtualization
[email protected]
@daveasprey
cloudsecurity.trendmicro.com
Linkedin.com/in/asprey

Background
Blue Coat – VP Technology
Citrix – Strategic Planning, Virtualization Business
Netscaler – Dir PM
Exodus/Savvis – Dir PM & Strategy exec
Speedera/Akamai – Sr. Dir PM
3Com – Web IT guy
UC Santa Cruz – Ran Web & Internet Engineering Program
Author, PWC Tech Forecast: Systems & Network Mgt + Scaling

Trend Micro Confidential 04/09/23

Page 3: Encryption in the Cloud


Data Privacy Concerns in the Cloud

Data is stored in plain text

Virtual volumes can move without the owner's knowledge

Little ability to audit or monitor access to resources or data

Hypervisors and storage are shared with other users

Storage devices contain residual data

Page 4: Encryption in the Cloud


Amazon Web Services™ Customer Agreement


7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.

Translation: If it gets hacked, it’s your fault.


http://aws.amazon.com/agreement/#7 (23 November 2010)

Page 5: Encryption in the Cloud


Security and privacy rank higher than the sum of performance, immaturity and regulatory compliance concerns combined

Gartner (April 2010)

Security: the #1 Cloud Challenge


Page 6: Encryption in the Cloud


Use encrypted, self-defending hosts

(Diagram: Internet → Firewall → Virtual Servers → Shared Storage, with each shared-infrastructure concern answered by an encrypted, self-defending host.)

Shared firewall – lowest common denominator – less fine-grained control
Doesn’t matter – the edge of my virtual machine is protected

Shared network inside the firewall
Doesn’t matter – treat the LAN as public

Multiple customers on one physical server – potential for attacks via the hypervisor
Doesn’t matter – treat the LAN as public

Shared storage – is customer segmentation secure against attack?
Doesn’t matter – my data is encrypted

Easily copied machine images – who else has your server?
Doesn’t matter – they can start my server but only I can unlock my data

Page 7: Encryption in the Cloud


Advice

Encrypt network traffic

Use only encrypted file systems for block devices

Encrypt everything in shared storage

Only allow decryption keys to enter the cloud during decryption

The only authentication credential present in a VM is the key that decrypts the file system key

Page 8: Encryption in the Cloud


More advice

At instance startup, fetch encrypted file system key

No password-based authentication for shell access

No passwords allowed for sudo access (!)

Make regular backups off-cloud
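The key-handling pattern from the two advice slides above (a file system key stored only in wrapped form, fetched at instance startup, with the only credential the VM ever holds being the key that unwraps it), as an added Python example that is not from the deck. It assumes a hypothetical key-encryption key (KEK) supplied at boot and uses an HMAC-SHA256 counter-mode stream with encrypt-then-MAC, since the standard library has no AES; a real deployment would use AES-GCM or a KMS for the same envelope structure.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode (stdlib stand-in for a block cipher).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout: nonce(16) || ciphertext || tag(32).
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    # Verify the tag before decrypting; a wrong key or tampered blob is rejected.
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def provision(kek: bytes):
    # Done off-cloud: generate the file system key and wrap it with the KEK.
    # Only the wrapped copy is ever stored alongside the cloud instance.
    fs_key = os.urandom(32)
    return fs_key, seal(kek, fs_key)

def instance_startup(kek: bytes, wrapped_fs_key: bytes, encrypted_volume: bytes) -> bytes:
    # In-cloud boot path: the KEK is the only credential handed to the VM.
    # The file system key exists in plaintext only in memory, only while decrypting.
    fs_key = unseal(kek, wrapped_fs_key)
    return unseal(fs_key, encrypted_volume)
```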


Page 9: Encryption in the Cloud


Even more advice

Minimize # of services per VM instance (goal = 1)

Only open ports you need

Specify source addresses & only allow HTTP global access

Keep sensitive data in a separate database


Page 10: Encryption in the Cloud


Final advice

Use host-based intrusion detection system

Use system hardening tools

Write better applications!


Page 11: Encryption in the Cloud


Thank You. Questions?

Dave Asprey

VP Cloud Security

[email protected]

@daveasprey

cloudsecurity.trendmicro.com

Props to: George Reese & O’Reilly Blog