Registration Authority

Agenda
• Seven Cloud Computing Risks
• Asymmetric encryption
• Electronic signature
• Strong authentication
• Rules
• Best Practices

Cloud-Computing Security Risks (1)
Risk Assessment
• Data integrity, recovery, privacy
• Evaluation of legal issues, regulatory compliance, auditing
• Etc…
Transparency
• Qualification of policy makers, architects, coders, operators
• Risk-control processes and technical mechanisms
• Level of testing
• How unanticipated vulnerabilities are identified
• Etc…

Seven Cloud-Computing Risks (1)
1. Privileged user access
• Physical, logical and personnel control
• Ask about hiring and oversight of administrators
• What controls are there?
2. Regulatory compliance
• Customers are responsible
• Check external audits and security certifications
3. Data location
• Commitment to storing and processing data in specific jurisdictions
• Contractual commitment
4. Data segregation
• Data at rest and in use?
• Encryption designed and tested by experienced specialists

Seven Cloud-Computing Risks (2)
5. Recovery
• What happens in case of a disaster?
• Replication of data and application across multiple sites?
• Ability to do a complete restoration? How long would it take?
6. Investigative support
• How to trace inappropriate or illegal activities?
• Logging and data may be for multiple customers
• Contractual commitment to support specific forms of investigation
• Get evidence that the vendor has already supported such activities
7. Long-term viability
• What if your Cloud provider goes broke or gets acquired?
• How could you get your data back? In which format? Replacement application?

Asymmetric Encryption
• Symmetric Encryption
• Asymmetric Encryption

Symmetric Encryption
[Diagram: Message in clear → Encryption → Encrypted Message → Decryption → Message in clear]

Symmetric Encryption
Advantages
– Fast
– Relatively simple to implement
– Very efficient, in particular when the key is used only once
Drawbacks
– A different key for each pair of users
• The major issue: key management (as many keys to exchange as there are users)
• How do Alice and Bob get the key without anybody else having access to it?
• The key must follow a different channel (phone, fax, …)

Symmetric Encryption
[Diagram: Authentication, Confidentiality, Authorization, Integrity, Non repudiation; Security Policy; Security Infrastructure; Internet & Cloud Applications (applicative)]

Asymmetric Encryption
Invented in 1975 by Whitfield Diffie and Martin Hellman
Each user owns a pair of keys
– The public key, which is used to encrypt and is known by everybody
– The private key, which is used to decrypt and is known only by the owner

Asymmetric Encryption
[Diagram: Symmetric Key and Asymmetric Key; Encryption, Decryption]

Asymmetric Encryption: Signature

Example: SSL Server
1. Client → Server: Send a message A
2. Server → Client: Send the certificate and the message A signed
3. Client: Verification of the certificate and of the signature
4. Client and Server: Negotiation of the encryption algorithm
5. Client: Generation of a session key
6. Client: Encryption of the session key with the server public key
7. Client → Server: Send the session key encrypted
8. Server: Decryption of the session key with the private key
9. The session key is shared

Examples of Solutions

Rules of thumb
• Use encryption
– For exchanges of data with the Cloud
– For data in the Cloud
• Use strong authentication
– To connect to the Cloud
– To identify the Cloud server
• Use signature
– For exchanges of data in the Cloud

Best Practices (1)
• Protect data transfer but also data in the cloud
• Use data-centric encryption & encryption embedded in the file format
• Understand how the keys will be managed (avoid reliance on cloud providers)
• Include files such as logs and metadata in encryption
• Use a strong standard algorithm (such as AES-256)
• Use open validated formats
• Avoid proprietary encryption

Best Practices (2)
• Content aware Encryption
• Format-preserving Encryption
• Use Data Leak Prevention (DLP) solutions

Best Practices (3. Data Base)
• Be aware of performance issues
• Use object security
• Store a secure hash
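
An added example, not part of the original slides, of the "store a secure hash" practice for database rows held in the cloud. It uses HMAC-SHA256 (a keyed hash chosen here, not named on the slide) with a key that stays inside the enterprise; the record ids, sample rows and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: the integrity key is generated and kept inside the enterprise
# (for example in an internal key manager); it is never sent to the provider.
INTEGRITY_KEY = secrets.token_bytes(32)


def record_tag(key: bytes, record_id: str, content: bytes) -> str:
    """HMAC-SHA256 over the record id and its content."""
    rid = record_id.encode("utf-8")
    mac = hmac.new(key, digestmod=hashlib.sha256)
    # Length-prefix the id so ("ab", b"c") and ("a", b"bc") give different tags.
    mac.update(len(rid).to_bytes(4, "big"))
    mac.update(rid)
    mac.update(content)
    return mac.hexdigest()


def verify_record(key, record_id, content, expected_tag) -> bool:
    """Constant-time check of data read back from the cloud store."""
    actual = record_tag(key, record_id, content)
    return hmac.compare_digest(actual, expected_tag)


def audit(key, local_tags: dict, cloud_rows: dict) -> dict:
    """Compare every locally recorded tag with what the provider returns."""
    report = {}
    for record_id, tag in local_tags.items():
        if record_id not in cloud_rows:
            report[record_id] = "missing"
        elif verify_record(key, record_id, cloud_rows[record_id], tag):
            report[record_id] = "ok"
        else:
            report[record_id] = "modified"
    return report


# Constructed sample data: three rows written to a cloud database.
rows = {"cust-1": b"Alice;IBAN-A", "cust-2": b"Bob;IBAN-B", "cust-3": b"Carol;IBAN-C"}
tags = {rid: record_tag(INTEGRITY_KEY, rid, data) for rid, data in rows.items()}

# Constructed tampering: cust-2 is replaced by a copy of cust-1, cust-3 is deleted.
returned = {"cust-1": rows["cust-1"], "cust-2": rows["cust-1"]}

if __name__ == "__main__":
    print(audit(INTEGRITY_KEY, tags, returned))
```

An unkeyed hash stored next to the data can be recomputed by anyone able to change the data, which is why the key and the tags are held outside the provider here.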

Best Practices (4)
• Use a Key Management Software
• Use group-level keys
• Maintain keys within the Enterprise
• Revoking keys
• Define and enforce strong key management processes and practices
• Implement segregation of duties

Recommendations (1)
• Use best-practice key management practices
• Use off-the-shelf products from credible sources
• Maintain your own trusted cryptographic source
• Key scoping at the individual or group level
• Use DRM systems

Recommendations (2)
• Use a standard algorithm
• Avoid old ones such as DES
• Use central and internal key management (with your own HSM, etc.)
• Use segregation of duties

Reference
http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

Thank you for your attention
SSL EUROPA
8 chemin des escargots
18200 Orval - France
+33 (0)9 88 99 54 09
www.ssl-europa.com