Post on 06-Jun-2020
TMW04 – Securing Cloud Servers and Services with PKI Certificates
Mark B. Cooper
President & Founder
PKI Solutions Inc.
Level: Intermediate
About PKI Solutions Inc.
• 10 years as “The PKI Guy” @ Microsoft
• Charter – Microsoft Certified Master DS
• Numerous books and whitepapers
• Services include:
• ADCS Architecture, Deployment and Consulting
• Assessment and Remediation Services
• In-Depth PKI Training
SFO January 2015, NYC February 2015
• Retainer and Support Services
Agenda
• It’s all about security
• Data and identity protection
• Hybrid PKI solutions
• Bring your own key
• Cloud-based solutions
• Security considerations
Security
Human nature and security
• Humans are inherently security conscious
– Information is not
• Technology can define procedures
• Human nature trumps every time
• Constant struggle to protect and assure
• Need to define methods to elevate security
The cloud
• Push to cloud changes paradigms
• Organizations moving data to the cloud
• Security needs to adapt and adopt
• Lock and keys in the same place
Data and identity protection
Public Key Infrastructure
• Increases assurance of data and identities
• Reduces ambiguity in the enterprise
• Information protection
– Signing/Assurance
– Encryption/Protection
The certificate
• Signing and/or encryption
• Unique identification of someone or something
• Limited in scope and use by an authority
• Principles of private key instance ownership
• Guaranteed uniqueness
– Non-Repudiation
Hybrid PKI solutions
Traditional PKIs
[Diagram: Three Tier (Root CA, Policy CA, Issuing CA); Two Tier (Root CA, Issuing CA)]
Simple hybrid
[Diagram: Root CA, Issuing CA]
• Easiest solution
• Subordinate role in the cloud
– Root secured on premise
• Greatest risk
– Unrestricted issuance
– Signing keys
– Remote administration
Dual hybrid
[Diagram: Root CA, Issuing CA, Issuing CA]
• Onsite and cloud
• Dynamic and elastic
• Preserves root
– Root secured on premise
• Same risks as simple
– Unrestricted issuance
– Signing keys
– Remote administration
Not in my cloud you don’t
[Diagram: Root CA, Issuing CA]
• Onsite and cloud
• Dynamic and elastic
• Preserves root
– Root secured on premise
• Same risks as simple
– Unrestricted issuance
– Signing keys
– Remote administration
The restricted approach
• True hybrid
• Policy restricts cloud issuance
• Compromises are limited
• Technically possible with 2-tier*
• Some risks remain
– Signing keys
– Remote administration
[Diagram: Root CA, Policy CA, Issuing CA]
Bring your own key
Trust but restrict
• Local key management
• Create and manage key locally
– Generally in a Hardware Security Module
• Key is restricted and placed in cloud
• Cradle to grave security is difficult
– Generate and then secure in transit to known service
• Few services ready today
– Microsoft Azure Rights Management Server
Cloud based solutions
Cloud – all in
• It’s all about the keys
• Adopt industry signing key practices to the cloud
– Not easy in VM environment either
• Physical controls removed between keys and attacker
– Your admin is their entry door
• Opposed to elastic concepts in cloud computing
Cloud PKI – Soft keys
• Software key protection
• Limited isolation of root
• Risks shifted to provider
• Dynamic over secure
• It’s cloud and not much else
[Diagram: Root CA, Issuing CA]
Cloud PKI – Hard keys
• Hardware key protection
– Virtualized HSM access
• Limited providers
• Co-Mingling of keys
• Key propagation
• Provider key protections
• Mitigates some key risks
• Risks remain
[Diagram: Issuing CA, Root CA]
Bring your own HSM
• Theoretical concept
– Not for everyone or all circumstances
• Breaks many conventional security practices
• Shifts risks and manages exposure
• Hybrid concept of BYOK, Cloud and legacy
• Ask me next year how I feel
– Body of practices and security practices to be defined
[Diagram: Issuing CA, Net HSM, Corporate Firewall, Connection, Secure Connection]
Why Bother?
• Local key management
• Security defined around core risk
• Shifts service, but not risk
• Data and key are not stored near each other
• Compromise of one doesn’t affect the other
• Still enables full cloud migration in the future
Ideal cloud architecture
• No one architecture works for everyone
• Cloud forces reconsideration of tier models
– Modern architecture moved to two-tier
– Cloud is begging for three-tier
• Combination of on premise and hybrid
• At least a starting point in the design discussion
[Diagram: Root CA, Policy CA, HSM, HSM, Explicit Issuance Policies, Issuing CA, Cloud HSM, Cloud HSM Service, Issuing CA, HSM]
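How "Policy restricts cloud issuance" and the "Explicit Issuance Policies" label limit a compromise, as an added example that is not from the original slides: a simplified model of RFC 5280 certificate-policy processing (policy mappings and inhibitAnyPolicy are not modelled). The issuance-policy OIDs, certificate names and the two assurance levels are constructed for illustration.

```python
# Added illustration, not from the slides: simplified RFC 5280 policy processing.
ANY_POLICY = "2.5.29.32.0"          # anyPolicy OID (RFC 5280)
# Constructed placeholder OIDs for two hypothetical assurance levels.
LOW = "1.3.6.1.4.1.99999.1.1"       # cloud workload certificates
HIGH = "1.3.6.1.4.1.99999.1.2"      # high-assurance certificates


def valid_policies(path):
    """Intersect the policy OIDs asserted by each certificate under the root.

    `path` runs from the first CA below the trust anchor down to the leaf;
    each item is (name, set_of_policy_oids). anyPolicy acts as a wildcard.
    """
    valid = {ANY_POLICY}
    for _name, asserted in path:
        if ANY_POLICY in valid:
            valid = set(asserted)       # first explicit list narrows the wildcard
        elif ANY_POLICY not in asserted:
            valid &= asserted           # a CA cannot widen what its parent allowed
        # a certificate asserting anyPolicy leaves the valid set unchanged
    return valid


def path_accepts(path, required):
    """True if a relying party that requires `required` accepts this path."""
    valid = valid_policies(path)
    return required in valid or ANY_POLICY in valid


# Constructed paths. The Policy CA grants the cloud issuing CA only LOW.
POLICY_CA = ("Policy CA", {LOW, HIGH})
RESTRICTED_CLOUD = [POLICY_CA, ("Cloud Issuing CA", {LOW}), ("leaf", {HIGH})]
ON_PREM = [POLICY_CA, ("On-prem Issuing CA", {LOW, HIGH}), ("leaf", {HIGH})]
# Two-tier cloud CA with no policy restriction (the "unrestricted issuance" risk).
UNRESTRICTED_CLOUD = [("Cloud Issuing CA", {ANY_POLICY}), ("leaf", {HIGH})]

if __name__ == "__main__":
    for label, path in [("restricted cloud", RESTRICTED_CLOUD),
                        ("on-prem", ON_PREM),
                        ("unrestricted cloud", UNRESTRICTED_CLOUD)]:
        print(f"{label}: HIGH accepted = {path_accepts(path, HIGH)}")
```

The restriction binds only relying parties that require an explicit policy, and the cloud CA's signing key can still issue within its own policy, which is the sense in which some risks remain.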
Security considerations
Follow the keys
• PKI keys are the core of trust and assurance
• Determine storage and access to keys
– Logical and physical
• Ensure policies and procedures define access
• Eliminate redundant and superfluous access
– Provider limitations and controls
• Determine acceptable risk levels and mitigate
• Security trumps rush to the cloud
Agile PKI
• PKI can be defined for future migrations
• Elastic design and agility are possible
• Reduces future migration effort
• Build today with an eye on tomorrow
Questions?
pkisolutions.com
mark@pkisolutions.com
@pkisolutions