“Trust Me. Your - CLOUDSEC Data... · How Your Data is Encrypted in Cloud Cloud Key Vault Secured...
Transcript of “Trust Me. Your - CLOUDSEC Data... · How Your Data is Encrypted in Cloud Cloud Key Vault Secured...
www.cloudsec.com | #cloudsec
“Trust Me. Your Data is Safe.”Joseph Ling | Senior Solutions Architect@nCipherSecurity
#cloudsec
Data: The Most Valuable Strategic Asset in the World
https://reut.rs/2S7OWBK Reuters, 8 July 2019
#cloudsec
Most Products NowadaysDo Protect Data
Network Security Appliance
Databases (Privileged) Identity Management
Cloud Service
They do protect Data properly
SSL/TLS TDE Credential Vault Key Vault
Do you feel safe?
#cloudsec
Data Security “Anxiety”
Reasons that you may not feel very comfortable:
− Systems are isolated and fragmented
− Products are constrained by the environment
− Risks are linked to vulnerabilities in products
− Trust is based on the entire infrastructure
Data is usually assumed to be safe
− Network Security Appliance: Certificates
− Database: Encryption Keys
− Privileged Identity Management: Credentials
− Cloud Service: Keys
#cloudsec
Understanding Hardware Security Module (HSM)
Is a cryptographic device that generates, uses, and stores Keys and their related functions, such as encryption
Is able to centralize the Keys, a.k.a. the most sensitive data in the environment
Is one of the most robust cybersecurity devices with tamper resistant capability (FIPS 140-2 Level 3 Certified)
Has been a trusted tool for top-level Data Security for years
Hardware Security Module
#cloudsec
How to EnhanceNetwork Security Appliance?
Enforce SSL to encrypt the traffic
Protect the Certificates (Keys) by Hardware Security Module (HSM)
There is sensitive data getting through
Network Security Appliance
Decrypt and inspect the traffic for antivirus, anti-spyware, network forensics, etc.
The risk is transferred to HSM
#cloudsec
How to EnhanceIdentity Management?
Manage the Identities
Protect the privileged accounts by privileged identity management (PIM) product
Activate the encryption in the PIM product
Protect the encryption Key by Hardware Security Module (HSM)
There are various rights and permissions
(Privileged) Identity Management
The risk is transferred to HSM
#cloudsec
How to EnhanceDatabase Encryption?
Activate the encryption (Transparent Data Encryption, TDE) in the Database product
Protect the encryption Key by Hardware Security Module (HSM)
There are data files in Servers
Databases
The risk is transferred to HSM
#cloudsec
How to EnhanceCloud Service Security?
Subscribe the Key Management Service
Protect the Keys in the Key Management Service by Hardware Security Module (HSM)
There are lots of data in these Services
Cloud Service Encrypt the data in the Services using the Keys in the Key Management Service
The risk is transferred to HSM
#cloudsec
Most Cybersecurity Products Come from the Same Origin
Protect the Keys by Hardware Security Module (HSM)
Enforce SSL to encrypt the traffic
Decrypt and inspect the traffic for antivirus,
anti-spyware, network forensics, etc.
Manage the Identities
Protect the privileged accounts by privileged identity management
(PIM) product
Activate the encryption in the
PIM product
Activate the encryption (Transparent Data Encryption, TDE) in the Database product
Subscribe the Key Management Service
Encrypt the data in the Services using the Keys in the Key Management
Service
Root of Trust
Protecting the Keys in products by Hardware Security Module (HSM) simplifies and consolidates the Data
Security in the entire infrastructure
However, HSM is a hardware,could I utilize it for cloud environments?
#cloudsec
Key Management Service and Key Vault
Subscribe the Key Management Service
Protect the Keys in the Key Management Service by Hardware Security Module (HSM)
There are lots of data in these Services
Cloud Service Encrypt the data in the Services using the Keys in the Key Management Service
A service from Cloud Providers, utilizing the HSMs in their datacenters
You will be provisioned a “Key Vault”, which is a logical location storing your Keys in the Cloud
#cloudsec
How Your Data is Encryptedin Cloud
Cloud Key Vault Secured Cloud Service(e.g. Storage, Database TDE)
2. Data Encryption Key (DEK) is generated by the Cloud and
stored in the Key Vault
3. Data Encryption Key (DEK) is delivered to the Cloud Service
4. The Cloud Service uses the Data Encryption Key (DEK) to
encrypt the data in the Service
5. The Data Encryption Key (DEK) could be deleted after
validity period
6. Data Encryption Key (DEK) is usually protected /
encrypted by the Master Key encryption Key (KEK) in
the Key Vault
DEKKEK
1. The Master Key encryption Key (KEK) is usually generated when the
Key Vault service is activated
#cloudsec
What are theResponsibilities?
On Premise
Applications
Data
Runtime
Middleware
Operating System
Virtualization
Physical Servers
Storage
Networking
IaaS
Applications
Data
Runtime
Middleware
Operating System
Virtualization
Physical Servers
Storage
Networking
PaaS
Applications
Data
Runtime
Middleware
Operating System
Virtualization
Physical Servers
Storage
Networking
SaaS
Applications
Data
Runtime
Middleware
Operating System
Virtualization
Physical Servers
Storage
Networking
Self Managed
Provider Managed
Cloud infrastructure offers the same or even morethan traditional on premise infrastructure
However, all resources are literallythe Provider’s asset
#cloudsec
How Bring Your Own Key (BYOK) Works
Cloud Key Vault Secured Cloud Service
2. Data Encryption Key (DEK) is
generated by and stored in the Cloud
3. Data Encryption Key (DEK) is delivered to
the Cloud Service
4. The Cloud Service uses the Data Encryption Key (DEK) to
encrypt the data in the Service
5. The Data Encryption Key (DEK) could be deleted after
validity period
6. Data Encryption Key (DEK) is usually encrypted by / generated from the Key encryption Key (KEK)
YourHardware
Security Module
1. Cloud requested the Hardware Security Module (HSM) to generate and deliver a Key, the Master Key Encryption Key
(KEK) to the Key Vault
KEK
7. Key Encryption Key (KEK) could be deleted in the Cloud after validity period and has to be retrieved from Hardware
Security Module (HSM) again
DEK
#cloudsec
Key Management Service vs Bring Your Own Key
Cloud Key Vault Bring Your Own Key
You have proper Key management
You are granted Privileges
You can manage Keys
You have proper Key management
You have Ownership
You can manage Keys
You can encrypt Data, validate Signature, etc.
#cloudsec
More ComplicatedWhen the Cloud is Hybrid
Identity & Access Management
Databases / Storage
Applications Security Intelligence(SIEM)
On Premise
Identity & Access Management
Databases / Storage
Applications Security Intelligence(SIEM)
Cloud Environment
DedicatedNetwork?
SecuredTunnel?
CentralizedControl?
Internet
#cloudsec
Security Regardless of Infrastructure
Internet
ABCD1234
Network Security: If data is sync in plain text, the protection is subject to network
Data Security: If data is sync in ciphertext, data is protected anywhere
Databases / Storage
On Premise
Databases / Storage
Cloud
akjwi28s
#cloudsec
Data Security:Transferring the Risk
akjwi28s
Databases / Storage
On Premise
Databases / Storage
Cloud
EncryptionService
EncryptionService
Key
After data is encrypted, the risk is transferred to Key Synchronization
Encryption Services ensures that data could be encrypted and decrypted locally
Internet
#cloudsec
Hybrid Cloud Encryption: Encryptions in Applications
CloudOn Premise
akjwi28s
Applications
HSM
The On Premise HSM delivers the Keys to Tokenization Service in all locations
Tokenization Server provides encryption and decryption APIs for applications
Internet
Applications
TokenizationService
TokenizationService
Key Key
ABCD1234 akjwi28s akjwi28s
#cloudsec
Hybrid Cloud Encryption: Native Encryption
CloudOn Premise
akjwi28s
Database with Native Encryption
HSM
The On Premise HSM delivers the Keys to the product in all locations
Native Encryption Example: Database TDE
InternetKey
Database with Native Encryption
Key
#cloudsec
Key Management Service vs Bring Your Own Key
Cloud Key Vault Bring Your Own Key
You have proper Key management
You are granted Privileges
You can manage Keys in Cloud Servicesonly
You have proper Key management
You have Ownership
You can manage Keys on Premise and in Cloud Services
You can encrypt Data, validate Signature, etc.
#cloudsec
Data Ownership and Privacy
Enterprise Level EncryptionDigital Signature and Identity
Cloud Enabled Security
nCipher is an HSM market leader with a long history of industry certifications and validation
nCipher creates solutions delivering trust for business critical applications and information
#cloudsec
nCipher Services
PKI Professional Services
Design, deploy and manage world-class PKIs
Product Deployment
Complete important data protection projects quickly and correctly
Custom Cryptographic Solutions
Leverage our knowledge to protect your customers
Training and Certification
Learn best practices
nCipher Services comprise local experts, accelerate deployments, learn best practices, and maximize return on your investment in data protection and security solutions
www.cloudsec.com | #cloudsec
THANK YOU
Joseph Ling | Senior Solutions Architect
@nCipherSecurity