www.cloudsec.com | #cloudsec

“Trust Me. Your Data is Safe.”Joseph Ling | Senior Solutions Architect@nCipherSecurity

#cloudsec

Data: The Most Valuable Strategic Asset in the World

https://reut.rs/2S7OWBK Reuters, 8 July 2019

#cloudsec

Most Products NowadaysDo Protect Data

Network Security Appliance

Databases (Privileged) Identity Management

Cloud Service

They do protect Data properly

SSL/TLS TDE Credential Vault Key Vault

Do you feel safe?

#cloudsec

Data Security “Anxiety”

Reasons that you may not feel very comfortable:

− Systems are isolated and fragmented

− Products are constrained by the environment

− Risks are linked to vulnerabilities in products

− Trust is based on the entire infrastructure

Data is usually assumed to be safe

− Network Security Appliance: Certificates

− Database: Encryption Keys

− Privileged Identity Management: Credentials

− Cloud Service: Keys

#cloudsec

Understanding Hardware Security Module (HSM)

Is a cryptographic device that generates, uses, and stores Keys and their related functions, such as encryption

Is able to centralize the Keys, a.k.a. the most sensitive data in the environment

Is one of the most robust cybersecurity devices with tamper resistant capability (FIPS 140-2 Level 3 Certified)

Has been a trusted tool for top-level Data Security for years

Hardware Security Module

#cloudsec

How to EnhanceNetwork Security Appliance?

Enforce SSL to encrypt the traffic

Protect the Certificates (Keys) by Hardware Security Module (HSM)

There is sensitive data getting through

Network Security Appliance

Decrypt and inspect the traffic for antivirus, anti-spyware, network forensics, etc.

The risk is transferred to HSM

#cloudsec

How to EnhanceIdentity Management?

Manage the Identities

Protect the privileged accounts by privileged identity management (PIM) product

Activate the encryption in the PIM product

Protect the encryption Key by Hardware Security Module (HSM)

There are various rights and permissions

(Privileged) Identity Management

The risk is transferred to HSM

#cloudsec

How to EnhanceDatabase Encryption?

Activate the encryption (Transparent Data Encryption, TDE) in the Database product

Protect the encryption Key by Hardware Security Module (HSM)

There are data files in Servers

Databases

The risk is transferred to HSM

#cloudsec

How to EnhanceCloud Service Security?

Subscribe the Key Management Service

Protect the Keys in the Key Management Service by Hardware Security Module (HSM)

There are lots of data in these Services

Cloud Service Encrypt the data in the Services using the Keys in the Key Management Service

The risk is transferred to HSM

#cloudsec

Most Cybersecurity Products Come from the Same Origin

Protect the Keys by Hardware Security Module (HSM)

Enforce SSL to encrypt the traffic

Decrypt and inspect the traffic for antivirus,

anti-spyware, network forensics, etc.

Manage the Identities

Protect the privileged accounts by privileged identity management

(PIM) product

Activate the encryption in the

PIM product

Activate the encryption (Transparent Data Encryption, TDE) in the Database product

Subscribe the Key Management Service

Encrypt the data in the Services using the Keys in the Key Management

Service

Root of Trust

Protecting the Keys in products by Hardware Security Module (HSM) simplifies and consolidates the Data

Security in the entire infrastructure

However, HSM is a hardware,could I utilize it for cloud environments?

#cloudsec

Key Management Service and Key Vault

Subscribe the Key Management Service

Protect the Keys in the Key Management Service by Hardware Security Module (HSM)

There are lots of data in these Services

Cloud Service Encrypt the data in the Services using the Keys in the Key Management Service

A service from Cloud Providers, utilizing the HSMs in their datacenters

You will be provisioned a “Key Vault”, which is a logical location storing your Keys in the Cloud

#cloudsec

How Your Data is Encryptedin Cloud

Cloud Key Vault Secured Cloud Service(e.g. Storage, Database TDE)

2. Data Encryption Key (DEK) is generated by the Cloud and

stored in the Key Vault

3. Data Encryption Key (DEK) is delivered to the Cloud Service

4. The Cloud Service uses the Data Encryption Key (DEK) to

encrypt the data in the Service

5. The Data Encryption Key (DEK) could be deleted after

validity period

6. Data Encryption Key (DEK) is usually protected /

encrypted by the Master Key encryption Key (KEK) in

the Key Vault

DEKKEK

1. The Master Key encryption Key (KEK) is usually generated when the

Key Vault service is activated

#cloudsec

What are theResponsibilities?

On Premise

Applications

Data

Runtime

Middleware

Operating System

Virtualization

Physical Servers

Storage

Networking

IaaS

Applications

Data

Runtime

Middleware

Operating System

Virtualization

Physical Servers

Storage

Networking

PaaS

Applications

Data

Runtime

Middleware

Operating System

Virtualization

Physical Servers

Storage

Networking

SaaS

Applications

Data

Runtime

Middleware

Operating System

Virtualization

Physical Servers

Storage

Networking

Self Managed

Provider Managed

Cloud infrastructure offers the same or even morethan traditional on premise infrastructure

However, all resources are literallythe Provider’s asset

#cloudsec

How Bring Your Own Key (BYOK) Works

Cloud Key Vault Secured Cloud Service

2. Data Encryption Key (DEK) is

generated by and stored in the Cloud

3. Data Encryption Key (DEK) is delivered to

the Cloud Service

4. The Cloud Service uses the Data Encryption Key (DEK) to

encrypt the data in the Service

5. The Data Encryption Key (DEK) could be deleted after

validity period

6. Data Encryption Key (DEK) is usually encrypted by / generated from the Key encryption Key (KEK)

YourHardware

Security Module

1. Cloud requested the Hardware Security Module (HSM) to generate and deliver a Key, the Master Key Encryption Key

(KEK) to the Key Vault

KEK

7. Key Encryption Key (KEK) could be deleted in the Cloud after validity period and has to be retrieved from Hardware

Security Module (HSM) again

DEK

#cloudsec

Key Management Service vs Bring Your Own Key

Cloud Key Vault Bring Your Own Key

You have proper Key management

You are granted Privileges

You can manage Keys

You have proper Key management

You have Ownership

You can manage Keys

You can encrypt Data, validate Signature, etc.

#cloudsec

More ComplicatedWhen the Cloud is Hybrid

Identity & Access Management

Databases / Storage

Applications Security Intelligence(SIEM)

On Premise

Identity & Access Management

Databases / Storage

Applications Security Intelligence(SIEM)

Cloud Environment

DedicatedNetwork?

SecuredTunnel?

CentralizedControl?

Internet

#cloudsec

Security Regardless of Infrastructure

Internet

ABCD1234

Network Security: If data is sync in plain text, the protection is subject to network

Data Security: If data is sync in ciphertext, data is protected anywhere

Databases / Storage

On Premise

Databases / Storage

Cloud

akjwi28s

#cloudsec

Data Security:Transferring the Risk

akjwi28s

Databases / Storage

On Premise

Databases / Storage

Cloud

EncryptionService

EncryptionService

Key

After data is encrypted, the risk is transferred to Key Synchronization

Encryption Services ensures that data could be encrypted and decrypted locally

Internet

#cloudsec

Hybrid Cloud Encryption: Encryptions in Applications

CloudOn Premise

akjwi28s

Applications

HSM

The On Premise HSM delivers the Keys to Tokenization Service in all locations

Tokenization Server provides encryption and decryption APIs for applications

Internet

Applications

TokenizationService

TokenizationService

Key Key

ABCD1234 akjwi28s akjwi28s

#cloudsec

Hybrid Cloud Encryption: Native Encryption

CloudOn Premise

akjwi28s

Database with Native Encryption

HSM

The On Premise HSM delivers the Keys to the product in all locations

Native Encryption Example: Database TDE

InternetKey

Database with Native Encryption

Key

#cloudsec

Key Management Service vs Bring Your Own Key

Cloud Key Vault Bring Your Own Key

You have proper Key management

You are granted Privileges

You can manage Keys in Cloud Servicesonly

You have proper Key management

You have Ownership

You can manage Keys on Premise and in Cloud Services

You can encrypt Data, validate Signature, etc.

#cloudsec

Data Ownership and Privacy

Enterprise Level EncryptionDigital Signature and Identity

Cloud Enabled Security

nCipher is an HSM market leader with a long history of industry certifications and validation

nCipher creates solutions delivering trust for business critical applications and information

#cloudsec

nCipher Services

PKI Professional Services

Design, deploy and manage world-class PKIs

Product Deployment

Complete important data protection projects quickly and correctly

Custom Cryptographic Solutions

Leverage our knowledge to protect your customers

Training and Certification

Learn best practices

nCipher Services comprise local experts, accelerate deployments, learn best practices, and maximize return on your investment in data protection and security solutions

www.cloudsec.com | #cloudsec

THANK YOU

Joseph Ling | Senior Solutions Architect

@nCipherSecurity