Best practices for data encryption in cloud implementations

Date post: 02-Nov-2014
Upload: dcfrier
Best Practices for Data Encryption in Cloud Implementations David C. Frier, CISM, CISSP, CCSK, CRISC ISACA WNY - April 23, 2013
Transcript
Page 1: Best practices for data encryption in cloud implementations

Best Practices for Data Encryption in Cloud Implementations

David C. Frier, CISM, CISSP, CCSK, CRISC

ISACA WNY - April 23, 2013

Page 2

Outline

• Who is this guy?

• What is encryption, anyway?

• Why do I need encryption?

• What should I encrypt in the cloud?

• How can I encrypt in the cloud?

• How can I tell if my encryption is any good?

• What are the best practices?

• Why is this outline nothing but questions?

Page 3

Who is this guy?

1) David Frier has been an IT consultant since 1984

2) He has been specializing in Information Security since 2005

3) He holds the CISM, CISSP, CRISC and CCSK (Certificate of Cloud Security Knowledge)

4) He has toured with Sting and The Who

5) He has been providing implementation of enterprise security initiatives via Ciber since 2007

6) He has bungee-jumped Angel Falls in Venezuela

7) He can make any cloud implementation attack-proof.

8) Only the Fibonacci-numbered items on this list are true.

9) The preceding item is false.

Page 4

What is encryption, anyway?

• Cleartext: The original data or message, in need of protection from disclosure

• Encryption: the activity of converting cleartext into coded form - ciphertext

• Encryption Algorithm: The process used to perform encryption given a cleartext and one or more keys

• Encryption Key: The secret piece of information that controls the output of the encryption algorithm

Page 5

Why do I need encryption?

• APIs Rule: Anyone who can access some of the data from an admin session can move it all – at machine speed.

• Multi-Tenancy: the main threat is an attack from a co-resident user.

Page 6

What should I encrypt in the cloud?

• Regulated Data: If you are putting data in a cloud that is in scope of PCI, restricted by HIPAA or GLBA… there are elements you must encrypt.

• Intellectual Property: Anything that would constitute your enterprise’s “Crown Jewels.”

Or… don’t send the data; use tokenization
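The "don't send the data" option above, as an added example (not code from the talk): a hypothetical on-premises token vault that replaces a card number with a random token before anything reaches the cloud, so the cloud copy holds nothing worth stealing. The vault structure, token format and the test card number are all constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

// Vault is a hypothetical on-premises token vault, the only place real card
// numbers live; the cloud gets random tokens that map back to nothing without it.
type Vault struct{ byToken map[string]string } // token -> card number

func NewVault() *Vault { return &Vault{byToken: map[string]string{}} }

// Tokenize swaps a card number for a random token that keeps only the last four
// digits (enough for receipts and support, useless for fraud). The token is
// drawn from crypto/rand, not derived from the number, so it leaks nothing.
func (v *Vault) Tokenize(pan string) (string, error) {
	digits := strings.ReplaceAll(pan, " ", "")
	if n := len(digits); n < 13 || n > 19 || strings.Trim(digits, "0123456789") != "" {
		return "", fmt.Errorf("not a card number: %q", pan)
	}
	for {
		n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000_000)) // 12 digits
		if err != nil {
			return "", err
		}
		tok := fmt.Sprintf("tok_%012d%s", n.Int64(), digits[len(digits)-4:])
		if _, taken := v.byToken[tok]; !taken { // retry on the rare collision
			v.byToken[tok] = digits
			return tok, nil
		}
	}
}

// Detokenize only works with the vault; a stolen cloud dataset has no way back.
func (v *Vault) Detokenize(tok string) (string, bool) {
	pan, ok := v.byToken[tok]
	return pan, ok
}

func main() {
	tok, err := NewVault().Tokenize("4111 1111 1111 1111") // constructed test number
	fmt.Println(tok, err) // only the token would be sent to the cloud
}
```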

Page 7

How can I encrypt in the cloud?

IaaS

• Volume Encryption

• Virtual Private Storage

• Files/Folders (Object Storage)

• Three-tier approach
  o Engine / Data / Key Server

Page 8

How can I encrypt in the cloud?

PaaS

• Virtual Private Storage

• Database Encryption
  o Consider a three-tier approach

Page 9

How can I encrypt in the cloud?

SaaS

• Client-side encryption
  o Locally built client application that encrypts data before sending it to the servers

• Encryption Proxy
  o Hardware or virtual appliance that intercepts web form input before submitting it

• Trust the Provider
  o They probably have pretty strong security measures
  o You can audit them… RIGHT?
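The three-tier approach (Engine / Data / Key Server) and client-side encryption from the last three slides, as an added example that is not code from the talk: the engine runs on the client and seals each record with AES-256-GCM under a key that only the key tier issues, so the cloud data tier (a plain map standing in for object or database storage) ever sees only nonce||ciphertext. The `Engine` type, its methods and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Engine is the client-side tier: it seals records under an AES-256 key from the
// key tier (a customer-controlled KMS/HSM) before the cloud data tier sees them.
type Engine struct{ aead cipher.AEAD }

func NewEngine(key []byte) (*Engine, error) {
	block, err := aes.NewCipher(key) // rejects anything but 16/24/32-byte keys
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Engine{aead: aead}, nil
}

// Put stores nonce||ciphertext; the id is bound as associated data so a blob cannot be re-homed.
func (e *Engine) Put(store map[string][]byte, id string, record []byte) error {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	store[id] = e.aead.Seal(nonce, nonce, record, []byte(id))
	return nil
}

// Get fails closed: missing, tampered, moved-to-another-id, or wrong-key blobs all error.
func (e *Engine) Get(store map[string][]byte, id string) ([]byte, error) {
	blob, n := store[id], e.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("no record %q", id)
	}
	return e.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

func main() {
	key := make([]byte, 32) // AES-256 key; in practice the key tier issues it
	rand.Read(key)          // cannot fail as of Go 1.24 (crashes instead)
	eng, _ := NewEngine(key)
	store := map[string][]byte{}
	_ = eng.Put(store, "cust-42", []byte("constructed sample record"))
	fmt.Println(eng.Get(store, "cust-42"))
}
```

Because the id is authenticated along with the ciphertext, copying a blob to another record or decrypting with a key from a different key server both fail rather than return garbage.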

Page 10

How will I implement encryption?

• Standard (non-cloud) tools (I, some P)

• Client/app encryption (I, P)

• Database encryption (P)

• APIs (I, P)

• Proxy encryption (Any)

Page 11

How can I tell if my encryption is any good?

Rule #1: PAAS

Proprietary Algorithms All Stink

If an algorithm cannot face the scrutiny of the technical community… it’s not because it’s unbreakable.

Anyone can produce an algorithm that he himself can’t crack

Even the gold standard (AES-256) will fall one day.

Page 12

How can I tell if my encryption is any good?

Rule #2: Control the Keys

The algorithms are out there

They are being attacked all the time, but are holding up

The only two ways the attacker is going to get through to your data are:

1. Brute Force

2. Compromise your Keys

Page 13

What are the best practices?

• Know what you need to encrypt and why.

• Know what your cloud architecture supports

• Consider tokenization

• Ensure use of standards-based algorithms

• Plan the entire key-management lifecycle

Page 14

More best practices, please?

• Maximize granularity

• Capture and analyze all logs, audit trails

• Encrypt all portable devices

• Allow for integration

Page 15

Tell ‘em what you told ‘em

• Encrypt what you need to… only.

• Use standards-based algorithms
  o PAAS!

• Guard your keys like they were…
  o …your keys

• Tokenize where it makes sense
  o They can’t steal what isn’t there

Page 16

Question everything
