3. Cloud-Computing Security Risks (1)
Risk Assessment
• Data integrity, recovery, privacy
• Evaluation of legal issues, regulatory compliance, auditing
• Etc…
Transparency
• Qualification of policy makers, architects, coders, operators
• Risk-control processes and technical mechanisms
• Level of testing
• How unanticipated vulnerabilities are identified
• Etc…
Registration Authority
4. Seven Cloud-Computing Risks (1)
1. Privileged user access
• Physical, logical and personnel control
• Ask about hiring and oversight of administrators
• What control is there?
2. Regulatory compliance
• Customers are responsible
• Check external audits and security certifications
3. Data location
• Commitment to storing and processing data in specific jurisdictions
• Contractual commitment
4. Data segregation
• Data at rest and in use?
• Encryption designed and tested by experienced specialists
5. Seven Cloud-Computing Risks (2)
5. Recovery
• What happens in case of a disaster?
• Replication of data and application across multiple sites?
• Ability to do a complete restoration? How long would it take?
6. Investigative support
• How to trace inappropriate or illegal activities?
• Logging and data may be for multiple customers
• Contractual commitment to support specific forms of investigation
• Get evidence that the vendor has already supported such activities
7. Long-term viability
• What if your Cloud provider goes broke or gets acquired?
• How could you get your data back? In which format?
• Replacement application?
9. Symmetric Encryption
Advantages
– Fast
– Relatively simple to implement
– Very efficient, in particular when the key is used only once
Drawbacks
– A different key for each pair of users
• The major issue: key management (as many keys to exchange as there are users)
• How do Alice and Bob get the key without anybody else having access to it?
• The key must follow a different channel (phone, fax, …)
11. Asymmetric Encryption
Invented in 1975 by Whitfield Diffie and Martin Hellman
Each user owns a pair of keys
– The public key, which is used to encrypt and is known by everybody
– The private key, which is used to decrypt and is known only by the owner
16. Example : SSL Server
1. Client: Send a message A
2. Server: Send the certificate and the message A signed
3. Client: Verification of the certificate and of the signature
4. Client and Server: Negotiation of the encryption algorithm
5. Client: Generation of a session key
6. Client: Encryption of the session key with the server public key
7. Client: Send the session key encrypted
8. Server: Decryption of the session key with the private key
9. The session key is shared
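The exchange on this slide, as an added Go sketch that is not part of the original deck: the server proves it holds the private key by signing message A, and the client wraps a fresh session key with the server public key. The names Server, NewServer, SignChallenge, Unwrap and Exchange, and the choice of RSA-PSS and RSA-OAEP with SHA-256, are assumptions; certificate validation and algorithm negotiation are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server owns the private key; its public key is assumed already trusted (no certificate here).
type Server struct{ key *rsa.PrivateKey }
func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{k}, err
}
func (s *Server) SignChallenge(a []byte) ([]byte, error) { // sign message A (RSA-PSS)
	h := sha256.Sum256(a)
	return rsa.SignPSS(rand.Reader, s.key, crypto.SHA256, h[:], nil)
}
func (s *Server) Unwrap(wrapped []byte) ([]byte, error) { // decrypt with the private key
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, wrapped, nil)
}

// Exchange plays the client, trusting only pub; it returns its session key and the server's copy.
func Exchange(srv *Server, pub *rsa.PublicKey) ([]byte, []byte, error) {
	buf := make([]byte, 64)
	if _, err := rand.Read(buf); err != nil {
		return nil, nil, err
	}
	a, sessionKey := buf[:32], buf[32:] // message A and a 256-bit session key
	sig, err := srv.SignChallenge(a)
	h := sha256.Sum256(a)
	if err != nil || rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) != nil {
		return nil, nil, fmt.Errorf("server identity not proven")
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	serverCopy, err := srv.Unwrap(wrapped)
	return sessionKey, serverCopy, err
}

func main() {
	if srv, err := NewServer(); err == nil {
		_, _, err = Exchange(srv, &srv.key.PublicKey)
		fmt.Println("handshake error:", err)
	}
}
```

A server that answers with a different private key than the one the client trusts fails the signature check, so no session key is ever sent to it.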
19. Rules of thumb
Use encryption
• For exchanges of data with the Cloud
• For data in the Cloud
Use strong authentication
• To connect to the Cloud
• To identify the Cloud server
Use signature
• For exchanges of data in the Cloud
20. Best Practices (1)
Protect data transfer but also data in the cloud
Use data-centric encryption & encryption embedded in the file format
Understand how the keys will be managed (avoid reliance on cloud providers)
Include files such as logs and metadata in encryption
Use a strong standard algorithm (such as AES-256)
Use open validated formats
Avoid proprietary encryption
21. Best Practices (2)
Content-aware Encryption
Format-preserving Encryption
Use Data Leak Prevention (DLP) solutions
22. Best Practices (3. Data Base)
Be aware of performance issues
Use object security
Store a secure hash
23. Best Practices (4)
Use key management software
Use group-level keys
Maintain keys within the Enterprise
Revoking keys
Define and enforce strong key management processes and practices
Implement segregation of duties
24. Recommendations (1)
Use best-practice key management practices
Use off-the-shelf products from credible sources
Maintain your own trusted cryptographic source
Key scoping at the individual or group level
Use DRM systems
25. Recommendations (2)
Use standard algorithms
Avoid old ones such as DES
Use central and internal key management (with your own HSM, etc.)
Use segregation of duties
27. Thank you for your attention
SSL EUROPA
8 chemin des escargots
18200 Orval - France
+33 (0)9 88 99 54 09
www.ssl-europa.com