Intuit's Vivian Gerritsen presents on what users should know about encryption in the cloud at the 2015 Grace Hopper Celebration of Women in Computing Conference.
In Cloud We Encrypt #GHC15
1. 2015
In Cloud We Encrypt
Vivian Gerritsen
Intuit
Oct 16, 2015
#GHC15
2. 2015
About Me
Graduate of the Ohio State University (MSEE)
Practice a broad set of computer technologies, from hardware and system-level software to applications and UI
Focus on security and compliance software for
the past 5 years
I’m a security ninja who protects
against all possible attacks in cyber space
3. 2015
The Need for Encryption
Security breaches almost daily!
It’s an industry trend to encrypt all sensitive data in the cloud.
Many cloud providers offer encryption solutions.
4. 2015
What is Encryption?
Diagram: Input Data (SSN 123-45-6789) → Encryption Engine, fed by the Encryption Key → Output Data (“Cipher Text”: QSBwZX24ncyBhIHBlcnNvbiwgbm8gbWF0JzbdGVyIGhvdyBzbWFsbC4=)
Three major components to any encryption system:
1. Data
2. Encryption engine
3. Key management
5. 2015
What Users Should Know
Users should ask two data encryption questions:
Who has the key?
Is my data protected end-to-end?
6. 2015
Encryption in the Cloud
User-Oriented Storage
Example: File sharing
Best Practices:
You own the key, not the cloud administrator
Choose a vendor where only you control access to the key
7. 2015
Encryption in the Cloud
SaaS-PaaS-IaaS
Intuit example:
SaaS services use a platform with key management APIs to encrypt
application data.
The platform uses an Intuit-certified service to store encryption keys.
Amazon AWS is used as building blocks and infrastructure.
8. 2015
Encryption in the Cloud
Three-Tiered, End-to-End
Diagram: Web Server → Application Server → Database, File System, Big Data; a Key Manager supplies keys to the Applications
Three-tiered SaaS application – encryption in transit and at rest
9. 2015
SaaS Encryption
Client-side encryption
− Encrypts data before sending it to servers
• Protect highly sensitive information
• You own the key
Server-side encryption
− Protects data at rest. Options:
• Trust the provider
• Use customer-provided keys
• Or separate out key management
10. 2015
SaaS Encryption (cont’d)
Cloud encryption gateway
− Acts as a proxy to encrypt or tokenize sensitive SaaS data
• Between corporate network and cloud
• Single point of security configuration
• Encrypt with enterprise controlled keys
11. 2015
PaaS Encryption
Database encryption
− Transparent database encryption
• Whole database or finer-grained (e.g., column, tablespace)
• Keys managed by database
• Authorized users such as admin may see data
− Alternative:
• Encrypt data fields in the application (SaaS)
• Volume encryption (IaaS)
12. 2015
IaaS Encryption
Volume encryption
− Protect the storage systems of running instances
− Build encryption into your instance
• Keys kept in the instance – only protects you from anyone without the right access to that instance
− Separate key from encryption engine
• Returns the key when a set of policy-based criteria are met
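The client-side encryption of slide 9 (encrypt before sending, you own the key) and the separated key manager of slide 12 (the key is released only when policy criteria are met) fit together as envelope encryption. The Go program below is an added example written for this page, not code from the deck or from Intuit: an in-process key manager holds a key-encryption key (KEK), mints a per-object data key (DEK), and unwraps it only for an allow-listed principal (a hypothetical policy); the client encrypts with the DEK locally and uploads ciphertext plus the wrapped DEK, so the storage provider never sees plaintext or the KEK. The sample record and principal names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aesGCMSeal encrypts plaintext under key and returns nonce||ciphertext (authenticated).
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMOpen reverses aesGCMSeal and fails if the blob was modified in storage.
func aesGCMOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot open blob (err=%v, len=%d)", err, len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// KeyManager stands in for the separated key-management service: it alone holds the
// key-encryption key (KEK) and releases data keys only when policy passes. Constructed
// for this example; a deployment would back it with a KMS or HSM.
type KeyManager struct {
	kek     []byte
	allowed map[string]bool // hypothetical policy: principals allowed to unwrap
}

func NewKeyManager(allowed map[string]bool) (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek, allowed: allowed}, nil
}

// NewDataKey mints a per-object data-encryption key (DEK) and returns it with the
// DEK wrapped under the KEK; only the wrapped form is ever written to storage.
func (km *KeyManager) NewDataKey() (plainDEK, wrappedDEK []byte, err error) {
	plainDEK = make([]byte, 32)
	if _, err = rand.Read(plainDEK); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = aesGCMSeal(km.kek, plainDEK)
	return plainDEK, wrappedDEK, err
}

// Unwrap is the policy gate: the DEK comes back only for an allowed principal.
func (km *KeyManager) Unwrap(principal string, wrappedDEK []byte) ([]byte, error) {
	if !km.allowed[principal] {
		return nil, fmt.Errorf("policy: principal %q may not unwrap keys", principal)
	}
	return aesGCMOpen(km.kek, wrappedDEK)
}

// Envelope is what the client uploads: ciphertext plus wrapped DEK; the provider sees neither plaintext nor KEK.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptClientSide encrypts before upload; the plaintext DEK is used once and dropped.
func EncryptClientSide(km *KeyManager, plaintext []byte) (Envelope, error) {
	dek, wrapped, err := km.NewDataKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := aesGCMSeal(dek, plaintext)
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptClientSide asks the key manager to unwrap the DEK (subject to policy) and
// then decrypts locally, so the key manager never handles application data.
func DecryptClientSide(km *KeyManager, principal string, env Envelope) ([]byte, error) {
	dek, err := km.Unwrap(principal, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, env.Ciphertext)
}
```

Calling `EncryptClientSide` with a constructed record such as `SSN 123-45-6789` and then `DecryptClientSide` as `cloud-admin` (not allow-listed) is refused by the policy gate, while `payroll-service` recovers the record; flipping a byte of the stored ciphertext makes the GCM tag check fail, which is the "separate key from engine" design of slide 12 in working form. Rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting the data.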
13. 2015
IaaS Encryption (cont’d)
Object storage
− Transparent data encryption – protects object(s), bucket(s) via server-side encryption
− Client-side encryption – encrypts the objects before sending up
Diagram: Application → REST API → object storage
14. 2015
Encryption in Transit: Mechanisms
SSL
− Used mostly by HTTPS to secure browser sessions
IPSec
− Host-to-host, network-to-network transport
− Network tunneling - VPN
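What the slide calls SSL is, in current deployments, TLS, and the property that makes an HTTPS session secure is that the client verifies the server's certificate against a trust anchor before any data moves. The Go program below is an added example for this page, not code from the deck: it spins up a TLS echo server on loopback with a throwaway self-signed certificate (constructed in-process; the hostname `example-saas.local` is hypothetical) and connects twice, once with the certificate pinned as the client's trust anchor and once relying on system roots, where the handshake must fail. Both sides refuse anything below TLS 1.2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate for 127.0.0.1 so the example runs
// offline. Constructed for this example; a real server presents a CA-issued cert.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-saas.local"}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// RoundTrip starts a TLS echo server on loopback and connects to it. With
// trustServer=true the client pins the server's certificate as its trust anchor;
// with false it relies on system roots and the handshake must fail, which is the
// same check a browser performs before a session is considered secure.
func RoundTrip(msg string, trustServer bool) (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // refuse legacy SSL / TLS 1.0 / 1.1 clients
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // server side: echo one message back, then close
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		buf := make([]byte, 256)
		if n, err := c.Read(buf); err == nil {
			c.Write(buf[:n])
		}
	}()
	cliCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if trustServer {
		cliCfg.RootCAs = pool // pin our trust anchor instead of the system store
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err // certificate rejected: no session, nothing sent
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}
```

`RoundTrip("hello over TLS", true)` returns the echoed message; `RoundTrip("hello", false)` returns a certificate verification error from `tls.Dial` before any application data is written. The point for the slide's "secure browser session" is that the guarantee comes from that verification plus the version floor, not from the mere presence of encryption.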
16. 2015
Data Residency
International data safety
Does your vendor’s vendor protect your data the same way you do?
Data sovereignty: a government in another country may look into your data
Data residency: key needs to stay in US
17. 2015
Conclusions
Always try to manage your keys, and guard them like they were … your keys
− Enforce strong policy (least privilege)
− Enable key rotation
− Be aware of jurisdiction!
Devise your security architecture holistically, not just by looking at point solutions
− Classify your data and apply proper encryption
− Encrypt end-to-end in transit and at rest
18. 2015
Got Feedback?
Rate and review the session on our mobile app
Download at http://ddut.ch/ghc15
or search GHC 2015 in the app store