This presentation "Can encryption help alleviate concerns about moving to the cloud?" was presented to the Seattle and LA chapters of the Cloud Security Alliance in Q1 of 2013.
HighCloud CTO Steve Pate talks about the use of encryption and key management in virtualized and cloud environments.
HighCloud Security CSA LA and Seattle chapter presentation
1. "CAN ENCRYPTION HELP ALLEVIATE CONCERNS ABOUT MOVING TO THE CLOUD?"
Presented to:
Steve Pate - Co-Founder / CTO
2. Securing Cloud Data With Encryption
Agenda
• How much of a concern does the cloud present us?
• An encryption refresher
• Looking at virtualized environments
• What do the regulations say about virtualization and cloud?
• Methods of deploying encryption in the cloud
• It’s all about key management!
3. What do the surveys say?
Back in 2010 ...
Only 34% of Servers are virtualized .... the #1 restriction cited to further virtualization was security – CDW 2009
87% of respondents rated “Security Challenges” as the #1 issue ascribed to the Cloud model – IDC Enterprise Panel 2009
“73 percent said security was the primary obstacle to their adopting cloud computing, followed by compliance (54 percent) and portability and ownership of data (48 percent). Most said they were worried about stopping unauthorized access to their company data in the cloud, and 42 percent said security worries have stopped their organizations from going to the cloud.” – PhoneFactor survey
“By 2015, security will shift from being the No. 1 inhibitor of cloud to one of the top enablers” – Forrester Research
4. What do the surveys say?
Today ...
In the x86 environment, which represents more than 80% of respondents' computing capacity, average virtualization levels have increased 13% from last year to 51%, with a notable increase at the higher levels, roughly doubling the number of organizations virtualizing production applications - 451 Group
Security problems were the primary concern for 48 percent of IT professionals who didn’t plan to adopt cloud - InformationWeek 2012 Cloud Security and Risk Survey
80 percent of security issues in the cloud through 2013 will be due to error on the part of providers and customers of cloud services, not fundamental issues with the cloud - Gartner
Median cost of a breach in 2012: $8.9M per year
46 US states have passed breach notification laws
7. An Encryption Refresher
• Two types of encryption:
  • Symmetric - single key, best performance
    • Also called secret key cryptography
    • Data at rest
    • Algorithms such as AES, Blowfish, DES, 3DES, Serpent, Twofish
  • Asymmetric - public / private key pair, poor performance
    • Also called public key cryptography
    • Used when sharing between two or more parties
      • Web commerce
      • Exchanging files between colleagues
    • Algorithms such as RSA, Diffie-Hellman, ...
8. An Encryption Refresher
• Symmetric encryption:
[Diagram: Clear Text -> Encryption Software (using the Encryption Key) -> Cypher Text]
Encryption Key (larger = more secure)
AES uses 128 / 256 bit keys
9. An Encryption Refresher
• Symmetric encryption - block ciphers
[Diagram: Application (clear text) -> write(fd, buf, size) -> user space / kernel space boundary -> Filesystem (clear text) -> Device Driver (cypher text)]
10. An Encryption Refresher
• Asymmetric encryption:
[Diagram: Clear Text -> Encryption Software (Public Key) -> Cypher Text -> Encryption Software (Private Key) -> Clear Text]
RSA uses 1024 bit keys
11. An Encryption Refresher
• Usual places of deployment
  • Application (libraries, column-level encryption, ...)
  • Filesystem - encrypt individual files
  • Device driver - volume encryption (whole devices / partitions)
  • SAN switch - within the storage fabric
  • FDE - the whole drive
  • Backup - built in
  • Command-line tools
$ gpg --import pub_key.asc
$ gpg -e -a < src_code.tar.gz > src_code.tar.gz.asc
$ tar cz files | openssl enc -aes-256-cbc -e -out files.tgz.enc
enter aes-256-cbc encryption password: ********
Verifying - enter aes-256-cbc encryption password: ********
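The openssl command above stops for a typed password, which the deck goes on to say does not scale and does not fit automated provisioning. As an added example (not from the original slides or from HighCloud's product), the script below combines the two key types from the refresher: a random symmetric key encrypts the data, and an RSA public key wraps that key so that no prompt is needed. It assumes OpenSSL 1.1.1 or later; the file names and the local RSA key pair standing in for a key held by a key server are hypothetical.

```shell
#!/bin/sh
# Added example: unattended envelope encryption with openssl (1.1.1 or later).
# File names are hypothetical; the RSA pair stands in for a key server's key.
set -eu

# Key owner: create the key-encryption key (KEK) pair once.
# $1 = private key out, $2 = public key out
make_kek() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2"
}

# Provisioning host: holds only the public key and never prompts.
# $1 = plaintext, $2 = public key, $3 = ciphertext out, $4 = wrapped key out
seal() {
  dek=$(mktemp)
  openssl rand -hex 32 > "$dek"            # fresh random data key per file
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$dek" -in "$1" -out "$3"
  openssl pkeyutl -encrypt -pubin -inkey "$2" \
    -pkeyopt rsa_padding_mode:oaep -in "$dek" -out "$4"
  rm -f "$dek"                             # only the wrapped copy is stored
}

# Key owner: unwrap the data key with the private key, then decrypt.
# $1 = ciphertext, $2 = wrapped key, $3 = private key, $4 = plaintext out
unseal() {
  dek=$(mktemp); rc=0
  { openssl pkeyutl -decrypt -inkey "$3" \
      -pkeyopt rsa_padding_mode:oaep -in "$2" -out "$dek" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$dek" -in "$1" -out "$4"
  } || rc=$?
  rm -f "$dek"
  return "$rc"
}
# Note: CBC as used on the slide gives confidentiality only; it does not
# detect tampering with the ciphertext.

# Demo on a constructed sample file.
work=$(mktemp -d)
echo 'constructed sample record' > "$work/plain"
make_kek "$work/kek.pem" "$work/kek.pub"
seal "$work/plain" "$work/kek.pub" "$work/data.enc" "$work/dek.wrapped"
unseal "$work/data.enc" "$work/dek.wrapped" "$work/kek.pem" "$work/out"
cmp -s "$work/plain" "$work/out" && echo "round trip ok"
rm -rf "$work"
```

Whoever holds the private key decides who can read the data, which is the ownership question the later key management slides raise.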
12. What about performance?
Performance is terrible right? It depends ...
• On applications / workloads
• On the availability of hardware support
  • Most Intel / AMD processors now have AES-NI support
  • 8-10x performance improvement
• Should encryption cost just be factored in?
Median cost of a breach in 2012: $8.9M per year
13. How often is encryption used?
• That’s 25+ million downloads
• Keys are protected by passwords
• Password must be typed before keys are accessed
• Does not scale for the enterprise
14. What to do with the key?
• Assume I have many keys ...
• What do I do with all those keys?
• Who owns the keys?
“Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system”
Bruce Schneier, Preface to “Applied Cryptography” Second Edition
16. What is a Virtual Machine?
• Memory images are exposed:
  • Password, crypto keys, email messages, Active Directory data, …
• Sensitive data can be left everywhere the VM travels
  • Data center, public clouds, desktops, notebooks, …
• VM Templates need to be protected
[Diagram: Virtual Machine Image, containing Virtual Disks (Guest OS, Applications, Data), Executables, Config Files, Log Files, Suspend File, Snapshot File, Paging File and VM meta-data]
Virtual Machine state and environment:
➤ VM memory image
➤ Critical VM configuration
➤ Forensics information
17. Protecting the Virtual Machine?
“Have all defense in depth mechanisms work together. Security needs to follow VMs in the infrastructure.”
VMware CEO Maritz - VMworld 2010
18. Virtual Machines present new challenges!
- recognized by the new PCI virtualization guidelines
19. Encryption in Virtualized Environments
• There are multiple choices to encrypt all / part of a VM
• Each has pros / cons
• Many factors to take into account
[Diagram: numbered points ① to ⑥ marked on a stack of VMs, Virtualization Layer, NAS, SAN Switch, Storage Array and Backup / DR]
20. Encryption below the Hypervisor
• Block-based or file-based
• Encryption of the whole VM
• By seeing the VM, we get to do some special things
[Diagram: VMs on two Virtualization Layers; Multi-Tenant Administration; NFS / iSCSI Encrypted Path; Key and Policy Server; Backup Server; Virtual Machine Vault; Restore path; Protected VM Images and Data stored as Cypher Text for Tenant A and Tenant B]
21. Encryption above the Hypervisor
• Footprint inside every VM
• Encrypted path through the hypervisor
• Does not need help from your service provider
[Diagram: VMs; HYPERVISOR; Key Server; Encrypted Data; Encrypted VMDKs]
23. Just use what the provider gives you
• Some providers offer encryption:
  • Amazon S3 for example
  • Good enough for some people
  • No good for others
• Would you put the family jewels in the safe .... and give a stranger the key?
• Some providers want to offer encryption ... but don’t want to host/own the keys!
24. Roll your own ...
• A number of open source and commercial solutions
25. Cloud Encryption Gateway
• Encrypt data before it’s sent to the cloud
• Requires access to corporate network
26. Infrastructure as a Service Clouds
• VMs running in the public cloud
• Encryption within the VM
• Filesystem or logical volume level
• One VM offers encryption to other VMs
[Diagram: VMs in a Public or Private Cloud; NFS, CIFS, iSCSI; Running VM acting as Secure File Server (ENC/DEC); Key Server; Key and Policy Server; Running VM (ENC/DEC); Cloud Infrastructure; Cloud Storage holding Encrypted Data; Private Data Center]
27. Questions to ask?
• How is my data backed up?
• Can anyone access my VMs?
• How are VMs replicated?
• Where are those backups?
• Do the VMs ever get snapshotted?
• When I want to decommission, how is my data removed?
Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 - CSA
29. What key management options are there?
• Low end encryption solutions have no key management
• Enterprise-grade solutions have expensive key servers
  • Enterprise key managers
  • FIPS 140-2, KMIP, ...
  • Highly available
  • Can be extremely expensive
  • Defeats the purpose of virtualization / cloud for cost
• Many organizations are nervous about managing keys
  • Who gets to access the keys?
  • How are they safely backed up?
  • What happens if keys expire?
  • Are the keys well protected?
30. What key management options are there?
• 3 main options:
  • CSP holds the keys
  • Customer holds the keys
  • A third party holds the keys
[Diagram: Key Server in the Customer's Data Center; Key Server at a Key Server Provider; Key Server at the Cloud Service Provider, alongside the VMs]
31. Hosted key management
• Questions to ask:
  • Can I change my mind? I now want to host my own keys
  • I’m hosting keys but now want you to host them
  • Can you actually see my keys?
  • Is the system highly-available? What about DR?
  • I need a process for getting my data back
  • What about multi-tenancy?
  • What about an audit stream?
33. APIs - Provisioning a new server
• Virtualization offers a lot of automation
• Cloud infrastructures are all automated:
  • OpenStack and others
  • Cloud providers automate everything
  • Many organizations large and small automate too
• Password based encryption doesn’t help
• We need encryption to be a drop in solution too
• Needs to be multi-tenant
34. Traditional GUI-based administration
• Can be simple to use
• No need for key management expertise
• A single product may scan multiple platforms and cloud providers
• Very important to increase encryption adoption
... BUT!
35. APIs - Provisioning a new server
• Add a Linux server and encrypt a device - 5 line script!
[Diagram: Key and Policy Server Cluster; system where APIs are run from (hicli, ~/.hicli/hicli.cfg); Linux VMs]
# hicli kps select kps-2
# hicli user login spate --password=********
# hicli cvmset select "Amazon VMs"
# hicli cvm new ubuntu10.04
# hicli cvm ubuntu10.04 add_disk sdb1
39. 3 different steps you can take ...
1. Download the HighCloud Software and try for free!
2. Fill in our survey
  • http://www.highcloudsecurity.com/resources/survey/
3. An exclusive for tonight’s attendees:
  • A free account on HighCloud’s hosted key server
  • Not yet in beta!
  • To sign up contact: spate@highcloudsecurity.com