SecaaS overview webinar with Credant

For anyone who would like an overview of;

– What the ‘Cloud’ is

– Who the Cloud Security Alliance is and their mission

– What Security as a Service (SecaaS) is

– The work of the SecaaS working group so far and what is coming up

I am presenting a Webinar in association with Credant tomorrow (10/11/2011) at 1pm Central US time / 7pm UK time.

To register for this event please follow this link;

https://credantevents.webex.com/credantevents/onstage/g.php?t=a&d=668393321

This should be an interesting event, and there will be a Q&A session included should there be anything you want to know about Security as a Service, the CSA or Credant that we don’t cover in the pitch.

For those not familiar with them Credant are one of the leaders in Data Protection.  From their website they describe themselves as;

Your Trusted Data Protection Experts

We help you protect critical corporate data by mitigating the risk of data breaches and managing the complexity of securing data with a single, management framework. Our Data Protection Platform comprehensively addresses the unique security challenges of your enterprise organization’s data to ensure you’re compliant.

Our comprehensive Data Protection Platform helps you control, manage and protect data holistically at your enterprise organization from endpoints to servers, to storage, to applications and in the cloud.

For further details or to contact them Credant can be found here;

http://www.credant.com/

For reference I am in no way affiliated with Credant and the opinions expressed both here and in tomorrows presentation are 100% my own.

If you have data to be protected I would recommend checking Credants solutions out.

K

 

 

 

Homomorphic Encryption – Saviour of the cloud? Ready for prime time?

Homomorphic encryption has been around for a while (in fact it has been debated for around 30 years), but most systems that are Homomorphic are only partially homomorphic thus limiting their use in enabling real world distributed, including cloud based, systems.

I’ll start by briefly describing what the term homomorphic means when used to describe a cryptosystem.  If a mathematical operation can be performed on the encrypted data to produce an encrypted output that when decrypted gives the same result as if the operation had been performed on the plaintext.

I’m sure you can see how this removes one of the main barriers to the adoption of cloud computing.  If an efficient, proven and thoroughly tested homomorphic encryption system would potentially revolutionise the view of cloud computing security.  Currently it is easy to send data to and from the cloud in a secure encrypted manner, however if any computation is to be carried out in this data it has to be unencrypted at some point.  When the data is unencrypted in the cloud the risk that employees of the cloud provider, and potentially other customers, could access the data becomes a real concern.  It is this risk that is one of the key road blocks to companies moving their data to the cloud.

Additionally some legal / regulatory rules prevent certain unencrypted data types, such as personally identifiable information (PII), leaving countries / regions such as the EU.  A system that enabled data to remain encrypted would potentially get around these regulatory issues and allow data to be housed in the cloud (many cloud providers have data centres located in various global locations and can’t guarantee where data will reside.   In fact this is one of the benefits of the cloud – the high level of redundancy and resilience provided by multiple data centres in geographically diverse locations).

Some existing algorithms are partially homomorphic, this means that they are homomorphic with regards to one or maybe a couple of operations.  For example the RSA algorithm is homomorphic with regards to multiplication.

IBM has published some research in this area in 2009 they proposed fully homomorphic systems that are linked to from here;

http://domino.research.ibm.com/comm/research_projects.nsf/pages/security.homoenc.html

Currently fully homomorphic systems are too new and not yet practical enough to be implemented for production systems.  For any cryptographic algorithm to be recommended it requires considerably more time to be peer reviewed and tested by security and encryption researchers to allow a reasonable level of assurance that there are not attacks that could be used to unencrypt the data.  In terms of practicality currently proposed homomorphic encryption systems, the complexity of the system grows enormously as the number of actions you need to perform on the encrypted data increases.  This leads to a massive increase in the computational power required to run the system, this is a non-trivial increase that will not be solved by Moore’s law anytime in the near future.

So homomorphic encryption has now been proven to be possible which is a huge step forwards, and the work done by people like Craig Gentry and the guys at IBM and MIT must be hugely applauded.

Microsoft researchers published a paper in May of this year (2011) titled ‘Can Homomorphic Encyption be Practical’ that can be found here;

http://research.microsoft.com/apps/pubs/default.aspx?id=148825

This provides an overview of a proposed partially homomorphic implementation along with thoughts on how it could be made fully homomorphic and how the efficiency could be improved.  The page also contains some useful links to cloud and lattice based cryptography.

However the reality is that we need several more years for a broader range of cryptographers to examine the cryptosystem to be assured it is secure, and for further work to go into making the system much more efficient.

These are definitely interesting times, and over the next few years I would hope to see homomorphic cryptosystems removing some of today’s key barriers to the adoption of cloud computing services!

K

Cloud Security Alliance Security as a Service white paper press release

Can be found here;

https://cloudsecurityalliance.org/csa-news/csa-issues-first-secaas-white-paper/

 

I know I have mentioned this work already, but this is the official press release from the Cloud Security Alliance for the Security as a Service Categories of Service 2011 white paper.

Exciting for me as I actually wrote much of the release as well as my roles contributing to the paper and managing the groups work as one of the co-chairs.  Big thanks to Zenobia at Zag Communications for bringing the press release together.

K

 

Security as a Service – Defined Categories of Service 2011 white paper published!

The first officially published work from the recently formed Cloud Security Aliance – Security as a Service (SecaaS) working group has been published.  This is a great first step as we have identified the key categories of service that can / will make up security as a service.

This document can be found here;

https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf

I’m personally very proud of this work as I am the co-chair for the Security as a Service working group which has meant bringing together input from multiple streams of expersts working from many global locations and different time zones.  I have also had to arbitrate any disagreements around content and ensure all experts who wanted to participate were able to provide their input.

In addition to the coordinating the various inputs and running steering meetings I also provided input into various categories where extra detail was required and also wrote most of one category that wasn’t picked up by the various experts who volunteered to help.

Our next steps are to to be finalised but they are likely to include;

– Finalising the version of the document that will be put forward towards an ISO standard

– Working on getting SecaaS added as the 14th domain of the official Cloud Security Alliance guidance

– Creating implementation guidance and examples for those looking to implement various SecaaS solutions

Watch this space and / or check in on the Cloud Security Alliance web site for progress updates.

K

PCI-DSS Virtualisation Guidance

In what was obviously a response to my recent blog post stating
more detailed guidance would be helpful (yes I am that influential!) the ‘PCI
Security Standards Council Virtualisation Special Interest Group’ have just
released the ‘PCI DSS Virtualisation Guidelines’ Information Supplement.

This can be found here;

https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf

This is a welcome addition to the PCI-DSS as it makes the
requirements for handling card data in a virtual environment much more clear.
The use of the recommendations in this document along with the reference
architecture linked to in my previous post will provide a solid basis for
designing PCI-DSS compliant virtual environment.

The document itself is in 3 main sections. These comprise;

– ‘Virtualisation Overview’ which outlines the various components
of a virtual environment such as hosts, hypervisor, guests etc. and under what
circumstances they become in scope of the PCI-DSS

– ‘Risks for Virtualised Environments’ outlines the key risks
associated with keeping data safe in a virtual environment including the
increased attack surface or having a hypervisor, multiple functions per system,
in memory data potentially being saved to disk, Guests of different trust
levels on the same host etc. along with procedural issues such as a potential
lack of separation of duties.

– ‘Recommendations’; This section is the meat of the document that
will be of main interest to most of the audience as it details the PCI’s recommended
actions and best practices to meet the DSS requirements. This is split into 4
sections;

– General –
Covering broad topics such as evaluating risk, understanding the standard,
restricting physical access, defence in depth, hardening etc.   There is also a recommendation to review other guidance such as that from NIST (National Institute of Standards Technology), SANS (SysAdmin Audit Network Security) etc. – this is generally
good advice for any situation where a solid understanding of how to secure a
system is required.

– Recommendations for Mixed Mode Environments –

This is a key section for most businesses as the reality for most of us is that being able to run a mixed mode environment, (where guests in scope of PCI-DSS and guests not hosting card data are able to reside on the same hosts and virtual environment via acceptable logical separation), are the best option in order to gain the maximum benefits from virtualisation.  This section is rather shorter than expected with little detail other than many warnings about how difficult true separation can be.  On a bright note it does clearly
say that as long as separation of PCI-DSS guests and none PCI-DSS guests can be configured and I would imagine audited then this mode of operating is permitted.  Thus by separating the Virtual networks and segregating the guests into separate resource pools, along with the use of virtual IPS appliances and likely some sort of auditing (e.g. a netflow monitoring tool) it should be very possible to meet the DSS requirements in a mixed mode virtual environment.

– Recommendations for Cloud Computing Environments –

This section outlines various cloud scenarios such as Public / Private / Hybrid along with the different service offerings such as IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service).  Overall it is highlighted that in many cloud scenarios it may not be possible to meet PCI-DSS requirements due to the complexities around understanding where the data resides at all times and multi tenancy etc.

– Guidance for Assessing Risks in Virtual Environments –

This is a brief section outlining areas to consider when performing a risk assessment, these are fairly standard and include Defining the environment, Identifying threats and vulnerabilities.

Overall this is a useful step forward for the PCI-DSS as it clearly shows that the PCI are moving with the times and understanding that the use of virtual environments can indeed be secure providing it is well managed, correctly configured and audited.

If you want to make use of virtualisation for the benefits of consolidation, resilience and management etc. and your environment handles card data this along with the aforementioned reference architecture should be high on your reading list.

K

 

Security as a Service – Category and Threat Definitions

We are currently in phase one of producing the Security as a Service guidance documentation;

–          Agreeing and documenting categories of service and their definitions

–          Agreeing and documenting categories of threats and their definitions

So far the top five categories of service are;

    1. IAM
    2. DLP
    3. Secure Web Gateway
    4. Vulnerability Assessments
    5. Pen Testing
    6. Intrusion Detection
    7. Encryption
    8. Log Management

With several further categories in the mix.  We will be looking to consolidate the above categories and the others identified into sensible easy to understand groupings.   For example it is likely that ‘vulnerability assessment’ and ‘pen testing’ will be a single category.

The top categories of threat identified are currently;

    1. Data Loss Leakage
    2. Traffic Hijacking
    3. Unauthorized Access
    4. Denial of Service
    5. Application Vulnerabilities

With about forty further ideas being assessed in the same way as for categories of service.

Should you have any ideas please do let me know either by posting a comment on this blog or by mailing me on LinkedIn, any assistance is greatly welcomed!

K

 

Cloud Security as a Service RSA conference presentation

An overview of the Cloud Security as a Service (SecaaS) working group goals, outputs and proposed timeline was presented at the RSA conference on the 14th of February.  His has been recorded for prosperity and uploaded to YouTube.  The presentation can be found here;

http://www.youtube.com/watch?v=fzejQuSR_xU

This gives a great update on one of the things I’ll be working on during the next few months.  Check the video out, fell free to ask me any questions you have, and of course if interested get involved and provide feedback via the surveys mentioned in the presentation.

K