RSA Conference Europe 2012 – Encrypt your cloud

Davi Ottenheimer – president, flyingpenguin

A perceived lack of security in the cloud is still one of the primary issues preventing organisations moving to the cloud.

I was hoping from the title this would touch on the issues with encrypting data while it is processed, but the introduction really only discussed only in rest and in transit.  We all know that;

–          Technically encrypting data moving to and from and around the cloud is not difficult, we have been using SSL / TLS etc. to achieve this in the public domain for years.

–          Encrypting data at rest is also technically easy and again something we have been doing for years for example with public key cryptography.

–          Even deleting data in the cloud can effectively be dealt with via good key management – if your data is encrypted with strong encryption, when you want to ‘delete’ it you can just delete the key!

For a general overview of issues with encryption in the cloud, the talk was interesting and useful covering terminology and some details on key exchange etc.

Some useful terminology when talking about crypto;

–          Encryption: reversible operation, cryptographically turns input into illegible cipher text

–          Hashing: non-reversible operation, cryptographically transforms input to illegible message

–          Tokenization: reversible operation, substitutes input with data that has no inherent value

–          Key management: life-cycle of a secret including creation, distribution, use and deletion

Consider the human / social element.  Some good slides on the Diffie-Hellman key exchange – worth looking up if you want a better understanding of this.

Consider how safe virtual machines are – how protected are they from someone who has full hypervisor access?  What happens when a VM moves to another host – for example VMware v-motion does not support encryption so your machine is copied to another host in ‘clear text’ so data contained in the guest may be accessible to anyone with network access.

Some slides and discussion on Encryption as a Service, which is cool as this is one of the domains of Security as a Service that we have identified and documented J  I’d recommend looking up Key Management Interoperability Protocol (KMIP) and Enterprise Key Management Infrastructure (EKMI) if you want to know more and potential encryption as a service key management options.

Ensure you understand key persistence and management – where are you keys – For example, make sure they are not in things like machine templates otherwise anyone who can create a clone with your template can have root access on all the machines made from that template.  Understand who has your keys, and who can access them and your data – read up on Dropbox legal case for an example of this and how important it is to understand SLAs from providers.

The presentation ended with 6 recommendations for next steps;

Next 3 months

–          Classify data for segmentation

–          Setup key management policy and procedures

–          Select standards for interoperability

Next 6 months

–          Configure apps for key and crypto management

–          Select a key app and crypto app solution

–          Plan and initiate a project to protect data in cloud

Obviously the timings will very much depend on the speed at which your organisation moves!

Overall this was an interesting talk, with some good considerations that highlighted the fact most issues with encryption in the cloud are people / process related rather than technology.  We already have known and understood methods for encrypting data in transit and at rest.

However the talk didn’t really touch on the issues around data processing aside from a mention on tokenization that allows portions of data to be available for some processing while protecting the sensitive portion.  This was a bit disappointing for me as I was hoping this area would be covered in some depth as it’s still the one hole left in the ‘can my data in the cloud be encrypted ALL the time, even when searching and processing it?’ question.