introduction to cloud encryption - by julien cathalo, smals - 21 03-2013

How to keep your data private in the cloud

Julien Cathalo Smals Research

CLOUD ENCRYPTION Introduction to

Agenda

• The need for Cloud Encryption

• Encryption for user-oriented storage in the Cloud

• Encryption for other SaaS applications

Cloud Encryption - Julien Cathalo - Smals Research

Remarks and questions are

welcome !

Infosecurity.be

The Cloud is great !

• Cost reduction

– Less licences

– Less hardware cost

– Less software administration

• Agility

– Resources fit the customer needs

– Resources rapidly available

Infosecurity.be

Cloud Security Concerns

• Organizations are worried…

• And experts say they are right !

– Gartner (2012) recommends not to trust your Cloud provider for the privacy of your data

Infosecurity.be Cloud Encryption - Julien Cathalo - Smals Research

(2012 Cisco Global Cloud Networking Survey)

Confidentiality in the Cloud

• Goal : prevent unauthorized access to the data

• How to do it ?

– Data Encryption (ex: AES 256 bits)

– Key Management

Infosecurity.be

Confidentiality in the Cloud

Infosecurity.be

Encryption is not enough

Infosecurity.be

Recommandation

• Encrypt the data

• Keep control of the keys

– The keys stay inside the organization

• Do not rely of the security measures taken by the Cloud provider

Infosecurity.be

Agenda

Infosecurity.be

User-oriented storage in the Cloud

• Local folder synced with the Cloud

• Some examples :

Infosecurity.be

Features

• Access your data from several devices

• Share data with others

• Online replication / backup

Infosecurity.be

Access from several devices

Infosecurity.be

Encryption Principle

• Encrypt the local folder(s)

• Keep the key on the device

(typically, password-encoded)

• Synchronise the encrypted folder

Infosecurity.be

How to do it ?

• Dedicated solution + existing Cloud service

e.g. :

• Generic encryption solution + existing Cloud service

e.g. :

• Solution that provide local encryption and Cloud service

e.g. :

Infosecurity.be

Example with BoxCryptor

• BoxCryptor Folder:

– On my hard drive

– Contains configuration file

– Contains encrypted files

– Synced with my Dropbox/Google Drive/other

• Virtual Drive

– Letter Z:

– Shows files in clear

Infosecurity.be

Text file in clear

Infosecurity.be

Encrypted text file

Infosecurity.be

How to choose a solution ?

• Most use the same encryption algorithm and key size (AES 256 bits)

• Features to evaluate :

– Performance

– Implementation (open source ? experts validation?)

– Ease of use

• Impact on sharing features

Opinion

• These products allow :

– Transparent use

– Low impact on performance in most cases

– Some functions are not affected

– Real security gain

• Their limits are :

– Sharing is more complex

– Security : the Cloud provider still can…

• Monitor your activity

• Know the file sizes

Infosecurity.be

Agenda

Infosecurity.be

Cloud Security Gateways : Goal

Allow to use Software as a Service applications

While preserving data confidentiality

Infosecurity.be

How it works (in-house gateway)

SaaS Application

Gateway

Clear Data

Encrypted Data

Organization

Infosecurity.be

More about the gateway

• It knows the SaaS application

• It knows the structure of the exchanged data

• Encrypts / Decrypts some fields on the fly

• Leaves other fields on clear

• Some basic features are not affected by encryption :

– Search

– Sorting

Infosecurity.be

Search on encrypted data ?

SaaS Application

Gateway

Search « John Doe »

Search « q89sj9 ?& »

Organization

Word by word encryption + deterministic encryption

Infosecurity.be

User view

The user logs in to the gateway url

instead of the SaaS application url

Then : transparent use of the application

Infosecurity.be

://application.com/

://application-gateway.com/

Cloud Security Gateways : market

• Providers

– Certes Networks

– CipherCloud

– Concealium

– Intel

– PerspecSys

– Symantec Source : Gartner 2012

Infosecurity.be

Custom application ?

• Each gateway is application-specific

(e.g. only works for Office 365)

• Some providers allow to customize a gateway for an application

– Application urls

– Policies e.g. specify which fields are encrypted or tokenized

Infosecurity.be

Conclusion on Cloud Security Gateways

• Allow to use Saas applications while protecting data

• Things are moving fast

• Trade-off between

– Functionality

– Security

Infosecurity.be

Opinion

– Use can be transparent

– Impact on performance can be limited

– True security gain

– Protect the data

– Impact on some cloud features

• Functionality

• Cost

• Availaibility

Recommendations

• If you think about buying a Cloud Security Gateway you should :

– Precisely find out how much security you gain from it

– Think about availibility of the service

– Determine which functions of your SaaS application are crucial

Infosecurity.be

Questions and remarks

are welcome !

www.smals.be Julien.Cathalo@smals.be

Infosecurity.be

introduction to cloud encryption - by julien cathalo, smals - 21 03-2013

Technology

julien resume v6.0

here - julien vehent -

deep suction dredger maas. - smals

julien gracq l'attente

open source vs commercial esb and api management platform ...

julien deransy texto

smals research 'secure application development lifecycle -...

niamh and julien

julien ppt

julien donkey-boy

julien denegre

julien r.l. priqueler

julien martin - paradizo.org

portfolio julien lafitte

essential oils - julien

julien dupré

julien sorel

audioprothésiste saint julien en genevois - centre auditif...

julien emile-geay

infosessie smals research - application platform as a...