How to keep your data private in the cloud
Julien Cathalo Smals Research
Introduction to CLOUD ENCRYPTION
Agenda
• The need for Cloud Encryption
• Encryption for user-oriented storage in the Cloud
• Encryption for other SaaS applications
Cloud Encryption - Julien Cathalo - Smals Research
Remarks and questions are welcome !
Infosecurity.be
The Cloud is great !
• Cost reduction
– Less licences
– Less hardware cost
– Less software administration
• Agility
– Resources fit the customer needs
– Resources rapidly available
Cloud Security Concerns
• Organizations are worried…
• And experts say they are right !
– Gartner (2012) recommends not to trust your Cloud provider for the privacy of your data
(2012 Cisco Global Cloud Networking Survey)
Confidentiality in the Cloud
• Goal : prevent unauthorized access to the data
• How to do it ?
– Data Encryption (ex: AES 256 bits)
– Key Management
Encryption is not enough
Recommendation
• Encrypt the data
• Keep control of the keys
– The keys stay inside the organization
• Do not rely on the security measures taken by the Cloud provider
User-oriented storage in the Cloud
• Local folder synced with the Cloud
• Some examples :
Features
• Access your data from several devices
• Share data with others
• Online replication / backup
Access from several devices
Encryption Principle
• Encrypt the local folder(s)
• Keep the key on the device (typically password-protected)
• Synchronise the encrypted folder
How to do it ?
• Dedicated solution + existing Cloud service
e.g. :
• Generic encryption solution + existing Cloud service
e.g. :
• Solution that provides local encryption and Cloud service
e.g. :
Example with BoxCryptor
• BoxCryptor Folder:
– On my hard drive
– Contains configuration file
– Contains encrypted files
– Synced with my Dropbox/Google Drive/other
• Virtual Drive
– Letter Z:
– Shows files in clear
Text file in clear
Encrypted text file
How to choose a solution ?
• Most use the same encryption algorithm and key size (AES 256 bits)
• Features to evaluate :
– Performance
– Implementation (open source ? expert validation ?)
– Ease of use
• Impact on sharing features
Opinion
• These products allow :
– Transparent use
– Low impact on performance in most cases
– Some functions are not affected
– Real security gain
• Their limits are :
– Sharing is more complex
– Security : the Cloud provider still can…
• Monitor your activity
• Know the file sizes
Cloud Security Gateways : Goal
Allow the use of Software as a Service applications while preserving data confidentiality
How it works (in-house gateway)
[Diagram labels: User, Gateway, SaaS Application, Organization; Clear Data, Encrypted Data]
More about the gateway
• It knows the SaaS application
• It knows the structure of the exchanged data
• Encrypts / Decrypts some fields on the fly
• Leaves other fields in clear
• Some basic features are not affected by encryption :
– Search
– Sorting
Search on encrypted data ?
[Diagram: the User sends Search « John Doe » ; the Gateway sends Search « q89sj9 ?& » to the SaaS Application. Labels: User, Gateway, Organization, SaaS Application]
Word by word encryption + deterministic encryption
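Added example, not part of the original slides or of any vendor's product: a small gateway model showing why word-by-word deterministic encryption lets the SaaS side search and match without a key, and what that reveals. The keys, the field policy and all function names are assumptions, and the SIV-style cipher built from HMAC-SHA256 stands in for a vetted deterministic mode such as AES-SIV.

```python
import hashlib
import hmac

# Constructed demo keys; per the slides, real keys stay inside the organization.
MAC_KEY = b"constructed-demo-mac-key"
ENC_KEY = b"constructed-demo-enc-key"
ENCRYPTED_FIELDS = {"name", "notes"}  # hypothetical gateway policy

def _siv(data: bytes) -> bytes:
    # Synthetic IV: a MAC of the plaintext, so equal words give equal tokens.
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:16]

def _xor_stream(siv: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode, seeded by the IV, used as a keystream.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(ENC_KEY, siv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_word(word: str) -> str:
    data = word.encode("utf-8")
    siv = _siv(data)
    return (siv + _xor_stream(siv, data)).hex()

def decrypt_word(token: str) -> str:
    raw = bytes.fromhex(token)
    siv, data = raw[:16], _xor_stream(raw[:16], raw[16:])
    if not hmac.compare_digest(siv, _siv(data)):  # rejects modified tokens
        raise ValueError("token failed integrity check")
    return data.decode("utf-8")

def protect(text: str) -> str:
    # Word-by-word encryption: one token per whitespace-separated word.
    return " ".join(encrypt_word(w) for w in text.split())

def reveal(text: str) -> str:
    return " ".join(decrypt_word(t) for t in text.split())

def outbound(record: dict) -> dict:
    # Gateway to SaaS: encrypt the policy fields, leave the others in clear.
    return {k: protect(v) if k in ENCRYPTED_FIELDS else v for k, v in record.items()}

def saas_search(stored: list, field: str, encrypted_query: str) -> list:
    # Runs at the provider without any key: plain token matching.
    wanted = encrypted_query.split()
    return [r for r in stored if all(t in r[field].split() for t in wanted)]
```

Because the tokens are deterministic, the provider can still see which records share a word and how often each token occurs, which is the functionality versus security trade-off to weigh when choosing the fields to encrypt.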
User view
The user logs in to the gateway URL instead of the SaaS application URL
Then : transparent use of the application
://application.com/
://application-gateway.com/
Cloud Security Gateways : market
• Providers
– Certes Networks
– CipherCloud
– Concealium
– Intel
– PerspecSys
– Symantec
Source : Gartner 2012
Custom application ?
• Each gateway is application-specific (e.g. only works for Office 365)
• Some providers allow customizing a gateway for an application
– Application urls
– Policies e.g. specify which fields are encrypted or tokenized
Conclusion on Cloud Security Gateways
• Allow the use of SaaS applications while protecting data
• Things are moving fast
• Trade-off between
– Functionality
– Security
Opinion
• Encryption for user-oriented storage in the Cloud
– Use can be transparent
– Impact on performance can be limited
– True security gain
• Encryption for other SaaS applications
– Protect the data
– Impact on some cloud features
• Functionality
• Cost
• Availability
Recommendations
• If you think about buying a Cloud Security Gateway you should :
– Precisely find out how much security you gain from it
– Think about availability of the service
– Determine which functions of your SaaS application are crucial
Questions and remarks are welcome !
www.smals.be