Introduction to Cloud Encryption - by Julien Cathalo, Smals - 21-03-2013
DESCRIPTION
How to keep your data private in the Cloud? Slides from a live presentation at the Belgian edition of InfoSecurity on 21-3-2013. Smals researcher Julien Cathalo discusses the needs, strategies and commercial products for building a Cloud encryption infrastructure. Organizations should not rely upon Cloud service providers for assuring their data privacy. He discusses several products for user-oriented storage in the Cloud, including Box, Google Drive, Dropbox, SkyDrive, SpiderOak, to be secured by BoxCryptor, TrueCrypt, TeamDrive or SpiderOak. SaaS applications like Gmail, Salesforce.com or Office 365 could be secured using security gateways like Certes, CipherCloud, Concealium, Intel, Perspecsys or Symantec. Smals is a not-for-profit shared services organization offering ICT solutions to Belgian government institutions in social security and health care. More info on www.smals.be
TRANSCRIPT
How to keep your data private in the cloud
Julien Cathalo Smals Research
Introduction to CLOUD ENCRYPTION
Agenda
• The need for Cloud Encryption
• Encryption for user-oriented storage in the Cloud
• Encryption for other SaaS applications
Cloud Encryption - Julien Cathalo - Smals Research
Remarks and questions are welcome !
Infosecurity.be
The Cloud is great !
• Cost reduction
– Less licences
– Less hardware cost
– Less software administration
• Agility
– Resources fit the customer needs
– Resources rapidly available
Cloud Security Concerns
• Organizations are worried…
• And experts say they are right !
– Gartner (2012) recommends not to trust your Cloud provider for the privacy of your data
(2012 Cisco Global Cloud Networking Survey)
Confidentiality in the Cloud
• Goal : prevent unauthorized access to the data
• How to do it ?
– Data Encryption (ex: AES 256 bits)
– Key Management
Confidentiality in the Cloud
Encryption is not enough
Recommendation
• Encrypt the data
• Keep control of the keys
– The keys stay inside the organization
• Do not rely on the security measures taken by the Cloud provider
Agenda
• The need for Cloud Encryption
• Encryption for user-oriented storage in the Cloud
• Encryption for other SaaS applications
User-oriented storage in the Cloud
• Local folder synced with the Cloud
• Some examples :
Features
• Access your data from several devices
• Share data with others
• Online replication / backup
Access from several devices
Encryption Principle
• Encrypt the local folder(s)
• Keep the key on the device
(typically, password-encoded)
• Synchronise the encrypted folder
How to do it ?
• Dedicated solution + existing Cloud service
e.g. :
• Generic encryption solution + existing Cloud service
e.g. :
• Solution that provides local encryption and Cloud service
e.g. :
Example with BoxCryptor
• BoxCryptor Folder:
– On my hard drive
– Contains configuration file
– Contains encrypted files
– Synced with my Dropbox/Google Drive/other
• Virtual Drive
– Letter Z:
– Shows files in clear
Text file in clear
Encrypted text file
How to choose a solution ?
• Most use the same encryption algorithm and key size (AES 256 bits)
• Features to evaluate :
– Performance
– Implementation (open source ? expert validation ?)
– Ease of use
• Impact on sharing features
Opinion
• These products allow :
– Transparent use
– Low impact on performance in most cases
– Some functions are not affected
– Real security gain
• Their limits are :
– Sharing is more complex
– Security : the Cloud provider still can…
• Monitor your activity
• Know the file sizes
Agenda
• The need for Cloud Encryption
• Encryption for user-oriented storage in the Cloud
• Encryption for other SaaS applications
Cloud Security Gateways : Goal
Allow the use of Software as a Service applications while preserving data confidentiality
How it works (in-house gateway)
[Diagram: User, Gateway, SaaS Application, Organization; data flows labelled Clear Data and Encrypted Data]
More about the gateway
• It knows the SaaS application
• It knows the structure of the exchanged data
• Encrypts / Decrypts some fields on the fly
• Leaves other fields in clear
• Some basic features are not affected by encryption :
– Search
– Sorting
Search on encrypted data ?
[Diagram: User, Gateway, SaaS Application, Organization. The user's request Search « John Doe » leaves the gateway as Search « q89sj9 ?& »]
Word by word encryption + deterministic encryption
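The search flow on the slide above, as an added example that is not from the presentation or from any vendor's product: a hypothetical gateway tokenizes the `name` field word by word with HMAC-SHA256 (a stand-in for the deterministic cipher, which the slides do not specify, with an in-house vault for the return path), so the SaaS side can match a search without seeing clear text. The class names, key and records are constructed.

```python
import hashlib
import hmac
from collections import Counter

GATEWAY_KEY = b"constructed-demo-key"  # constructed; stays inside the organization


class Gateway:
    """Hypothetical in-house gateway: tokenizes chosen fields word by word."""

    def __init__(self, key, protected_fields):
        self.key, self.protected = key, set(protected_fields)
        self.vault = {}  # token -> clear word, kept in-house for the return path

    def protect(self, text):
        tokens = []
        for word in text.split():
            # Deterministic: the same word always yields the same token.
            tok = hmac.new(self.key, word.encode(), hashlib.sha256).hexdigest()[:16]
            self.vault[tok] = word
            tokens.append(tok)
        return " ".join(tokens)

    def reveal(self, text):
        return " ".join(self.vault.get(tok, tok) for tok in text.split())

    def outbound(self, record):  # user -> SaaS: protected fields only
        return {k: self.protect(v) if k in self.protected else v for k, v in record.items()}

    def inbound(self, record):  # SaaS -> user
        return {k: self.reveal(v) if k in self.protected else v for k, v in record.items()}


class SaaS:
    """Stand-in for the application: stores and matches only what it is sent."""

    def __init__(self):
        self.rows = []

    def search(self, field, query):
        wanted = query.split()
        return [r for r in self.rows if all(t in r[field].split() for t in wanted)]


def run_demo():
    gw, saas = Gateway(GATEWAY_KEY, {"name"}), SaaS()
    for name, country in [("John Doe", "BE"), ("Jane Doe", "BE"), ("John Smith", "NL")]:
        saas.rows.append(gw.outbound({"name": name, "country": country}))
    hits = [gw.inbound(r) for r in saas.search("name", gw.protect("John Doe"))]
    # What the provider can still learn: how often each (unknown) word repeats.
    repeats = Counter(t for r in saas.rows for t in r["name"].split())
    return hits, saas.rows, sorted(repeats.values(), reverse=True)
```

`run_demo()` also returns the token repeat counts, which show the equality leakage that deterministic encryption accepts in exchange for search.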
User view
The user logs in to the gateway URL instead of the SaaS application URL
Then : transparent use of the application
://application.com/
://application-gateway.com/
Cloud Security Gateways : market
• Providers
– Certes Networks
– CipherCloud
– Concealium
– Intel
– PerspecSys
– Symantec
Source : Gartner 2012
Custom application ?
• Each gateway is application-specific
(e.g. only works for Office 365)
• Some providers allow customizing a gateway for an application
– Application URLs
– Policies e.g. specify which fields are encrypted or tokenized
Conclusion on Cloud Security Gateways
• Allow the use of SaaS applications while protecting data
• Things are moving fast
• Trade-off between
– Functionality
– Security
Opinion
• Encryption for user-oriented storage in the Cloud
– Use can be transparent
– Impact on performance can be limited
– True security gain
• Encryption for other SaaS applications
– Protect the data
– Impact on some cloud features
• Functionality
• Cost
• Availability
Recommendations
• If you think about buying a Cloud Security Gateway you should :
– Precisely find out how much security you gain from it
– Think about availability of the service
– Determine which functions of your SaaS application are crucial
Questions and remarks are welcome !
www.smals.be