introduction to cloud encryption - by julien cathalo, smals - 21 03-2013

How to keep your data private in the cloud

Julien Cathalo Smals Research

CLOUD ENCRYPTION Introduction to

Agenda

• The need for Cloud Encryption

• Encryption for user-oriented storage in the Cloud

• Encryption for other SaaS applications

Cloud Encryption - Julien Cathalo - Smals Research

2

Remarks and questions are

welcome !

Infosecurity.be

The Cloud is great !

• Cost reduction

– Less licences

– Less hardware cost

– Less software administration

• Agility

– Resources fit the customer needs

– Resources rapidly available


3

Infosecurity.be

Cloud Security Concerns

• Organizations are worried…

• And experts say they are right !

– Gartner (2012) recommends not to trust your Cloud provider for the privacy of your data

Infosecurity.be Cloud Encryption - Julien Cathalo - Smals Research

4

(2012 Cisco Global Cloud Networking Survey)

Confidentiality in the Cloud

• Goal : prevent unauthorized access to the data

• How to do it ?

– Data Encryption (ex: AES 256 bits)

– Key Management


5

Infosecurity.be

Confidentiality in the Cloud


6

Infosecurity.be

Encryption is not enough


7

Infosecurity.be

Recommandation

• Encrypt the data

• Keep control of the keys

– The keys stay inside the organization

• Do not rely of the security measures taken by the Cloud provider


8

Infosecurity.be

Agenda





9

Infosecurity.be

User-oriented storage in the Cloud

• Local folder synced with the Cloud

• Some examples :


10

Infosecurity.be

Features

• Access your data from several devices

• Share data with others

• Online replication / backup


11

Infosecurity.be

Access from several devices


12

Infosecurity.be

Encryption Principle

• Encrypt the local folder(s)

• Keep the key on the device

(typically, password-encoded)

• Synchronise the encrypted folder


13

Infosecurity.be

How to do it ?

• Dedicated solution + existing Cloud service

e.g. :

• Generic encryption solution + existing Cloud service

e.g. :

• Solution that provide local encryption and Cloud service

e.g. :


14

Infosecurity.be

Example with BoxCryptor

• BoxCryptor Folder:

– On my hard drive

– Contains configuration file

– Contains encrypted files

– Synced with my Dropbox/Google Drive/other

• Virtual Drive

– Letter Z:

– Shows files in clear


15

Infosecurity.be

Text file in clear


16

Infosecurity.be

Encrypted text file


17

Infosecurity.be

How to choose a solution ?

• Most use the same encryption algorithm and key size (AES 256 bits)

• Features to evaluate :

– Performance

– Implementation (open source ? experts validation?)

– Ease of use

• Impact on sharing features


18

Opinion

• These products allow :

– Transparent use

– Low impact on performance in most cases

– Some functions are not affected

– Real security gain

• Their limits are :

– Sharing is more complex

– Security : the Cloud provider still can…

• Monitor your activity

• Know the file sizes


19

Infosecurity.be

Agenda





20

Infosecurity.be

Cloud Security Gateways : Goal

Allow to use Software as a Service applications

While preserving data confidentiality


21

Infosecurity.be

How it works (in-house gateway)


22

SaaS Application

User

Gateway

Clear Data

Encrypted Data

Organization

Infosecurity.be

More about the gateway

• It knows the SaaS application

• It knows the structure of the exchanged data

• Encrypts / Decrypts some fields on the fly

• Leaves other fields on clear

• Some basic features are not affected by encryption :

– Search

– Sorting


23

Infosecurity.be

Search on encrypted data ?


24

SaaS Application

User

Gateway

Search « John Doe »

Search « q89sj9 ?& »

Organization

Word by word encryption + deterministic encryption

Infosecurity.be

User view

The user logs in to the gateway url

instead of the SaaS application url

Then : transparent use of the application


25

Infosecurity.be

://application.com/

://application-gateway.com/

Cloud Security Gateways : market

• Providers

– Certes Networks

– CipherCloud

– Concealium

– Intel

– PerspecSys

– Symantec Source : Gartner 2012


26

Infosecurity.be

Custom application ?

• Each gateway is application-specific

(e.g. only works for Office 365)

• Some providers allow to customize a gateway for an application

– Application urls

– Policies e.g. specify which fields are encrypted or tokenized


27

Infosecurity.be

Conclusion on Cloud Security Gateways

• Allow to use Saas applications while protecting data

• Things are moving fast

• Trade-off between

– Functionality

– Security


28

Infosecurity.be

Opinion


– Use can be transparent

– Impact on performance can be limited

– True security gain


– Protect the data

– Impact on some cloud features

• Functionality

• Cost

• Availaibility


29

Recommendations

• If you think about buying a Cloud Security Gateway you should :

– Precisely find out how much security you gain from it

– Think about availibility of the service

– Determine which functions of your SaaS application are crucial


30

Infosecurity.be

Questions and remarks

are welcome !

www.smals.be [email protected]


31

Infosecurity.be

introduction to cloud encryption - by julien cathalo, smals - 21 03-2013

Technology