SSL Europa Cloud Security 2013
Cloud Security: the rules and best practices, by SSL Europa
Autorité d’Enregistrement (Registration Authority)

Agenda
• Seven Cloud Computing Risks
• Asymmetric encryption
• Electronic signature
• Strong authentication
• Rules
• Best Practices
Cloud-Computing Security Risks (1)
Risk Assessment
• Data integrity, recovery, privacy
• Evaluation of legal issues, regulatory compliance, auditing
• Etc.
Transparency
• Qualification of policy makers, architects, coders, operators
• Risk-control processes and technical mechanisms
• Level of testing
• How unanticipated vulnerabilities are identified
• Etc.
Seven Cloud-Computing Risks (1)
1. Privileged user access
• Physical, logical and personnel control
• Ask about hiring and oversight of administrators
• What controls are there?
2. Regulatory compliance
• Customers are responsible
• Check external audits and security certifications
3. Data location
• Commitment to storing and processing data in specific jurisdictions
• Contractual commitment
4. Data segregation
• Data at rest and in use?
• Encryption designed and tested by experienced specialists
Seven Cloud-Computing Risks (2)
5. Recovery
• What happens in case of a disaster?
• Replication of data and application across multiple sites?
• Ability to do a complete restoration? How long would it take?
6. Investigative support
• How to trace inappropriate or illegal activities?
• Logging and data may cover multiple customers
• Contractual commitment to support specific forms of investigation
• Get evidence that the vendor has already supported such activities
7. Long-term viability
• What if your Cloud provider goes broke or gets acquired?
• How could you get your data back? In which format?
• Replacement application?
Asymmetric Encryption
• Symmetric Encryption
• Asymmetric Encryption
Symmetric Encryption (diagram): Message in clear → Encryption → Encrypted Message → Decryption → Message in clear.
Symmetric Encryption (diagram slide; the figure is not reproduced in the transcript).
Symmetric Encryption
Advantages
– Fast
– Relatively simple to implement
– Very efficient, in particular when the key is used only once
Drawbacks
– A different key per pair of users
• The major issue: key management (as many keys to exchange as there are users)
• How do Alice and Bob get the key without anybody else having access to it?
• The key must follow a different channel (phone, fax, …)
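The two points above, "very efficient when the key is used only once" and "a different key per pair of users", can be made concrete with a one-time pad, the simplest symmetric cipher. The following is an added example written for this transcript, not code from SSL Europa's deck; the messages are constructed sample data, and `pairwise_keys_needed` generalises the key-management remark by counting the n(n-1)/2 keys that n users need when every pair shares its own key. `key_reuse_leak` shows why the key must be used only once: an observer who captures two ciphertexts made with the same pad obtains the XOR of the two plaintexts, with the key cancelled out, so every position where the messages agree is revealed.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; with a fresh random key this is the whole cipher."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    return xor_bytes(message, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # Same key, same operation: that symmetry is what "symmetric encryption" means.
    return xor_bytes(ciphertext, key)


def pairwise_keys_needed(n_users: int) -> int:
    """Distinct keys required when every pair of users must share its own key."""
    return n_users * (n_users - 1) // 2


def key_reuse_leak(m1: bytes, m2: bytes, key: bytes) -> bytes:
    """What a passive observer computes from two ciphertexts that reused one pad:
    c1 XOR c2 == (m1 XOR key) XOR (m2 XOR key) == m1 XOR m2. The key is gone, the
    relation between the plaintexts remains."""
    c1 = otp_encrypt(m1, key)
    c2 = otp_encrypt(m2, key)
    return xor_bytes(c1, c2)


def demo() -> dict:
    # Constructed sample messages between Alice and Bob (not from the slides).
    m1 = b"transfer 100 EUR to account 42"
    m2 = b"transfer 900 EUR to account 17"
    key = secrets.token_bytes(len(m1))        # fresh random pad, as long as the message
    c1 = otp_encrypt(m1, key)
    if otp_decrypt(c1, key) != m1:
        raise RuntimeError("round trip failed")
    leak = key_reuse_leak(m1, m2, key)
    # A zero byte in the leak means the two plaintexts agree at that position.
    same_positions = [i for i, b in enumerate(leak) if b == 0]
    return {
        "keys_for_10_users": pairwise_keys_needed(10),
        "reuse_leak_equals_plaintext_xor": leak == xor_bytes(m1, m2),
        "positions_where_plaintexts_agree": same_positions,
    }


if __name__ == "__main__":
    print(demo())
```

The number of keys grows quadratically with the number of users (45 keys for 10 users, 4950 for 100), which is the key-distribution problem the next slides address with asymmetric encryption.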
Symmetric Encryption (diagram): the security services Authentication, Confidentiality, Authorization, Integrity and Non-repudiation are laid over the layers Security Policy, Security Infrastructure and Internet & Cloud Applications (applicative); the slide places one mark next to the services (the mark glyph did not survive extraction).
Asymmetric Encryption
Invented in 1975 by Whitfield Diffie and Martin Hellman
Each user owns a pair of keys:
– The public key, which is used to encrypt and is known by everybody
– The private key, which is used to decrypt and is known only by the owner
Asymmetric Encryption (diagram): comparison of a Symmetric Key and an Asymmetric Key for Encryption and Decryption; the figure is not reproduced in the transcript.
Asymmetric Encryption (diagram slide; the figure is not reproduced in the transcript).
Asymmetric Encryption: Signature (diagram slide; the figure is not reproduced in the transcript).
Symmetric Encryption (diagram): the security services Authentication, Confidentiality, Authorization, Integrity and Non-repudiation are laid over the layers Security Policy, Security Infrastructure and Internet & Cloud Applications (applicative); the slide places three marks next to the services (the mark glyphs did not survive extraction).
Example: SSL Server
1. Client: send a message A.
2. Server: send the certificate and the message A signed.
3. Client: verification of the certificate and of the signature.
4. Client and Server: negotiation of the encryption algorithm.
5. Client: generation of a session key.
6. Client: encryption of the session key with the server public key.
7. Client: send the session key encrypted.
8. Server: decryption of the session key with the private key.
9. The session key is shared.
Symmetric Encryption (diagram): the security services Authentication, Confidentiality, Authorization, Integrity and Non-repudiation are laid over the layers Security Policy, Security Infrastructure and Internet & Cloud Applications (applicative); the slide places five marks next to the services (the mark glyphs did not survive extraction).
Examples of Solutions
Rules of thumb
• Use encryption: for exchanges of data with the Cloud, and for data in the Cloud
• Use strong authentication: to connect to the Cloud, and to identify the Cloud server
• Use signature: for exchanges of data in the Cloud
Best Practices (1)
• Protect data transfer, but also data in the cloud
• Use data-centric encryption and encryption embedded in the file format
• Understand how the keys will be managed (avoid reliance on cloud providers)
• Include files such as logs and metadata in encryption
• Use strong standard algorithms (such as AES-256)
• Use open, validated formats
• Avoid proprietary encryption
Best Practices (2)
• Content-aware encryption
• Format-preserving encryption
• Use Data Leak Prevention (DLP) solutions
Best Practices (3. Database)
• Be aware of performance issues
• Use object security
• Store a secure hash
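An added example for the database slide, written for this transcript and not taken from SSL Europa; it shows the two common readings of "store a secure hash" and why "be aware of performance issues" sits next to it. `hash_for_storage` stores a salted, iterated PBKDF2-HMAC-SHA256 hash in place of a sensitive value so that a lookup can still be verified without the value itself being kept; `record_tag` keeps a keyed SHA-256 HMAC over a row so that tampering with stored data is detected. The iteration count, key length and sample row are constructed for the example; the `measure_cost` helper is there because the iteration count is exactly the knob that trades CPU time against brute-force resistance.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Hypothetical parameters for this example (not from the slides).
PBKDF2_ITERATIONS = 200_000
HMAC_KEY_LENGTH = 32


def hash_for_storage(secret: str, salt: Optional[bytes] = None,
                     iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Record to store instead of a sensitive value: salted, iterated PBKDF2-HMAC-SHA256.
    Salt and iteration count are stored beside the hash so the check can be repeated later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2_sha256", "salt": salt, "iterations": iterations, "hash": digest}


def verify_against_stored(candidate: str, stored: dict) -> bool:
    """Recompute with the stored parameters; compare_digest avoids a timing side channel."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 stored["salt"], stored["iterations"])
    return hmac.compare_digest(digest, stored["hash"])


def record_tag(record: dict, key: bytes) -> bytes:
    """Keyed integrity hash over a row; canonical JSON so field order does not change the tag."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, "sha256").digest()


def record_intact(record: dict, tag: bytes, key: bytes) -> bool:
    """True when the row still matches the tag computed when it was written."""
    return hmac.compare_digest(record_tag(record, key), tag)


def measure_cost(iterations: int) -> float:
    """Seconds for one PBKDF2 computation at the given iteration count."""
    start = time.perf_counter()
    hash_for_storage("timing-probe", os.urandom(16), iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed sample row and key (not from the slides).
    key = os.urandom(HMAC_KEY_LENGTH)
    row = {"customer_id": 1001, "email": "alice@example.com"}
    tag = record_tag(row, key)
    stored = hash_for_storage("national-id-123456")
    print("lookup matches:", verify_against_stored("national-id-123456", stored))
    print("row intact:", record_intact(row, tag, key))
    tampered = {**row, "email": "mallory@example.com"}
    print("tampered row detected:", not record_intact(tampered, tag, key))
    print(f"cost at {PBKDF2_ITERATIONS} iterations: {measure_cost(PBKDF2_ITERATIONS):.3f}s")
```

A plain unsalted SHA-256 of a low-entropy field would be "a hash" but not "a secure hash" in the slide's sense: the salt and the iteration count are what stop a precomputed lookup, and the HMAC key is what stops someone with write access to the table from recomputing the integrity tag after altering a row.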
Best Practices (4)
• Use key management software
• Use group-level keys
• Maintain keys within the enterprise
• Revoke keys
• Define and enforce strong key management processes and practices
• Implement segregation of duties
Recommendations (1)
• Use best-practice key management
• Use off-the-shelf products from credible sources
• Maintain your own trusted cryptographic source
• Scope keys at the individual or group level
• Use DRM systems
Recommendations (2)
• Use standard algorithms; avoid old ones such as DES
• Use central and internal key management (with your own HSM, etc.)
• Use segregation of duties
Reference
http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
Thank you for your attention
SSL EUROPA
8 chemin des escargots
18200 Orval - France
+33 (0)9 88 99 54 09
www.ssl-europa.com