BYOK: Leveraging Cloud Encryption Without Compromising Control
Post on 28-Apr-2018
TRANSCRIPT
#RSAC
Sol Cates
BYOK: Leveraging Cloud Encryption Without Compromising Control
VP of Technical Strategy, CTO – Thales e-Security
CSO – Thales e-Security
@solcates
CSV-F03
Let’s Begin
• So Many Clouds
• Who Does What and Where It Gets Murky
• It’s Not Just Me Telling You, And Tools You Can Use
• Encryption and Key Management Options for IaaS/PaaS
• Key Management for SaaS
• BYOK 101
• Smart Questions
• How to Apply
Data Protection Shared Responsibility Model

Layer          | Infrastructure as a Service (IaaS) | Platform as a Service (PaaS) | Software as a Service (SaaS)
Application    | Customer                           | Customer                     | Provider
Data           | Customer                           | Customer                     | Provider
Runtime        | Customer                           | Provider                     | Provider
Middleware     | Customer                           | Provider                     | Provider
O/S            | Customer                           | Provider                     | Provider
Virtualization | Provider                           | Provider                     | Provider
Servers        | Provider                           | Provider                     | Provider
Storage        | Provider                           | Provider                     | Provider
Networking     | Provider                           | Provider                     | Provider

Legend: Customer = Customer Responsibility, Provider = Provider Responsibility
Cloud Security Alliance – Your Ally
• Global, nonprofit
• Building security best practices for next generation IT
• The globally authoritative source for trust in the cloud
Key CSA Resources to Make You Smarter
Cloud Controls Matrix
• Cloud supply chain risk management
  — Delineates control ownership — Provider, Customer
  — Ranks applicability to cloud provider type — SaaS vs PaaS vs IaaS
  — Anchor for security and compliance posture measurement
• Maps to global regulations and standards
  — NIST, ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP – mappings always growing
Consensus Assessment Initiative Questionnaire
• Cloud Controls Matrix companion
• Binary questions assess CCM compliance
  — Narrative explanations permitted
• Create consistent cloud provider assessment processes
• Enables cloud providers to self-assess security posture
Encryption in the CCM/CAIQ
Encryption & Key Management: Platform and data-appropriate encryption … shall be required.
— [Encryption] Keys
  § Shall not be stored in the cloud but
  § Shall be maintained by the cloud consumer or trusted key management provider.
We’re coming back to this point in a moment…
Encryption Options
Data Protection with Encryption
Varies by Cloud Model

Cloud Model | Encryption Mechanism     | Considerations
IaaS        | Native or Bring Your Own | If native, seek BYOK
PaaS        | § Native § CASB          | If native, seek BYOK
SaaS        | § Native § CASB          | You can’t bring your own
Native or Bring Your Own Encryption to IaaS?
BYOE Advantages
• Same architecture across multiple cloud providers
• You always control your keys
Native Disadvantages
• Block-level/FDE only
• No protection for data in use
Bringing Your Own Key To IaaS Native Encryption, and PaaS and SaaS
BYOK’s origins
BYOK was born out of necessity
• Cloud Providers use/create/store your data
• You want your data protected
• Cloud Providers are starting to offer encryption, yet most hold the keys
• Customers want/need to control their keys
  — Regulatory
  — Best practices (CSA, etc.)
Understanding Bring Your Own Key
A customer supplied or managed master key, or derived key
There are a few architecture trends to understand
Customer Master Key Import
— Customer creates keys
— Exports keys to cloud provider as master key to protect either data, or data keys
Derived Key Creation
— Customer delivers Master key trusted by the provider to create derived keys for usage in the provider’s encryption
Hold Your Own Key (HYOK)
— Provider calls customer-hosted service for encryption, key decryption or key provisioning services
Customer Master Key Import
1. Create ”Import Key” in cloud
2. Import Public Key to your HSM or OpenSSL
3. Create AES Master Key in HSM/OpenSSL
4. Export Master Key wrapped with Public Import Key
5. Import Wrapped CMK to cloud
[Diagram: Your Premises/Your Control – Hardware Security Module (HSM) / OpenSSL ⇄ IaaS/PaaS/SaaS Providers – Import Key, Wrapped Master Key, Encryption Engine]
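The five import steps above, simulated end to end with the OpenSSL command line. This is an added example and not code from the deck or from Thales; the two directories, file names and the RSA-OAEP wrapping mode are assumptions made for the demo, standing in for a provider's key store and your HSM.

```shell
#!/bin/sh
# Simulated Customer Master Key Import with OpenSSL (added example, not code from the deck).
# $cloud stands in for the provider's key store, $onprem for your HSM or OpenSSL installation.
# Directory layout, file names and the OAEP parameters are assumptions made for this demo.
set -eu

hex_of() { od -An -tx1 "$1" | tr -d ' \n'; }   # hex dump of a file, used for comparisons

# byok_import_demo: runs the five import steps and returns 0 only if the provider ends up
# holding exactly the AES master key you generated, without it ever crossing in the clear.
byok_import_demo() {
    work=$(mktemp -d); cloud="$work/cloud"; onprem="$work/onprem"
    mkdir -p "$cloud" "$onprem"
    # Step 1 (cloud side): the provider creates an RSA "Import Key"; the private half never leaves.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$cloud/import_key.pem" 2>/dev/null
    # Step 2: only the public half of the Import Key travels to your premises.
    openssl pkey -in "$cloud/import_key.pem" -pubout -out "$onprem/import_key_pub.pem"
    # Step 3 (your side): generate a 256-bit AES master key inside your HSM/OpenSSL.
    openssl rand -out "$onprem/master.key" 32
    # Step 4: wrap it with the public Import Key (RSA-OAEP, SHA-256), so only the provider's
    # private Import Key can unwrap it.
    openssl pkeyutl -encrypt -pubin -inkey "$onprem/import_key_pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$onprem/master.key" -out "$onprem/wrapped_cmk.bin"
    # Step 5: upload the wrapped CMK; the provider unwraps it inside its key store.
    cp "$onprem/wrapped_cmk.bin" "$cloud/wrapped_cmk.bin"
    openssl pkeyutl -decrypt -inkey "$cloud/import_key.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$cloud/wrapped_cmk.bin" -out "$cloud/master.key"
    # Checks: both sides hold the same 32-byte key, and the blob that crossed the wire is not the key.
    ok=1
    mine=$(hex_of "$onprem/master.key"); theirs=$(hex_of "$cloud/master.key")
    [ ${#theirs} -eq 64 ] || ok=0
    [ "$mine" = "$theirs" ] || ok=0
    [ "$mine" != "$(hex_of "$cloud/wrapped_cmk.bin")" ] || ok=0
    rm -rf "$work"
    [ "$ok" = 1 ]
}

byok_import_demo && echo "CMK import simulated: provider holds the unwrapped master key"
```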
Derived Key Creation
1. Cloud Provider’s Key is encrypting
2. You create your key in HSM or OpenSSL
3. Wrap and send to your cloud provider
4. Keys combined mathematically
5. New key you control
[Diagram: Your Premises/Your Control – Hardware Security Module (HSM) / OpenSSL, Your Key → IaaS/PaaS/SaaS Providers – Original Key + Your Key → Cryptographic Math → Derived Key → Encryption Engine]
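The derivation flow above, as an added example that is not part of the deck: the provider's existing key and your key are combined, and only the derived result is used by the encryption engine. The "cryptographic math" here (HMAC-SHA256 keyed with the provider's key over a labelled copy of your key) is an assumption for the demo; real providers use their own documented KDF.

```shell
#!/bin/sh
# Derived Key Creation simulated with OpenSSL (added example, not code from the deck). The
# combining function is an assumption for this demo: HMAC-SHA256 keyed with the provider's
# key over a labelled copy of your key. Real providers use their own documented KDF.
set -eu

# hmac_sha256_hex HEXKEY: HMAC-SHA256 of stdin under HEXKEY, printed as lowercase hex
hmac_sha256_hex() {
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
}

# derive_key PROVIDER_KEY_HEX CUSTOMER_KEY_HEX: the 256-bit key the engine actually encrypts with
derive_key() {
    printf 'byok-derived-key-v1:%s' "$2" | hmac_sha256_hex "$1"
}

# derived_key_demo: returns 0 if derivation is deterministic, yields a key distinct from both
# inputs, and changes when you rotate only your contribution (the provider's key is untouched).
derived_key_demo() {
    provider_key=$(openssl rand -hex 32)     # step 1: the key the provider already encrypts with
    customer_key=$(openssl rand -hex 32)     # step 2: the key you created in your HSM/OpenSSL
    k1=$(derive_key "$provider_key" "$customer_key")        # steps 3-4: wrapped, sent, combined
    k1_again=$(derive_key "$provider_key" "$customer_key")
    rotated=$(derive_key "$provider_key" "$(openssl rand -hex 32)")   # step 5: the key you control
    [ ${#k1} -eq 64 ] || return 1
    [ "$k1" = "$k1_again" ] || return 1
    [ "$k1" != "$provider_key" ] || return 1
    [ "$k1" != "$customer_key" ] || return 1
    [ "$k1" != "$rotated" ]
}

derived_key_demo && echo "derived key is deterministic and rotates with the customer key"
```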
Hold Your Own Key – Scenario 1
• Encryption engine and keys in your possession
  § On your premises or elsewhere
• Cloud provider sends and receives your data
  § Sends data for decryption / receives clear
  § Sends clear / receives encrypted
[Diagram: Your Premises/Your Control – Hardware Security Module (HSM) / OpenSSL, Your Keys, Encryption Engine ⇄ IaaS/PaaS/SaaS Providers – Databases, File Systems]
Hold Your Own Key – Scenario 2
• Encryption engine and encrypted key at cloud provider
• Cloud provider requests key decryption for use
[Diagram: Your Premises/Your Control – Hardware Security Module (HSM) / OpenSSL ⇄ IaaS/PaaS/SaaS Providers – Encryption Engine, Databases, File Systems]
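Scenario 2 simulated with the OpenSSL command line, as an added example that is not from the deck: the provider keeps the engine and a wrapped data key, your premises keep the key-encryption key, and the provider must ask you to unwrap before each use. Directory layout, file names and the fixed demo IV are assumptions made for this example; it also exercises the availability trade-off (once your key service is gone, the provider can no longer read the data).

```shell
#!/bin/sh
# HYOK scenario 2 simulated with OpenSSL (added example, not code from the deck). The provider
# keeps the encryption engine and only a wrapped data-encryption key (DEK); the key-encryption
# key (KEK) exists solely on your premises, so every use of the DEK is a request to you.
# Directory layout, file names and the fixed demo IV are assumptions made for this example.
set -eu

DEMO_IV=000102030405060708090a0b0c0d0e0f   # fixed only for determinism; a real engine uses a fresh IV per record
OAEP="-pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256"

# hyok_setup WORKDIR: your side generates the KEK; the provider gets its public half, encrypts
# one record under a fresh DEK, wraps the DEK with the public KEK and keeps no clear copy.
hyok_setup() {
    mkdir -p "$1/onprem" "$1/cloud"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/onprem/kek.pem" 2>/dev/null
    openssl pkey -in "$1/onprem/kek.pem" -pubout -out "$1/cloud/kek_pub.pem"
    dek=$(openssl rand -hex 32)
    printf 'customer record 42: constructed sample data\n' |
        openssl enc -aes-256-cbc -K "$dek" -iv "$DEMO_IV" -out "$1/cloud/record.enc"
    printf '%s' "$dek" | openssl pkeyutl -encrypt -pubin -inkey "$1/cloud/kek_pub.pem" $OAEP \
        -out "$1/cloud/dek.wrapped"
}

# onprem_unwrap WORKDIR: the customer-hosted service answering "please decrypt this key"
onprem_unwrap() {
    openssl pkeyutl -decrypt -inkey "$1/onprem/kek.pem" $OAEP -in "$1/cloud/dek.wrapped"
}

# cloud_read WORKDIR: the provider's engine reading the record; fails if your service does not answer
cloud_read() {
    dek=$(onprem_unwrap "$1") || return 1
    openssl enc -d -aes-256-cbc -K "$dek" -iv "$DEMO_IV" -in "$1/cloud/record.enc"
}

# hyok_demo: returns 0 if the round trip works AND the data becomes unreadable once the KEK is
# gone, the availability trade-off the deck lists under "Things to consider".
hyok_demo() {
    work=$(mktemp -d); hyok_setup "$work"
    out=$(cloud_read "$work" 2>/dev/null) || { rm -rf "$work"; return 1; }
    [ "$out" = "customer record 42: constructed sample data" ] || { rm -rf "$work"; return 1; }
    rm "$work/onprem/kek.pem"                      # your KEK service goes away
    if cloud_read "$work" >/dev/null 2>&1; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
}

hyok_demo && echo "HYOK: provider read the record via your KEK service, and lost access when it vanished"
```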
Hold Your Own Key – Scenario 3
• Encryption engine in cloud
• Cloud provider requests keys for en- and decryption
• Keys have TTLs
[Diagram: Your Premises/Your Control – Hardware Security Module (HSM) / OpenSSL ⇄ IaaS/PaaS/SaaS Providers – Encryption Engine, Databases, File Systems]
Things to consider
Derived Key and Master Key Import
• Keys are ”imported” into the cloud provider
• Authorization of the keys’ usage is dependent on the provider’s model
• Doesn’t impact SLAs. Provider must guarantee key availability
Hold Your Own Key
• Master keys remain in the hands of the customer
• Authorization of the keys’ usage is governed by the customer
• Could impact SLAs. Customer must guarantee key availability
BYOK vs BYOE
Differences between BYOE and BYOK
BYOE
• Customer brings their own encryption and key management.
• Works great in IaaS workloads
  — It’s just another VM after all…
• CASB for SaaS and PaaS, but provider can’t see data nor index it nor analyze it nor add value to it, and could break it…
BYOK
• CSP provides native or application encryption
• Customer brings/imports/manages their own key
• Works great in SaaS/PaaS workloads
  — Designed-in encryption with customer managing the keys
• IaaS usually provides only block-level encryption
  — Doesn’t reduce risk to data in use
Smart Questions
Smart Questions for IaaS
• Do they offer BYOK?
• What is encrypted and how is it encrypted?
• Do I import keys, derive keys, salt key creation, or reply to a key request?
• Can I control where the key, or derived keys, are used, and who can authorize usage of the key?
• How do I revoke and rotate the key(s)?
• If my keys expire… what happens?
• Does it protect from remote data breach?
• Which users and processes have access to the key material?
“Apply” Slide
When you get home
• Determine what your organization’s risk appetite is for cloud-hosted data
Within 30 days
• Consult your CSPs to find out what BYOK approach they offer
• Ask smart questions about how BYOK works within their offering
Within 60 days
• Target a CSP to either BYOK or BYOE to get comfortable with cloud encryption
Questions?