TRANSCRIPT
[Slide 1]
#RSAC
Session ID: CSV-F03
BYOK: Leveraging Cloud Encryption Without Compromising Control
Sol Cates
VP of Technical Strategy, CTO - Thales e-Security
CSO – Thales e-Security
@solcates
[Slide 2]
Let's Begin
So Many Clouds
Who Does What and Where It Gets Murky
It's Not Just Me Telling You, And Tools You Can Use
Encryption and Key Management Options for IaaS/PaaS
Key Management for SaaS
BYOK 101
Smart Questions
How to Apply
[Slide 3]
Data Protection Shared Responsibility Model
[Slide 4]
Data Protection Shared Responsibility Model

Layer            IaaS        PaaS        SaaS
Application      Customer    Customer    Provider
Data             Customer    Customer    Provider
Runtime          Customer    Provider    Provider
Middleware       Customer    Provider    Provider
O/S              Customer    Provider    Provider
Virtualization   Provider    Provider    Provider
Servers          Provider    Provider    Provider
Storage          Provider    Provider    Provider
Networking       Provider    Provider    Provider

Customer Responsibility vs Provider Responsibility per layer for Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
[Slide 5]
Cloud Security Alliance – Your Ally
• Global, nonprofit
• Building security best practices for next generation IT
• The globally authoritative source for trust in the cloud
[Slide 6]
Key CSA Resources to Make You Smarter
[Slide 7]
Cloud Controls Matrix
• Cloud supply chain risk management
  Delineates control ownership — Provider, Customer
  Ranks applicability to cloud provider type — SaaS vs PaaS vs IaaS
  Anchor for security and compliance posture measurement
• Maps to global regulations and standards
  NIST, ISO 27001, COBIT, PCI, HIPAA, FISMA, FedRAMP – mappings always growing
[Slide 8]
Consensus Assessment Initiative Questionnaire
• Cloud Controls Matrix companion
• Binary questions assess CCM compliance
  Narrative explanations permitted
• Create consistent cloud provider assessment processes
• Enables cloud providers to self-assess security posture
[Slide 9]
Encryption in the CCM/CAI
Encryption & Key Management: Platform and data-appropriate encryption … shall be required.
— [Encryption] Keys
  • Shall not be stored in the cloud, but
  • Shall be maintained by the cloud consumer or trusted key management provider.
We're coming back to this point in a moment…
[Slide 10]
Encryption Options
[Slide 11]
Data Protection with Encryption Varies by Cloud Model

Cloud Model           IaaS                       PaaS / SaaS
Encryption Mechanism  Native or Bring Your Own   § Native  § CASB
Considerations        If native, seek BYOK       If native, seek BYOK; You can't bring your own
[Slide 12]
Native or Bring Your Own Encryption to IaaS?
BYOE Advantages
• Same architecture across multiple cloud providers
• You always control your keys
Native Disadvantages
• Block-level/FDE only
• No protection for data in use
[Slide 13]
Bringing Your Own Key To IaaS Native Encryption, and PaaS and SaaS
[Slide 14]
BYOK's origins
BYOK was born out of necessity
• Cloud Providers use/create/store your data
• You want your data protected
• Cloud Providers are starting to offer encryption, yet most hold the keys
• Customers want/need to control their keys
  — Regulatory
  — Best practices (CSA, etc.)
[Slide 15]
Understanding Bring Your Own Key
A customer-supplied or managed master key, or derived key. There are a few architecture trends to understand:
Customer Master Key Import
— Customer creates keys
— Exports keys to cloud provider as master key to protect either data, or data keys
Derived Key Creation
— Customer delivers master key trusted by the provider to create derived keys for usage in the provider's encryption
Hold Your Own Key (HYOK)
— Provider calls customer-hosted service for encryption, key decryption or key provisioning services
[Slide 16]
Customer Master Key Import
1. Create "Import Key" in cloud
2. Import Public Key to your HSM or OpenSSL
3. Create AES Master Key in HSM/OpenSSL
4. Export Master Key wrapped with Public Import Key
5. Import Wrapped CMK to cloud
[Diagram: Your Premises/Your Control (Hardware Security Module (HSM) or OpenSSL) receives the Import Key from, and returns the Wrapped Master Key to, the Encryption Engine of the IaaS/PaaS/SaaS Providers]
[Slide 17]
Derived Key Creation
1. Cloud Provider's Key is encrypting
2. You create your key in HSM or OpenSSL
3. Wrap and send to your cloud provider
4. Keys combined mathematically
5. New key you control
[Diagram: Your Key from the Hardware Security Module (HSM) or OpenSSL on Your Premises/Your Control and the IaaS/PaaS/SaaS Providers' Original Key go through Cryptographic Math to yield the Derived Key used by the Encryption Engine]
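The five steps of Customer Master Key Import and the "keys combined mathematically" step of Derived Key Creation above, worked through as an added Go example that is not code from this talk or from any cloud provider's SDK: a stand-in for the provider generates the RSA Import Key, the customer side generates a 256-bit AES master key and wraps it with RSA-OAEP under the public Import Key, the provider unwraps the blob, and an HMAC-SHA256 KDF stands in for the provider's unspecified combining function. The OAEP label and the context string are constructed values, and the key sizes and algorithms are assumptions, not any particular provider's parameters.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Both sides must use the same OAEP label; constructed here, not a provider's real parameter.
var oaepLabel = []byte("byok-master-key-import")

// ImportKey is the provider-side RSA "Import Key" of step 1; its private half never leaves the provider.
type ImportKey struct{ priv *rsa.PrivateKey }

func NewImportKey() (*ImportKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ImportKey{priv: priv}, nil
}

// Public is the half the customer loads into an HSM or OpenSSL in step 2.
func (k *ImportKey) Public() *rsa.PublicKey { return &k.priv.PublicKey }

// NewMasterKey is step 3: a 256-bit AES master key generated on the customer's premises.
func NewMasterKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// WrapMasterKey is step 4: RSA-OAEP(SHA-256) under the public Import Key, so the exported
// blob is useless to anyone who does not hold the provider's private Import Key.
func WrapMasterKey(pub *rsa.PublicKey, master []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, master, oaepLabel)
}

// Unwrap is step 5, run inside the provider's key service once the wrapped CMK is imported.
func (k *ImportKey) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, wrapped, oaepLabel)
}

// DeriveKey stands in for the "keys combined mathematically" step of Derived Key Creation: an HMAC-SHA256
// KDF keyed with the provider's original key over the customer's key and a context string, so the result
// depends on both keys and on the purpose it is derived for.
func DeriveKey(providerKey, customerKey []byte, context string) []byte {
	mac := hmac.New(sha256.New, providerKey)
	mac.Write(customerKey)
	mac.Write([]byte(context))
	return mac.Sum(nil)
}
```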
[Slide 18]
Hold Your Own Key – Scenario 1
• Encryption engine and keys in your possession
  § On your premises or elsewhere
• Cloud provider sends and receives your data
  § Sends data for decryption / receives clear
  § Sends clear / receives encrypted
[Diagram: Your Keys and the Encryption Engine in the Hardware Security Module (HSM) or OpenSSL on Your Premises/Your Control; Databases and File Systems at the IaaS/PaaS/SaaS Providers]
[Slide 19]
Hold Your Own Key – Scenario 2
• Encryption engine and encrypted key at cloud provider
• Cloud provider requests key decryption for use
[Diagram: Hardware Security Module (HSM) or OpenSSL on Your Premises/Your Control; Encryption Engine, Databases and File Systems at the IaaS/PaaS/SaaS Providers]
[Slide 20]
Hold Your Own Key – Scenario 3
• Encryption engine in cloud
• Cloud provider requests keys for en- and decryption
• Keys have TTLs
[Diagram: Hardware Security Module (HSM) or OpenSSL on Your Premises/Your Control; Encryption Engine, Databases and File Systems at the IaaS/PaaS/SaaS Providers]
[Slide 21]
Things to consider
Derived Key and Master Key Import
• Keys are "imported" into the cloud provider
• Authorization of the key's usage is dependent on the provider's model
• Doesn't impact SLAs. Provider must guarantee key availability
Hold Your Own Key
• Master keys remain in the hands of the customer
• Authorization of the key's usage is governed by the customer
• Could impact SLAs. Customer must guarantee key availability
[Slide 22]
BYOK vs BYOE
[Slide 23]
Differences between BYOE and BYOK
BYOE
Customer brings their own encryption and key management.
Works great in IaaS workloads: it's just another VM after all…
CASB for SaaS and PaaS, but the provider can't see data nor index it nor analyze it nor add value to it, and could break it…
BYOK
CSP provides native or application encryption.
Customer brings/imports/manages their own key.
Works great in SaaS/PaaS workloads: designed-in encryption with the customer managing the keys.
IaaS usually provides only block-level encryption: doesn't reduce risk to data in use.
[Slide 24]
Smart Questions
[Slide 25]
Smart Questions for IaaS
Do they offer BYOK?
What is encrypted and how is it encrypted?
Do I import keys, derive keys, salt key creation, or reply to a key request?
Can I control where the key, or derived keys, are used, and who can authorize usage of the key?
How do I revoke and rotate the key(s)?
If my keys expire… what happens?
Does it protect from remote data breach?
Which users and processes have access to the key material?
[Slide 26]
"Apply" Slide
When you get home
• Determine what your organization's risk appetite is for cloud-hosted data
Within 30 days
• Consult your CSPs to find out what BYOK approach they offer
• Ask smart questions about how BYOK works within their offering
Within 60 days
• Target a CSP to either BYOK or BYOE to get comfortable with cloud encryption
[Slide 27]
Questions?