www.ncipher.com
Trust that your data is secure in the Cloud
Kevin McKeogh
Director, Product Management
Securing Data
[Diagram: Your Data and Your Keys feed a Crypto Engine, which produces Ciphertext or Signed Data]
Keys are the SECRETS that underpin the security of the whole system
A safe place for your keys
How does an HSM help
In the Enterprise, using an HSM ensures that you can:
− Protect the asymmetric private keys that identify people and devices
− Protect the symmetric keys that secure (encrypt) your data
To do this, an HSM:
− Generates strong keys to make it infeasible for an adversary to guess them
− Provides a safe place to use keys to ensure that they cannot be snooped on
− Protects keys from theft when not in use
It's not just about the use of an HSM
To be effective, adopt good supporting policies
Controlling access to the HSM is as important as the decision to use an HSM
− Controlling access to HSMs and key management is vital
Know your environment and understand the threat landscape
− Who requires access to the keys
− Use authorization schemes
− Protect against unauthorised recording/capture
− Manage your HSMs: record the transactions they undertake and key use
What can happen!?
DigiNotar used HSMs, but had poor credential management
− Lacked even basic security safeguards, such as strong passwords
Attackers were able to steal users’ logon credentials and intercept traffic
Hundreds of certificates impersonating legitimate internet entities were fraudulently issued.
Logs of activities were erased
Control in the Cloud
How does moving to the cloud affect your solution
In your own environment you are in control
− They are your systems, your personnel
− You can set your own policies
However, for many reasons moving to the cloud is attractive
− But you don’t own the environment in the cloud
− You don’t own the HSMs
− You’re sharing the infrastructure
− And your credentials are passing through systems you don’t control
Can you satisfy your Auditors?
Is there an irrefutable auditable log of all transactions?
Are your credentials adequately protected against misuse?
Are you in control of when and who can use your keys?
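An added example (not part of the original slides) of one way to make a key-use log tamper-evident, so that erased or edited entries like those in the DigiNotar case are detectable: each record is chained to the previous one with an HMAC, and the latest tag is anchored outside the logging system. The record fields, function names and in-memory demo key are assumptions; in practice the HMAC key would be held in the HSM and the head tag stored where log administrators cannot change it.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value that precedes the first record


def chain_tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over the previous tag plus the canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, record: dict) -> str:
    """Append a record and return the new head tag, to be anchored off-system."""
    prev = log[-1]["tag"] if log else GENESIS
    tag = chain_tag(key, prev, record)
    log.append({"record": record, "tag": tag})
    return tag


def verify(log: list, key: bytes, anchored_head: str) -> tuple:
    """Return (ok, reason); catches edited, removed, reordered and erased entries."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(chain_tag(key, prev, entry["record"]), entry["tag"]):
            return (False, f"entry {i} altered or out of sequence")
        prev = entry["tag"]
    if not hmac.compare_digest(prev, anchored_head):
        return (False, "log does not end at the anchored head")
    return (True, "ok")


def build_sample_log(key: bytes):
    """Constructed sample: three key-use records (all field values are made up)."""
    log, head = [], GENESIS
    for rec in (
        {"seq": 1, "operator": "alice", "op": "sign", "key": "issuing-ca"},
        {"seq": 2, "operator": "bob", "op": "sign", "key": "issuing-ca"},
        {"seq": 3, "operator": "alice", "op": "export", "key": "data-key-7"},
    ):
        head = append(log, key, rec)
    return log, head


if __name__ == "__main__":
    demo_key = b"demo-only-key"  # assumption: a real key would stay inside the HSM
    log, head = build_sample_log(demo_key)
    print(verify(log, demo_key, head))        # intact log
    print(verify(log[:2], demo_key, head))    # last entry erased
    print(verify(log[:1] + log[2:], demo_key, head))  # middle entry removed
```

An HMAC chain gives tamper evidence to whoever holds the key; signing each head tag with an asymmetric key in the HSM would be needed for evidence that a third party can check.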
How can you regain control
It's not unsafe to use the HSMs belonging to the cloud provider
Cloud Providers' systems are not intrinsically insecure
… but you may want to consider whether you want more control than you get when using HSMs offered by the Cloud Providers
− Sharing a common infrastructure means giving up control
… So how can you regain control
1. Bring your own Key: Controlling your keys' availability in the cloud
[Diagram: High-assurance nShield HSMs generate keys on customer premises; nShield securely wraps and exports keys to the cloud; keys are available for use with sensitive cloud applications]
Use on-premise HSMs to generate keys
Retain the master copy within your enterprise perimeter
Export to your Cloud Provider(s) on an ‘as needed’ basis
− Supports multi-cloud solutions
2. Isolate your keys from the Public Cloud Provider's service
[Diagram: Your App (IaaS model) and an HSM; cloud apps call home for crypto and keys]
Service cloud-based workloads from HSMs on which you have full administrative rights
Use on-premise HSMs
Retain full control within enterprise perimeter
− Keys never leave ‘your’ HSMs
Enterprise Application running in the cloud
− Data available in the cloud
3. Isolate your data from the Public Cloud Provider's service
[Diagram, IaaS model: Your App and an HSM; encrypt data at app level before it goes to cloud]
[Diagram, SaaS model: Your App, encryption gateway, Their App and an HSM; transparent encryption before data goes to cloud]
Service cloud-based workloads from HSMs on which you have full administrative rights
Use on-premise HSMs
Retain full control within enterprise perimeter
− Keys never leave ‘your’ HSMs
Enterprise or SaaS Application running in the cloud
− Plaintext data never available in the cloud
4. Using a third party hosting service
• Uses HSM services as normal:
• Manages HSMs remotely
• Runs workloads in the cloud or on premise
• Remotely manages HSMs
• Commission new customers
• Decommission old customers
[Diagram: End user; Service Provider; ££ Pay to rent HSMs; Direct connection service provider; Cloud Apps (Your App, Their App) use 3rd party HSM hosting service for crypto]
Conclusions
Use HSMs to protect your keys
− Both when in use and when not in use
Adopt good security practices
− Control access to your HSMs
Understand your environment
− In the Enterprise
− In the Cloud
Control in the Cloud
− Retain control of your keys and data
- Bring your own key
- Isolate your keys from the Cloud
- Isolate your data from the Cloud
- Use a 3rd party hosting service
Come and see us at Stand R540