Trust that your data is secure in the Cloud
Kevin McKeogh, Director, Product Management
www.ncipher.com

Posted on 06-Jun-2020

TRANSCRIPT

Page 1:

Trust that your data is secure in the Cloud

Kevin McKeogh, Director, Product Management

Page 2:

Securing Data

[Slide diagram: Your Data → Crypto Engine (operating with Your Keys) → Ciphertext or Signed Data; the streams of binary digits on the slide are decorative]

Keys are the SECRETS that underpin the security of the whole system

Page 3:

A safe place for your keys

Page 4:

How does an HSM help?

In the Enterprise, using an HSM ensures that you can:

− Protect the asymmetric private keys that identify people and devices

− Protect the symmetric keys that secure (encrypt) your data

To do this, an HSM:

− Generates strong keys, so that it is infeasible for an adversary to guess them

− Provides a safe place to use keys, so that they cannot be snooped on

− Protects keys from theft when not in use

Page 5:

It's not just about the use of an HSM

Page 6:

To be effective, adopt good supporting policies

Controlling access to the HSM is as important as the decision to use an HSM

− Controlling access to HSMs and key management is vital

Know your environment and understand the threat landscape

− Who requires access to the keys?

− Use authorization schemes

− Protect against unauthorised recording/capture

− Manage your HSMs: record the transactions they undertake and the use of each key

Page 7:

What can happen!?

DigiNotar used HSMs, but had poor credential management

− Lacked even basic security safeguards, such as strong passwords

Attackers were able to steal users' logon credentials and intercept traffic

Hundreds of certificates impersonating legitimate internet entities were fraudulently issued.

Logs of activities were erased

Page 8:

Control in the Cloud

Page 9:

How does moving to the cloud affect your solution?

In your own environment you are in control

− They are your systems, your personnel

− You can set your own policies

However, for many reasons moving to the cloud is attractive

− But you don't own the environment in the cloud

− You don't own the HSMs

− You're sharing the infrastructure

− And your credentials are passing through systems you don't control

Page 10:

Can you satisfy your Auditors?

Is there an irrefutable, auditable log of all transactions?

Are your credentials adequately protected against misuse?

Are you in control of when, and by whom, your keys can be used?
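The policy points on page 6 (control who may use a key, record every transaction) and the auditor's question on page 10 (an irrefutable log) can be made concrete in code. The Go program below is an added example written for this transcript; it is not nCipher code and does not model the real nShield interface. It assumes a toy key service in which key material never leaves the service (the "safe place to use keys" of page 4), every use is checked against a per-key list of allowed principals, and every attempt, allowed or denied, is appended to a hash-chained audit log so that editing or removing an earlier entry is detectable. The key material, principal names and policy are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one record of key use. Hash covers the entry's own fields plus
// PrevHash, so every entry commits to the whole history before it.
type AuditEntry struct {
	Seq       int
	Timestamp string
	Principal string
	KeyID     string
	Operation string
	Outcome   string
	PrevHash  string
	Hash      string
}

// KeyService stands in for an HSM front end: key material stays inside it and is
// only ever used through Sign, after an authorization check that is always logged.
type KeyService struct {
	keys   map[string][]byte          // constructed key material, never returned to callers
	policy map[string]map[string]bool // keyID -> principal -> allowed to use it
	log    []AuditEntry
}

func NewKeyService() *KeyService {
	return &KeyService{keys: map[string][]byte{}, policy: map[string]map[string]bool{}}
}

// AddKey installs key material together with the principals authorized to use it.
func (s *KeyService) AddKey(id string, material []byte, allowed ...string) {
	s.keys[id] = material
	s.policy[id] = map[string]bool{}
	for _, p := range allowed {
		s.policy[id][p] = true
	}
}

func entryHash(e AuditEntry) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s|%s|%s", e.Seq, e.Timestamp, e.Principal, e.KeyID, e.Operation, e.Outcome, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Head returns the latest chain hash. Exporting it regularly to a store the HSM
// administrators cannot rewrite is what makes silent truncation of the tail detectable.
func (s *KeyService) Head() string {
	if len(s.log) == 0 {
		return ""
	}
	return s.log[len(s.log)-1].Hash
}

// record appends a chained entry; denied attempts are logged exactly like successes.
func (s *KeyService) record(principal, keyID, op, outcome string) {
	e := AuditEntry{Seq: len(s.log) + 1, Timestamp: time.Now().UTC().Format(time.RFC3339Nano),
		Principal: principal, KeyID: keyID, Operation: op, Outcome: outcome, PrevHash: s.Head()}
	e.Hash = entryHash(e)
	s.log = append(s.log, e)
}

// Sign produces an HMAC-SHA256 over data with the named key, but only for a
// principal the policy allows; the caller never sees the key bytes.
func (s *KeyService) Sign(principal, keyID string, data []byte) ([]byte, error) {
	k, ok := s.keys[keyID]
	if !ok || !s.policy[keyID][principal] {
		s.record(principal, keyID, "sign", "denied")
		return nil, errors.New("not authorized for key " + keyID)
	}
	mac := hmac.New(sha256.New, k)
	mac.Write(data)
	s.record(principal, keyID, "sign", "ok")
	return mac.Sum(nil), nil
}

// VerifyLog recomputes every hash and link; it returns false and the index of the
// first entry that has been edited or whose predecessor was removed.
func (s *KeyService) VerifyLog() (bool, int) {
	prev := ""
	for i, e := range s.log {
		if e.PrevHash != prev || entryHash(e) != e.Hash {
			return false, i
		}
		prev = e.Hash
	}
	return true, -1
}

func main() {
	s := NewKeyService()
	s.AddKey("ca-signing-key", []byte("constructed-key-material"), "ca-operator")
	s.Sign("ca-operator", "ca-signing-key", []byte("tbs-certificate"))
	_, err := s.Sign("contractor", "ca-signing-key", []byte("tbs-certificate"))
	s.log[1].Outcome = "ok" // simulate an insider rewriting the denied entry
	ok, at := s.VerifyLog()
	fmt.Println("denied:", err, "| log intact after edit:", ok, "| first bad entry:", at)
}
```

The chain only proves that nothing inside the recorded history was altered; an attacker who can erase the whole log, as on page 7, or cut off its tail is caught only if the latest Head value was copied somewhere they cannot reach, which is why the slide treats HSM access control and log management as one problem.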

Page 11:

How can you regain control?

It's not unsafe to use the HSMs belonging to the cloud provider

Cloud Providers' systems are not intrinsically insecure

… but you may want to consider whether you want more control than you get when using HSMs offered by the Cloud Providers

− Sharing a common infrastructure means giving up control

… So how can you regain control?

Page 12:

1. Bring your own Key: Controlling your keys' availability in the cloud

[Slide diagram: high-assurance nShield HSMs generate keys on customer premises; nShield securely wraps and exports keys to the cloud; keys are available for use with sensitive cloud applications]

Use on-premise HSMs to generate keys

Retain the master copy within your enterprise perimeter

Export to your Cloud Provider(s) on an 'as needed' basis

− Supports multi-cloud solutions
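As an added example of the "bring your own key" flow on this slide (not nCipher's code, not the nShield wrap format, and not any cloud provider's import API), the Go program below plays both sides. The enterprise side generates a 256-bit master key, keeps it, and wraps a copy under each provider's RSA import public key with RSA-OAEP; the provider side unwraps with the matching private key. The provider names, the import key pairs and the OAEP label are constructed for the example; the multi-provider wrap is the slide's multi-cloud case, where one master key is exported on demand to several clouds without being regenerated.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// wrapLabel is a constructed OAEP label; both sides must use the same value, which
// ties a wrapped blob to this import purpose and nothing else.
var wrapLabel = []byte("byok-key-import")

// ---- Enterprise side: stands in for the on-premises HSM ----

// GenerateMasterKey draws a 256-bit symmetric key from the CSPRNG. This copy is the
// master and never leaves the perimeter in the clear.
func GenerateMasterKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// WrapForProvider encrypts the master key under one provider's import public key
// (RSA-OAEP with SHA-256). Only the holder of the matching private key can unwrap it.
func WrapForProvider(master []byte, importPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, importPub, master, wrapLabel)
}

// WrapForProviders produces one blob per provider from the same master key.
func WrapForProviders(master []byte, importPubs map[string]*rsa.PublicKey) (map[string][]byte, error) {
	out := map[string][]byte{}
	for name, pub := range importPubs {
		w, err := WrapForProvider(master, pub)
		if err != nil {
			return nil, fmt.Errorf("wrap for %s: %w", name, err)
		}
		out[name] = w
	}
	return out, nil
}

// ---- Provider side ----

// UnwrapImportedKey is the only operation that touches the import private key.
func UnwrapImportedKey(wrapped []byte, importPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, importPriv, wrapped, wrapLabel)
}

// RoundTrip runs the whole flow for two constructed providers and reports whether
// each recovered exactly the master key and whether a blob is useless to the other.
func RoundTrip() (bool, error) {
	providers := map[string]*rsa.PrivateKey{}
	pubs := map[string]*rsa.PublicKey{}
	for _, name := range []string{"cloud-a", "cloud-b"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048) // each provider's import key pair
		if err != nil {
			return false, err
		}
		providers[name] = k
		pubs[name] = &k.PublicKey
	}
	master, err := GenerateMasterKey()
	if err != nil {
		return false, err
	}
	blobs, err := WrapForProviders(master, pubs)
	if err != nil {
		return false, err
	}
	for name, priv := range providers {
		got, err := UnwrapImportedKey(blobs[name], priv)
		if err != nil || !bytes.Equal(got, master) {
			return false, fmt.Errorf("%s did not recover the master key", name)
		}
	}
	// A blob wrapped for cloud-a must not unwrap under cloud-b's private key.
	if _, err := UnwrapImportedKey(blobs["cloud-a"], providers["cloud-b"]); err == nil {
		return false, fmt.Errorf("cross-provider unwrap unexpectedly succeeded")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("BYOK round trip ok:", ok, "err:", err)
}
```

Real providers publish their own import-key formats and accepted wrapping algorithms, which this does not reproduce; what carries over is the shape of the control: the clear master key exists only where it was generated, and each exported copy is readable by exactly one intended recipient.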

Page 13:

2. Isolate your keys from the Public Cloud Provider's service

[Slide diagram, IaaS model: Your App running in the cloud calls home for crypto and keys to an HSM on your premises]

Service cloud-based workloads from HSMs on which you have full administrative rights

Use on-premise HSMs

Retain full control within the enterprise perimeter

− Keys never leave 'your' HSMs

Enterprise Application running in the cloud

− Data available in the cloud

Page 14:

3. Isolate your data from the Public Cloud Provider's service

[Slide diagram. IaaS model: Your App encrypts data at the application level, using an on-premises HSM, before it goes to the cloud. SaaS model: an Encryption gateway, backed by an on-premises HSM, applies transparent encryption before data goes to Their App]

Service cloud-based workloads from HSMs on which you have full administrative rights

Use on-premise HSMs

Retain full control within the enterprise perimeter

− Keys never leave 'your' HSMs

Enterprise or SaaS Application running in the cloud

− Plaintext data never available in the cloud
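The following Go program is an added example of the "encrypt at app level before it goes to the cloud" pattern on this slide; it is not nCipher code and does not model an encryption gateway product. It assumes a key holder inside the enterprise perimeter that owns an AES-256 key and exposes only seal and open operations (so neither the application code nor the cloud ever handles key bytes), and a cloud store that receives nothing but sealed blobs. The sample record, record IDs and the key are constructed for the example; the check at the end is the one an auditor would ask for, namely that the provider's store contains no plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// PerimeterKeyHolder stands in for the on-premises HSM: it owns the AES-256 key and
// exposes only Seal and Open, so application code never handles key bytes either.
type PerimeterKeyHolder struct{ aead cipher.AEAD }

func NewPerimeterKeyHolder() (*PerimeterKeyHolder, error) {
	key := make([]byte, 32) // constructed: generated fresh here and never exported
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &PerimeterKeyHolder{aead: aead}, nil
}

// Seal encrypts one record with AES-256-GCM. The record ID goes in as associated
// data, so a ciphertext filed under a different record ID fails to open.
// Output layout: 12-byte random nonce || ciphertext || 16-byte tag. Random 96-bit
// nonces are fine for a modest record count; rotate the key well before 2^32 seals.
func (h *PerimeterKeyHolder) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return h.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal and fails closed on any change to nonce, ciphertext, tag or ID.
func (h *PerimeterKeyHolder) Open(recordID string, blob []byte) ([]byte, error) {
	ns := h.aead.NonceSize()
	if len(blob) < ns+h.aead.Overhead() {
		return nil, errors.New("blob too short to be a sealed record")
	}
	return h.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// CloudStore is the provider's side of the picture: an object store that only ever
// receives sealed blobs, so a provider-side compromise yields ciphertext.
type CloudStore struct{ objects map[string][]byte }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (c *CloudStore) Put(id string, blob []byte) { c.objects[id] = append([]byte(nil), blob...) }

func (c *CloudStore) Get(id string) ([]byte, bool) { b, ok := c.objects[id]; return b, ok }

// HoldsPlaintext reports whether anything the provider stores contains the given bytes.
func (c *CloudStore) HoldsPlaintext(p []byte) bool {
	for _, b := range c.objects {
		if bytes.Contains(b, p) {
			return true
		}
	}
	return false
}

func main() {
	holder, err := NewPerimeterKeyHolder()
	if err != nil {
		panic(err)
	}
	store := NewCloudStore()
	record := []byte(`{"customer":"constructed-sample","card_last4":"4242"}`)
	blob, _ := holder.Seal("cust-001", record)
	store.Put("cust-001", blob)
	fmt.Println("cloud holds plaintext:", store.HoldsPlaintext(record))
	got, _ := store.Get("cust-001")
	back, err := holder.Open("cust-001", got)
	fmt.Println("round trip:", bytes.Equal(back, record), err)
	_, err = holder.Open("cust-002", got) // same blob filed under another record
	fmt.Println("swapped record id:", err)
}
```

The trade-off the slide leaves implicit is that a provider's own services cannot index, search or transform what they cannot read, which is why the SaaS variant on the slide routes data through a gateway that the enterprise, not the provider, operates.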

Page 15:

4. Using a third party hosting service

End user

• Uses HSM services as normal:

  • Manages HSMs remotely

  • Runs workloads in the cloud or on premise

Service Provider

• Remotely manages HSMs

• Commissions new customers

• Decommissions old customers

[Slide diagram: the end user pays (££) to rent HSMs from the service provider over a direct connection; Cloud Apps (Your App, Their App) use the 3rd party HSM hosting service for crypto]

Page 16:

Conclusions

Use HSMs to protect your keys

− Both when in use and when not in use

Adopt good security practices

− Control access to your HSMs

Understand your environment

− In the Enterprise

− In the Cloud

Control in the Cloud

− Retain control of your keys and data

  - Bring your own key

  - Isolate your keys from the Cloud

  - Isolate your data from the Cloud

  - Use a 3rd party hosting service

Page 17:

Come and see us at Stand R540