Where to Store the Cloud Encryption Keys - InterOp 2012
DESCRIPTION
Dave Asprey's presentation on "Where to Store the Cloud Encryption Keys" from InterOp 2012.
TRANSCRIPT
![Page 1: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/1.jpg)
Securing Your Journey to the Cloud
Dave Asprey, VP Cloud Security
@daveasprey
Where to Store Cloud Encryption Keys
Copyright 2012 Trend Micro Inc.
![Page 2: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/2.jpg)
Focus
• State of encryption deployment
• Key management details of COBIT, PCI, HIPAA and SOX
• Best practices for cloud encryption key management
• Where to maintain encryption keys
![Page 3: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/3.jpg)
# of Americans who are victims of reported data breaches: 30 million
![Page 4: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/4.jpg)
90% of enterprises encrypt in the public cloud
![Page 5: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/5.jpg)
Why key management matters now
• Increased amount of sensitive data in the cloud
• Risk of data loss caused by employees mishandling data
• More sharing of authorized data with external users
• Emerging marketplaces for stolen data
• New (crazy) regulatory requirements
![Page 6: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/6.jpg)
Higher Risks
• Reputation and profitability
• Brand damage and potential loss of customers
• Litigation expenses and large fines
![Page 7: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/7.jpg)
Breach notification is a disaster
• Allowances if data was encrypted
• 44 states have independent data breach laws
• Nevada and Minnesota use PCI
![Page 8: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/8.jpg)
The following need keys:
• Tokenization or data anonymization schemes
• Mounted storage volume encryption
• File encryption
• Native database encryption (transparent data encryption)
![Page 9: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/9.jpg)
Key issues in key management
• Security of key management infrastructure: a compromised key means compromised data
• Separation of duties: ACLs so admins can back up files but not view sensitive data
• Availability: if your key is lost, your data is cryptographically destroyed
• Legal issues: hidden law enforcement requests for keys and data
![Page 10: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/10.jpg)
“COBIT is an IT governance framework and supporting toolset
that allows managers to bridge the gap between
control requirements, technical issues and business risks.”
-ISACA
![Page 11: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/11.jpg)
COBIT Encryption Key Management Requirements
• transporting
• storage
• recovery
• retirement/destruction
• theft
• frequency of required use
*Included with these procedures should be requirements over securing the key and controlling the elevation of the key
![Page 12: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/12.jpg)
“Keys should be maintained on a computer that is not accessible by any programmers or users, such as router controls for logical access and strong physical controls with an air gap in a secured area/room.”
![Page 13: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/13.jpg)
PCI
“Encryption keys used for encryption of cardholder data must be protected against both disclosure and misuse.”
![Page 14: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/14.jpg)
PCI Requirement 3.6
Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data
![Page 15: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/15.jpg)
PCI Requirement 3.6.4
Mandates that encryption keys be rotated at least annually or per vendor best practice (every 3 years)
A hardware security module (HSM) easily encrypts database columns and rotates keys on a per-record basis, but won’t work for flat files or logs (extract-decrypt-re-encrypt)
![Page 16: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/16.jpg)
PCI Requirement 3.6.8
Mandates documentation with formal key custodian forms & sign-off procedures
![Page 17: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/17.jpg)
PCI Requirement 3.6.b
Service providers should provide key management guidance to customers covering transmission, storage, and update of customer keys (not just storage)
Split knowledge and dual control applies only for manual key management processes
Notify customers of a data breach regardless of whether the data was encrypted or not.
![Page 18: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/18.jpg)
HIPAA
Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if one or more of the following applies:
Electronic PHI has been encrypted as specified in the HIPAA Security
To avoid a breach of the confidential process or key, decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
The encryption processes should have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
![Page 19: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/19.jpg)
SOX
• Sarbanes-Oxley adheres to COBIT in section DS 5.7
“Accepted frameworks for use with SOX are COSO and COBIT”
• Section DS 5.8
“Dedicated key storage devices and application” - a separation of duties
![Page 20: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/20.jpg)
COBIT, PCI, HIPAA, and SOX: store encryption keys
1. Securely
2. Separately from data
3. Under the control of the cloud consumer
![Page 21: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/21.jpg)
Three Key Options
1. Enterprise data center
2. SaaS Key Management
3. IaaS Key Management
![Page 22: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/22.jpg)
Enterprise Datacenter
• Maximum control
• Potentially higher security and availability (DR possible)
• No risk of external party breach compromising your data
• Virtual appliance vs. hardware appliance vs. software
![Page 23: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/23.jpg)
SaaS Key Management
• SaaS vendor takes responsibility for the keys
• Cloud economics
• Availability of SaaS vendor is based on your data availability level
• Potential security risks if SaaS vendor loses key
• Legal issues under Patriot Act
![Page 24: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/24.jpg)
IaaS Key Management
• Use tokenization or encryption services from IaaS vendor
• Same security and availability problem as SaaS
• Effectively makes IaaS provider custodian of keys and data
• Some providers offer encryption so you can manage the keys yourself
• Enterprises must assess their risk tolerance and audit requirements before they can select a solution that best meets their encryption key management needs.
![Page 25: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/25.jpg)
Which Secure Cloud Deployment Option?
(comparison table of options by requirement; not reproduced in the transcript)
Download at: cloud.trendmicro.com
![Page 26: Where to Store the Cloud Encryption Keys - InterOp 2012](https://reader033.vdocuments.us/reader033/viewer/2022061112/54563adfaf79597b578b46b9/html5/thumbnails/26.jpg)
Dave Asprey, VP Cloud Security
@daveasprey
Thank you