TMW04 Securing Cloud Servers and Services with PKI Certificates

1 TMW04 Securing Cloud Servers and Services with PKI Certificates
Mark B. Cooper, President & Founder, PKI Solutions Inc.
Level: Intermediate

2 About PKI Solutions Inc.
- 10 years as The PKI Microsoft Charter Microsoft Certified Master DS
- Numerous books and whitepapers
- Services include:
- ADCS Architecture, Deployment and Consulting
- Assessment and Remediation Services
- In-Depth PKI Training
- SFO January 2015, NYC February 2015
- Retainer and Support Services

3 Agenda
- It's all about security
- Data and identity protection
- Hybrid PKI solutions
- Bring your own key
- Cloud-based solutions
- Security considerations

4 Security

5 Human nature and security
- Humans are inherently security conscious
- Information is not
- Technology can define procedures
- Human nature trumps every time
- Constant struggle to protect and assure
- Need to define methods to elevate security

6 The cloud
- Push to cloud changes paradigms
- Organizations moving data to the cloud
- Security needs to adapt and adopt
- Lock and keys in the same place

7 Data and identity protection

8 Public Key Infrastructure
- Increases assurance of data and identities
- Reduces ambiguity in the enterprise
- Information protection
- Signing/Assurance
- Encryption/Protection

9 The certificate
- Signing and/or encryption
- Unique identification of someone or something
- Limited in scope and use by an authority
- Principles of private key instance ownership
- Guaranteed uniqueness
- Non-Repudiation

10 Hybrid PKI solutions

11 Traditional PKIs
[Diagram: Three Tier (Root CA, Policy CA, Issuing CA); Two Tier (Root CA, Issuing CA)]

12 Simple hybrid
- Easiest solution
- Subordinate role in the cloud
- Root secured on premise
- Greatest risk
- Unrestricted issuance
- Signing keys
- Remote administration
[Diagram: Root CA, Issuing CA]

13 Dual hybrid
- Onsite and cloud
- Dynamic and elastic
- Preserves root
- Root secured on premise
- Same risks as simple
- Unrestricted issuance
- Signing keys
- Remote administration
[Diagram: Root CA, Issuing CA, Issuing CA]

14 Not in my cloud you don't
- Onsite and cloud
- Dynamic and elastic
- Preserves root
- Root secured on premise
- Same risks as simple
- Unrestricted issuance
- Signing keys
- Remote administration
[Diagram: Root CA, Issuing CA]

15 The restricted approach
- True hybrid
- Policy restricts cloud issuance
- Compromises are limited
- Technically possible with 2-tier*
- Some risks remain
- Signing keys
- Remote administration
[Diagram: Root CA, Policy CA, Issuing CA]
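
An added example, not from the slides, of how a policy restriction on the cloud CA limits a compromise. The slides do not name the enforcement mechanism; this sketch assumes X.509 name constraints plus a path length of zero, and every name and key in it (corp.example, the CA subjects) is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with parent (self-signs when parent is nil) using a fresh throwaway key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CloudCAAccepts reports whether a relying party that trusts only the on-premises root
// accepts a leaf for dnsName signed by the name-constrained cloud issuing CA.
func CloudCAAccepts(dnsName string) bool {
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed On-Prem Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	cloud, cloudKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Cloud Issuing CA"},
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{"cloud.corp.example"}}, root, rootKey)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "leaf"},
		DNSNames: []string{dnsName}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, cloud, cloudKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(cloud)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}

func main() {
	for _, n := range []string{"app.cloud.corp.example", "payroll.corp.example"} {
		fmt.Printf("%-24s accepted=%v\n", n, CloudCAAccepts(n))
	}
}
```

The second name is signed with the cloud CA's real key and still fails validation, which is the sense in which the constraint bounds what a stolen cloud signing key can be used for.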

16 Bring your own key

17 Trust but restrict
- Local key management
- Create and manage key locally
- Generally in a Hardware Security Module
- Key is restricted and placed in cloud
- Cradle to grave security is difficult
- Generate and then secure in transit to known service
- Few services ready today
- Microsoft Azure Rights Management Server

18 Cloud based solutions

19 Cloud all in
- It's all about the keys
- Adopt industry signing key practices to the cloud
- Not easy in VM environment either
- Physical controls removed between keys and attacker
- Your admin is their entry door
- Opposed to elastic concepts in cloud computing

20 Cloud PKI Soft keys
- Software key protection
- Limited isolation of root
- Risks shifted to provider
- Dynamic over secure
- It's cloud and not much else
[Diagram: Root CA, Issuing CA]

21 Cloud PKI Hard keys
- Hardware key protection
- Virtualized HSM access
- Limited providers
- Co-Mingling of keys
- Key propagation
- Provider key protections
- Mitigates some key risks
- Risks remain
[Diagram: Root CA, Issuing CA]

22 Bring your own HSM
- Theoretical concept
- Not for everyone or all circumstances
- Breaks many conventional security practices
- Shifts risks and manages exposure
- Hybrid concept of BYOK, Cloud and legacy
- Ask me next year how I feel
- Body of practices and security practices to be defined

23 [Diagram labels: Corporate Firewall, Issuing CA, Secure Connection, Net HSM]

24 Why Bother?
- Local key management
- Security defined around core risk
- Shifts service, but not risk
- Data and key are not stored near each other
- Compromise of one doesn't affect the other
- Still enables full cloud migration in the future

25 Ideal cloud architecture
- No one architecture works for everyone
- Cloud forces reconsideration of tier models
- Modern architecture moved to two-tier
- Cloud is begging for three-tier
- Combination of on premise and hybrid
- At least a starting point in the design discussion

26 [Diagram labels: HSM, Root CA, HSM, Policy CA, Explicit Issuance Policies, Issuing CA, HSM, Issuing CA, Cloud HSM Service]

27 Security considerations

28 Follow the keys
- PKI keys are the core of trust and assurance
- Determine storage and access to keys
- Logical and physical
- Ensure policies and procedures define access
- Eliminate redundant and superfluous access
- Provider limitations and controls
- Determine acceptable risk levels and mitigate
- Security trumps rush to the cloud

29 Agile PKI
- PKI can be defined for future migrations
- Elastic design and agility are possible
- Reduces future migration effort
- Build today with an eye on tomorrow

30 Questions?