TMW04 Securing Cloud Servers and Services with PKI Certificates
Mark B. Cooper
President & Founder, PKI Solutions Inc.
Level: Intermediate

About PKI Solutions Inc.
- 10 years as The PKI Guy @ Microsoft
- Charter Microsoft Certified Master DS
- Numerous books and whitepapers
- Services include:
  - ADCS Architecture, Deployment and Consulting
  - Assessment and Remediation Services
  - In-Depth PKI Training
    - SFO January 2015, NYC February 2015
  - Retainer and Support Services

Agenda
- It's all about security
- Data and identity protection
- Hybrid PKI solutions
- Bring your own key
- Cloud-based solutions
- Security considerations

Security
Human nature and security
- Humans are inherently security conscious
- Information is not
- Technology can define procedures
- Human nature trumps every time
- Constant struggle to protect and assure
- Need to define methods to elevate security

The cloud
- Push to cloud changes paradigms
- Organizations moving data to the cloud
- Security needs to adapt and adopt
- Lock and keys in the same place

Data and identity protection
Public Key Infrastructure
- Increases assurance of data and identities
- Reduces ambiguity in the enterprise
- Information protection
  - Signing/Assurance
  - Encryption/Protection

The certificate
- Signing and/or encryption
- Unique identification of someone or something
- Limited in scope and use by an authority
- Principles of private key instance ownership
  - Guaranteed uniqueness
  - Non-repudiation

Hybrid PKI solutions
Traditional PKIs
[Diagram: Three Tier (Root CA, Policy CA, Issuing CA) and Two Tier (Root CA, Issuing CA)]

Simple hybrid
- Easiest solution
- Subordinate role in the cloud
- Root secured on premise
- Greatest risk
  - Unrestricted issuance
  - Signing keys
  - Remote administration
[Diagram: Root CA, Issuing CA]

Dual hybrid
- Onsite and cloud
- Dynamic and elastic
- Preserves root
- Root secured on premise
- Same risks as simple
  - Unrestricted issuance
  - Signing keys
  - Remote administration
[Diagram: Root CA, Issuing CA, Issuing CA]

Not in my cloud you don't
- Onsite and cloud
- Dynamic and elastic
- Preserves root
- Root secured on premise
- Same risks as simple
  - Unrestricted issuance
  - Signing keys
  - Remote administration
[Diagram: Root CA, Issuing CA]

The restricted approach
- True hybrid
- Policy restricts cloud issuance
- Compromises are limited
- Technically possible with 2-tier*
- Some risks remain
  - Signing keys
  - Remote administration
[Diagram: Root CA, Policy CA, Issuing CA]

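An added illustration, not part of the original slides: the slide does not say how the policy restriction is expressed, so this sketch assumes the on-premise Policy CA limits the cloud Issuing CA with DNS name constraints, an allowed issuance policy OID and a path length of 0. It models which certificates signed by the cloud CA's key a constraint-checking relying party would still accept; all names, OIDs and helper functions are hypothetical.

```python
# Simplified model (added example, not a full RFC 5280 validator).
from dataclasses import dataclass

@dataclass(frozen=True)
class CaConstraints:
    """Limits the on-premise Policy CA places in the cloud Issuing CA's certificate."""
    permitted_dns: tuple         # name constraints: permitted DNS subtrees
    allowed_policies: frozenset  # issuance policy OIDs the cloud CA may assert
    path_len: int = 0            # 0 = no usable subordinate CAs below the cloud CA

@dataclass(frozen=True)
class Cert:
    """Fields of a certificate signed with the cloud CA's key."""
    dns_names: tuple
    policy_oid: str
    is_ca: bool = False

def in_subtree(name: str, subtree: str) -> bool:
    """DNS constraint match: equal to the subtree, or labels added on the left."""
    name, subtree = name.lower().rstrip("."), subtree.lower().strip(".")
    return name == subtree or name.endswith("." + subtree)

def rejection_reasons(cert: Cert, limits: CaConstraints) -> list:
    """Reasons a constraint-checking relying party rejects cert (empty = accepted)."""
    reasons = []
    for name in cert.dns_names:
        if not any(in_subtree(name, s) for s in limits.permitted_dns):
            reasons.append(f"name outside permitted subtrees: {name}")
    if cert.policy_oid not in limits.allowed_policies:
        reasons.append(f"policy not allowed for this CA: {cert.policy_oid}")
    if cert.is_ca and limits.path_len == 0:
        reasons.append("subordinate CA unusable: path length 0")
    return reasons

# Constructed sample data: placeholder OIDs and domains, not from the slides.
CLOUD_POLICY, HIGH_ASSURANCE = "1.3.6.1.4.1.99999.1.1", "1.3.6.1.4.1.99999.1.2"
CLOUD_CA = CaConstraints(("cloud.example.com",), frozenset({CLOUD_POLICY}))
SAMPLES = {
    "in-scope web server": Cert(("app1.cloud.example.com",), CLOUD_POLICY),
    "corporate hostname": Cert(("mail.corp.example.com",), CLOUD_POLICY),
    "look-alike suffix": Cert(("notcloud.example.com",), CLOUD_POLICY),
    "high-assurance policy": Cert(("app2.cloud.example.com",), HIGH_ASSURANCE),
    "rogue subordinate CA": Cert((), CLOUD_POLICY, is_ca=True),
}

def evaluate_samples() -> dict:
    """Map each constructed sample to the reasons it would be rejected."""
    return {label: rejection_reasons(c, CLOUD_CA) for label, c in SAMPLES.items()}

if __name__ == "__main__":
    for label, reasons in evaluate_samples().items():
        print(f"{label:24} {'ACCEPT' if not reasons else 'REJECT: ' + '; '.join(reasons)}")
```

The signing key and remote administration risks listed on the slide are outside this model: the constraints only bound what relying parties will accept from the cloud CA.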
Bring your own key
Trust but restrict
- Local key management
  - Create and manage key locally
  - Generally in a Hardware Security Module
- Key is restricted and placed in cloud
- Cradle to grave security is difficult
  - Generate and then secure in transit to known service
- Few services ready today
  - Microsoft Azure Rights Management Server

Cloud-based solutions
Cloud all in
- It's all about the keys
- Adopt industry signing key practices to the cloud
- Not easy in VM environment either
- Physical controls removed between keys and attacker
- Your admin is their entry door
- Opposed to elastic concepts in cloud computing

Cloud PKI: Soft keys
- Software key protection
- Limited isolation of root
- Risks shifted to provider
- Dynamic over secure
- It's cloud and not much else
[Diagram: Root CA, Issuing CA]

Cloud PKI: Hard keys
- Hardware key protection
- Virtualized HSM access
- Limited providers
- Co-mingling of keys
- Key propagation
- Provider key protections
- Mitigates some key risks
- Risks remain
[Diagram: Root CA, Issuing CA]

Bring your own HSM
- Theoretical concept
- Not for everyone or all circumstances
- Breaks many conventional security practices
- Shifts risks and manages exposure
- Hybrid concept of BYOK, Cloud and legacy
- Ask me next year how I feel
- Body of practices and security practices to be defined

[Diagram: Corporate Firewall, Issuing CA, Secure Connection, Net HSM]

Why bother?
- Local key management
- Security defined around core risk
- Shifts service, but not risk
- Data and key are not stored near each other
- Compromise of one doesn't affect the other
- Still enables full cloud migration in the future

Ideal cloud architecture
- No one architecture works for everyone
- Cloud forces reconsideration of tier models
- Modern architecture moved to two-tier
- Cloud is begging for three-tier
- Combination of on premise and hybrid
- At least a starting point in the design discussion

[Diagram labels, in order: HSM, Root CA, HSM, Policy CA, Explicit Issuance Policies, Issuing CA, HSM, Issuing CA, Cloud HSM Service]

Security considerations
Follow the keys
- PKI keys are the core of trust and assurance
- Determine storage and access to keys
  - Logical and physical
- Ensure policies and procedures define access
- Eliminate redundant and superfluous access
- Provider limitations and controls
- Determine acceptable risk levels and mitigate
- Security trumps rush to the cloud

Agile PKI
- PKI can be defined for future migrations
- Elastic design and agility are possible
- Reduces future migration effort
- Build today with an eye on tomorrow

Questions?
- pkisolutions.com
- mark@pkisolutions.com
- @pkisolutions