Key Management Issues in the Cloud Infrastructure

Similar documents
Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Securing the Cloud - Using Encryption and Key Management to Solve Today's Cloud Security Challenges

Key Management Interoperability Protocol (KMIP)

Key Management Best Practices

Data Protection: From PKI to Virtualization & Cloud

Security Issues in Cloud Computing

NISTIR 7956 Cryptographic Key Management Issues & Challenges in Cloud Services

A Draft Framework for Designing Cryptographic Key Management Systems

Alliance Key Manager Solution Brief

Secure Clouds - Secure Services Trend Micro best-in-class solutions enable data center to deliver trusted and secure infrastructures and services

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Cloud Database Storage Model by Using Key-as-a-Service (KaaS)

Applying Cryptography as a Service to Mobile Applications

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Chapter 10. Cloud Security Mechanisms

Chapter 1: Introduction

Key Management Interoperability Protocol (KMIP)

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Cloud Courses Description

Cloud Courses Description

Managing Cloud Computing Risk

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

A Secure Strategy using Weighted Active Monitoring Load Balancing Algorithm for Maintaining Privacy in Multi-Cloud Environments

A Survey on Cloud Security Issues and Techniques

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Cloud Computing Security Considerations

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

When Security, Privacy and Forensics Meet in the Cloud

TENDER NOTICE No. UGVCL/SP/III/608/GPRS Modem Page 1 of 6. TECHNICAL SPECIFICATION OF GPRS based MODEM PART 4

Cloud Computing Security: Public vs. Private Cloud Computing

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2

A Survey on Security Threats and Security Technology Analysis for Secured Cloud Services

DRAFT Standard Statement Encryption

Cloud Security Case Study Amazon Web Services. Ugo Piazzalunga Technical Manager, IT Security

Cloud Computing Standards: Overview and ITU-T positioning

Scientific Journal Impact Factor (SJIF): 1.711

Top 10 Cloud Risks That Will Keep You Awake at Night

CompTIA Cloud+ 9318; 5 Days, Instructor-led

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

How to Turn the Promise of the Cloud into an Operational Reality

Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

CipherShare Features and Benefits

EXIN Cloud Computing Foundation

Security in the Sauce Labs Cloud. Practices and protocols used in Sauce s infrastructure and Sauce Connect

Cloud Computing. Chapter 10 Disaster Recovery and Business Continuity and the Cloud

SECURE AND TRUSTY STORAGE SERVICES IN CLOUD COMPUTING

Encrypt Your Cloud. Davi Ottenheimer flyingpenguin. Session Classification: Advanced

Data Security in Cloud

DEPARTMENT OF VETERANS AFFAIRS VA DIRECTIVE 6517 CLOUD COMPUTING SERVICES

Course 20533: Implementing Microsoft Azure Infrastructure Solutions

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

CLOUD COMPUTING SECURITY ARCHITECTURE - IMPLEMENTING DES ALGORITHM IN CLOUD FOR DATA SECURITY

Secure SSL, Fast SSL

Securing Data on Microsoft SQL Server 2012

Service Definition Document

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Cloudy with Showers of Business Opportunities and a Good Chance of. Security. Transforming the government IT landscape through cloud technology

An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Security and Privacy in Cloud Computing

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Document TMIC-003-PD Version 1.1, 23 August

Best Practices at Research Level

Whitepaper. What You Need to Know About Infrastructure as a Service (IaaS) Encryption

MS-55096: Securing Data on Microsoft SQL Server 2012

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Data Storage Security in Cloud Computing

Implementing Microsoft Azure Infrastructure Solutions

Cloud Essentials for Architects using OpenStack

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken )

Network Access Control and Cloud Security

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Tips For Buying Cloud Infrastructure

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Emerging Approaches in a Cloud-Connected Enterprise: Containers and Microservices

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Asigra Cloud Backup V13 Delivers Enhanced Protection for Your Critical Enterprise Data

A Secure & Efficient Data Integrity Model to establish trust in cloud computing using TPA

Cloud Security:Threats & Mitgations

Security in the Sauce Labs Cloud

Transcription:

Key Management Issues in the Cloud Infrastructure Dr. R. Chandramouli (Mouli) mouli@nist.gov Dr. Michaela Iorga michaela.iorga@nist.gov (Information Technology Lab, NIST, USA) ARO Workshop on Cloud Computing March 11-12, 2013 George Mason University, Fairfax, VA, USA 1

Key Management - background u SP 800-57-part1 describes twenty different key types; Main Categories: encryption, authentication, authorization, signature, key wrapping, key transport, key agreement, master key, RNG. u SP 800-130: Key &Metadata Management Main Key Functions: generation, registration, storage, (de)activation, revocation, establishment, deletion, recovery, validation, archiving 2

Challenges in the Cloud u Data protection (confidentiality & integrity) and privacy in multi-tenancy environment requires encryption at rest & in transit u ID Authentication and Authorizations is as strong as Key Management is u Backup Data Protection (confidentiality & integrity) - encryption prevents data misuse & protects when media is lost or stolen 3

Challenges in the Cloud u Secure key stores u Access to key stores u Key backup and recoverability u Protecting the keys from theft when they are in use u Storing and managing the encryption keys u Managing the encryption process u Securing the data lifecycle Who can do it? 4

Cloud Service Models and Data Protection Courtesy of CIO Research Council (CRC) 5

Key Management Issues in Cloud Infrastructures Outline (Cloud Consumer Perspective) Cryptographic Operations within Overall Cloud Data Protection Encryption Requirements for Data in the Cloud Message Authentication Codes & Digital Signatures - Scope Common Cryptographic Operations in Cloud Use Cases Cryptographic Operations in SaaS, PaaS & IaaS Use Cases KM Issues for IaaS Cloud Consumers Contacts & Questions (?) 6

Cryptographic Operations within Overall Cloud Data Protection Cloud Data Protection Approaches (1) Network-Centric Approaches Firewalls, IDS/IPS etc (2) Data Encryption Making Data unreadable & unusable (3) Access Control Mechanisms MAC, DAC, RBAC etc (4) Security Monitoring Alert Generation & Log Analysis (DAP, SIEM etc) (5) Attaching Digital Signatures & Message Authentication Codes while delivering Data (sometimes not considered as part of Data Protection Approaches per se) 7

Encryption Requirements for Data in the Cloud Encryption should be applied to - Data at Rest (e.g., Encryption of Data in Virtual Disks used by Virtual Machines (VMs)) - Data in Transit (e.g., Encryption of Data while Cloud Consumers send data from their from in-house sources or download data from Cloud-based Servers) - Data that is backed up and Archived 8

Encryption Requirements for Data in the Cloud (Contd..) Encryption of Data at Rest should include - Structured Data (e.g., Transparent encryption within Databases) - Unstructured Data (e.g., Encryption of Files, File Folders, Disk Volumes, other forms of Data Repositories) 9

Message Authentication Codes & Digital Signatures - Scope Attached to Data transmitted over insecure communication channels Also needed for certain classes of stored data to obtain assurance about their source and integrity (e.g., Cloud Infrastructure Logs) - To ensure that log entries were generated by a certified Log Generation System - To ensure that log entries have not been tampered to obscure attack patterns or illegal insider access 10

Common Cryptographic Operations in Cloud Use Cases CCO-UC-1: Certificate-based Authentication of Cloud Clients to Cloud Servers Key Management not an Issue Private Keys Under the control of Cloud Customer CCO-UC-2: Setting up secure communication session between Cloud Clients and CSP-Managed Cloud Servers (Setting up Session Keys after one-way or two-way authentication using certificates e.g., SSL/TLS) Key Management not an Issue as the KMS is fully under the control of respective parties Cloud Consumer and CSP. 11

Cryptographic Operations in SaaS Use Cases SaaS-UC-1: Bulk Upload/Download feature provided by some SaaS providers - If this feature supported with encryption, long lived symmetric keys are needed (Joint KM responsibility) SaaS-UC-2: CSP uses database encryption for storing SaaS application Data - KMS processes (Quality of Keys, Key Storage & Key Recovery Mechanisms (customer data at stake) are of concern) CAN ONLY BE ADDRESSED USING SLAs 12

Cryptographic Operations in PaaS Use Cases PaaS-UC-1: Authenticated Access to CSP-Managed Cloud Servers used for Application Development - Certificatebased Authentication of Cloud Clients to Cloud Servers (CCO- UC-1) No KM Issues (Private keys under control of Cloud Consumer) PaaS-UC-2: Setting up a Secure Session with CSP-Managed Cloud Servers used for Application Development - Setting up secure communication session between Cloud Clients and CSP-Managed Cloud Servers (CCO-UC-2) No KM Issues 13

Cryptographic Operations in Platform as a Service Use Cases (contd..) PaaS-UC-3: Authenticated Access to Cloud Consumer s Development VM Instances - Certificate-based Authentication of Cloud Clients to Cloud Servers (CCO-UC-1) No KM Issues PaaS-UC-4: Setting up a Secure Session with Cloud Consumer s Development VM Instances KM is an Issue as the Cloud Consumer needs to run a KMS in the Cloud Infrastructure 14

Cryptographic Operations IaaS Use Cases IaaS-UC-1: Authenticated Access to Cloud Consumer s Running VM Instances - Certificate-based Authentication of Cloud Clients to Cloud Servers (CCO-UC-1) No KM Issues IaaS-UC-2: Encryption of Data traveling inside CSP network (between a Web Server VM and Database Server VM) IaaS-UC-3: Encryption of Data for storage in a Database IaaS-UC-4: Digitally signing a data sent as response to a Query from Cloud Customer (For the last three Use Cases, KM is an Issue as the Cloud Consumer needs to run a KMS in the Cloud Infrastructure) 15

Common Cryptographic Related Operation in all IaaS Use Cases IaaS-UC-O: Cloud Consumer Programs retrieve Keys from Key Store for use in all Cryptographic Operations (e.g., Encrypting/Decrypting Data, Generating Digital Signature) - KM is an Issue - How to counter the threat of Key Exposure when keys are retrieved, loaded and used in the memory of Cloud Consumer s VM Instances 16

KM Issues for IaaS Cloud Consumers It is obvious that IaaS Cloud Consumers need to run a KMS in the Cloud Infrastructure - Run a KMS version in each VM (where keys are used) OR Run a Centralized KMS in a dedicated VM - Where can the HSM support for KMS come from - If a Centralized KMS is run - VMs needing the keys become the client of KMS - Need for a standardized Key Management Interoperability Protocol (KMIP) that must be provably Secure 17

Contacts & Questions Contacts: Dr. Ramaswamy Chandramouli (mouli@nist.gov) Dr. Michaela Iorga (michaela.iorga@nist.gov) Computer Security Division Information Technology Lab National Institute of Standards and Technology Gaithersburg, MD, USA Questions (?): 18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information