Securely Managing Cryptographic Keys used within a Cloud Environment



Similar documents
Cloud Services Frequently Asked Questions FAQ

State of Wisconsin. File Server Service Service Offering Definition

Version Date Comments / Changes 1.0 January 2015 Initial Policy Released

CLOUD COMPUTING: SECURITY THREATS AND MECHANISM

Have some knowledge of how queries execute. Must be able to read a query execution plan and understand what is happening.

HIPAA HITECH ACT Compliance, Review and Training Services

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

IMT Standards. Standard number A GoA IMT Standards. Effective Date: Scheduled Review: Last Reviewed: Type: Technical

GUIDANCE FOR BUSINESS ASSOCIATES

How Does Cloud Computing Work?

Course Outline (70-413)

Configuring, Monitoring and Deploying a Private Cloud with System Center 2012 Boot Camp

HIPAA Compliance 101. Important Terms. Pittsburgh Computer Solutions

CNS-205: Citrix NetScaler 11 Essentials and Networking

COPIES-F.Y.I., INC. Policies and Procedures Data Security Policy

Restricted Document. Pulsant Technical Specification

Session 9 : Information Security and Risk

BYOD and Cloud Computing

TrustED Briefing Series:

Skills for Employment Investment Project (SEIP)

GUIDELINES FOR SECURING SOCIAL MEDIA ACCOUNTS. Version 1.0

Network Defense Specialist. Course Title: Network Defense Specialist: Security and Vulnerability Assessment

Data classification for cloud readiness

Gateway Agent - First Amendment to the High Level Design Document

Name. Description. Rationale

Better Practice Guide Financial Considerations for Government use of Cloud Computing

Personal Data Security Breach Management Policy

Unified Communications

Serv-U Distributed Architecture Guide

Service Level Agreement Distributed Hosting and Distributed Database Hosting

A96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015

In-House Counsel Day Priorities for Cloud Computing the benefits, potential risks and security for the future

Process of Setting up a New Merchant Account

1)What hardware is available for installing/configuring MOSS 2010?

Learn More Cloud Extender Requirements Cheat Sheet

Presentation: The Demise of SAS 70 - What s Next?

service description Colocation of Equipment Infrastructure as a Service

Understand Business Continuity

Agenda. PKI Defined Terminology Key Technical Concepts Key Infrastructure Concepts Practical Uses. o o o o o. Important Considerations of Being a CA

Appendix H. Annual Risk Assessment and Audit Plan 2013/14

Introduction to FedRAMP Abel Sussman. June, 2015

Serv-U Distributed Architecture Guide

Information Services Hosting Arrangements

The ADVANTAGE of Cloud Based Computing:

AMERITAS INFORMATION TECHNOLOGY DISASTER RECOVERY AND DATA CENTER STRATEGY

GUIDELINE INFORMATION MANAGEMENT (IM) PROGRAM PLAN

CPIT Aoraki ICT Asset and Media Security Standard

Cloud Application Risks You Can t Manage What You Can t See

University of Texas at Dallas Policy for Accepting Credit Card and Electronic Payments

Agenda. o Purpose of IT Assessment o Scope of IT Assessment o Deloitte Recommendations o IBM Discussions o Research Data Center o Open Season

System Business Continuity Classification

BLUE RIDGE COMMUNITY AND TECHNICAL COLLEGE BOARD OF GOVERNORS

Privacy Policy. The Central Equity Group understands how highly people value the protection of their privacy.

PROTIVITI FLASH REPORT

CSC 421 COURSE COMPACT

Basic concept of Cloud computing

CASSOWARY COAST REGIONAL COUNCIL POLICY ENTERPRISE RISK MANAGEMENT

Service Level Agreement

System Business Continuity Classification

GIS Service Provider. GIS Service Management

Comtrex Systems Corporation. CISP/PCI Implementation Guidance for Odyssey Suite

Identify Storage Technologies and Understand RAID

The Secret Life of Data: Protecting Sensitive Information, Mobile to Cloud

Hospital Information Management System Pro 2.1

Data Protection Policy & Procedure

Microsoft Certified Database Administrator (MCDBA)

Security Standard for General Information Systems

White Paper. SharePoint and the Consumerization of IT: Considerations for BYOD Success. Authors: Aseem Pandit and Prateek Bhargava

FUJITSU RUNMYPROCESS SECURITY WHITE PAPER.

State of Wisconsin Division of Enterprise Technology (DET) Distributed Database Hosting Service Offering Definition (SOD)

ITIL V3 Planning, Protection and Optimization (PPO) Certification Program - 5 Days

RUTGERS POLICY. Responsible Executive: Vice President for Information Technology and Chief Information Officer

Enterprise Security Management CIS 259

Best Practices for Optimizing Performance and Availability in Virtual Infrastructures

Help Desk Level Competencies

Improved Data Center Power Consumption and Streamlining Management in Windows Server 2008 R2 with SP1

LogMeIn Rescue Web SSO via SAML 2.0 Configuration Guide

CNS-205 Citrix NetScaler 10.5 Essentials and Networking

State of Wisconsin DET Agency Managed Virtual Services Service Offering Definition

Zimbra Professional Services Portfolio, Purchasing Guide & Price List

Plus500CY Ltd. Statement on Privacy and Cookie Policy

Installation Guide Marshal Reporting Console

CLOUD ENABLED CLOUD ENABLED

NERC-CIP Cyber Security Standards Compliance Documentation

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

OCR LEVEL 2 CAMBRIDGE TECHNICAL

Vendor Management. Federal Deposit Insurance Corporation Division of Risk Management Supervision Atlanta Regional Office.

PCI DSS Cloud Computing Guidelines

ITIL Release Control & Validation (RCV) Certification Program - 5 Days

Introduction to Mindjet MindManager Server

MaaS360 Cloud Extender

Integrating With incontact dbprovider & Screen Pops

STANDARDISATION IN E-ARCHIVING

Cisco Backup as a Service with Commvault Simpana Business Decision Maker Presentation

G-CLOUD FRAMEWORK SERVICE DEFINITION. Solution Architecture for Cloud Service. Copyright: point6 Ltd

Installation Guide Marshal Reporting Console

Oracle Cloud Enterprise Hosting and Delivery Policies

In addition to assisting with the disaster planning process, it is hoped this document will also::

Corporate Profile, 2014

Transcription:

Securely Managing Cryptgraphic Keys used within a Clud Envirnment Dr. Sarbari Gupta sarbari@electrsft-inc.cm 703-437-9451 ext 12 2012 NIST Cryptgraphic Key Management Wrkshp September 10-11, 2012

Intrductin Federal gvernment mving cmputing/strage t Clud Vivek Kundra s Clud First Strategy OMB M-10-19 FY 2012 Budget Guidance Clud Cmputing has unique security challenges Remte peratins, C-tenancy, Distributed Management Cryptgraphy essential t secure clud peratins Use f sund Key Management Practices is critical Yet, limited visibility int Clud Key Management FedRAMP streamlines Clud Authrizatins Des it prvide enugh visibility r assurance fr Clud Key Management? Page 2

Clud Service Prvider (CSP) - Mdels Clud Service Mdels Sftware as a Service (SaaS) - Access t applicatins and services hsted in clud Platfrm as a Service (PaaS) - Building blcks t rapidly develp/hst clud applicatins Infrastructure as a Service (Iaas) - Netwrked access t prcessing pwer, strage Clud Deplyment Mdels Public Clud Private Clud Cmmunity Clud Hybrid Clud Nt all Cluds are created equal! Page 3

Clud Based Systems Uncertainties Prcessr Where is my prcess running? Am I sharing the prcessr with ther users/rganizatins? Data Strage Where des my data reside? Is my data c-resident with ther users data? Cmmunicatin Hw des my CSP knw wh I am? Hw is my cnnectin t clud cmpnents prtected? Administratin Wh administers the Clud Infrastructure? Wh has access t my data? My activity histry? Key Management Where and hw are keys: Generated? Stred? Hw are keys: Distributed? Prtected? Hw are keys and data recvered if lst? When and hw are keys destryed? Page 4

Clud Systems Dependence n Brwser Brwser is integral t Clud Systems User Interface Presentatin Data input and utput frm Clud Cmmunicatin with Clud Cmpnents Brwsers have significant vulnerabilities Weak implementatin f security prtcls Man-in-the-middle (MITM) and ther attacks Brwser cntaminatin frm ther websites Brwser represents inherent weakness! Page 5

Cryptgraphy Integral t Clud Operatins Supprts strng authenticatin f remte Users, Administratrs Implements strng cmmunicatin prtcls between User (brwser) and clud Partitins User data in c-tenancy envirnments Prvides data cnfidentiality (even frm Administratrs) Supprts data integrity (tamperdetectin) Page 6

Cryptgraphic Key Management Basics (I) Cryptgraphic Keys - Cre Functins Cnfidentiality Integrity Surce Authenticatin Key Management - Scpe Key Generatin Key Strage Key Distributin Key Recvery Key Destructin Page 7

Cryptgraphic Key Management Basics (II) Key Management - Critical Dimensins Key Type, Algrithms, Strength, Crypt-perid, Metadata Key Generatin, Acquisitin Key Use, Users, Applicatins Key Establishment, Agreement, Distributin Key Material Prtectin (strage, transit) Key Access Cntrl Key Backup, Recvery Key Renewal, Revcatin, Destructin Page 8

Clud Cryptgraphy Visibility and Cntrl Remte Authenticatin; Secure Cmmunicatin with Clud Sme Visibility Use f Third Party Credential Prviders; Standard Cmmunicatin Prtcls (TLS/SSL) Sme Cntrl User may select wn Credential Prvider, Cnfigure Brwser settings Clud Data Prtectin (Cnfidentiality, Integrity) SaaS - n visibility; n cntrl CSP implements all crypt paque t Clud User PaaS limited visibility; limited cntrl CSP implements crypt in lwer layers paque t Clud User May prvide tlset (building blcks) fr applicatin develpment Iaas limited visibility; mre cntrl CSP implements infrastructure level crypt paque t Clud User Clud User cntrls key management fr virtualized IT cmpnents Page 9

FedRAMP Cntrl fr Key Management (based n SP 800-53 R3) SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT Cntrl: The rganizatin establishes and manages cryptgraphic keys fr required cryptgraphy emplyed within the infrmatin system. Cntrl Enhancements fr MODERATE baseline: (2) The rganizatin prduces, cntrls, and distributes symmetric cryptgraphic keys using [NIST-apprved] key management technlgy and prcesses. (5) The rganizatin prduces, cntrls, and distributes asymmetric cryptgraphic keys using apprved PKI Class 3 r Class 4 certificates and hardware security tkens that prtect the user s private key. SC-13 USE OF CRYPTOGRAPHY Cntrl: The infrmatin system implements required cryptgraphic prtectins using cryptgraphic mdules that cmply with applicable federal laws, Executive Orders, directives, plicies, regulatins, standards, and guidance. Cntrl Enhancements fr MODERATE baseline: (1)The rganizatin emplys, at a minimum, FIPS-validated cryptgraphy t prtect unclassified infrmatin. Page 10

FedRAMP Weaknesses fr Key Management N minimum requirements fr key parameters N explicit requirement fr Key Management Plicy (KMP) N explicit requirement fr Key Management Practices Statement (KMPS) N requirement fr key recvery Result Clud User has: Little visibility int clud key management Limited assurance f sundness f key management plicies, practices and peratins Page 11

Way Frward Establish Federal Prfile fr Clud Key Management Based n SP 800-152 (being develped) Mre stringent requirements due t Clud Envirnment FedRAMP require that CSPs Fllw Federal Prfile fr Clud Key Management Develp Key Management Plan (KMP) and Key Management Practices Statements (KMPS) NIST SP 800-57 Part 2: Best Practices fr Key Management Organizatin Have Mandatry 3 rd Party Auditing against KMP/KMPS Page 12

Wrap-Up and Cntact Infrmatin Dr. Sarbari Gupta Electrsft Email: sarbari@electrsft-inc.cm Phne: 703-437-9451 ext 12 LinkedIn: http://www.linkedin.cm/prfile/view?id=8759633 Page 13

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information