Encryption for Cloud Services Security: Problem or Panacea? @Zulfikar_Ramzan / CTO / www.elastica.net

Similar documents
GLOBAL CLOUD DATA SECURITY REPORT Q2 2015: THE AUTHORITY ON HOW FINANCIAL SERVICES FIRMS ARE PROTECTING THEIR DATA IN THE CLOUD

1 Construction of CCA-secure encryption

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Tackling The Challenges of Big Data. Tackling The Challenges of Big Data Big Data Systems. Security is a Negative Goal. Nickolai Zeldovich

Microsoft Cloud Computing Research Centre

CPSC 467b: Cryptography and Computer Security

Privacy Patterns in Public Clouds

SECURITY ENHANCEMENT OF GROUP SHARING AND PUBLIC AUDITING FOR DATA STORAGE IN CLOUD

Content Teaching Academy at James Madison University

Lecture 9 - Message Authentication Codes

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

Associate Prof. Dr. Victor Onomza Waziri

Secure Computation Martin Beck

SECURITY THREATS AND BENEFITS OF CLOUD COMPUTING TRANSITIONING TO A NEW WAY OF DOING BUSINESS

Security for Cloud & Big Data

A NOVEL APPROACH FOR MULTI-KEYWORD SEARCH WITH ANONYMOUS ID ASSIGNMENT OVER ENCRYPTED CLOUD DATA

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

1 Message Authentication

Authenticated encryption

What You Need to Know About CLOUD INFORMATION PROTECTION SOLUTIONS

Lecture 3: One-Way Encryption, RSA Example

How To Teach A Cyber Security Course

AN OFFLINE CAPTURE THE FLAG-STYLE VIRTUAL MACHINE FOR CYBER SECURITY EDUCATION

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Chapter 17. Transport-Level Security

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Sync Security and Privacy Brief

CLOUD ACCESS SECURITY BROKERS

How To Get To A Cloud Storage And Byod System

A Secure Decentralized Access Control Scheme for Data stored in Clouds

Restructuring the NSA Metadata Program

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Center for Internet Security. INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO

Survey on Securing Data using Homomorphic Encryption in Cloud Computing

Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California,

A Survey of Cloud Storage Security Research. Mar Kheng Kok Nanyang Polytechnic

WHITE PAPER

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Client Server Registration Protocol

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Integrating Single Sign-on Across the Cloud By David Strom

Encrypting Data at Rest

Overview of Public-Key Cryptography

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Lecture 17: Re-encryption

How To Encrypt With A 64 Bit Block Cipher

Princeton University Computer Science COS 432: Information Security (Fall 2013)

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

SECURITY FOR ENCRYPTED CLOUD DATA BY USING TOP-KEY TREE TECHNOLOGIES

Chapter 3. Network Domain Security

The Netskope Active Platform

Full Drive Encryption Security Problem Definition - Encryption Engine

Counter Expertise Review on the TNO Security Analysis of the Dutch OV-Chipkaart. OV-Chipkaart Security Issues Tutorial for Non-Expert Readers

Message Authentication Codes

Independent Security. Prepared for:

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

A CLOUD SECURITY APPROACH FOR DATA AT REST USING FPE

WHITEPAPER SAML ALONE IS NOT SECURE - HERE S HOW TO FIX IT

Office 365 Cloud App Security MARKO DJORDJEVIC CLOUD BUSINESS LEAD EE TREND MICRO EMEA LTD.

A Secure RFID Ticket System For Public Transport

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

A Fully Homomorphic Encryption Implementation on Cloud Computing

How To Encrypt Data With Encryption

Information Security

BMC s Security Strategy for ITSM in the SaaS Environment

Big Data - Security and Privacy

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Computing on Encrypted Data

Data Privacy & Compliance in the Cloud

WHITE PAPER AUGUST 2014

BBM Protected: Secure enterprise- GrAde MoBIle MeSSAGING

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

KEYS TO CLOUD APP SECURITY

How SSL-Encrypted Web Connections are Intercepted

Secure Network Communications FIPS Non Proprietary Security Policy

Looking Ahead The Path to Moving Security into the Cloud

Securing the Database Stack

BBM Protected Secure mobile

I D C V E N D O R S P O T L I G H T. S e c u r i n g Cloud and Mobile W h i le Keeping E m p l o ye e s H a ppy

Fully homomorphic encryption equating to cloud security: An approach

An Efficient Multi-Keyword Ranked Secure Search On Crypto Drive With Privacy Retaining

Adopting Cloud Apps? Ensuring Data Privacy & Compliance. Varun Badhwar Vice President of Product Strategy CipherCloud

Security Analysis for Order Preserving Encryption Schemes

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

CSCE 465 Computer & Network Security

CIS 5371 Cryptography. 8. Encryption --

Key Management Interoperability Protocol (KMIP)

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

Lecture 6 - Cryptography

Keywords: cloud computing, multiple keywords, service provider, search request, ranked search

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Cryptographic Data Security over Cloud

Data Protection: From PKI to Virtualization & Cloud

Taking a Data-Centric Approach to Security in the Cloud

Attestation and Authentication Protocols Using the TPM

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

Transcription:

Encryption for Cloud Services Security: Problem or Panacea? @Zulfikar_Ramzan / CTO / www.elastica.net

Tectonic Shift in the Market SaaS On-Premise Many pieces to Buy, Assemble & Operate No visibility / control 2

NOT SURE WHY PEOPLE THINK SAAS SECURITY IS HARD! WE LL JUST ENCRYPT OUR DATA! PROBLEM SOLVED!

TENOR OF THIS TALK ACADEMIC PERSPECTIVE BROADLY ACCESSIBLE NOT AN ACADEMIC TALK

OUTLINE WHAT IS ENCRYPTION AND HOW MIGHT IT BE USED TO SECURE SAAS APPLICATIONS? CHALLENGES, WORKAROUNDS, LIMITATIONS TO WORKAROUNDS MARKETING MYTHBUSTERS BROADER PERSPECTIVES ON SAAS SECURITY

WHAT IS ENCRYPTION? PLAINTEXT CIPHERTEXT PLAINTEXT Keyed transformation that converts plaintext to ciphertext Transformation should look random to any computationally bounded adversary with extensive black-box access to encryption / decryption routines Security predicated on secrecy of the key (and not on secrecy of algorithm) Kerchoff s Principle

ENCRYPTION FOR SaaS SaaS Attempt to encrypt data en-route to SaaS Provider (e.g., via forward proxy, reverse proxy, etc.). Decrypt traffic en-route from SaaS provider back to user.

Key SaaS Encryption Hurdles SaaS is not just storage! Need search, sort, analytics! Preserve Format? Manage Keys

Approaches HOMOMORPHIC ENCRYPTION SEARCHABLE ENCRPYPTION ORDER- PRESERVING ENCRPYPTION FORMAT- PRESERVING ENCRYPTION SELECTIVE TOKENIZATION

Fully Homomorphic Encryption [Gentry et al.] 7 10 3 Allows arbitrary computation on encrypted data Permits search, sort, SQL queries, etc., on cloud encrypted data Still very impractical Have to relax security (being able to manipulate encrypted data can be a big deal) Newer (and less well studied) assumptions

Searchable Symmetric Encryption aardvark bobcat camel camel camel dingo Permits keyword search on encrypted data Much faster than fully homomorphic encryption Works by having a separate encrypted index Only permits very basic keyword search Information leaks (deterministic encryption) Scale issues as index gets bigger

Order-Preserving Symmetric Encryption Alice A0FD41. Bob C373BA2 Carol Dave D6FF132 FF12A28 Encrypts data, while retaining sorted order Much faster than fully homomorphic encryption Still significant performance overhead Weaker security since information leaks

Format-Preserving Encryption DE19AFBCC2. 123-456-7890 VS 931-38-7622 Able to preserve format needed by SaaS application Fairly efficient (practical) Weak security especially if final format must be short General security of schemes not as well vetted

Tokenization 123-456-7890 931-38-7622 Look-up Table... 123-456-7890 <-> 931-38-7622... SaaS Elegant way to handle format preservation Fairly efficient (practical) Provides compliance boundary Only selective protection (fewer use cases) Might inhibit analytics New burden of maintaining look-up table Have to worry about scale

Mythbusters (SaaS Encryption Edition!) We use AES for encryption therefore we are secure! AES isn t a security panacea. It s a tool. Perfectly good tools can be used in completely bad ways.

Mythbusters (SaaS Encryption Edition!) We use are FIPS 140-x certified therefore we are secure! FIPS Certification is usually limited to one aspect of system security. Different types of certification have different implications (algorithm vs. library) May have perfectly valid algorithm, but used in an insecure way.

Mythbusters (SaaS Encryption Edition!) We use proprietary, home-grown methods Cryptographic algorithms and protocols should only be designed by people who really know what they are doing Even experts get it wrong sometimes, so you need extensive peer review

The SaaS Security Landscape SINGLE SIGN ON CONTINUOUS MONITORING CLOUD IDS/IPS MALWARE DETECTION ENCRYPTION SHADOW IT DISCOVERY SAAS AUDIT / RISK ASSESSMENT CLOUD DLP POLICY ENFORCEMENT For each security capability needed in the context of on-premises applications, analogous functionality is needed for SaaS applications

Revisiting Original Question Is good encryption / tokenization a panacea for SaaS Security? SaaS is more than storage (search, sort, analytics) Promising research, but fundamental limitations Important to avoid getting caught up in the hype Encryption: just one piece of security stack

Further Info: Search: {Elastica} + (SOC Talks Blog) @zulfikar_ramzan, @elasticainc Thank you

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information