Risk
10/10/2013
07:54 PM
Elad Yoran
Elad Yoran
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Don't Let 'Spooks' Get Your Cloud Data

Lesson from National Cyber Security Awareness Month: Keys are the key, and keep it simple.

This is the 10th anniversary of the Department of Homeland Security's National Cyber Security Awareness Month. Is it coincidence, or did DHS choose October on purpose? I ask because security has certainly gotten scary lately. Whether it's attackers stealing Adobe's customer data in a series of sophisticated assaults or the NSA gaining access to cloud data, it seems each day we're reminded that protecting our information and privacy from cyber threats demands constant vigilance. While security is a complex system, like most everything else in life, if you can keep it simple, it's easier to manage.

With the current slate of headlines putting the spotlight on cloud data security, two prominent organizations in that sphere recently issued updated best practices for protection of data stored and processed in third-party clouds. The common link: encryption.

In both the Cloud Security Alliance's updated Cloud Control Matrix and the National Institute of Standards and Technology (NIST) September Interagency Report, encryption key management, in particular, features prominently:


"Strong encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider." -- CSA CCM v3, Encryption & Key Management

"...in all architectural solutions where cryptographic keys are stored in the cloud, there is a limit to the degree of security assurance that the cloud Consumer can expect to get, due to the fact that the logical and physical organization of the storage resources are entirely under the control of the cloud Provider." -- NIST Interagency or Internal Report 7956 (September 2013)

[ Respondents to the InformationWeek 2013 Strategic Security Survey rate encryption the No. 2 most effective security practice, behind firewalls. See more here. ]

If you don't want "ghouls" stealing your customer data or government "spooks" twisting your cloud provider's arm to hand over information, it's crucial to retain ownership and control of encryption keys. In fact, while doing encryption key management in-house may seem down in the weeds, allowing someone else to hold your keys has direct consequences on the business. I argue that key management should be a priority agenda item not just for the chief security officer but also CEOs and boards of directors, especially for any company that stores or processes data in the cloud. What recent headlines have reinforced is the simple fact that the person or entity that controls and manages the encryption keys has effective control over the data. It really is that simple. When nobody else has the encryption keys, any entity seeking to decrypt data needs to demand the keys directly from the data owner.

chart: security practices

With direct control of encryption keys, businesses may also:

-- Maintain their compliance responsibility for adequate data protection safeguards

-- Address data residency and privacy regulations for data stored and processed in the cloud

-- Respond directly to government and law enforcement subpoenas for cloud data

-- Implement and enforce best practices for securing and governing cloud data

Three Data Security Tricks

While holding onto the keys is critical, any approach to protecting data in the cloud must incorporate three other elements to ensure its effectiveness:

-- First, encryption must be invisible to the end user, both to ensure that the business gains the full productivity benefit of the service and also to ensure that users aren't motivated to find ways around security measures because they get in the way of business processes. Simply, it needs to be a part of the existing workflow and remain frictionless for the user.

-- Second, data must be persistently encrypted throughout its life cycle, whether in transit, at rest or in use.

-- Third, the encryption scheme must be watertight. If the encryption itself is easily broken, who holds the keys no longer matters. The 256-AES algorithm should be non-negotiable. Anything else isn't strong enough.

So as October rolls on and we read more about cybersecurity issues, stay grounded in the fundamentals and control the things you can control. While it's impossible to guarantee you'll never be the target of a cyber attack, you can put yourself in the best position to defend, deflect or mitigate it. And with data, what you can control is encryption keys -- whether data is on-premises or in the cloud.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Eddie Mayan
50%
50%
Eddie Mayan,
User Rank: Apprentice
10/14/2013 | 11:34:16 AM
re: Don't Let 'Spooks' Get Your Cloud Data
Consult about Security for your product to cloudways here: http://www.cloudways.com/en/cl...
Ulf Mattsson
50%
50%
Ulf Mattsson,
User Rank: Apprentice
10/11/2013 | 9:49:27 PM
re: Don't Let 'Spooks' Get Your Cloud Data
I agree that "it's crucial to retain ownership and control of encryption keys", but sensitive data can still be exposed.
If you outsource to a public-cloud provider, they often have multiple data storage systems located in multiple data centers, which may often be in multiple countries or regions. Consequently, the client may not know the location of their data, or the data may exist in one or more of several locations at any particular time. Additionally, a client may have little or no visibility into the controls protecting their stored data. This can make validation of data security and access controls for a specific data set particularly challenging. In a public-cloud environment, one clientG«÷s data is typically stored with data belonging to multiple other clients. This makes a public cloud an attractive target for attackers, as the potential gain may be greater than that to be attained from attacking a number of organizations individually.
I think that the good news here is that strong data-level security can be enforced on all sensitive or potentially sensitive data before it is sent to the cloud.
I recently read an interesting report from the Aberdeen Group that revealed that G«£Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure than tokenization non-usersG«•. The name of the study, is G«£Tokenization Gets TractionG«•.
Ulf Mattsson, CTO Protegrity
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the ďsecurity connectedĒ approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.