
Comments
Crypto In The Cloud Secures Data In Spite Of Providers
Gerry Grealish, User Rank: Author
5/25/2012 | 2:58:37 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers

JDoherty - you bring up a good point about the termination of the SSL tunnel. There is indeed a vulnerability once you get inside the SSL terminator and not a lot of people appear to have given much thought to this. Kudos to your team for developing a solution. The federal government seems to be a good target market for your product. However, even if you address this SSL termination problem, don't you still need to encrypt the sensitive data before it gets to the cloud to prevent access by unauthorized cloud administrators or rogue access from malicious third parties? For most organizations, addressing the latter would seem to be of great importance, for regulatory compliance as well as brand preservation.

Quick question, for the Certes solution, are you using FIPS 140-2 crypto validation? That would seem to be the minimum requirement for the federal government and any regulated industries.

JDOHERTY9274, User Rank: Apprentice
5/18/2012 | 7:06:53 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers

Another issue is protection of data in motion both to and inside IaaS cloud networks.

Some providers offer a secure VPN but this is problematic because the security keys are owned by the provider and the encryption tunnel terminates at the "front door" leaving data exposed within the cloud network. This protects the data across the WAN, but not within the shared cloud network, and it leaves the information vulnerable to confidentiality and integrity breaches. It also leaves virtual servers in the cloud potentially vulnerable to attacks from other tenants in the cloud environment when the cloud provider's logical separation of tenants breaks down through misconfiguration or other failures. IPsec tunnels would provide adequate protection but point-to-point tunnels simply don't work in the cloud. Applications architected for LAN environments often don't encrypt connections to other servers, so they often need to be rewritten to operate securely in the cloud.

We (Certes Networks) have recently announced and launched a cloud version of our tunnel-less group encryption solution that provides data in motion encryption that can scale to cloud deployments. This solution recently resulted in us being included as a Gartner Cool Vendor for Cloud Security - so while Dan Blum is right in that the IaaS Security market is less mature than other areas, there is a technology available that has leapfrogged other modalities in its efficacy.

DSTOTT000, User Rank: Apprentice
5/8/2012 | 7:58:07 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I fully agree with Pravin Kothari on the need for enterprises to assume concern for data residency and privacy when using cloud applications and equally, on the issues that were framed regarding key management. One way to circumvent these challenges is to evaluate tokenization as an option. With tokenization, clear text data is replaced by a surrogate value - the same sort of approach that has been used in PCI DSS space for years now. With tokens there are no keys to manage and the data truly remains resident behind the enterprise's firewall. This is an added benefit when an organization is required to adhere to specific data residency regulations.

In addition to the vendors cited here, readers may also want to evaluate PerspecSys. While it offers SaaS functionality preservation when using various encryption approaches (including FIPS 140-2 validated modules) it also offers the use of tokenization as a means of securing data before it goes to the cloud.
Kevin Bocek, User Rank: Apprentice
5/8/2012 | 6:08:19 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
To CJones' concern over encryption key ownership: I've heard others concerned about placing encryption keys in the cloud along with data. Providers like CipherCloud let you keep encryption keys and crypto processes behind your firewall. You own your keys and have control over your data.
Gerry Grealish, User Rank: Author
5/8/2012 | 2:15:16 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers

Interesting article and perspectives shared by Gartner. PerspecSys is a leading solution provider in this space. While it offers SaaS functionality preservation when using various encryption approaches, including FIPS 140-2 validated modules, it also pioneered the use of tokenization as a means of securing data before it goes to the cloud. With tokenization, clear text data is replaced by a surrogate token - the same sort of approach that has been used in PCI DSS space for years now. But the breakthrough is that the "sort" and full "search" capabilities of the SaaS application are retained. With tokens there are no keys to manage and the data truly remains resident behind the enterprise's firewall - a real benefit when an organization needs to adhere to Data Residency regulations. Regardless of the protection method - via tokenization or FIPS 140-2 certified encryption providers - the PerspecSys approach is one where standard application functionality is preserved. PerspecSys feels that forcing an enterprise to choose either the functionality that users demand or the protection that is required is an unfair proposition and our design principle is to be able to satisfy both needs of the organization.
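As an added illustration of the tokenization approach described in this comment and in DSTOTT000's comment above (example code written for this page, not code from any commenter, from PerspecSys, or from the article): a hypothetical in-memory vault that stays on the enterprise side, a gateway step that swaps sensitive fields for tokens before records go to the SaaS provider, and the reverse step when they come back. Tokens are random values, so the provider's copy holds nothing derivable from the clear text, and because equal values map to the same token, an equality search still works on the cloud copy. The sort-preserving capability mentioned above is not demonstrated here, and the field names and sample records are constructed.

```python
import secrets
from typing import Dict, List, Optional

# Fields that must never leave the enterprise in clear text (constructed list).
SENSITIVE_FIELDS = ("ssn", "account_number")


class TokenVault:
    """Hypothetical in-memory tokenization vault that stays behind the
    enterprise firewall. Tokens are random, so nothing about the clear text
    can be derived from a token; the only way back is through this vault."""

    def __init__(self) -> None:
        self._value_to_token: Dict[str, str] = {}
        self._token_to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Consistent tokenization: the same clear-text value always yields the
        # same token, so the SaaS side can still match records on equality.
        token = self._value_to_token.get(value)
        if token is None:
            while True:
                token = "tok_" + secrets.token_hex(8)  # random, not derived from value
                if token not in self._token_to_value:
                    break
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for a token this vault never issued.
        return self._token_to_value[token]


def tokenize_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Outbound gateway step: replace sensitive fields before upload."""
    return {k: (vault.tokenize(v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def detokenize_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Inbound gateway step: restore clear text for on-premises users."""
    return {k: (vault.detokenize(v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def cloud_search(cloud_records: List[Dict[str, str]], field: str,
                 token: str) -> List[Dict[str, str]]:
    """Stand-in for the SaaS application's search: it only ever sees tokens."""
    return [r for r in cloud_records if r.get(field) == token]


# Constructed sample records; the values are not real.
SAMPLE_RECORDS = [
    {"name": "A. Customer", "ssn": "123-45-6789", "account_number": "ACCT-0001"},
    {"name": "B. Customer", "ssn": "987-65-4321", "account_number": "ACCT-0002"},
    {"name": "C. Customer", "ssn": "123-45-6789", "account_number": "ACCT-0003"},
]


def run_demo(vault: Optional[TokenVault] = None):
    """Tokenize the sample set, search the cloud copy by token, detokenize.
    Returns (cloud_copy, hits, restored)."""
    if vault is None:
        vault = TokenVault()
    cloud_copy = [tokenize_record(r, vault) for r in SAMPLE_RECORDS]
    # The enterprise side tokenizes the search term; the provider matches tokens.
    hits = cloud_search(cloud_copy, "ssn", vault.tokenize("123-45-6789"))
    restored = [detokenize_record(r, vault) for r in cloud_copy]
    return cloud_copy, hits, restored


if __name__ == "__main__":
    cloud_copy, hits, restored = run_demo()
    print("cloud copy:", cloud_copy)
    print("cloud-side hits for one SSN token:", len(hits))
    print("restored equals original:", restored == SAMPLE_RECORDS)
```

The design point is where the mapping lives: the vault dictionary is the only link between a token and its value, so data residency reduces to keeping that store (and the gateway that consults it) inside the enterprise boundary, with no key material to manage on the provider's side.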

CiscoJones, User Rank: Apprentice
5/8/2012 | 10:31:01 AM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I see a catch-22 here. Someone please explain if I missed something. You put data in the cloud and you want to make sure that it is secure so you encrypt it with a key and move it to the cloud. Now the data is in the cloud and secure; but, there is a problem because the data is not readable due to encryption. So you have to push the key to the cloud to unencrypt the data. When you are finished with the data, it is reencrypted with the key. This is the same issue as hard drive encryption. The most likely way someone is going to get your data is to exploit a vulnerability you should have patched on a server or one of your IT administrator's laptops.

I agree that it is necessary and solves the problem of having someone at the cloud provider copying or removing a drive. I just don't see this as a comprehensive solution. How about encryption for the whole virtual cluster? One key for everything. Now there is a scary thought.
