
Comments
Crypto In The Cloud Secures Data In Spite Of Providers
Gerry Grealish
User Rank: Author
5/25/2012 | 2:58:37 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers


JDoherty - you bring up a good point about the termination of the SSL tunnel. There is indeed a vulnerability once you get inside the SSL terminator, and not a lot of people appear to have given much thought to this. Kudos to your team for developing a solution. The federal government seems to be a good target market for your product. However, even if you address this SSL termination problem, don't you still need to encrypt the sensitive data before it gets to the cloud to prevent access by unauthorized cloud administrators or rogue access from malicious third parties? For most organizations, addressing the latter would seem to be of great importance, for regulatory compliance as well as brand preservation.

Quick question, for the Certes solution, are you using FIPS 140-2 crypto validation? That would seem to be the minimum requirement for the federal government and any regulated industries.

JDOHERTY9274
User Rank: Apprentice
5/18/2012 | 7:06:53 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers




Another issue is protection of data in motion both to and inside IaaS cloud networks.

Some providers offer a secure VPN but this is problematic because the security keys are owned by the provider and the encryption tunnel terminates at the "front door", leaving data exposed within the cloud network. This protects the data across the WAN, but not within the shared cloud network, and it leaves the information vulnerable to confidentiality and integrity breaches. It also leaves virtual servers in the cloud potentially vulnerable to attacks from other tenants in the cloud environment when the cloud provider's logical separation of tenants breaks down through misconfiguration or other failures. IPsec tunnels would provide adequate protection but point-to-point tunnels simply don't work in the cloud. Applications architected for LAN environments often don't encrypt connections to other servers, so they often need to be rewritten to operate securely in the cloud.

We (Certes Networks) have recently announced and launched a cloud version of our tunnel-less group encryption solution that provides data in motion encryption that can scale to cloud deployments. This solution recently resulted in us being included as a Gartner Cool Vendor for Cloud Security - so while Dan Blum is right in that the IaaS Security market is less mature than other areas, there is a technology available that has leapfrogged other modalities in its efficacy.



DSTOTT000
User Rank: Apprentice
5/8/2012 | 7:58:07 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I fully agree with Pravin Kothari on the need for enterprises to assume concern for data residency and privacy when using cloud applications and equally, on the issues that were framed regarding key management. One way to circumvent these challenges is to evaluate tokenization as an option. With tokenization, clear text data is replaced by a surrogate value - the same sort of approach that has been used in the PCI DSS space for years now. With tokens there are no keys to manage and the data truly remains resident behind the enterprise's firewall. This is an added benefit when an organization is required to adhere to specific data residency regulations.

In addition to the vendors cited here, readers may also want to evaluate PerspecSys. While it offers SaaS functionality preservation when using various encryption approaches (including FIPS 140-2 validated modules) it also offers the use of tokenization as a means of securing data before it goes to the cloud.
Kevin Bocek
User Rank: Apprentice
5/8/2012 | 6:08:19 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
To CJones' concern over encryption key ownership: I've heard others concerned about placing encryption keys in the cloud along with data. Providers like CipherCloud let you keep encryption keys and crypto processes behind your firewall. You own your keys and keep control over your data.
Gerry Grealish
User Rank: Author
5/8/2012 | 2:15:16 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers


Interesting article and perspectives shared by Gartner. PerspecSys is a leading solution provider in this space. While it offers SaaS functionality preservation when using various encryption approaches, including FIPS 140-2 validated modules, it also pioneered the use of tokenization as a means of securing data before it goes to the cloud. With tokenization, clear text data is replaced by a surrogate token - the same sort of approach that has been used in the PCI DSS space for years now. But the breakthrough is that the "sort" and full "search" capabilities of the SaaS application are retained. With tokens there are no keys to manage and the data truly remains resident behind the enterprise's firewall - a real benefit when an organization needs to adhere to data residency regulations. Regardless of the protection method - via tokenization or FIPS 140-2 certified encryption providers - the PerspecSys approach is one where standard application functionality is preserved. PerspecSys feels that forcing an enterprise to choose either the functionality that users demand or the protection that is required is an unfair proposition, and our design principle is to be able to satisfy both needs of the organization.
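The vault-style tokenization described in DSTOTT000's comment and in the comment above, as an added example that is not part of the original thread and is not PerspecSys, CipherCloud or Certes code. The gateway swaps sensitive fields for random surrogate tokens on the way to a stand-in "cloud" store and restores them on the way back; the vault, the cloud store, the record layout and the `SENSITIVE_FIELDS` list are all constructed for this example. It also shows the practical limit behind the "sort and search preserved" claim: with random tokens, exact-match search still works because the same cleartext always gets the same token, but sorting a tokenized column in the cloud no longer yields cleartext order.

```python
import secrets
from typing import Dict, List, Optional

# Field names the gateway treats as sensitive (constructed for this example).
SENSITIVE_FIELDS = ("ssn", "email")

Record = Dict[str, str]


class TokenVault:
    """On-premises token vault: the only place a token maps back to cleartext.

    No cryptographic key is involved. Tokens are random surrogates and the
    mapping itself is the secret, so the vault must be backed up and access
    controlled as carefully as a key store: lose it and the data is gone.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting one on first sight.

        The same cleartext always gets the same token, which is what lets an
        exact-match search keep working in the SaaS application. The price is
        that equal values are visibly equal in the cloud copy (frequency leakage).
        """
        token = self._by_value.get(value)
        if token is None:
            # 128 random bits: the token carries no information about the
            # cleartext, so a breach of the cloud copy reveals only surrogates.
            token = "tok_" + secrets.token_hex(16)
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def token_for(self, value: str) -> Optional[str]:
        """Look up an existing token without minting one (used for queries)."""
        return self._by_value.get(value)

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


class CloudStore:
    """Stand-in for the SaaS application. It only ever receives tokens."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def insert(self, record: Record) -> None:
        self.records.append(record)

    def search(self, field: str, needle: str) -> List[Record]:
        return [r for r in self.records if r.get(field) == needle]

    def sort_by(self, field: str) -> List[Record]:
        return sorted(self.records, key=lambda r: r.get(field, ""))


def upload(vault: TokenVault, cloud: CloudStore, record: Record) -> Record:
    """Outbound path: swap sensitive fields for tokens before the cloud sees the record."""
    outbound = {k: (vault.tokenize(v) if k in SENSITIVE_FIELDS else v)
                for k, v in record.items()}
    cloud.insert(outbound)
    return outbound


def restore(vault: TokenVault, record: Record) -> Record:
    """Inbound path: put cleartext back into a record returned by the cloud."""
    return {k: (vault.detokenize(v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def search(vault: TokenVault, cloud: CloudStore, field: str, needle: str) -> List[Record]:
    """Exact-match search: tokenize the query value, query the cloud, detokenize the hits."""
    if field in SENSITIVE_FIELDS:
        token = vault.token_for(needle)
        if token is None:          # never tokenized, so it cannot be in the cloud
            return []
        needle = token
    return [restore(vault, r) for r in cloud.search(field, needle)]


def sort_preserved(vault: TokenVault, cloud: CloudStore, field: str) -> bool:
    """Does sorting in the cloud on `field` give cleartext order?

    With random tokens this holds for non-sensitive fields only: token order is
    unrelated to cleartext order, so a tokenized column must be sorted after
    detokenization (or tokenized with a deliberately order-preserving scheme,
    which leaks more).
    """
    cloud_order = [restore(vault, r)[field] for r in cloud.sort_by(field)]
    return cloud_order == sorted(cloud_order)
```

Two operational caveats follow from the code: the vault is a single point of failure and of trust (it holds all cleartext, so it needs the same availability and access-control treatment a key management system would), and deterministic tokens reveal which records share a value, so a low-cardinality field such as a country code is effectively exposed even though no key ever leaves the premises.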

CiscoJones
User Rank: Apprentice
5/8/2012 | 10:31:01 AM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I see a catch-22 here. Someone please explain if I missed something. You put data in the cloud and you want to make sure that it is secure so you encrypt it with a key and move it to the cloud. Now the data is in the cloud and secure; but, there is a problem because the data is not readable due to encryption. So you have to push the key to the cloud to unencrypt the data. When you are finished with the data, it is re-encrypted with the key. This is the same issue as hard drive encryption. The most likely way someone is going to get your data is to exploit a vulnerability you should have patched on a server or one of your IT administrator's laptops.

I agree that it is necessary and solves the problem of having someone at the cloud provider copying or removing a drive. I just don't see this as a comprehensive solution. How about encryption for the whole virtual cluster? One key for everything. Now there is a scary thought.

