Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Crypto In The Cloud Secures Data In Spite Of Providers
Newest First  |  Oldest First  |  Threaded View
Gerry Grealish
Gerry Grealish,
 User Rank: Author
5/25/2012 | 2:58:37 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers


JDoherty - you bring up a good point about the termination
of the SSL tunnel. -áThere is indeed a vulnerability once you get inside
the SSL terminator and not a lot of people appear to have given much thought to
this. Kudos to your team for developing a solution. The federal government
seems to be a good target market for your product.-áHowever, even if you
address this SSL termination problem, don't you still need to encrypt the sensitive
data before it gets to the cloud to prevent access by unauthorized cloud
administrators or rogue access from malicious third parties?-á-áFor most
organizations, addressing the latter would seem to be of great importance, for
regulatory compliance as well as and brand preservation.



Quick question, for the Certes solution, are you using FIPS
140-2 crypto validation? That would seem to be the minimum requirement for the
federal government and any regulated industries.-á

JDOHERTY9274
JDOHERTY9274,
 User Rank: Apprentice
5/18/2012 | 7:06:53 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers




Another issue is protection of data in motion both to and inside
IaaS cloud networks.-á

Some providers offer a secure VPN but this is problematic
because the security keys are owned by the provider and the encryption tunnel
terminates at the GÇ£front doorGÇ¥ leaving data exposed within the cloud network. This
protects the data across the WAN, but not within the shared cloud network, and
it leaves the information vulnerable to confidentiality and integrity breaches.
It also leaves virtual servers in the cloud potentially vulnerable to attacks
from other tenants in the cloud environment when the cloud providerGÇÖs logical
separation of tenants breaks down through misconfiguration or other failures. IPsec
tunnels would provide adequate protection but point-to-point tunnels simply
donGÇÖt work in the cloud. Applications architected for LAN environments often donGÇÖt
encrypt connections to other servers, so they often need to be rewritten to
operate securely in the cloud.



We (Certes Networks) have recently announced and launched a
cloud version of our tunnel-less group encryption solution that provides data
in motion encryption that can scale to cloud deployments.-á This solution recently resulted in us being
included as a Gartner Cool Vendor for Cloud Security GÇô so while Dan Blum is
right in that the IaaS Security market is less mature than other areas, there
is a technology available that has leapfrogged other modalities in it efficacy.



DSTOTT000
DSTOTT000,
 User Rank: Apprentice
5/8/2012 | 7:58:07 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I fully agree with Pravin Kothari on the need for enterprises to assume concern for data residency and privacy when using cloud applications and equally, on the issues that were framed regarding key management. -áOne way to circumvent these challenges is to evaluate tokenization as an option. With tokenization, clear text data is replaced by a surrogate value - the same sort of approach that has been used in PCI DSS space for years now. With tokens there are no keys to manage and the data truly remains resident behind the enterpriseGÇÖs firewall. -áThis is an added benefit when an organization is required to adhere to specific data residency regulations. -á

In addition to the vendors cited here, readers may also want to evaluate PerspecSys. -áWhile it offers SaaS functionality preservation when using various encryption approaches (including FIPS 140-2 validated modules) it also offers the use of tokenization as a means of securing data before it goes to the cloud. -á
Kevin Bocek
Kevin Bocek,
 User Rank: Apprentice
5/8/2012 | 6:08:19 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
To CJones concern over encryption key ownership: I've heard others concered about placing encryption keys in cloud along with data. Providers like CipherCloud let you keep encryption keys and crypto proceses behind your firewall. You own your keys and control over data.
Gerry Grealish
Gerry Grealish,
 User Rank: Author
5/8/2012 | 2:15:16 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers


Interesting article and
perspectives shared by Gartner.-á PerspecSys is a leading solution provider
in this space.-á While it offers SaaS functionality preservation when using
various encryption approaches, including FIPS 140-2 validated modules, it also
pioneered the use of tokenization as a means of securing data before it goes to
the cloud.-á With tokenization, clear text data is replaced by a surrogate
token-á- the same sort of approach that has been used in PCI DSS space for
years now. But the breakthrough is that the "sort" and full "search" capabilities
of the SaaS application are retained. -á-áWith tokens there are no Keys
to manage and the data truly remains resident behind the enterpriseGÇÖs firewall
GÇô a real benefit when an organization needs to adhere to Data Residency
regulations. -áRegardless of the protection method GÇô via tokenization or
FIPS 140-2 certified encryption providers GÇô the PerspecSys approach is one
where standard application functionality is preserved.-á PerspecSys feels
that forcing an enterprise to choose either the functionality that users demand
or the protection that is required is an unfair proposition and our-ádesign principle is to be able to-ásatisfy both needs of the organization.

CiscoJones
CiscoJones,
 User Rank: Apprentice
5/8/2012 | 10:31:01 AM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I see a catch 22 here.-á Someone please explain if I missed something.-á You put data in the cloud and you want to make sure that it is secure so you encrypt it with a key and move it to the cloud.-á Now the data is in the cloud and secure; but, there is a problem because the data is not readable due to encryption.-á So you have to push the key to the cloud to unencrypt the data.-á When you are finished with the data, it is reencrypted with the key.-á This is the same issue as hard drive encryption.-á The most likely way someone is going to get your data is to exploit a vulnerability you should have patched on a server or one of your IT administrator's laptops.-á

I agree that it is necessary and solves the problem of having someone at the cloud provider copying or removing a drive.-á I just don't see this as a comprehensive solution.-á How about encryption for the whole virtual cluster?-á One key for everything.-á Now there is a scary thought.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file