
Comments
Crypto In The Cloud Secures Data In Spite Of Providers
CiscoJones
User Rank: Apprentice
5/8/2012 | 10:31:01 AM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I see a catch-22 here. Someone please explain if I missed something. You put data in the cloud and you want to make sure that it is secure, so you encrypt it with a key and move it to the cloud. Now the data is in the cloud and secure; but there is a problem because the data is not readable due to encryption. So you have to push the key to the cloud to unencrypt the data. When you are finished with the data, it is reencrypted with the key. This is the same issue as hard drive encryption. The most likely way someone is going to get your data is to exploit a vulnerability you should have patched on a server or one of your IT administrator's laptops.

I agree that it is necessary and solves the problem of having someone at the cloud provider copying or removing a drive. I just don't see this as a comprehensive solution. How about encryption for the whole virtual cluster? One key for everything. Now there is a scary thought.
Gerry Grealish
User Rank: Author
5/8/2012 | 2:15:16 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
Interesting article and perspectives shared by Gartner. PerspecSys is a leading solution provider in this space. While it offers SaaS functionality preservation when using various encryption approaches, including FIPS 140-2 validated modules, it also pioneered the use of tokenization as a means of securing data before it goes to the cloud. With tokenization, clear text data is replaced by a surrogate token, the same sort of approach that has been used in the PCI DSS space for years now. But the breakthrough is that the "sort" and full "search" capabilities of the SaaS application are retained. With tokens there are no keys to manage and the data truly remains resident behind the enterprise's firewall, a real benefit when an organization needs to adhere to Data Residency regulations. Regardless of the protection method, via tokenization or FIPS 140-2 certified encryption providers, the PerspecSys approach is one where standard application functionality is preserved. PerspecSys feels that forcing an enterprise to choose either the functionality that users demand or the protection that is required is an unfair proposition, and our design principle is to be able to satisfy both needs of the organization.

Kevin Bocek
User Rank: Apprentice
5/8/2012 | 6:08:19 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
To CJones' concern over encryption key ownership: I've heard others concerned about placing encryption keys in the cloud along with data. Providers like CipherCloud let you keep encryption keys and crypto processes behind your firewall. You own your keys and have control over your data.
DSTOTT000
User Rank: Apprentice
5/8/2012 | 7:58:07 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
I fully agree with Pravin Kothari on the need for enterprises to assume concern for data residency and privacy when using cloud applications and, equally, on the issues that were framed regarding key management. One way to circumvent these challenges is to evaluate tokenization as an option. With tokenization, clear text data is replaced by a surrogate value, the same sort of approach that has been used in the PCI DSS space for years now. With tokens there are no keys to manage and the data truly remains resident behind the enterprise's firewall. This is an added benefit when an organization is required to adhere to specific data residency regulations.

In addition to the vendors cited here, readers may also want to evaluate PerspecSys. While it offers SaaS functionality preservation when using various encryption approaches (including FIPS 140-2 validated modules), it also offers the use of tokenization as a means of securing data before it goes to the cloud.
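The tokenization model described in Gerry Grealish's and DSTOTT000's comments (surrogate values sent to the cloud, clear text kept behind the firewall, no encryption key to hand over), as an added illustration that is not any vendor's code: a constructed on-premises token vault with a gateway that still supports exact-match search on the cloud side. All class and function names and the sample records are assumptions made for this example.

```python
import secrets
from typing import Dict, List, Optional

# Constructed on-premises tokenization vault (illustration only, not a vendor
# product). The cloud side only ever receives surrogate tokens; the
# token -> clear text mapping lives in the vault behind the firewall, so no
# encryption key has to be pushed to the cloud. Trade-off: the vault now holds
# every sensitive value and becomes the asset that must be protected.
class TokenVault:
    def __init__(self, token_bytes: int = 8) -> None:
        self._token_bytes = token_bytes
        self._to_token: Dict[str, str] = {}  # clear text -> token
        self._to_clear: Dict[str, str] = {}  # token -> clear text

    def tokenize(self, clear: str) -> str:
        # Deterministic: the same clear text always yields the same token,
        # which is what lets the SaaS application keep exact-match search.
        tok = self._to_token.get(clear)
        if tok is None:
            # Random surrogate: no key derivation, no relation to the clear text.
            tok = "TOK_" + secrets.token_hex(self._token_bytes)
            while tok in self._to_clear:  # guard against an unlikely collision
                tok = "TOK_" + secrets.token_hex(self._token_bytes)
            self._to_token[clear] = tok
            self._to_clear[tok] = clear
        return tok

    def token_for(self, clear: str) -> Optional[str]:
        # Lookup without creating a new mapping (used for search queries).
        return self._to_token.get(clear)

    def detokenize(self, tok: str) -> Optional[str]:
        return self._to_clear.get(tok)

def upload_records(vault: TokenVault, records: List[dict], field: str) -> List[dict]:
    # What the gateway hands to the SaaS provider: the sensitive field replaced.
    return [{**r, field: vault.tokenize(r[field])} for r in records]

def cloud_search(vault: TokenVault, cloud_records: List[dict], field: str,
                 clear_value: str) -> List[dict]:
    # The gateway maps the query term to its token and the cloud matches on
    # that token; the clear value itself never leaves the enterprise.
    tok = vault.token_for(clear_value)
    return [] if tok is None else [r for r in cloud_records if r[field] == tok]

# Constructed sample records (fake SSNs) to show the flow end to end.
SAMPLE = [{"id": 1, "ssn": "123-45-6789"}, {"id": 2, "ssn": "987-65-4321"},
          {"id": 3, "ssn": "123-45-6789"}]
```

Deterministic tokens preserve equality search but also reveal to the provider which records share a value, and retaining "sort" would require order-preserving tokens that additionally leak ordering; both are properties to weigh when evaluating a tokenization gateway.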
JDOHERTY9274
User Rank: Apprentice
5/18/2012 | 7:06:53 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
Another issue is protection of data in motion both to and inside IaaS cloud networks.

Some providers offer a secure VPN but this is problematic because the security keys are owned by the provider and the encryption tunnel terminates at the "front door", leaving data exposed within the cloud network. This protects the data across the WAN, but not within the shared cloud network, and it leaves the information vulnerable to confidentiality and integrity breaches. It also leaves virtual servers in the cloud potentially vulnerable to attacks from other tenants in the cloud environment when the cloud provider's logical separation of tenants breaks down through misconfiguration or other failures. IPsec tunnels would provide adequate protection but point-to-point tunnels simply don't work in the cloud. Applications architected for LAN environments often don't encrypt connections to other servers, so they often need to be rewritten to operate securely in the cloud.

We (Certes Networks) have recently announced and launched a cloud version of our tunnel-less group encryption solution that provides data in motion encryption that can scale to cloud deployments. This solution recently resulted in us being included as a Gartner Cool Vendor for Cloud Security, so while Dan Blum is right in that the IaaS Security market is less mature than other areas, there is a technology available that has leapfrogged other modalities in its efficacy.

Gerry Grealish
User Rank: Author
5/25/2012 | 2:58:37 PM
re: Crypto In The Cloud Secures Data In Spite Of Providers
JDoherty - you bring up a good point about the termination of the SSL tunnel. There is indeed a vulnerability once you get inside the SSL terminator and not a lot of people appear to have given much thought to this. Kudos to your team for developing a solution. The federal government seems to be a good target market for your product. However, even if you address this SSL termination problem, don't you still need to encrypt the sensitive data before it gets to the cloud to prevent access by unauthorized cloud administrators or rogue access from malicious third parties? For most organizations, addressing the latter would seem to be of great importance, for regulatory compliance as well as brand preservation.

Quick question, for the Certes solution, are you using FIPS 140-2 crypto validation? That would seem to be the minimum requirement for the federal government and any regulated industries.

