Click here to close now.

Welcome!

Microservices Journal Authors: Liz McMillan, Pat Romanski, Elizabeth White, JP Morgenthal, Carmen Gonzalez

Related Topics: Cloud Expo, Microservices Journal, Virtualization, Security

Cloud Expo: Article

Cloud Security: Encryption Is Key

Cloud security should include a blend of traditional security elements combined with new “cloud-adjusted” security technologies

Today, with enterprises migrating to the cloud, the security challenge around protecting data is greater than ever before. Keeping data private and secure has always been a business imperative. But for many companies and organizations, it has also become a compliance requirement and a necessity to stay in business. Standards including HIPAA, Sarbanes-Oxley, PCI DSS and the Gramm-Leach-Bliley Act all require that organizations protect their data at rest and provide defenses against data loss and threats.

Public cloud computing is the delivery of computing as a service rather than as a product, and is usually categorized into three service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). When it comes to public cloud security, all leading cloud providers are investing significant efforts and resources in securing and certifying their datacenters. However, as cloud computing matures, enterprises are learning that cloud security cannot be delivered by the cloud provider alone. In fact, cloud providers make sure enterprises know that security is a shared responsibility, and that cloud customers do share responsibility for data security, protection from unauthorized access, and backup of their data.

Actually, this "shared responsibility" makes sense most of the time. The responsibility of cloud providers offering Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) reasonably extends to the network and the infrastructure they provide. In fact, a typical agreement between you and your cloud provider will usually state that "...you acknowledge that you bear sole responsibility for adequate security..." So businesses hosting their applications in the cloud understand that they must share responsibility for ensuring the security of their data.

As cloud computing becomes increasingly more mainstream, it's harder to distinguish the generic security issues that an IT manager needs to tackle, from those that are specific to cloud computing. Issues such as roles and responsibilities, secure application development, least privilege and many more apply equally well in traditional on-premise environments as they do in the cloud.

When an IT application is moved to a public cloud, all of the old security risks associated with it in the past still exist but, in addition, there are new risk vectors. Previously your servers and your data were physically protected within your server room. Now the "virtual servers" and "virtual storage devices" are accessible to you, the customer, via a browser; raising the concern that hackers may attempt to access the same. Here are some new risks scenarios to consider when migrating to the cloud:

  1. Snapshotting your virtual storage by gaining access to your cloud console.
    A malicious user might gain access to your cloud console by stealing your credentials or by exploiting vulnerabilities in cloud access control. In any case, once inside your account, a "snapshot" of your virtual disks will allow an attacker to move a copy of your virtual storage to his or her preferred location and abuse the data stored on those virtual disks. This risk is in our opinion the most obvious reason to deploy data encryption in the cloud, but surprisingly enough, not all companies are aware of the threat and unknowingly expose their cloud-residing data to this significant risk.
  2. Gaining access from a different server within the same account.
    Gaining access to sensitive data from a different virtual server inside the same account can be achieved by an attacker exploiting a vulnerability on that other server (such as a misconfiguration), or by one of your other cloud system administrators (a "malicious insider" from a different project in your own organization) using credentials or exploiting one of many known web application vulnerabilities to launch an attack on your virtual server. Unencrypted data can be exposed and stolen using this method.
  3. The insider threat.
    Though this scenario gets mentioned a lot, it's unlikely that a cloud provider employee will be involved in data theft. The more realistic scenario is an accidental incident related to an insider with physical access to the data center. One well-known example is the HealthNet case where 1.9 million customer records of HealthNet, a major US health insurer, were lost after its IT vendor misplaced nine server drives following a move to a new data center. According to HIPAA rules, disk-level encryption would have negated the incident impact.

The industry consensus is that encryption is an essential first step in achieving cloud computing security. An effective solution needs to meet four critical needs: High security, convenient management, robust performance and regulatory compliance. Data at rest is no longer between the proverbial "four walls" of the enterprise; the data owner is managing their own data with browsers and cloud APIs, and the concern is that a hacker can do the same. As such, cloud encryption is recognized as a basic building block of cloud security, though one difficult question has remained - where to store the encryption keys, since the keys cannot safely be stored in the cloud along with the data.

Protecting Content with Cloud Encryption and Key Management
Encryption technology is only as secure as the encryption keys. You have to keep your keys in a safe place. You need a cloud key management solution that can support encryption of your data and should supply the encryption keys for files, databases (whether the complete database or at the column, table, or tablespace level), or disks. This is actually the trickiest security question when implementing encryption in the cloud and requires thought and expertise. For example, database encryption keys are often kept in a database "wallet," which is often a file on your virtual disk. The concern is that hackers will attack the virtual disk in the cloud, and from there get access to the wallet, and through the wallet access the data.

Conclusion
Encrypting sensitive data in the cloud is an absolute must. Cloud security should include a blend of traditional security elements combined with new "cloud-adjusted" security technologies. Encryption should be a key part of your cloud security strategy due to the new cloud threat vectors (but also due to regulations such as the Patriot Act), and you should pay specific attention to key management.

More Stories By Ariel Dan

Ariel Dan is co-founder and Executive Vice President at Porticor cloud security. Follow him on twitter: @ariel_dan

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
Enterprises are fast realizing the importance of integrating SaaS/Cloud applications, API and on-premises data and processes, to unleash hidden value. This webinar explores how managers can use a Microservice-centric approach to aggressively tackle the unexpected new integration challenges posed by proliferation of cloud, mobile, social and big data projects. Industry analyst and SOA expert Jason Bloomberg will strip away the hype from microservices, and clearly identify their advantages and d...
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
Over the years, a variety of methodologies have emerged in order to overcome the challenges related to project constraints. The successful use of each methodology seems highly context-dependent. However, communication seems to be the common denominator of the many challenges that project management methodologies intend to resolve. In this respect, Information and Communication Technologies (ICTs) can be viewed as powerful tools for managing projects. Few research papers have focused on the way...
As the world moves from DevOps to NoOps, application deployment to the cloud ought to become a lot simpler. However, applications have been architected with a much tighter coupling than it needs to be which makes deployment in different environments and migration between them harder. The microservices architecture, which is the basis of many new age distributed systems such as OpenStack, Netflix and so on is at the heart of CloudFoundry – a complete developer-oriented Platform as a Service (PaaS...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading in...
The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential. The DevOps Summit at Cloud Expo – to be held June 3-5, 2015, at the Javits Center in New York City – will expand the DevOps community, enable a wide...
There’s a lot of discussion around managing outages in production via the likes of DevOps principles and the corresponding software development lifecycles that does enable higher quality output from development, however, one cannot lay all blame for “bugs” and failures at the feet of those responsible for coding and development. As developers incorporate features and benefits of these paradigm shift, there is a learning curve and a point of not-knowing-what-is-not-known. Sometimes, the only way ...
There is no question that the cloud is where businesses want to host data. Until recently hypervisor virtualization was the most widely used method in cloud computing. Recently virtual containers have been gaining in popularity, and for good reason. In the debate between virtual machines and containers, the latter have been seen as the new kid on the block – and like other emerging technology have had some initial shortcomings. However, the container space has evolved drastically since coming on...
Cloud Expo, Inc. has announced today that Andi Mann returns to DevOps Summit 2015 as Conference Chair. The 4th International DevOps Summit will take place on June 9-11, 2015, at the Javits Center in New York City. "DevOps is set to be one of the most profound disruptions to hit IT in decades," said Andi Mann. "It is a natural extension of cloud computing, and I have seen both firsthand and in independent research the fantastic results DevOps delivers. So I am excited to help the great team at ...
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
How can you compare one technology or tool to its competitors? Usually, there is no objective comparison available. So how do you know which is better? Eclipse or IntelliJ IDEA? Java EE or Spring? C# or Java? All you can usually find is a holy war and biased comparisons on vendor sites. But luckily, sometimes, you can find a fair comparison. How does this come to be? By having it co-authored by the stakeholders. The binary repository comparison matrix is one of those rare resources. It is edite...
There is no doubt that Big Data is here and getting bigger every day. Building a Big Data infrastructure today is no easy task. There are an enormous number of choices for database engines and technologies. To make things even more challenging, requirements are getting more sophisticated, and the standard paradigm of supporting historical analytics queries is often just one facet of what is needed. As Big Data growth continues, organizations are demanding real-time access to data, allowing immed...
T-Mobile has been transforming the wireless industry with its “Uncarrier” initiatives. Today as T-Mobile’s IT organization works to transform itself in a like manner, technical foundations built over the last couple of years are now key to their drive for more Agile delivery practices. In his session at DevOps Summit, Martin Krienke, Sr Development Manager at T-Mobile, will discuss where they started their Continuous Delivery journey, where they are today, and where they are going in an effort ...
Container frameworks, such as Docker, provide a variety of benefits, including density of deployment across infrastructure, convenience for application developers to push updates with low operational hand-holding, and a fairly well-defined deployment workflow that can be orchestrated. Container frameworks also enable a DevOps approach to application development by cleanly separating concerns between operations and development teams. But running multi-container, multi-server apps with containers ...
SYS-CON Events announced today that EnterpriseDB (EDB), the leading worldwide provider of enterprise-class Postgres products and database compatibility solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. EDB is the largest provider of Postgres software and services that provides enterprise-class performance and scalability and the open source freedom to divert budget from more costly traditiona...
Do you think development teams really update those BMC Remedy tickets with all the changes contained in a release? They don't. Most of them just "check the box" and move on. They rose a Risk Level that won't raise questions from the Change Control managers and they work around the checks and balances. The alternative is to stop and wait for a department that still thinks releases are rare events. When a release happens every day there's just not enough time for people to attend CAB meeting...
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud en...
I’ve been thinking a bit about microservices (μServices) recently. My immediate reaction is to think: “Isn’t this just yet another new term for the same stuff, Web Services->SOA->APIs->Microservices?” Followed shortly by the thought, “well yes it is, but there are some important differences/distinguishing factors.” Microservices is an evolutionary paradigm born out of the need for simplicity (i.e., get away from the ESB) and alignment with agile (think DevOps) and scalable (think Containerizati...
In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, president of Intellyx, panelists Roberto Medrano, Executive Vice President at Akana; Lori MacVittie, IoT_Microservices Power PanelEvangelist for F5 Networks; and Troy Topnik, ActiveState’s Technical Product Manager; will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of ...
SYS-CON Media named Andi Mann editor of DevOps Journal. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. DevOps Journal brings valuable information to DevOps professionals who are transforming the way enterprise IT is done. Andi Mann, Vice President, Strategic Solutions, at CA Technologies, is an accomplished digital business executive with extensive global expertise as a strategist, technologist, innovator, marketer, communicator, and thought lea...