Microservices Expo Authors: Pat Romanski, Elizabeth White, Mehdi Daoudi, Flint Brenton, Gordon Haff

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security

@CloudExpo: Article

Cloud Security: Encryption Is Key

Cloud security should include a blend of traditional security elements combined with new “cloud-adjusted” security technologies

Today, with enterprises migrating to the cloud, the security challenge around protecting data is greater than ever before. Keeping data private and secure has always been a business imperative. But for many companies and organizations, it has also become a compliance requirement and a necessity to stay in business. Standards including HIPAA, Sarbanes-Oxley, PCI DSS and the Gramm-Leach-Bliley Act all require that organizations protect their data at rest and provide defenses against data loss and threats.

Public cloud computing is the delivery of computing as a service rather than as a product, and is usually categorized into three service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). When it comes to public cloud security, all leading cloud providers are investing significant efforts and resources in securing and certifying their datacenters. However, as cloud computing matures, enterprises are learning that cloud security cannot be delivered by the cloud provider alone. In fact, cloud providers make sure enterprises know that security is a shared responsibility, and that cloud customers do share responsibility for data security, protection from unauthorized access, and backup of their data.

Actually, this "shared responsibility" makes sense most of the time. The responsibility of cloud providers offering Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) reasonably extends to the network and the infrastructure they provide. In fact, a typical agreement between you and your cloud provider will usually state that "...you acknowledge that you bear sole responsibility for adequate security..." So businesses hosting their applications in the cloud understand that they must share responsibility for ensuring the security of their data.

As cloud computing becomes increasingly more mainstream, it's harder to distinguish the generic security issues that an IT manager needs to tackle, from those that are specific to cloud computing. Issues such as roles and responsibilities, secure application development, least privilege and many more apply equally well in traditional on-premise environments as they do in the cloud.

When an IT application is moved to a public cloud, all of the old security risks associated with it in the past still exist but, in addition, there are new risk vectors. Previously your servers and your data were physically protected within your server room. Now the "virtual servers" and "virtual storage devices" are accessible to you, the customer, via a browser; raising the concern that hackers may attempt to access the same. Here are some new risks scenarios to consider when migrating to the cloud:

  1. Snapshotting your virtual storage by gaining access to your cloud console.
    A malicious user might gain access to your cloud console by stealing your credentials or by exploiting vulnerabilities in cloud access control. In any case, once inside your account, a "snapshot" of your virtual disks will allow an attacker to move a copy of your virtual storage to his or her preferred location and abuse the data stored on those virtual disks. This risk is in our opinion the most obvious reason to deploy data encryption in the cloud, but surprisingly enough, not all companies are aware of the threat and unknowingly expose their cloud-residing data to this significant risk.
  2. Gaining access from a different server within the same account.
    Gaining access to sensitive data from a different virtual server inside the same account can be achieved by an attacker exploiting a vulnerability on that other server (such as a misconfiguration), or by one of your other cloud system administrators (a "malicious insider" from a different project in your own organization) using credentials or exploiting one of many known web application vulnerabilities to launch an attack on your virtual server. Unencrypted data can be exposed and stolen using this method.
  3. The insider threat.
    Though this scenario gets mentioned a lot, it's unlikely that a cloud provider employee will be involved in data theft. The more realistic scenario is an accidental incident related to an insider with physical access to the data center. One well-known example is the HealthNet case where 1.9 million customer records of HealthNet, a major US health insurer, were lost after its IT vendor misplaced nine server drives following a move to a new data center. According to HIPAA rules, disk-level encryption would have negated the incident impact.

The industry consensus is that encryption is an essential first step in achieving cloud computing security. An effective solution needs to meet four critical needs: High security, convenient management, robust performance and regulatory compliance. Data at rest is no longer between the proverbial "four walls" of the enterprise; the data owner is managing their own data with browsers and cloud APIs, and the concern is that a hacker can do the same. As such, cloud encryption is recognized as a basic building block of cloud security, though one difficult question has remained - where to store the encryption keys, since the keys cannot safely be stored in the cloud along with the data.

Protecting Content with Cloud Encryption and Key Management
Encryption technology is only as secure as the encryption keys. You have to keep your keys in a safe place. You need a cloud key management solution that can support encryption of your data and should supply the encryption keys for files, databases (whether the complete database or at the column, table, or tablespace level), or disks. This is actually the trickiest security question when implementing encryption in the cloud and requires thought and expertise. For example, database encryption keys are often kept in a database "wallet," which is often a file on your virtual disk. The concern is that hackers will attack the virtual disk in the cloud, and from there get access to the wallet, and through the wallet access the data.

Encrypting sensitive data in the cloud is an absolute must. Cloud security should include a blend of traditional security elements combined with new "cloud-adjusted" security technologies. Encryption should be a key part of your cloud security strategy due to the new cloud threat vectors (but also due to regulations such as the Patriot Act), and you should pay specific attention to key management.

More Stories By Ariel Dan

Ariel Dan is co-founder and Executive Vice President at Porticor cloud security. Follow him on twitter: @ariel_dan

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.

@MicroservicesExpo Stories
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
"We started a Master of Science in business analytics - that's the hot topic. We serve the business community around San Francisco so we educate the working professionals and this is where they all want to be," explained Judy Lee, Associate Professor and Department Chair at Golden Gate University, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
For over a decade, Application Programming Interface or APIs have been used to exchange data between multiple platforms. From social media to news and media sites, most websites depend on APIs to provide a dynamic and real-time digital experience. APIs have made its way into almost every device and service available today and it continues to spur innovations in every field of technology. There are multiple programming languages used to build and run applications in the online world. And just li...
The general concepts of DevOps have played a central role advancing the modern software delivery industry. With the library of DevOps best practices, tips and guides expanding quickly, it can be difficult to track down the best and most accurate resources and information. In order to help the software development community, and to further our own learning, we reached out to leading industry analysts and asked them about an increasingly popular tenet of a DevOps transformation: collaboration.
We call it DevOps but much of the time there’s a lot more discussion about the needs and concerns of developers than there is about other groups. There’s a focus on improved and less isolated developer workflows. There are many discussions around collaboration, continuous integration and delivery, issue tracking, source code control, code review, IDEs, and xPaaS – and all the tools that enable those things. Changes in developer practices may come up – such as developers taking ownership of code ...
The dynamic nature of the cloud means that change is a constant when it comes to modern cloud-based infrastructure. Delivering modern applications to end users, therefore, is a constantly shifting challenge. Delivery automation helps IT Ops teams ensure that apps are providing an optimal end user experience over hybrid-cloud and multi-cloud environments, no matter what the current state of the infrastructure is. To employ a delivery automation strategy that reflects your business rules, making r...
Cloud Governance means many things to many people. Heck, just the word cloud means different things depending on who you are talking to. While definitions can vary, controlling access to cloud resources is invariably a central piece of any governance program. Enterprise cloud computing has transformed IT. Cloud computing decreases time-to-market, improves agility by allowing businesses to adapt quickly to changing market demands, and, ultimately, drives down costs.
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
How is DevOps going within your organization? If you need some help measuring just how well it is going, we have prepared a list of some key DevOps metrics to track. These metrics can help you understand how your team is doing over time. The word DevOps means different things to different people. Some say it a culture and every vendor in the industry claims that their tools help with DevOps. Depending on how you define DevOps, some of these metrics may matter more or less to you and your team.
"CA has been doing a lot of things in the area of DevOps. Now we have a complete set of tool sets in order to enable customers to go all the way from planning to development to testing down to release into the operations," explained Aruna Ravichandran, Vice President of Global Marketing and Strategy at CA Technologies, in this SYS-CON.tv interview at DevOps Summit at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"We are an integrator of carrier ethernet and bandwidth to get people to connect to the cloud, to the SaaS providers, and the IaaS providers all on ethernet," explained Paul Mako, CEO & CTO of Massive Networks, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"Grape Up leverages Cloud Native technologies and helps companies build software using microservices, and work the DevOps agile way. We've been doing digital innovation for the last 12 years," explained Daniel Heckman, of Grape Up in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis tool. It is an extremely lightweight tool that can integrate with pretty much any build process right now," explained Andrew Siegmund, Application Migration Specialist for CAST, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Let's do a visualization exercise. Imagine it's December 31, 2018, and you're ringing in the New Year with your friends and family. You think back on everything that you accomplished in the last year: your company's revenue is through the roof thanks to the success of your product, and you were promoted to Lead Developer. 2019 is poised to be an even bigger year for your company because you have the tools and insight to scale as quickly as demand requires. You're a happy human, and it's not just...
The enterprise data storage marketplace is poised to become a battlefield. No longer the quiet backwater of cloud computing services, the focus of this global transition is now going from compute to storage. An overview of recent storage market history is needed to understand why this transition is important. Before 2007 and the birth of the cloud computing market we are witnessing today, the on-premise model hosted in large local data centers dominated enterprise storage. Key marketplace play...
Cavirin Systems has just announced C2, a SaaS offering designed to bring continuous security assessment and remediation to hybrid environments, containers, and data centers. Cavirin C2 is deployed within Amazon Web Services (AWS) and features a flexible licensing model for easy scalability and clear pay-as-you-go pricing. Although native to AWS, it also supports assessment and remediation of virtual or container instances within Microsoft Azure, Google Cloud Platform (GCP), or on-premise. By dr...
With continuous delivery (CD) almost always in the spotlight, continuous integration (CI) is often left out in the cold. Indeed, it's been in use for so long and so widely, we often take the model for granted. So what is CI and how can you make the most of it? This blog is intended to answer those questions. Before we step into examining CI, we need to look back. Software developers often work in small teams and modularity, and need to integrate their changes with the rest of the project code b...
Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...