SESSION ID: CPART4-W01 Should you trust your cloud providers with your encryption keys?
Sol Cates VP of Research & Technology Thales Group @solcates
#RSAC #RSAC Agenda
Cloud Trends
Cloud Security is a Shared Responsibility so you must encrypt
But Then The Keys
BYOK vs HYOK
HYOK Case Study – Google Cloud EKM
Attributes of a Cloud Key Management solution
2 #RSAC
Cloud Trends
From the 2019 Thales Cloud Security Report #RSAC
Businesses adopt a multi-cloud strategy when it comes their IT infrastructure and services needs 48%
of organizations have a multi-cloud strategy, with AWS, Microsoft Azure and IBM being the top three cited cloud providers
4 #RSAC
Businesses use 29 cloud applications on average, compared to 27two years ago
over 10% have more than 50 and the average US business has 41
5 #RSAC Cloud security responsibility is distributed
40% 35% 33% Who is most 31% 30% responsible for protecting 20% sensitive data stored in the 10% cloud? 1% 0% The cloud provider The cloud user Shared responsibility Not applicable
6 #RSAC
only 30 % of organizations have a unified system for secure access to both cloud and on-premise applications 32 % don’t employ a security- first approach to storing data in the cloud
7 #RSAC
Businesses are not applying adequate security measures to only 49% protect sensitive data in the cloud of organizations are encrypting sensitive data in the cloud
8 #RSAC Only half of businesses remain in control of the keys to their encrypted data stored in the cloud
despite 53% of businesses are 78% controlling the encryption saying it’s important keys when data is to retain ownership of encrypted in the cloud the encryption keys
9 #RSAC
“Cloud Security is a Shared Responsibility” #RSAC AWS on shared responsibility model
https://aws.amazon.co m/compliance/shared- responsibility-model/ As shown in the chart below, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud
11 #RSAC Microsoft Azure on shared responsibility model
https://blogs.msdn.microsoft.c om/azuresecurity/2016/04/18/w hat-does-shared-responsibility- in-the-cloud-mean/
The figure at right shows MSFT’s take on the shared responsibility model
12 #RSAC But you’re not doing it
71% 71% of enterprises But only 30% use use sensitive data in 30% encryption in these cloud environments environments Source: 2019 Thales Data Threat Report by IDC
13 #RSAC Cloud security alliance on cloud encryption keys
EKM-04 [Encryption] Keys shall not be stored in the cloud but maintained by the cloud consumer or trusted key management provider.
14 #RSAC CSA says maintain the keys
What part of the What does key do you maintain mean? maintain?
Do you create and upload the key? Is this full lifecycle management? Does the provider create the key, How is key lifecycle management and you manage it? shared?
15 #RSAC Sourcing your own keys
Generate and Securely store your keys
OpenSSL? HSM? Private KMS? High Entrophy for good key quality Where does the secret sauce sit?
Managing your keys
Rotate them? Remember each version’s key material? In a spreadsheet? How will you maintain them?
16 #RSAC BYOK vs HYOK
BYOK HYOK
Pluses Pluses Wide spread, all IaaSs have a KMS DEK material is protected by your KEK in Many solutions in the marketplace to your EKM service discover The provider has no direct access to your Data Key Pedigree - You generated the DEK/KEK DEK material Minuses Minuses Key is “granted” to the provider protected Potential SLA impact to provider with their KEK on your behalf Data Key Pedigree - provider generates the Must trust the tools to tell you what is DEK material happening with your keys
17 #RSAC
BYOK Requirements for Bring Your Own Encryption #RSAC Cloud key lifecycle management comparison
Automated Key Lifecycle Management Admin in the middle Lifestyle management
Create Create
Destroy Back Up Destroy Back Up
Archive/ Deploy Archive/ Deploy Suspend Suspend
Expire Monitor Expire Monitor
Rotate Rotate 19 #RSAC How to bring your own key
Small Scale High Scale Build-or-Buy decision
Major IaaS/PaaS providers enable you to Build and maintain a cloud key upload a key to their cloud management using each provider’s BYOK API High scale operations are cumbersome Buy a multi-cloud key management Major challenge: quality of imported keys, solution and potential for human error
20 #RSAC Requirements for multi-cloud key management Requirements for Efficiency & Most Common Clouds ROI
AWS Full key life cycle management MS Azure Create / upload / ROTATE / disable / delete MS Office365 Federated login and corresponding access to key rights Salesforce Google Cloud
Core Functionality Operational Requirements
Secure key source and storage GUI for understanding and regular use Manage existing keys in the cloud All clouds in one “pane of glass” Revoke and delete keys API for operating at scale
21 #RSAC
HYOK Case Study
Google Cloud Platform #RSAC HYOK
Differences in Some providers have approaches mean unique introduced a few solutions approaches to “HYOK” and implementations may be needed
Salesforce – Cache-Only Key Service Can this be consolidated? Azure – Synchronize keys from off- cloud to cloud Google – External Key Management with Wrapping/Unwrapping
23 #RSAC Google cloud - External key management
EKM wraps Crypto Keys with an EKM evaluates the context and externally managed key justification to see if authorized CloudKMS requests that the key be The EKM can be used to prevent unwrapped with context undesired requests for data access
24 #RSAC
So What Do You Do First?
How can you start your journey? #RSAC Questions to start your journey tomorrow
Questions to ask each of your Questions to cloud providers ask yourself
Support encryption? What is our cloud management strategy? If so, what kind of Key Management? How do we bridge that to our enterprise Can I manage the keys off-cloud? key management? Do you have the tools or the staff for cloud key lifecycle management?
26 SESSION ID: CPRT4-W01 Thank You
Sol Cates VP Research & Technology Thales Group @solcates
#RSAC