
SESSION ID: CPART4-W01
Should you trust your cloud providers with your encryption keys?
Sol Cates, VP of Research & Technology, Thales Group, @solcates
#RSAC

--- Slide 2: Agenda ---
- Cloud Trends
- Cloud Security is a Shared Responsibility, so you must encrypt
- But Then The Keys
- BYOK vs HYOK
- HYOK Case Study: Google Cloud EKM
- Attributes of a Cloud Key Management solution

--- Slide 3: Cloud Trends ---
From the 2019 Thales Cloud Security Report

--- Slide 4 ---
Businesses adopt a multi-cloud strategy when it comes to their IT infrastructure and services needs.
48% of organizations have a multi-cloud strategy, with AWS, Microsoft Azure and IBM being the top three cited cloud providers.

--- Slide 5 ---
Businesses use 29 cloud applications on average, compared to 27 two years ago. Over 10% have more than 50, and the average US business has 41.

--- Slide 6: Cloud security responsibility is distributed ---
[Bar chart: "Who is most responsible for protecting sensitive data stored in the cloud?" Categories: The cloud provider, The cloud user, Shared responsibility, Not applicable. Bar values as read from the chart, in that order: 35%, 33%, 31%, 1%.]

--- Slide 7 ---
Only 30% of organizations have a unified system for secure access to both cloud and on-premise applications.
32% don't employ a security-first approach to storing data in the cloud.

--- Slide 8 ---
Businesses are not applying adequate security measures to protect sensitive data in the cloud: only 49% of organizations are encrypting sensitive data in the cloud.

--- Slide 9 ---
Only half of businesses remain in control of the keys to their encrypted data stored in the cloud: 53% of businesses are controlling the encryption keys when data is encrypted in the cloud, despite 78% saying it's important to retain ownership of the encryption keys.

--- Slide 10 ---
"Cloud Security is a Shared Responsibility"

--- Slide 11: AWS on shared responsibility model ---
https://aws.amazon.com/compliance/shared-responsibility-model/
"As shown in the chart below, this differentiation of responsibility is commonly referred to as Security 'of' the Cloud versus Security 'in' the Cloud."

--- Slide 12: Microsoft Azure on shared responsibility model ---
https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
The figure at right shows MSFT's take on the shared responsibility model.

--- Slide 13: But you're not doing it ---
71% of enterprises use sensitive data in cloud environments, but only 30% use encryption in these environments.
Source: 2019 Thales Data Threat Report by IDC

--- Slide 14: Cloud Security Alliance on cloud encryption keys ---
EKM-04: [Encryption] Keys shall not be stored in the cloud but maintained by the cloud consumer or trusted key management provider.

--- Slide 15: CSA says maintain the keys ---
What does maintain mean?
- What part of the key do you maintain?
- Do you create and upload the key?
- Does the provider create the key, and you manage it?
- Is this full lifecycle management?
- How is key lifecycle management shared?

--- Slide 16: Sourcing your own keys ---
Generate and securely store your keys
- OpenSSL? HSM? Private KMS?
- High entropy for good key quality
- Where does the secret sauce sit?
Managing your keys
- Rotate them?
- Remember each version's key material? In a spreadsheet?
- How will you maintain them?

--- Slide 17: BYOK vs HYOK ---
BYOK
  Pluses
  - Widespread: all IaaSs have a KMS
  - Many solutions in the marketplace to discover
  - Data Key Pedigree: you generated the DEK/KEK
  Minuses
  - Key is "granted" to the provider, protected with their KEK on your behalf
  - Data Key Pedigree: provider generates the DEK material
HYOK
  Pluses
  - DEK material is protected by your KEK in your EKM service
  - The provider has no direct access to your DEK material
  Minuses
  - Potential SLA impact to provider
  - Must trust the tools to tell you what is happening with your keys

--- Slide 18: BYOK ---
Requirements for Bring Your Own Encryption

--- Slide 19: Cloud key lifecycle management comparison ---
[Two lifecycle ring diagrams with the same stages, "Automated Key Lifecycle Management" versus "Admin in the middle Lifecycle management". Stages shown: Create -> Back Up -> Deploy -> Monitor -> Rotate -> Expire -> Suspend -> Archive/Destroy.]

--- Slide 20: How to bring your own key ---
Small Scale
- Major IaaS/PaaS providers enable you to upload a key to their cloud using each provider's BYOK API
- High scale operations are cumbersome
- Major challenge: quality of imported keys, and potential for human error
High Scale
- Build-or-Buy decision
- Build and maintain a cloud key management
- Buy a multi-cloud key management solution

--- Slide 21: Requirements for multi-cloud key management ---
Requirements for Efficiency & ROI
- Full key life cycle management: Create / upload / ROTATE / disable / delete
- Federated login and corresponding access to key rights
Most Common Clouds
- AWS
- MS Azure
- MS Office365
- Salesforce
- Google Cloud
Core Functionality
- Secure key source and storage
- Manage existing keys in the cloud
- Revoke and delete keys
Operational Requirements
- GUI for understanding and regular use
- All clouds in one "pane of glass"
- API for operating at scale

--- Slide 22: HYOK Case Study ---
Google Cloud Platform

--- Slide 23: HYOK ---
Some providers have introduced a few approaches to "HYOK". Differences in approaches mean unique solutions and implementations may be needed.
- Salesforce: Cache-Only Key Service
- Azure: Synchronize keys from off-cloud to cloud
- Google: External Key Management with Wrapping/Unwrapping
Can this be consolidated?

--- Slide 24: Google Cloud - External Key Management ---
- EKM wraps Crypto Keys with an externally managed key
- CloudKMS requests that the key be unwrapped, with context
- EKM evaluates the context and justification to see if the request is authorized
- The EKM can be used to prevent undesired requests for data access

--- Slide 25: So What Do You Do First? ---
How can you start your journey?

--- Slide 26: Questions to start your journey tomorrow ---
Questions to ask each of your cloud providers
- Support encryption?
- If so, what kind of Key Management?
- Can I manage the keys off-cloud?
Questions to ask yourself
- What is our cloud management strategy?
- How do we bridge that to our enterprise key management?
- Do you have the tools or the staff for cloud key lifecycle management?

--- Slide 27 ---
SESSION ID: CPRT4-W01
Thank You
Sol Cates, VP Research & Technology, Thales Group, @solcates
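The key lifecycle the deck keeps returning to (slide 16: rotate and remember each version's key material; slide 19: create, back up, rotate, expire, suspend, destroy; slide 21: create / upload / rotate / disable / delete) as a small Python model. This is an added example, not code from the presentation or from any Thales or cloud-provider product; the class names, the State values and the key_quality_ok check are assumptions made for the illustration.

```python
"""Versioned key lifecycle: create/import, rotate, suspend, back up, destroy.
Illustrative model only; names and states are assumptions, not any vendor's API."""
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple

KEY_LEN = 32  # 256-bit key material


class State(Enum):
    ACTIVE = "active"        # may encrypt new data and decrypt old data
    EXPIRED = "expired"      # rotated out: decrypt-only, so old ciphertext stays readable
    SUSPENDED = "suspended"  # no use at all, but material is retained and can be reinstated
    DESTROYED = "destroyed"  # material scrubbed; anything encrypted under it is gone


def key_quality_ok(material: bytes) -> bool:
    """Crude sanity check for imported material: correct length and not an
    obviously degenerate pattern (all zeros, a short repeat). It catches
    human error on upload; it cannot prove the material is random."""
    return len(material) == KEY_LEN and len(set(material)) >= 16


@dataclass
class KeyVersion:
    version: int
    material: Optional[bytes]
    state: State = State.ACTIVE


@dataclass
class ManagedKey:
    name: str
    versions: Dict[int, KeyVersion] = field(default_factory=dict)
    primary: int = 0                       # version used for new encryptions
    audit: List[str] = field(default_factory=list)

    def create(self, imported: Optional[bytes] = None) -> int:
        """Generate (or import) material and make it the primary version."""
        material = imported if imported is not None else secrets.token_bytes(KEY_LEN)
        if not key_quality_ok(material):
            raise ValueError(f"{self.name}: rejected key material (length/quality)")
        self.primary += 1
        self.versions[self.primary] = KeyVersion(self.primary, material)
        self.audit.append(f"create v{self.primary}")
        return self.primary

    def rotate(self, imported: Optional[bytes] = None) -> int:
        """New primary; the old one becomes decrypt-only and its material is kept."""
        if self.primary == 0:
            return self.create(imported)
        old = self.primary
        new = self.create(imported)
        self.versions[old].state = State.EXPIRED
        self.audit.append(f"rotate v{old} -> v{new}")
        return new

    def suspend(self, v: int) -> None:
        self._set(v, State.SUSPENDED)

    def destroy(self, v: int) -> None:
        self.versions[v].material = None   # scrub the bytes, keep the record for audit
        self._set(v, State.DESTROYED)

    def _set(self, v: int, state: State) -> None:
        self.versions[v].state = state
        self.audit.append(f"{state.value} v{v}")

    def key_for_encrypt(self) -> Tuple[int, bytes]:
        kv = self.versions[self.primary]
        if kv.state is not State.ACTIVE:
            raise PermissionError(f"{self.name}: primary v{kv.version} is {kv.state.value}")
        return kv.version, kv.material

    def key_for_decrypt(self, v: int) -> bytes:
        kv = self.versions[v]
        if kv.state not in (State.ACTIVE, State.EXPIRED):
            raise PermissionError(f"{self.name} v{v} is {kv.state.value}; cannot decrypt")
        return kv.material

    def backup(self) -> Dict[int, bytes]:
        """Export every version that still has material: the 'remember each
        version's key material' requirement. Rotating without this loses old data."""
        return {v: kv.material for v, kv in self.versions.items() if kv.material is not None}
```

Each data object must record the key version it was encrypted under; key_for_decrypt then answers from that version's state rather than from the current primary, which is what lets a rotation happen without a re-encryption storm while still letting a compromised version be suspended or destroyed on its own.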
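The BYOK/HYOK contrast on slide 17 and the Google EKM flow on slide 24 (EKM wraps the key with an externally held KEK, CloudKMS asks for it to be unwrapped with a context, EKM evaluates the context and justification) as an added Python simulation. It is not Google's EKM code or any vendor's API; ExternalKeyManager, CloudKMS, the toy HMAC-based cipher standing in for AES-GCM or a standard key wrap, and the caller and justification strings are all assumptions constructed for the example.

```python
"""Envelope encryption with an external key manager (HYOK) next to a
provider-held key (BYOK). Illustrative simulation, not Google's EKM code."""
import hashlib
import hmac
import secrets

# Toy authenticated cipher (HMAC-SHA256 keystream XOR + HMAC tag), used so the
# example runs with the standard library only. Not a real key-wrap algorithm.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


class ExternalKeyManager:
    """Customer-side EKM: holds the KEK, wraps DEKs, and unwraps only when the
    provider's request context satisfies the customer's policy (assumed policy)."""
    def __init__(self, allowed_justifications, allowed_callers):
        self._kek = secrets.token_bytes(32)
        self.allowed_justifications = set(allowed_justifications)
        self.allowed_callers = set(allowed_callers)
        self.log = []   # every unwrap decision, kept on the customer side

    def wrap_dek(self, dek: bytes) -> bytes:
        return seal(self._kek, dek)

    def unwrap_dek(self, wrapped_dek: bytes, context: dict) -> bytes:
        ok = (context.get("caller") in self.allowed_callers
              and context.get("justification") in self.allowed_justifications)
        self.log.append((context, "ALLOW" if ok else "DENY"))
        if not ok:
            raise PermissionError(f"EKM denied unwrap: {context}")
        return open_(self._kek, wrapped_dek)

    def grant_kek_copy(self) -> bytes:
        """BYOK: the customer-generated KEK is handed to the provider."""
        return self._kek


class CloudKMS:
    """Provider side. Stores only the wrapped DEK and ciphertext. In HYOK mode
    every decrypt calls out to the EKM with a context; in BYOK mode it holds a
    KEK copy and unwraps on its own, with no customer-side check."""
    def __init__(self, ekm: ExternalKeyManager, mode: str):
        self.ekm, self.mode = ekm, mode
        self.local_kek = ekm.grant_kek_copy() if mode == "BYOK" else None
        self.wrapped_dek = None

    def encrypt_data(self, plaintext: bytes) -> bytes:
        dek = secrets.token_bytes(32)            # per-object data encryption key
        self.wrapped_dek = (seal(self.local_kek, dek) if self.mode == "BYOK"
                            else self.ekm.wrap_dek(dek))
        return seal(dek, plaintext)

    def decrypt_data(self, ciphertext: bytes, context: dict) -> bytes:
        if self.mode == "BYOK":
            dek = open_(self.local_kek, self.wrapped_dek)
        else:
            dek = self.ekm.unwrap_dek(self.wrapped_dek, context)
        return open_(dek, ciphertext)


def demo() -> dict:
    """Constructed scenario: one permitted and one refused unwrap request."""
    ekm = ExternalKeyManager(allowed_justifications={"customer-initiated"},
                             allowed_callers={"prod-app@example"})
    record = b"patient-id=12345;diagnosis=redacted"   # constructed sample data
    good = {"caller": "prod-app@example", "justification": "customer-initiated"}
    bad = {"caller": "provider-ops@cloud", "justification": "provider-initiated"}
    results = {}
    hyok = CloudKMS(ekm, "HYOK")
    ct = hyok.encrypt_data(record)
    results["hyok_allowed"] = hyok.decrypt_data(ct, good) == record
    try:
        hyok.decrypt_data(ct, bad)
        results["hyok_denied"] = False
    except PermissionError:
        results["hyok_denied"] = True
    byok = CloudKMS(ekm, "BYOK")
    ct2 = byok.encrypt_data(record)
    results["byok_no_check"] = byok.decrypt_data(ct2, bad) == record
    results["ekm_log"] = [decision for _, decision in ekm.log]
    return results
```

The EKM's log is the customer's own record of every unwrap, which is the "must trust the tools to tell you what is happening with your keys" point from slide 17 turned into something you can check; in BYOK mode the provider unwraps with its KEK copy and the customer side sees nothing. The SLA minus is visible too: every HYOK decrypt blocks on a round trip to the customer's service.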