
Cloud Encryption and Key Management Considerations

Daniel Cushieri

Technical Report RHUL–MA–2014–9
01 September 2014

Information Security Group
Royal Holloway, University of London
Egham, Surrey TW20 0EX, United Kingdom
www.ma.rhul.ac.uk/tech

Cloud Encryption and Key Management Considerations

Daniel Cuschieri
March 2013

Submitted as part of the requirements for the award of the Master of Science in Information Security

Royal Holloway, University of London
Egham, Surrey TW20 0EX, England

Specially dedicated to my beloved family and close friends

Acknowledgments

This work would not have been possible without the support and encouragement of my supervisor, Dr Po Wah Yau. My most grateful appreciation goes to him, for his patience and support through the entire supervision of this dissertation, and for taking time to answer queries related to this project. His enthusiasm on the subject was essential for successfully completing this dissertation.

Last, but certainly not the least, I would also like to thank my family, especially my parents, on whose constant encouragement I have relied. Their support and encouragement was fundamental for completing the project, and it is to them that I dedicate this work.

Table of Contents

1 Introduction
    1.1 Objectives
    1.2 Methodology and Structure
2 Cloud Computing
    2.1 Definition
    2.2 Characteristics
    2.3 Service Models
        2.3.1 Software as a Service (SaaS)
        2.3.2 Platform as a Service (PaaS)
        2.3.3 Infrastructure as a Service (IaaS)
    2.4 Deployment Models
    2.5 Taxonomy of Cloud Computing Use Cases
    2.6 Conceptual Models
        2.6.1 Model A – Public SaaS
        2.6.2 Model B – Hybrid SaaS
        2.6.3 Model C – Public PaaS
        2.6.4 Model D – Private IaaS
        2.6.5 Model E – Public IaaS
        2.6.6 Summary
    2.7 Benefits and Concerns of Cloud Computing
    2.8 Conclusion
3 Cloud Security
    3.1 Organisations Working on Cloud Security
    3.2 Cloud Security Threats
        3.2.1 Virtually Unlimited Compute Power
        3.2.2 Cloud Management
        3.2.3 Cloud Provider Insiders
        3.2.4 Shared Cloud Infrastructure
        3.2.5 Data Security
        3.2.6 Access to Cloud Data
        3.2.7 Unknown Risk Profile
        3.2.8 Forensics
    3.3 Perception of Cloud Security
        3.3.1 Survey Methodology
        3.3.2 Survey Results
    3.4 Cloud Computing Risk Assessment Method
        3.4.1 CC-RAM Design Decisions
    3.5 Conclusion
4 Encryption and Key Management in the Cloud
    4.1 Cryptography Services Supporting the Cloud
    4.2 Encryption as a Threat Countermeasure
    4.3 Where to Encrypt Data
    4.4 Encryption in Different Cloud Architectures
        4.4.1 Encryption in SaaS
        4.4.2 Encryption in PaaS
        4.4.3 Encryption in IaaS
    4.5 Cloud Encryption Trends
    4.6 Conclusion
5 Challenges of Cloud Encryption
    5.1 Encryption Challenges
        5.1.1 Inherent Challenges
        5.1.2 Challenges in Implementing Desirable Functionality
        5.1.3 Cloud Model Analysis
    5.2 Key Management Challenges
        5.2.1 Inherent Challenges
        5.2.2 Cloud Model Analysis
    5.3 Legislation and Compliance Challenges
        5.3.1 Legislation Which Affects Cloud Encryption
    5.4 Information Security Standards
        5.4.1 Generic Information Security Standards
        5.4.2 Cloud Security Standards
    5.5 Conclusion
6 Best Practices and Proposals for Cloud Key Management
    6.1 Use of Key Management Standards