Providing Insight Into the Cloud Computing Security, Privacy and Related Threats

Cloud Security Journal


Cloud Security Authors: Elizabeth White, John Katrick, Mamoon Yunus, Ravi Rajamiyer, Liz McMillan


Hardware-Based Key Managers By @GiladPN | @CloudExpo [#Cloud]

The consensus is that data encryption is a critical first step to migrating to the cloud

Cloud Key Management vs. Hardware-Based Key Managers

Cloud security is a top concern for any organization migrating to the cloud. The threats are many.

For example, the fact that your data resides in a shared, multi-tenant environment is a threat that has become a reality with the latest Xen virtualization bug, which allowed a malicious fully virtualized server to read data about other virtualized systems running on the same physical hardware, or about the hypervisor.

Other threats to cloud security include internal employees and even governments.

The consensus is that data encryption is a critical first step to migrating to the cloud; but in fact, encryption is the easy part. The real challenge lies with the management of the encryption keys. Allowing your cloud provider to encrypt your data and manage the encryption keys is as secure as parking your car in a public parking space and leaving the car keys in the ignition.

The problem with cloud key management options
When reviewing cloud key management, options are quickly narrowed down to two major approaches: hardware security modules and cloud key management systems.

Hardware Security Modules (or HSMs) have been the traditional key management solution for many years. By storing encryption keys on tamper-resistant hardware that is physically locked and, in many cases, on a dedicated secure card, organizations kept their encryption keys securely stored and used them from within a physical data center.

But cloud computing is adding more parameters to the equation.

  • Hardware is not well adapted to the cloud and disrupts the economics and scaling you want.
  • As soon as an encryption key leaves the secure hardware (to encrypt an object in the cloud), it is no longer secured by the HSM.
  • Real-time systems require encryption keys in real-time. To deal with this issue, some vendors have created a virtual version of their HSMs.
      o   Unfortunately, such virtual systems are becoming a single point of attack, and your most sensitive secret (your encryption keys) is now in the cloud together with your data.
      o   To add to the confusion, some key management vendors will add compliance language to such virtual offerings, making it feel secure and trusted. But, in fact, the certification is only valid for the physical hardware, not the virtualized key management solution.

Split-key encryption and homomorphic key management
To effectively manage keys in the cloud, there’s a need for a fundamentally new approach. The new approach needs to allow customers to encrypt data while maintaining control of their encryption keys. It needs to be a fully virtual key management system, which will not compromise the encryption keys’ security, and will be scalable in size and across regions.

Split-key encryption and homomorphic key management are two cloud key management technologies which successfully address these issues.

Split-key encryption, as the name implies, splits encryption keys between the security provider and the end customer. This assures that encryption keys are never known to any single entity (the cloud provider or the security vendor can never see nor access any keys). Furthermore, control is ultimately held by the end customer, who always owns half of the key – a master key.

The best analogy is that of a safety deposit box with two keys: one belongs to the banker, the second belongs to the customer and only the combination of both can open or lock the box (this video demonstrates the concept visually).
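The two-key safety deposit box described above can be sketched in code. This is an added example, not the vendor's implementation: it assumes a simple 2-of-2 XOR split, and the function names and the share-refresh step are illustrative.

```python
import hashlib
import hmac
import secrets

# Assumption: 2-of-2 XOR sharing stands in for the split-key scheme; keys are constructed at random.
KEY_LEN = 32  # 256-bit data key

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(data_key: bytes) -> tuple[bytes, bytes]:
    """Return (customer_share, provider_share); each share alone is uniformly random."""
    customer_share = secrets.token_bytes(len(data_key))  # the customer's master key half
    provider_share = xor(data_key, customer_share)
    return customer_share, provider_share

def combine(customer_share: bytes, provider_share: bytes) -> bytes:
    return xor(customer_share, provider_share)

def refresh(customer_share: bytes, provider_share: bytes) -> tuple[bytes, bytes]:
    """Re-randomise both shares without changing the key they reconstruct."""
    mask = secrets.token_bytes(len(customer_share))
    return xor(customer_share, mask), xor(provider_share, mask)

def key_check_value(key: bytes) -> str:
    """Short fingerprint to confirm reconstruction without logging the key itself."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:12]

def demo() -> dict:
    data_key = secrets.token_bytes(KEY_LEN)
    cust, prov = split_key(data_key)
    new_cust, new_prov = refresh(cust, prov)
    # Whatever key a holder of only `prov` guesses, some customer share fits it,
    # so the provider share alone rules out no candidate key.
    guess = secrets.token_bytes(KEY_LEN)
    fitting_share = xor(guess, prov)
    return {
        "reconstructs": combine(cust, prov) == data_key,
        "refresh_keeps_key": combine(new_cust, new_prov) == data_key,
        "stale_share_fails": combine(cust, new_prov) != data_key,
        "guess_is_consistent": combine(fitting_share, prov) == guess,
        "kcv_matches": key_check_value(combine(cust, prov)) == key_check_value(data_key),
    }

if __name__ == "__main__":
    print(demo())
```

The refresh step shows why a share captured before a rotation is of no use afterwards, provided both parties discard their old halves.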

Homomorphic encryption is an exciting and relatively new field of encryption. It enables a system to compute on an encrypted object without ever decrypting it. Innovative cloud security companies leverage homomorphic encryption to encrypt the encryption keys themselves, thus assuring that customers’ keys are never available in the clear in the cloud.

“Evolve or Die”
Over a year ago, PwC issued a whitepaper titled “Evolve or Die: How the Cloud is Shaping the IT Organization.” The title summarizes the situation very accurately. The cloud is a reality, and as any CIO will tell you, the question of migrating to the cloud is “when” and no longer “why.”

When it comes to cloud security, encryption is critical, but trusted and virtual key management is the hardest challenge. As more and more organizations migrate to cloud computing, we expect that the adoption of innovative technologies such as key-splitting and homomorphic key management will lead the cloud encryption era.

The post Cloud Key Management vs. Hardware-Based Key Managers (HSMs) appeared first on Porticor Cloud Security.


More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor, is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business), contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.