COMPX527 Lecture 6.2
Cloud Data Security-2
Data Security Controls in Cloud
• Policies & Access Control
• Encryption
• Tokenization
Policies and Access Control
• Once data identification and classification has been done,
high-level policies need to be defined that describe who has
access to what data
• Resource-based policies and ACLs applied to the data resources
themselves provide one level of data security (sometimes called
cloud-native data security)
• When access is requested by an entity, the cloud provider
mediates the request and grants or denies it according to the
policies defined; a request that matches no policy is denied by default
• In AWS, for example, bucket policies can be written for S3
buckets to control who is able to access the data stored in
them
Policies and Access Control
• Access controls should be implemented with a minimum of three layers:
• Management plane:
– These are the controls for users who directly access the cloud platform's management plane.
For example, a user who can log in to the web console of an IaaS service may thereby be able
to read data in object storage, so console and API access is itself a data access path.
• Public and internal sharing controls
– If data is shared externally to the public or partners that don’t have direct access to the cloud
platform, there will be a second layer of controls for this access.
• Application level controls
– As you build your own applications on the cloud platform you will design and implement your own
controls to manage access.
• Create an entitlement matrix: which principals may perform which actions on which data, at each
layer, and check the deployed policies against it
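The two slides above describe the provider mediating each request against resource-based policies and then asking for an entitlement matrix. The Python below is an added illustration for this lecture, not AWS code and not a real IAM evaluator: it models the evaluation order a provider applies (default deny, explicit Deny beats Allow, wildcard matching) over a constructed bucket policy, and derives the entitlement matrix from the policy rather than writing it by hand. The `arn:example:...` names and the simplified policy grammar are assumptions for the example.

```python
"""Toy model of how a cloud provider mediates access to an object-store bucket
with a resource-based policy: default deny, explicit Deny wins over Allow,
'*' wildcards on principals, actions and resources.

Added example for the lecture; not an AWS implementation. The policy and the
principal/resource names are constructed for illustration.
"""
from fnmatch import fnmatchcase

# Constructed bucket policy in an IAM-like shape (assumption: simplified grammar).
BUCKET_POLICY = {
    "Statement": [
        {   # analysts may read anything in the bucket
            "Effect": "Allow",
            "Principal": "arn:example:iam::123456789012:role/analyst",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:example:s3:::research-data",
                         "arn:example:s3:::research-data/*"],
        },
        {   # the ingest role may write, but only under its own prefix
            "Effect": "Allow",
            "Principal": "arn:example:iam::123456789012:role/ingest",
            "Action": "s3:PutObject",
            "Resource": "arn:example:s3:::research-data/raw/*",
        },
        {   # explicit deny: nobody touches the restricted prefix, even if allowed elsewhere
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:example:s3:::research-data/restricted/*",
        },
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive glob match; '*' stands for any run of characters."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, principal, action, resource):
    """Return 'Allow' or 'Deny' for one access request.

    Provider-style order: any matching Deny statement ends evaluation with Deny;
    otherwise the request is allowed only if some statement allows it; a request
    matching nothing is denied (default deny).
    """
    decision = "Deny"                      # default deny until an Allow matches
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Principal"], principal)
                and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                  # explicit deny is final
        decision = "Allow"
    return decision


def entitlement_matrix(policy, principals, actions, resources):
    """Tabulate who can do what: (principal, action) -> {resource: decision}.

    Deriving the matrix from the policy means it cannot drift from the rules
    actually enforced, which is what makes it useful for review.
    """
    return {
        (p, a): {r: evaluate(policy, p, a, r) for r in resources}
        for p in principals for a in actions
    }


if __name__ == "__main__":
    analyst = "arn:example:iam::123456789012:role/analyst"
    ingest = "arn:example:iam::123456789012:role/ingest"
    objs = ["arn:example:s3:::research-data/raw/2024.csv",
            "arn:example:s3:::research-data/restricted/pii.csv"]
    matrix = entitlement_matrix(BUCKET_POLICY, [analyst, ingest],
                                ["s3:GetObject", "s3:PutObject"], objs)
    for (p, a), row in matrix.items():
        print(p.rsplit("/", 1)[1], a, row)
```

The third statement is the one worth noticing: the analyst role is allowed to read `research-data/*`, yet a read of anything under `restricted/` is denied, because a matching Deny is evaluated before any Allow counts. A principal that appears in no statement at all gets Deny without a rule saying so.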
Encryption
• Encryption is the process of transforming data (plaintext) into
ciphertext that is indistinguishable from random data to anyone without the key
– Symmetric key (secret key)
• Same key for encryption and decryption
• Smaller key sizes (e.g. 128- or 256-bit AES)
• Faster
• Key distribution is hard: every party that must decrypt needs a copy of the secret
• AES, 3DES, Blowfish, etc. (3DES and Blowfish are legacy 64-bit-block ciphers; use AES)
• Typically used for bulk data encryption
– Asymmetric key (public key)
• Separate keys for encryption (public) and decryption (private)
• Larger key sizes (e.g. 2048-bit RSA)
• Slower
• Key distribution is easier: only the private key must be kept secret; the public key can be published
• RSA, ElGamal, etc.
• Typically used for managing (wrapping) data encryption keys, digital signatures, etc.
Encryption
• Data At Rest Encryption
– Volume Level Encryption
• Handled by the user or by the CSP
• Only applicable to data on volume (block) storage
• Instance-managed encryption: The encryption engine
runs within the instance, and the key is stored in the
volume but protected by a passphrase or keypair.
• Externally managed encryption: The encryption engine
runs in the instance, but the keys are managed
externally and issued to the instance on request.
Encryption
• Data At Rest Encryption
– Object Level Encryption
• Cloud handles encryption (server-side encryption): data is encrypted by the
cloud provider after it has been transferred in. The provider has access to the
key and runs the encryption engine, so this protects against lost or reused
storage media but not against the provider itself or a compromised account
• Application handles encryption (client-side encryption): when object storage is
used as the back-end for an application (including mobile applications), encrypt
the data before upload using an encryption engine embedded in the application or
client, so the provider only ever stores ciphertext
• Also applicable for file level encryption on volumes
Encryption
• Data In Motion Encryption
– Most cloud providers' APIs for interacting with data natively
support DIM encryption through
• TLS (1.2 or later; SSL is obsolete and should be disabled)
• IPsec
• VPN tunnels
• etc.
– Cloud Users and applications need to use DIM encryption
when data goes from the cloud to the user and vice versa.
– In hybrid architectures DIM encryption should be used
when data moves from in house storage to the cloud and
vice versa
Encryption
• DIU Encryption
– Ciphertext cannot be computed on directly. Before data can be
operated upon or viewed by the user, it has to be decrypted
and held in RAM as plaintext, where the OS, the hypervisor or a
memory-reading attacker can see it
– Maturity level – low
– Enclaves
• Create isolated regions (enclaves) within RAM whose contents
are stored encrypted
• Data is decrypted only inside the CPU while the enclave's own
code is using it
• Hardware-enforced memory isolation from the OS and hypervisor
• Examples: Intel SGX (process-level enclaves); AMD SEV applies the
same idea at whole-VM granularity (confidential VMs)
Encryption
– Full memory encryption
• A key is generated by the hardware at boot time and is never
exposed to software
• Data in RAM is encrypted, usually on a per-page basis
• Pages to be encrypted can be marked (e.g. via a page-table bit)
or the entire RAM can be encrypted
• Data is decrypted by the memory controller as it is read into
the CPU, so plaintext exists only inside the CPU package
(caches and registers), never on the memory bus or in the DIMMs
• Examples: Intel TME, AMD SME
Encryption
• What if we never had to decrypt data?
– Homomorphic Encryption
• Allows a limited set of operations on encrypted data
(typically addition and/or multiplication; comparison or
search in related schemes)
• Partially homomorphic encryption
– Only one operation is supported (addition or multiplication, not both)
• Fully homomorphic encryption
– Both addition and multiplication are supported, which in
principle allows any computation to be expressed
Partially homomorphic encryption
• Examples: RSA and ElGamal (multiplication of plaintexts), Paillier (addition), etc.
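To make "one operation on encrypted data" concrete, the following Python is an added worked example (not from the lecture) of the two classic partially homomorphic schemes: textbook RSA, where multiplying two ciphertexts yields the encryption of the product, and Paillier, where multiplying two ciphertexts yields the encryption of the sum. The primes are tiny constructed values so the arithmetic is easy to follow; real deployments use 2048-bit or larger moduli, and real RSA uses padding (OAEP) that deliberately destroys the homomorphism shown here.

```python
"""Partially homomorphic encryption with toy-sized parameters.

Added example for this lecture, not from the slides. The primes below are
constructed and far too small to be secure; they only make the maths readable.
"""
import secrets
from math import gcd

# --- Textbook RSA: multiplicatively homomorphic ------------------------------
P, Q = 1000003, 1000033                  # constructed toy primes (NOT secure)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (Python >= 3.8)


def rsa_enc(m):
    return pow(m, E, N)


def rsa_dec(c):
    return pow(c, D, N)


def rsa_mul_ciphertexts(c1, c2):
    """Enc(m1) * Enc(m2) mod N = (m1*m2)^E mod N = Enc(m1*m2)."""
    return (c1 * c2) % N


# --- Paillier: additively homomorphic ---------------------------------------
# Public key (n, g) with g = n + 1; private key lambda = lcm(p-1, q-1).
PP, PQ = 1000037, 1000039                # constructed toy primes (NOT secure)
PN = PP * PQ
PN2 = PN * PN
LAM = (PP - 1) * (PQ - 1) // gcd(PP - 1, PQ - 1)


def _L(u):
    """L(u) = (u - 1) / n, defined on values congruent to 1 mod n."""
    return (u - 1) // PN


MU = pow(_L(pow(PN + 1, LAM, PN2)), -1, PN)   # mu = L(g^lambda mod n^2)^-1 mod n


def paillier_enc(m):
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts give
    different ciphertexts (unlike textbook RSA above, which is deterministic)."""
    while True:
        r = secrets.randbelow(PN)
        if r > 0 and gcd(r, PN) == 1:
            break
    return (pow(PN + 1, m, PN2) * pow(r, PN, PN2)) % PN2


def paillier_dec(c):
    return (_L(pow(c, LAM, PN2)) * MU) % PN


def paillier_add_ciphertexts(c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 = Enc(m1 + m2 mod n)."""
    return (c1 * c2) % PN2


def paillier_mul_plain(c, k):
    """Enc(m)^k mod n^2 = Enc(k*m): scaling by a known constant is also free,
    but multiplying two *encrypted* values is not, which is why this is 'partial'."""
    return pow(c, k, PN2)


def sum_encrypted(values):
    """What an untrusted cloud can do with Paillier: total up figures it never sees."""
    total = paillier_enc(0)
    for c in (paillier_enc(v) for v in values):
        total = paillier_add_ciphertexts(total, c)
    return total


if __name__ == "__main__":
    c = rsa_mul_ciphertexts(rsa_enc(6), rsa_enc(7))
    print("RSA  Dec(Enc(6)*Enc(7)) =", rsa_dec(c))
    s = paillier_add_ciphertexts(paillier_enc(1200), paillier_enc(3400))
    print("Paillier Dec(Enc(1200)*Enc(3400)) =", paillier_dec(s))
```

The contrast between the two is the whole point of the slide: the same ciphertext operation (modular multiplication) gives a product under RSA and a sum under Paillier, and neither scheme offers the other operation, so a cloud given Paillier ciphertexts can compute a payroll total but not a product of two salaries.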
Fully homomorphic encryption
• The holy grail of encryption
– Implications:
• + and × are the operations used in statistics and, combined, can
express arbitrary computation (e.g. evaluating AES on encrypted data)
• Proliferation of clouds handling sensitive data, e.g.
banking clouds
– The first fully homomorphic encryption scheme was
proposed by Craig Gentry in 2009
• Implementations of various FHE schemes are available now
• An AES block can be evaluated homomorphically in about 4 minutes
(compared to microseconds or less natively), so performance
remains the main barrier to adoption
Challenges of encryption in cloud
• Protection
– “Let's ensure that unauthorized people cannot
make sense of what we transmit”
• Protection and Utility
– “If only we can still process our data in the cloud,
but the cloud providers cannot see it”
• Protection + Utility + Performance
– “We can still process our data in the cloud, and it
is done efficiently”
Key Management
• You will be dealing with a number of keys when using Data at
rest and Data in Motion encryption.
• Key Management refers to an efficient solution to generate,
manage and store encryption keys.
• CSPs provide Key Management Systems to do this (e.g. AWS
KMS). Additionally, a KMS can be backed by an HSM (Hardware
Security Module) for additional assurance, giving the customer a
dedicated, single-tenant hardware key store
• Ensure that your KMS solution is protected through IAM
policies, least privilege and separation of duties principles
(whoever administers the keys should not also be the one reading the data)
• Ensure that keys are rotated on a schedule, and design for it:
rotating a key-encryption key should only require re-wrapping
the data keys, not re-encrypting all the data
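The encryption slide earlier says symmetric keys are "typically used for data encryption" and asymmetric keys "for managing data encryption keys", and the key management slide above says keys must be rotated. Envelope encryption is the pattern that ties those together, and the Python below is an added worked example of it (not the lecture's code and not a real cloud KMS API): each object gets its own AES-GCM data key (DEK), the DEK is wrapped with an RSA key-encryption key (KEK) that only the KMS holds, and rotating the KEK re-wraps the DEKs without touching the stored ciphertext. It uses the `cryptography` package; the `ToyKMS` class, the object names and the sample data are assumptions constructed for the example.

```python
"""Envelope encryption: a per-object symmetric data key (DEK) protects the
data; a key-encryption key (KEK) held by the KMS protects the DEKs.

Added example, not the lecture's own code and not a real KMS API. Requires the
`cryptography` package (pip install cryptography). ToyKMS, the object names
and the plaintext are constructed for the illustration.
"""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

_OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                     algorithm=hashes.SHA256(), label=None)


class ToyKMS:
    """Stand-in for a cloud KMS: owns every KEK version, only ever hands out
    wrap/unwrap operations, and never releases a KEK private key to callers."""

    def __init__(self):
        self._keks = {}            # version -> RSA private key (stays inside the KMS)
        self.current = 0
        self.rotate()

    def rotate(self):
        """Create a new KEK version; old versions are kept so existing wrapped
        DEKs can still be unwrapped until they are re-wrapped."""
        self.current += 1
        self._keks[self.current] = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        return self.current

    def wrap(self, dek):
        """Encrypt a DEK under the current KEK (asymmetric key 'manages keys')."""
        pub = self._keks[self.current].public_key()
        return self.current, pub.encrypt(dek, _OAEP)

    def unwrap(self, version, wrapped):
        return self._keks[version].decrypt(wrapped, _OAEP)


def encrypt_object(kms, key_name, plaintext):
    """Fresh 256-bit DEK per object (symmetric key 'encrypts data'), AES-GCM with
    the object name as associated data so a blob cannot be swapped between names."""
    dek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ct = AESGCM(dek).encrypt(nonce, plaintext, key_name.encode())
    version, wrapped = kms.wrap(dek)
    return {"name": key_name, "kek_version": version, "wrapped_dek": wrapped,
            "nonce": nonce, "ciphertext": ct}


def decrypt_object(kms, blob):
    dek = kms.unwrap(blob["kek_version"], blob["wrapped_dek"])
    return AESGCM(dek).decrypt(blob["nonce"], blob["ciphertext"], blob["name"].encode())


def rewrap_after_rotation(kms, blob):
    """KEK rotation touches only the small wrapped DEK; the object ciphertext
    is never read, decrypted or re-uploaded. Returns the updated blob."""
    dek = kms.unwrap(blob["kek_version"], blob["wrapped_dek"])
    blob["kek_version"], blob["wrapped_dek"] = kms.wrap(dek)
    return blob


if __name__ == "__main__":
    kms = ToyKMS()
    blob = encrypt_object(kms, "bucket/customers.csv", b"id,name\n1,Ada\n")
    kms.rotate()
    before = blob["ciphertext"]
    rewrap_after_rotation(kms, blob)
    assert blob["ciphertext"] == before and blob["kek_version"] == 2
    print(decrypt_object(kms, blob))
```

Two details carry the security argument. The DEK exists in the application only for the duration of one encrypt or decrypt call and is stored only in wrapped form, so a dump of the object store yields ciphertext plus RSA-wrapped keys that are useless without the KMS. And because the object name is bound as associated data, an attacker who can rewrite blobs cannot make `customers.csv` decrypt to the contents of some other object.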
Key Management
• There are four potential options for handling key management:
– HSM/appliance: Use a traditional hardware security module (HSM) or
appliance-based key manager, which will typically need to be on-premises,
and deliver the keys to the cloud over a dedicated connection.
– Virtual appliance/software: Deploy a virtual appliance or software-based key
manager in the cloud.
– Cloud provider service: This is a key management service offered by the cloud
provider. Before selecting this option, make sure you understand the security
model and SLAs to understand if your key could be exposed.
– Hybrid: You can also use a combination, such as using a HSM as the root of
trust for keys but then delivering application-specific keys to a virtual
appliance that’s located in the cloud and only manages keys for its particular
context.
Tokenization
• Tokenization is the process of replacing a meaningful piece of data, such as an
account number, with a random string of characters called a token that has no
exploitable value if breached.
• Tokens serve as a reference to the original data, but cannot be used to recover or
guess those values.
• Tokenization does not derive the token mathematically from the sensitive value
(as encryption does); the token is generated randomly and the mapping back to the
original is held in a separately protected lookup store (the token vault).
https://www.mcafee.com/enterprise/en-us/security-awareness/cloud/tokenization-vs-encryption.html
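As an added worked example of the tokenization slide (not code from the lecture or from the cited article), the Python below implements a vault-based tokenizer: the token is drawn from a random source rather than computed from the value, the only link back is the vault's lookup table, and reversing a token is a privileged operation checked against the caller's role. The in-memory dictionary stands in for a hardened datastore, and the card number is a constructed test value.

```python
"""Vault-based tokenization: a sensitive value is swapped for a random token;
the only link back is a lookup table kept in a separately protected vault.

Added example for this lecture, not from the slides or the cited article. The
'vault' is an in-memory dict standing in for a hardened datastore; the card
number used below is a constructed test value.
"""
import secrets
import string


class TokenVault:
    def __init__(self, format_preserving=True):
        self._token_to_value = {}
        self._value_to_token = {}        # same value -> same token (lets joins keep working)
        self.format_preserving = format_preserving

    def _new_token(self, value):
        """Random token with no mathematical relation to `value`.

        Format-preserving mode keeps the length, keeps digits as digits and
        leaves the last four digits of a long numeric value in the clear (the
        usual card-number convention) so downstream systems keep working;
        everything else is fresh randomness from the OS CSPRNG."""
        if not self.format_preserving:
            return secrets.token_urlsafe(24)
        keep = value[-4:] if value.isdigit() and len(value) > 8 else ""
        body_len = len(value) - len(keep)
        body = "".join(secrets.choice(string.digits) for _ in range(body_len))
        return body + keep

    def tokenize(self, value):
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:                      # retry on the (rare) collision or identity
            token = self._new_token(value)
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token, caller_roles):
        """Only the vault can reverse a token, and only for authorised callers.
        Systems that merely store tokens hold nothing to decrypt or brute-force."""
        if "detokenize" not in caller_roles:
            raise PermissionError("caller is not entitled to detokenize")
        return self._token_to_value[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"            # constructed test card number
    token = vault.tokenize(pan)
    print(pan, "->", token)
    print(token, "->", vault.detokenize(token, {"detokenize"}))
```

Compare this with the encryption slides: an encrypted account number can always be recovered by anyone who obtains the key, whereas here there is no key at all. An attacker who steals the application's database gets tokens that are random digits plus the last four, and the only way back is a query to the vault, which is why the vault must sit behind the strongest access controls in the system.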