Customer-Managed Encryption Keys: Controlling Your Data’s Privacy in the Cloud
Businesses put a lot of trust in the cloud, believing that, as paying customers, they will enjoy total protection from hackers and law enforcement agencies trying to access their private data.
But the majority of cloud providers who encrypt data have full control over encryption keys and could – if required to – access and share the data. This is a risk many businesses are unaware of. It also means CISOs in industries handling very sensitive data cannot take advantage of the benefits of cloud technology, as their enterprise policies and regulatory compliance requirements prohibit them from having implementations where providers have full access to their data. Customer-managed encrypted keys (CMKs) offer a solution to this problem, putting the data owner in full control of the encryption being used within the cloud service regardless of where it is stored.
This combined panel & presentation session will explore how implementing CMKs will give customers back the control of their data as well as promoting cloud adoption. You will become familiar with cryptography systems available now that use CMKs to protect data held by cloud vendors, how they work, when it is necessary to implement, and how it can enable highly regulated industries to operate securely beyond the firewall.
Best Practice: From Zero to Secure in 1 Minute
Cloud instances lifecycles are accelerating fast. Cloud providers are competing among them by switching to by-the-minute server billing instead of hourly billing. This means that servers should be installed, launched, process and terminate and all within a range of minutes. This new accelerated life cycle makes traditional security processes such as periodic patches, vulnerability scanning, hardening and forensics impossible. In this accelerated lifecycle, there are no maintenance windows for patches or ability to mitigate a vulnerability, so the security infrastructure must adapt into new thinking. In this new thinking we must adopt new methods for server’s security configuration, evaluation and termination. Servers must be patched before they boot up, security configuration and hardening procedures should be integrated with server installation, vulnerability scanning and mitigation process should be automatic and operating systems should not even include user’s ability to login directly. In the presentation we announce on a new open source tool named “Cloudefigo” and explain about techniques that enables this new accelerated security lifecycle. We demonstrate how to launch a pre-configured, already patched instances into encrypted storage environment automatically while evaluating their security and mitigating them automatically if a vulnerability is found. In the live demo we leverage Amazon Web Services EC2 Cloud-Init scripts and object storage for provisioning automated security configuration, integrating encryption, including secure encryption keys repositories for secure server’s communication. The result for those techniques are cloud servers that are resilient, automatically configured and secure without any attack surface for hacker to explore.