Beruflich Dokumente
Kultur Dokumente
year,
and we decided it was time to dedicate an entire issue to them. We have a great lineup of industry
leaders sharing their knowledge and exploring various areas.
As you’re reading this, I’m about to start my yearly trip to San Francisco for the madness known
as RSA Conference, without a doubt the most significant information security event of the year.
I’m looking forward to meeting many of you, discovering new companies and seeing innovative
technologies in action. A special issue of (IN)SECURE Magazine after the event will showcase the
best of what the show had to offer and put a spotlight on several companies. See you next week
in San Francisco!
Mirko Zorz
Editor in Chief
Distribution
(IN)SECURE Magazine can be freely distributed in the form of the original, non-modified PDF
document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited
without the explicit permission from the editor.
www.insecuremag.com
Most organizations are unable to • Lack of timely compromise detection: 86%
of respondents say detection of a cyber-attack
resolve a cyber attack
takes too long
The lack of incident detection • Inability of point solutions to prioritize alerts
and investigation puts as they come in: 85% say they suffer from a
companies and their CISOs' lack of prioritization of incidents
jobs at significant risk,
according to a new Ponemon • Lack of integration between point solutions:
Institute study. 74% say poor or no integration between
security products negatively affects response
In fact, when a CEO and Board of Directors capabilities
ask a security team for a briefing immediately
following an incident, 65% of respondents • An overwhelming number of alerts
believe that the briefing would be purposefully paralyzing IR efforts: 61% say too many alerts
modified, filtered or watered down. from too many point solutions also hinders
investigations.
Additionally, 78% of respondents believe most
CISOs would make a “best effort guess” “When a cyber attack happens, immediate
based on limited information, and they would reaction is needed in the minutes that follow,
also take action prematurely and report that not hours or days,” said Dr. Larry Ponemon,
the problem had been resolved without this chairman and founder of the Ponemon
actually being the case. Institute. “It’s readily clear from the survey that
IR processes need to incorporate powerful,
This disconnect results from several critical intuitive technology that helps teams act
shortcomings in the current point solution quickly, effectively and with key evidence so
approach to cybersecurity and incident their companies’ and clients’ time, resources
response (IR), namely: and money are not lost in the immediate
aftermath of the event.”
www.insecuremag.com 5
The sad state of cybersecurity percent) US companies. Similarly, 86 percent
of US directors and senior decision makers
readiness
are given IT security training, compared to just
37 percent in the UK.
400Gbps NTP-based DDoS attack over 400 gigabits per second, that it probably
caused congestion on some peering
hits Cloudflare
exchanges (mostly in Europe), that (based on
sampled data) it misused just over 4,500
misconfigured NTP servers, and that the
customer initially wanted to pay with a stolen
credit card.
www.insecuremag.com 6
Intrinsic-ID enhances its Saturnus Saturnus software application runs on the
client device that will process the data. While
cloud security solution
working in the cloud, the Saturnus token is
connected to the USB port of a device. The
hardware-based security is augmented by a
second step, a username and password-
based login system. This combination is called
two-factor authentication and is based on two
unrelated factors: something known to the
user (username and password) and
something the user has (the hardware token).
The result of two-factor authentication based
on HIS is incredibly strong protection for all
data in the cloud.
Intrinsic-ID has released a new version of The USB token provides security based at the
Saturnus (www.intrinsic-id.com/saturnus), its client site. When the USB token is connected,
device-unique cloud security solution, that files are encrypted before they leave the
gives users total control over the protection of device on the way to the cloud. This
their data. The new version includes encryption is performed by using symmetric
enhanced usability features that make using key cryptography, which means files are
the cloud safer without compromising encrypted and decrypted using the same key.
flexibility, performance or ease of use. As part Since encryption and decryption are only
of the launch of this new version, the company performed on the client side and within the
is offering a money back guarantee. hardware of the token, the key never leaves
the user and is therefore completely secure
Saturnus is a hardware/software solution from malicious use.
based on proprietary and patented Hardware
Intrinsic Security (HIS) technology. The USB The GUI enables an intuitive use of the
token contains a smart-card chip embedded application. All functions are visible on the
with HIS, the strongest technology to generate application screen and files can be dragged
and store security keys. On top of this, the into the secure Saturnus environment.
www.insecuremag.com 7
IE 0-day used in watering hole attack identified campaigns (Operation DeputyDog
and Operation Ephemeral Hydra)," they
tied to previous campaigns
added.
Google offers five grants to women 28th, an invite to the Girl Geek Dinner
Amsterdam on the 29th and an invite to the
in security to attend HITB2014AMS
HITB Post Conference Reception sponsored
by Microsoft on the evening of the 30th.
Google is offering five grants
to women in security to attend
Winners of the grant will also receive up to
the Hack In The Box
1000 EUR towards travel costs (to be paid
Amsterdam conference in
after the conference).
May.
To find out more about the Google Women in
These grants include a VIP
Tech Travel and Conference Grant program,
ticket to the conference on the
see here - www.google.com/edu/students/
29th and 30th of May, an exclusive invite to
women-in-tech-conference-and-travel-grants/
the HITBSecConf Speakers Reception on the
www.insecuremag.com 8
As crimeware evolves, phishing The total number of unique phishing websites
observed rose to 143,353 in Q3, up from Q2’s
attacks increase
119,101. The increase is generally attributable
to rising numbers of attacks against money-
transfer and retail/e-commerce websites.
• Steady increase in the deployment of The survey also indicated that only 14% of
encryption with 35% of organizations having organizations surveyed do not have any
an enterprise wide encryption strategy encryption strategy compared with 22% last
year.
www.insecuremag.com 9
Mobility is the weakest security link percent will follow within 12 months, and
another 20 percent will follow within two years.
Surveying more than 750
security decision makers and Inadequate security investments. Although
practitioners, a CyberEdge 89 percent of respondents’ IT security budgets
Group report found that more are rising (48 percent) or holding steady (41
than 60 percent had been percent), one in four doubts whether their
breached in 2013 with a quarter employer has invested adequately in cyber
of all participants citing a lack of threat defenses.
employer investment in
adequate defenses. Malware and phishing causing headaches.
Of eight designated categories of cyber
Key findings include: threats, malware and phishing/spear-phishing
are top of mind and pose the greatest threat to
Concern for mobile devices. Participants responding organizations. Denial-of-service
were asked to rate — on a scale of 1 to 5, with (DoS) attacks are of least concern.
5 being highest — their organization’s ability
to defend cyber threats across nine IT Ignorance is bliss. Less than half (48
domains. Mobile devices (2.77) received the percent) of responding organizations conduct
lowest marks, followed by laptops (2.92) and full-network active vulnerability scans more
social media applications (2.93). Virtual frequently than once per quarter, while 21
servers (3.64) and physical servers (3.63) percent only conduct them annually.
were deemed most secure.
Careless employees are to blame. When
The BYOD invasion. By 2016, 77 percent of asked which factors inhibit IT security
responding organizations indicate they’ll have organizations from adequately defending
BYOD policies in place. 31 percent have cyber threats, “low security awareness among
already implemented BYOD policies, 26 employees” was most commonly cited, just
ahead of “lack of budget.”
www.insecuremag.com 10
How Edward Snowden's actions 75% of the respondents indicated that the
Edward Snowden incident has changed their
impacted defense contractors
companies' cybersecurity practices in one of
the following ways:
Lack of skills hindering appsec more than 37% have a program that has been
operating for more than five years," says
programs
SANS Analyst Frank Kim. "This indicates that
a lot of progress is being made, but it also
highlights that there is much more to do."
www.insecuremag.com 11
Windows, IE, Java are most 50 percent of the flaws were found in products
of only 10 vendors out of 760. The numbers
vulnerable
are both a testament to the number of
different offerings these big firms have and to
their popularity, which naturally points to the
conclusion that they are more often targeted
by hackers and analysed by security
researchers for security flaws.
USA still the global spam king to 8.2 percent, while Russia’s spam
contribution edged up from 3.0 percent in Q3
to 5.5 percent in Q4.
www.insecuremag.com 12
Amidst the rapid growth of cloud computing, in multiple studies over the past
several years security and privacy are commonly cited as top concerns. But
a look at the actual experiences of cloud customers finds that often, those
concerns are misplaced.
The existence of misconceptions about cloud It might seem understandable for consumers
computing is not necessarily surprising. The to have challenges describing a somewhat
industry is still evolving and the range of cloud intangible, technical concept like cloud com-
services continues to grow. Even the definition puting. But what about businesses?
remains unclear to many people. Try asking
several folks to explain “the cloud” and see Typically, business leaders seem aware of the
what you get. benefits touted by cloud providers -- reduced
capital costs, economies of scale, time sav-
Among consumers in particular, the cloud is ings, and flexibility. However, organizations
still a bit of a puzzle. Web hosting company that are considering cloud computing also
Webfusion surveyed over 1,000 people in the voice a number of apprehensions.
UK in 2013 and found that only 34 percent of
them claimed to understand what cloud com- To better understand the concerns that are
puting means. Even smaller percentages cor- acting as barriers to cloud adoption, and to
rectly identified services like Dropbox, iTunes, see whether those barriers matched the expe-
and Gmail as cloud services. A companion riences of actual cloud customers, in June of
survey conducted in the US turned up similar 2013 Microsoft commissioned an independent
results. study by comScore (bit.ly/1lorQzR), which
focused on SMBs.
www.insecuremag.com 13
Respondents were not aware of the connec- • 62 percent said that their levels of privacy
tion to Microsoft. Nor did comScore ask the protection increased as a result of moving to
respondents about specific offerings. The ob- the cloud
jective was to learn about their experiences • 75 percent said they experienced improved
with cloud services, regardless of the vendor. service availability since moving to the cloud.
Looking first at SMBs that had not yet adopted
the cloud, the study found: Clearly, the benefits of the cloud outweigh the
concerns. Improved reliability, security and
• 60 percent cited concerns around data secu- privacy protections help give back both time
rity as a barrier to adoption and money. For example, the study showed
• 45 percent said they were concerned that that, as a result of moving to the cloud:
using the cloud would result in a lack of con-
trol over their data privacy • 70 percent of SMBs were able to invest more
• 42 percent expressed concerns about the in product development and innovation, de-
reliability of the cloud. mand creation and expansion into new mar-
kets
Ensuing surveys have produced similar re- • 50 percent of SMBs have pursued new op-
sults. In fact, the headline “Security concerns portunities because of the time they saved
are still holding back cloud adoption” recently managing security.
appeared on Help Net Security (bit.ly/1drdyfp).
But even while cloud services are taking on
Perhaps we shouldn’t be surprised. Plenty has much of their customers’ security work, it’s
been written about these “barriers” to adop- important for businesses to remember they
tion. However, these perceptions are actually still have some responsibilities. For example,
strongly refuted by the realities (and benefits) cloud customers will still need to manage the
reported by companies that use cloud serv- security of their client devices – ensuring up-
ices. From the comScore survey, among to-date antivirus software, and educating em-
SMBs actually using the cloud: ployees on the importance of using strong
passwords.
• 94 percent said they had experienced secu-
rity benefits in the cloud that they didn’t have The chart on the following page illustrates the
with their former on-premises technology ap- mix of security responsibilities between cus-
proach. Benefits included more consistent tomer and provider, depending on the service
system updates, better spam email manage- model deployed.
ment and up-to-date antivirus protection
www.insecuremag.com 14
Employees in particular play an important role (bit.ly/1ehbdj3) on recognizing and avoiding
in protecting an organization’s data and other scams that come through email or web sites is
assets. Knowing how to spot phishing scams, also available.
and other types of social engineering is im-
perative. Employees should be trained to be For businesses that haven’t yet adopted cloud
alert for and to avoid bogus links in email and services, a good way to begin is by assessing
on suspicious web sites. the organization’s current level of prepared-
ness with the Cloud Security Readiness Tool
More and more people are also using their (bit.ly/M4O7WV), released by Microsoft’s
smartphones and other personal devices to Trustworthy Computing Group in 2012.
access company data and systems remotely.
To help organizations and their employees Knowing that the vast majority of customers
learn to defend against online fraud and other have experienced security improvements after
cybercrimes, Microsoft has published an moving to the cloud should help ease con-
“Internet Security at Work Toolkit” cerns among potential adopters. It’s time we
(bit.ly/1eNaXwL), with tips, fact sheets, videos busted the myth of the insecure cloud, and
and other information. IT Pros should consider remove that perceived barrier, once and for
downloading and sharing those resources all.
across their organization. Specific guidance
Jeff Jones is a 25-year security industry professional that has spent the last several years at Microsoft helping
drive security progress as part of the Trustworthy Computing initiative. In the role of Director, Jeff draws upon
his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical
and measurable security improvements into Microsoft process and products.
www.insecuremag.com 15
For many years, Jim Reavis has worked in the information security industry
as an entrepreneur, writer, speaker, technologist and business strategist. Jim
is helping shape the future of information security and related technology in-
dustries as co-founder, CEO and driving force of the Cloud Security Alliance.
How has the cloud security landscape Cloud adoption is at an all-time high, yet
changed in the last five years? How ma- those that are not using it are still saying
ture is the cloud today? the biggest obstacle is security. What can
service providers do to earn customer
Cloud computing has matured dramatically trust? What should customers be on the
over the past five years, and the use cases lookout for?
are quite broad. Five years ago, many IaaS
offerings were very simple, with perhaps five Certainly the Snowden issue, which I will dis-
or so options. cuss later, is a factor. However, the majority of
customers I talk to say the main issue is com-
Today many of those same providers have pliance and governance. It is about showing
literally hundreds of offerings, management proof of security, rather than technical security
tools and product add-ons, and third party itself, which is a nuance to the issue that
providers have added many new security so- many surveys miss. Solving this is mostly an
lutions. Many of these offerings today are educational issue with the various players, I
purpose-built for securing cloud providers, think.
where five years ago they were often legacy
security products “tweaked” for the cloud. Policy makers and auditors need to under-
stand how the cloud really operates. Security
Some of the most interesting innovations are professionals need to understand that the
identity as a service, cloud aware encryption, risks are not black and white - you may actu-
cloud application control and log manage- ally reduce risks by using a public cloud pro-
ment. vider that has better firewalls and backup
www.insecuremag.com 16
systems. The big thing providers need to do to plify the adoption. SDP is a big idea that says
increase trust is to be transparent with their we are going to need to change our view of
security and governance practices. We think how we implement IP networks to decrease
the CSA Security, Trust and Assurance Regis- the global discovery and visibility of comput-
try Program (cloudsecurityalliance.org/star) ers. The IP-controlled thermostat in my home
provides the global model for trust in the is my business alone.
cloud. It is a control framework that is mapped
against key security standards and require- What trends do you expect to see in the
ments, it allows providers to publish their se- next 12 months? Do you expect to see a
curity practices for all to see, includes 3rd notable increase in cloud security
party certification where needed and will in automation?
the future provide continuous monitoring.
We see the growth in consumer-owned mo-
Last year you launched the Software De- bile devices and new generations of the Inter-
fined Perimeter Initiative, a project to de- net of Things creating a “force multiplier” that
velop an architecture for creating highly will lead to even more aggressive cloud adop-
secure and trusted end-to-end networks tion.
between any IP addressable entities, allow-
ing for systems that are highly resilient to As organizations lose control of the endpoint
network attacks. Are you satisfied with the device, they will have fewer options to prevent
response? What enterprises are working cloud usage, although solutions are coming to
with you on the development? market to help them manage this usage. We
do see a lot more automation in the entire
We are quite pleased with the response so lifecycle of acquisition, implementation and
far, and a few very large enterprises have im- management of cloud services. Whether it is
plemented prototypes and pilots with positive called cloud brokering or by another name,
results. We have much more work to do in or- we see a lot of this automation coming from
der to publish mature specifications and sim- intermediaries.
www.insecuremag.com 17
their information is being safeguarded from hypocrisy related to the Snowden revelations,
unwarranted government access. Many have given their own spying activities.
announced greater efforts at end to end en-
cryption. Some are even taking legal action The mature conclusion that is being arrived at
against the US federal government. To be is that an enterprise’s information must be
clear, the customers are telling us there is safeguarded against a whole host of threats:
work yet to be done, and are forcefully push- domestic, international, private sector, public
ing for greater transparency from the provid- sector, criminals, hacktivists, etc.
ers in their relationships with governments
and in their own management of customer in- The general consensus is that organizations
formation. need to take a holistic approach to increase
the baseline of their security, which includes
• Still other revelations have shown that coun- governance issues related to provider selec-
tries besides the US are conducting similar tion; technical architecture improvements,
options to acquire large consumer data sets. such as increased encryption and logfile
Some of these countries collaborate with the monitoring and several other practices. More
NSA. Very recently, EU Justice Commissioner and more, the CSA best practices are being
Viviane Redin was highly critical of European cited and used as the foundation of this in-
creased security baseline.
Mirko Zorz is the Editor in Chief of (IN)SECURE Magazine and Help Net Security (www.net-security.org).
www.insecuremag.com 18
This article is an attempt to perform an analysis of cloud security by taking
into consideration two aspects. The first one is related to the different cloud
security models (IaaS, PaaS, and SaaS), and we will attempt to assess some
of the security risks for each. The second is related to the uncertainty of such
assessments and the ways to deal with these uncertainties, in particular
based on Service Level Agreements (SLAs), insurance, and certifications.
The basic premise for our analysis is that you, and the customer for different cloud service
as a representative (CSO/CIO/…) of a com- models.
pany, are considering migrating to the cloud,
but are concerned about the security implica- IaaS and security
tions of such a move.
In the “Infrastructure as a Service” (IaaS)
It should be noted that our analysis is not in- world, a CSP usually provides you with a
tended for life-critical applications, or any in- number of virtual servers and other virtual ap-
dustry where a security breach is considered pliances that are essentially managed by
completely unacceptable - our analysis is for a yourself. One can reasonably argue that with
typical business application in a typical busi- IaaS, most of the security is still handled by
ness enterprise, where there is a need to find the customer. If an organization is switching a
the right balance between solution costs and part of its infrastructure to IaaS, it still needs to
solution risks. configure firewalls, IPSs, IDSs, etc. In this set
up, the customer is usually also responsible
Table 1 on the following page illustrates, more for OS patching and application security. In
or less, a typical split of security responsibili- theory, the CSP may provide help with setting
ties between a cloud service provider (CSP) the system up, but in practice that help is
www.insecuremag.com 20
Table 1.
rather limited, so the balance of responsibili- • Category 1: Attacks coming from some other
ties usually looks like this: the CSP provides customer of the same CSP. Anybody, includ-
the (usually virtualized) servers, the customer ing a hacker from some distant country, can
does the rest. (attempt to) crack the security that separates
virtual machines - yours and the attacker's - in
This approach can be either a blessing or a the cloud.
curse, depending on your point of view. If • Category 2: Attacks via cloud administrator.
you're looking to delegate to the cloud as
much as possible, it is not exactly good news: How big are these risks? In practice, we feel
you still need to run your own IT/security de- that the risk for attacks cracking the barrier
partment (in a cloud/IaaS setup, IT/security between two virtual machines is not that big.
department can be more easily outsourced to
the cloud, but this is beyond the scope of this We've taken a look at CVE vulnerabilities for
article). On the other hand, if you're more the last 3 months, and have found that only
concerned about migration to the cloud being about 20 of 1300 vulnerabilities (about 1.5 %)
smooth, out of all cloud migration scenarios are virtualization-related. It is also interesting
IaaS requires the least possible change, with to note that out of these 20 vulnerabilities, at
the logical part of your infrastructure kept least half are directly related to UI, so they're
more or less intact - or at least not that af- sitting somewhere in between the two risk
fected as it would be when migrating to the categories mentioned above. Of course, the
other cloud models. number of known vulnerabilities shouldn't be
confused with real risks, since a single vulner-
In a sense, IaaS is the closest you can get to ability can be enough to defeat security com-
managing your own infrastructure. From many pletely, but it still provides some information
points of view - including the security one - it about the attack surface. Let’s say that this
is very close to how traditional hosting ISPs risk is not too high, and can be assessed with
function, with the main differences being the some level of certainty.
following:
Unfortunately, the risk of being hit with an at-
1. You get “on-demand” scaling and the asso- tack via cloud administrator is much more dif-
ciated reduction in costs, which is usually the ficult to assess. Assuming that cloud adminis-
main reason why enterprises are switching to trators are running desktops/laptops (and they
the cloud in the first place. usually are), we need to recall that any system
is only as strong as its weakest link. So, to
2. In exchange for reduced costs, you need to break into your cloud (and to access your
deal with a set of cloud-specific security risks sensitive data) it is not necessary for the at-
which include at least two rather broad cate- tacker to break into a neighboring VM via a
gories: weakness in the hypervisor.
www.insecuremag.com 21
Instead, it is sufficient to break into the provider, risks related to attacks via cloud ad-
desktop/laptop that the cloud administrator ministrator depend on the practices of a spe-
uses to manage the cloud, including your VM. cific CSP, and this leads to uncertainty in se-
Normally, administrators have the option to curity assessments.
make an image of your VM while it is running.
Such an image is rarely encrypted, and is PaaS and security
even more rarely encrypted with a key that is
not available to the same cloud administrator. In the “Platform as a Service” (PaaS) world,
you normally get an application platform that
Also, such an image can be made without you your developers use for developing new appli-
noticing it, but even worse that that: even if cations – the migration of existing applications
you're using encryption, such an image will without rewriting them is usually not an option.
contain all your keys in unencrypted form. All PaaS usually provides APIs to access plat-
this combined together, it means that whoever form services, such as network and storage.
controls the desktop/laptop of the cloud ad- Unfortunately, for PaaS-based systems, secu-
ministrator (the one who can create an image rity is even more difficult to assess than for
of your VM) should be considered as a person IaaS-based ones. When using PaaS, you in-
who can access your data. herit all the security risks from IaaS, and face
additional ones specific to PaaS.
To make things worse, it is not only the cloud
administrator who has such powers, but also With PaaS, separation between customers is
any hacker that is sitting half-a-world away but handled by the PaaS provider. Database (or
has managed to convince the cloud adminis- any other storage) separation is normally a
trator to open a malicious e-mail attachment responsibility of the CSP, too.
several months ago. And as the March 2011
RSA breach (tinyurl.com/o6s3o3k) has dem- It leads us to the following categories of addi-
onstrated, such spear-phishing attacks are tional PaaS-specific risks:
extremely difficult to prevent even in the most
security-conscious environments. • Category 3: Risks related to holes in PaaS
API-based separation - unless the PaaS pro-
Compare it to the situation with more tradi- vider uses VMs to separate customers. APIs
tional ISP hosting: while the ISP administrator (especially higher-level APIs normally used in
can physically take your HDD and compro- PaaS) are notoriously buggy and insecure, so
mise your data, taking out your HDD cannot there is considerable uncertainty when it
be done remotely, and this makes a world of comes to security assessments of these risks.
difference. With traditional ISP hosting, a re-
mote attacker would need to bribe the ISP • Category 4: Risks related to database ac-
admin to obtain access to your sensitive data. cess separation. Data access separation is
This is theoretically possible, but not that tricky – for each way to do it right there are at
likely. With a CSP, all the remote attacker least several dozen ways to do it wrong. While
needs is to spear-phish the laptop of the CSP we're shouldn’t automatically assume that all
administrator, and that is a much more realis- PaaS providers are doing it wrong, we still
tic scenario. cannot rule it out; once again, it means that
risk assessment is not possible without a de-
The likelihood of such spear-phishing attacks tailed security analysis of the specific CSP.
being successful depends heavily on the se-
curity practices of a specific CSP, and may be SaaS and security
at any point of the spectrum between “security
as solid as rock” and “has holes large enough If you're dealing with the SaaS cloud model,
to let USS Enterprise through.” things can be a bit simpler for you. Usually,
SaaS CSPs are providing a very specialized
In practice, it means that while risks in the first environment for a very specific task, and there
category can be assessed with at least some is little pressure to go down the “slippery
level of confidence and without a deep analy- slope” of moving more and more data into the
sis of the security practices of a specific cloud cloud without understanding risks associated
www.insecuremag.com 22
with such a move. If the data that you have Summary of risk categories
moved into the cloud is not sensitive, you're
perfectly fine. Now let's summarize, in one table, all the
CSP-related risks mentioned above. While the
If, on the other hand, that data is sensitive, list of the risks represented by those four
from a security perspective most of the risk categories is by no means exhaustive, it is
categories listed above still apply. sufficient to illustrate the magnitude of security
uncertainties faced by enterprises planning a
migration to the cloud.
Table 2.
While uncertainty estimates in Table 2 are how secure your system is” is exactly what
subjective, we've discussed them with a few security uncertainty is about.
people from the security community and have
found that there is not much disagreement on The importance of security certainty
them. It should also be noted that for the fol-
lowing discussion we won't rely on specific The importance of being certain about the se-
uncertainties, but only on the assumption that curity of your system cannot be overesti-
for all cloud service models, there is substan- mated. Security is a very special entity com-
tial security uncertainty related to the specific pared to other technological issues busi-
security practices of a specific CSP. nesses need to deal with. If the system does
not do what is expected, or is not performing
When we take a look at Table 2, we can see well, it is usually highly visible so the problem
that even for IaaS, which has the lowest over- can be addressed right away. When it comes
all CSP-related uncertainty compared to the to security, you never know that the system is
other cloud service models, security uncer- broken until it is too late. And given the scale
tainty is high. In other words, without going of potential consequences arising from a se-
deep into the details of a specific CSP, we curity breach - which in worst case can easily
cannot be sure how good their security is. cost hundreds of millions or even billions - tak-
ing uninformed security risks is the last thing a
One (especially someone representing a CTO/CIO/CSO should do.
CSP) may say: “Hey, you're speaking about
security breaches affecting a CSP, but the Dealing with uncertainty: Audits, SLAs, in-
same types of breaches can happen in your surance, and certifications
own environment. So, what's the difference?”
Granted, most of the risk categories men- In business, there are four well-known ways to
tioned above also apply to your own environ- deal with similar uncertainties:
ment, but there is one fundamental difference:
in your own environment you can find out how 1. Perform a security audit of the CSP your-
risky it is (it will be very expensive and labor- self. Fortunately or not, in most cases this
intensive, but still possible). In a CSP envi- won't fly (unless, of course, you're that big that
ronment it is much more difficult, up to the you have your own cloud).
point of sometimes being next to impossible. 2. Rely on the guarantees that a CSP pro-
In a nutshell, this “how difficult is to find out vides in its Service Level Agreement (SLA).
www.insecuremag.com 23
3. Rely on insurance (provided by a third-party T. Somewhat similar to the failure rate from
insurance company) engineering. Under our conditions, 1/λ can be
4. Rely on a third-party security audit (ideally seen as “average time between security
by a reputable authority). breaches” (somewhat similar to MTBF)
ξ: Losses due to security breaches happened
Items 1, 3 and 4 on the list are rather obvious, during time period T; ξ = L* λ
but item 2 one may require a bit of explana-
tion. The mathematical expectation of security
breach losses ξ can be calculated as:
Service Level Agreements (SLAs) are a well-
known way for service providers to provide E[ξ] = E[L*λ] = L* λ
certain guarantees for difficult-to-estimate as-
pects of their service. In a sense, it is the pro- For the benefit arising from moving to the
verbial “putting your money where your mouth cloud to be positive, it is required that S >
is”. If an ISP says “I guarantee that your net- E[ξ], that is, S > E[ξ] = L * λ or, respectively, L
work will be up 99.99% of time, or it is money should be less than S / λ.
back for this month”, it increases the cus-
tomer's confidence that the ISP is able to If compensation C is provided (for example, in
achieve this target. Also, it creates a very spe- SLA, or by a cyber-insurance company) in
cific incentive for the ISP to make sure that case of a security breach, then losses includ-
the network is indeed up and running at least ing compensation L1, if security breach hap-
99.99% of time. These two sides of a SLA pens, become L1 = L – C and ξ1, security
combined explain the high popularity of SLAs breach losses including compensation, will
and SLA guarantees in the world of ISPs, have a mathematical expectation of
mitigating to a great extent the inherent uncer- E[ξ1] = E[(L-C)*λ] = (L-C) * λ
tainty of ISP service quality.
Respectively, for the benefit arising from mov-
Security guarantees in CSP SLAs ing to the cloud to be positive, it is required
that S > E[ξ1] = (L-C) * λ or L-C < S / λ [**]
You still want to migrate to the cloud, and
there is no reliable third-party security audit. The value of λ depends heavily on the secu-
What kind of security guarantees you need rity procedures adopted by the CSP. To ac-
from the CSP's SLA? count for the worst-case scenario, one may
assume that value of λ may happen to be ar-
Let's assume that we are considering whether bitrary high; then, taking a limit as λ ap-
a migration to cloud makes business sense, proaches infinity, [**] effectively becomes
and let's assume that the decision is purely L – C < 0, [***] which, in simple words, means
money-based (which implies, among other that the compensation per breach (from the
things, that the potential of a single breach is CSP provider or from the insurance company)
not prohibitively expensive for the company). should be greater than the losses from the
breach.
A bit of math
Back to business - SLAs
Let's define the following:
The formula above [***] can be summarized
S: Amount that could be saved due to transfer as follows: if considering the worst-case sce-
to the cloud during a certain time period T (S nario in presence of an arbitrarily high security
can be expressed, for example, in dollars/ uncertainty, the move to the cloud will be cost-
year) efficient only if the compensation in case of
L: Amount of loss if a security breach happens security breach (guaranteed by the SLA or by
(per security breach; L can be expressed, for an insurance company) will be more than cost
example, in dollars) of security breach to the company. Or in even
λ: Rate of security breaches - a frequency of simpler form: with the conservative assump-
security breaches expressed in terms of a tions above,
number of security breaches per time period
www.insecuremag.com 24
In the absence of reliable third-party certifica- In practice, there are indeed companies that
tions, putting data in the cloud only makes fi- provide cyber-insurance against security
nancial sense if the cost of the data trans- breaches. One such company is CloudInsure,
ferred into the cloud is less than the compen- which has been reported to provide insurance
sation provided by the SLA or by cyber- with compensations up to $1 million (and in-
insurance in case of a security breach. surance costs in the range from $5K to $10K
per year). It has also been reported that
It is interesting to note that the clause in the CloudInsure is ready to insure CSPs (as de-
SLA you should be looking for doesn't depend scribed in second insurance model above),
on the type of the CSP (being IaaS, PaaS or though as of now it is not clear if any CSP is
SaaS); it is more a question of if the CSP will including their (or anybody else's) insurance
be willing to provide a compensation guaran- against security breaches in their SLAs. In any
tee good enough for your migration. case, even with current pricing, cloud insur-
ance may easily allow migration of the data
In practice, we wouldn't expect CSPs provid- worth on the order of $1M to the cloud (though
ing SLA guarantees themselves in case of a you need to account for insurance cost when
security breach on the order of millions; the calculating cost efficiency of such a move).
reason being that a CSP breach is likely to
affect many (if not all) of its customers, and The maze of certifications: Compliance
paying more than few months worth of their and risks as two sides of the same coin
fees would be way too risky for the CSP. Still,
having clauses in the SLA that guarantee you When you ask any sizable CSP about their
a few months worth of your CSP fees can al- security certifications, they will show you a
low you to move the least sensitive part of very long list: HIPAA, SAS70, SSAE16 SOC1/
your expensive infrastructure to the cloud. SOC2, FIPS 140, ISO 27001, PCI DSS, and
so on. The sheer number of items in this al-
On the other hand, there is a possibility that phabet soup served by the CSP can be really
the CSPs may obtain cyber-insurance cover- impressive. Now, to understand the real value
ing security breaches, from independent in- that these certifications have for you as a CSP
surance companies; this may allow them to customer, we need to define what your goal
substantially increase the guarantees in the with certification is. There are two possible
SLAs. reasons why you may want a certification from
your CSP – compliance and risk assessment.
Back to business: Cyber-insurance
It should be understood that, strictly speaking,
As discussed above, CSPs themselves are being secure does not imply compliance with
not likely to provide compensation on the or- standards, and vice versa. While usually
der of millions in case of a security breach be- measures aimed at reaching compliance do
cause of risks being too high for a CSP. How- help security (and therefore reduce risks), and
ever, there are companies out there whose often measures aimed to improve security
whole business revolves around taking that help to reach compliance, the final states of
risk for others: insurance companies (in our “being secure” and “being compliant” are not
case – cyber-insurance companies). 100% the same, and separate analysis of
compliance and security may be necessary to
In theory, we could expect two different insur- ensure that the system is both compliant and
ance models for our case. In the first model, a secure.
cyber-insurance company could insure cus-
tomers against security breaches directly. In Certification and compliance
the second one, a cyber-insurance company
may insure a CSP against security breaches, The first reason for you to make sure that your
so that the CSP is able to put higher guaran- cloud provider does have certification is that
tees into their SLA. As it is usual with group you need to be compliant with a certain regu-
insurance, we could expect that the second lation. For example, if you need to store medi-
model would be more cost-efficient for the cal data and you're located in the US,
customer.
www.insecuremag.com 25
chances are that you need to be compliant Security-unrelated standards and certifica-
with HIPAA data protection requirements, with tions
no way around it. In a similar way, if you want
to process credit cards, you likely need to be There are many standards and certifications
compliant with PCI DSS. It means that if out there which are popular, but that have little
you're moving respective portion of your data to do with security. One such example is SAS
and/or processing to the cloud, you will very 70 (in fact, the misuse of SAS 70 as a security
likely need your CSP to be compliant with an certification was/is so frequent that Gartner
appropriate regulation and have appropriate has even issued a press release titled “Gart-
certification. We should note that this aspect ner Says SAS 70 Is Not Proof of Security,
of certification is not exactly the focus of the Continuity or Privacy Compliance”).
article, so we won't concentrate on it too
much. One word of caution though – even if Paper-only compliance and under-
your CSP is compliant with a certain regula- specification
tion, it doesn't mean that by using their serv-
ices you will be automatically compliant, too. A big problem with many certifications is that a
big part of them can be complied with without
Just one example – your CSP can be an IaaS making any changes to the system, but
cloud provider, and can be PCI DSS compliant merely by producing paperwork. While paper-
in a sense that they handle physical security work can have its own merits (for example,
according to PCI DSS, and that their own sys- very few people will argue about the useful-
tems are secure according to PCI DSS re- ness of security policy), certifications that as-
quirements; however, as they're IaaS, they sure very little beyond pure paperwork don't
can't make sure that your web server sits in really provide much in terms of risk assess-
the DMZ, or that your firewall (provided by ment. In other words, if the only thing a CSP
IaaS) is configured according to PCI DSS; it needs to do to comply is to produce a pile of
means that even if a CSP is perfectly PCI papers, the certification is not worth much for
DSS compliant, you as a merchant can be practical purposes (it may still be needed for
easily non-compliant with all the potentially compliance though).
unpleasant consequences. Or if we express it
in mathematical terms – as a rule of thumb, A close cousin of paper-only compliance is
CSP compliance is usually a necessary condi- under-specification. It happens when the
tion for you to be compliant, but not a suffi- standard to be complied with does provide
cient one. some value beyond paperwork, but the set of
security controls within is not sufficient to pro-
Certification as a way to assess security vide comprehensive coverage. For example, if
risks a certain standard specifies that passwords
need to be changed on regular basis, it is a
The second reason to choose a CSP with a good thing, but if the standard doesn't require
certification is to reduce security uncertainty using firewalls to protect certain parts of the
and therefore to allow you to move more sen- CSP infrastructure, it may allow fully compliant
sitive applications and/or data to the cloud. organizations to not use firewalls at all. Taking
into account the fact that a system is only as
Here, however, some understanding of the secure as its weakest link, this is clearly not
real meaning of various certifications is nec- enough to provide meaningful improvement in
essary. There are several problems with un- assessed risks.
derstanding and comparing the certifications
presented by most cloud providers. The very Lack of cloud specifics
first word of caution is that you should never
judge a CSP for risk accessing purposes The cloud environment has its own unique
based on the number of the certifications they challenges. For example, while Category 2
have. Certifications should be taken one by risks described earlier are not exactly unique
one, and the merits for risk assessment to the cloud, in practice there is a substantial
should be evaluated for each certification. increase in Category 2 risks in cloud environ-
ments.
www.insecuremag.com 26
In particular, consolidation of control on ad- cause its controls are (like those in SAS 70)
ministrative PCs used to control hundreds of self-defined, and therefore merely having a
CSP clients makes these PCs much more at- SOC 1 report does not provide enough infor-
tractive attack targets, which in turn makes mation about security properties of the sys-
attacks on them much more likely and much tem. SOC 2 reports, however, were received
more damaging. We strongly feel that to pro- more favorably, but with a reservation that
vide a meaningful capping of risks, such is- even SOC 2 is still underspecified with respect
sues need to be addressed in the standards to security details.
and certifications.
It is worth noting that both SAS 70 and SSAE
Navigating the alphabet soup of existing 16 are standards prepared by AICPA, which
certifications stands for “American Institute of Certified Pub-
lic Accountants” and, as we understand, the
Let's take a look at existing security-related reports are meant to be prepared by CPAs
certifications from the point of view of risk as- (Certified Public Accountants). We have no
sessment in general, and caveats listed above doubts that it has severely limited technical
in particular. details in these statements (one cannot rea-
sonably expect a CPA to know security at the
SAS 70 level of a (ISC)2 CISSP).
www.insecuremag.com 27
underspecified and lacking cloud specifics for on TLS), there is still a need for a more com-
the purposes of the risk assessment in the prehensive security standard covering the
cloud. While covering pretty well such areas whole stack of technology used, from high
as organizational security, human resources level to low level, including everything in be-
security, and physical security, the important tween.
fields of network security and encryption are
grossly underspecified (just as one example, PCI DSS
we weren't able to find in ISO 27001 or ISO
27002 any reference to a minimal strength of PCI DSS is, in our opinion, a very nicely writ-
encryption algorithms which are allowed to be ten standard, that doesn't suffer from the
used). under-specification that most of previously
discussed ones do. While it is reasonably de-
Based on this, our subjective opinion is that tailed, it’s still possible to comply with it in
the value of ISO 27001/27002 for practical practice.
purposes such as risk assessment is rather
limited, unless it is complemented by other The main problem we see with it for the pur-
means (such as the Cloud Control Matrix). pose of CSP risk assessment is that PCI DSS
has a very narrow scope. Everything that is
FIPS 140 not related to credit card numbers is out of
PCI DSS scope, so if you're absolutely inse-
FIPS 140 (Federal Information Protection cure but do not process credit cards at all,
Standard publication 140) is an interesting ex- technically you're still compliant with PCI DSS.
ample of a standard that is fully specified,
though, taken alone, it still cannot be used as On the other hand, if PCI DSS certification for
a reliable metric of CSP security. a CSP can be interpreted as “it is safe to
process credit card anywhere on this CSP”
Most of the standards mentioned before were (and our point of view is that this is the only
listing too few technical details, while staying reasonable interpretation of PCI DSS claims
at a level which is “too high” to provide neces- for the CSP, but it is better to ask your specific
sary coverage. In contrast, FIPS publications CSP about their interpretation) – it will say
tend to be very down-to-earth, and have all quite a lot about security processes of a spe-
the necessary technical details. cific CSP. While still lacking cloud-specific de-
tails, it is probably one of the most compre-
The problem with the application of FIPS hensive existing security standards.
standards (including, but not limited to, FIPS
140) to CSPs is that the scope of FIPS is lim- Our subjective opinion is that when we see
ited to cryptography. As it is well-known in the that certain CSP is PCI DSS certified (assum-
security industry, having good cryptography is ing that interpretation of being certified above
only one of many prerequisites to having a stands), it makes us a bit more assured about
secure system, so using only FIPS 140- this CSP’s security practices; still, due to the
compliant algorithms is clearly not enough to limited scope of PCI DSS, for the purposes of
achieve meaningful system-wide security. a risk assessment of a CSP we'd clearly pre-
fer to rely on some certification with much
Moreover, in many cases even combining wider scope.
FIPS 140 with higher-level standards like ISO
27001 may be insufficient to guarantee secu- New kids on the block: CCM and STAR
rity: the problem here is that between the
high-level view of ISO 27001 and the low-level Probably understanding the limitations of the
view of FIPS 140 there is still a substantial existing certifications, several years ago the
uncovered gap related in particular to security Cloud Security Alliance (CSA) has started the
protocols used within the system. development of a new industry guidance
framework, the Cloud Control Matrix (CCM).
As a big portion of security attacks comes ex- In September 2013, CCM 3.0 has been re-
actly from breaches in the protocols (see, for leased.
example, recently developed BREACH attack
www.insecuremag.com 28
The CCM specifically aims to provide security ish Standards Institute). The STAR certifica-
guidelines for CSPs to follow, and to provide a tion is based on ISO 27001, but is aided with
framework for assessment of security con- certain controls from the CCM (currently from
trols. It covers many of the gaps of the previ- CCM 1.4, though in the future support for later
ous standards; one of the most important ad- versions of CCM is planned), which allows it
vantages of the CCM is that it is cloud- both to deal with under-specification and to
specific, and as such, it addresses cloud- provide cloud-specific controls.
specific issues.
As of now, STAR layer 2 certification is proba-
Just as one example: based on the cloud bly the best single thing a CSP can show you
service model and the cloud being public or to demonstrate that they really care about se-
private, CCM suggests which controls might curity. At this time, STAR layer 2 certification is
fall under CSP responsibility versus the con- still so very new that no CSP has it yet; how-
suming organization; this delineation of re- ever, we could expect first STAR layer 2 certi-
sponsibility in the cloud is one major item fications by mid-2014.
desperately missing from previous standards.
While we feel that there is still a long way Conclusion
ahead for the CCM (in particular, covering
cloud-specific attack vectors, such as those We have performed an analysis of security
described in the described four categories), uncertainties inherent to cloud service provid-
we strongly feel that the CCM represents a ers (CSPs) and some possible ways to over-
desperately needed move in the right direction come these uncertainties. We have found that
(moreover, as far as we know, CSA's efforts while compensations for security breaches (in
are the only efforts in this area). SLAs and/or by cyber-insurance) can allow
enterprises to push some of the less sensitive
The STAR (CSA Security, Trust and Assur- data to the cloud, further reduction of security
ance Registry) is an initiative parallel to the uncertainty is still necessary. Such an uncer-
CCM, and is partially based on it. Up until re- tainty reduction can be achieved via cloud-
cently, only STAR layer 1 (self-assessment) specific efforts like the CCM and the STAR.
was available; as with any self-assessment,
its value for risk assessment was rather lim- We feel that such efforts are absolutely nec-
ited. However, in September 2013 it has been essary to deal with security uncertainty, which
announced that STAR certification layer 2, severely limits information being moved into
based on independent third-party assess- the cloud.
ments and audits, is available from BSI (Brit-
This article has been prepared based on cloud security research project conducted by authors at OLogN
Technologies AG, Liechtenstein.
Sergey Ignatchenko is a Security Researcher with security experience in various fields going back to 1996.
Among other things, he has designed a comprehensive and regulations-compliant security solution for one of
G8 stock exchanges, and a security architecture for a very large system with 100+ millions of users, 10+ thou-
sands of RSA SecurID tokens, and capable of processing billions transactions per day. His systems have
passed numerous security audits with flying colours. He can be reached at si@o-log-n.com
Dmytro Ivanchykhin is an Information Security Consultant with interests spanning areas from mathematical
aspects of cryptography (with an emphasis on abstract algebra and Galois fields) to applied cryptography and
secure protocols. He can be reached at di@o-log-n.com
www.insecuremag.com 29
The advent of cloud services can be referred to as one of the most serious
historical changes in the data storage and access model. Ease of deployment,
scalability and economic efficiency spurred a mass migration of businesses
from the standard CAPEX model to the cloud. In the rush of implementing
these new business practices, the crucial point of observing the privacy of
and controlling access to in-house data has somewhat fallen by the wayside.
Ironically, recent spy scandals revealed stage contacts with first-tier online service
through the efforts of Edward Snowden and providers such as Microsoft, Google and
the Wikileaks project made it clear that the Amazon. Despite the providers’ efforts to re-
question of privacy and data security has fute the collaboration claims by stating that no
never been as important as it is today. mass uncontrolled disclosures of private data
had taken place, the public continues to rail
Who is spying on me? against the connection and to call for the
companies to respect their customers’ right to
Revelations in information security lead us to privacy.
realize that the world of information is much
more dangerous than it appeared before. The On the other hand, it is important to remember
NSA is developing wide-scale global surveil- that while international cloud legislation is still
lance projects (tinyurl.com/okdes6f), and is quite immature, data centers and the data
already capable of silently capturing Internet they store are normally subject to the laws of
communication. At the same time, intelligence the country in which they physically reside.
bureaus are working on establishing back- Data privacy and protection laws in that
www.insecuremag.com 30
country may differ significantly from that of sure that none of the failed hard drives,
your homeland, and there’s always the possi- scrapped and sent to a landfill by the service
bility of natural disasters, revolutions, and lo- provider, won’t end up in the wrong hands at
cal wars creating a chaotic situation that can some stage of the disposal process?
result in your data being accessed by people
that should not have access to it. Cloud: A safe or a cloakroom?
Picture 1. Data flow between the customer’s premises and the cloud storage.
The TLS protocol secures data transfers be- stack. With the help of user authorization the
tween two peers, or, in our case, between the service identifies a particular account holder
customer’s computer and the cloud front end. and confirms his identity. The authorization is
The (correct) use of TLS gives the customer typically based on establishing the fact of
the ability to establish the genuineness of the ownership of an authorization token. The most
service endpoint and protect the data ex- widely used types of authorization tokens are
changed from passive or active interception. access keys, digital certificates and pass-
words. It is important to keep in mind that any
Each side of the protocol works like a black entity in possession of an authorization token
box, which takes plain data from the applica- can send authorized requests to the service
tion layer and sends encrypted output to the on behalf of the legitimate account holder.
network. When receiving data, the black box Therefore it is really important to keep authori-
applies a reverse permutation to the encrypted zation tokens safe.
data and passes the decrypted data up the
www.insecuremag.com 32
Server-side encryption (SSE) is an additional Finally, server-side encryption won’t protect
layer of security adopted by certain cloud the data from the eyes of intelligence agen-
service providers. Before sending the cus- cies.
tomer’s data to the data centre, the provider
encrypts it with a strong symmetric cipher. If Ready. Steady. Go.
an attacker gets access to the data centre,
they will be unable to decrypt the data without I hope I persuaded you that data of any posi-
having the encryption key. tive significance must always be covered with
an extra layer of protection in addition to the
The most critical point of this scheme is that security measures provided and adopted by
the key and the data encrypted with it reside in the service providers. One of the simplest yet
the same environment, the cloud provider’s effective methods of building such an extra
network. Even though it may be stored in a layer is to adopt client-side encryption (CSE)
completely isolated subnet whilst the data re- (in contrast to server-side encryption offered
mains in the data centre, the key still “meets” by the service providers).
the data at point B where the encryption or
decryption is performed. Besides, the data in The main idea behind CSE is that the cus-
unencrypted form is fed to the input of the TLS tomer encrypts their data before sending it
server endpoint A, which normally is a front- over to the service provider, and decrypts the
end web server, subject to the relevant attack data after downloading it back. With CSE, the
risks. In case an adversary gets access to one customer keeps the encryption key securely in
of those points, they will be able to read the his own environment rather than entrusting it
customer’s data in the clear without any need to the service provider. This way, the cus-
for the encryption key. tomer’s data goes through the A and B points
in customer-encrypted form and can’t be re-
It should be noted that if your authorization covered by an adversary who controls those
token is leaked, server side encryption won’t points.
prevent data theft. With the token in his pos-
session, an adversary can easily impersonate Even if a lucky attacker or intelligence person-
a legitimate user and get access to the data nel gain full control over the provider’s compu-
through the service’s public REST or SOAP tational infrastructure, they will be unable to
interface. recover the data.
Even if an adversary manages to steal the vic- A variety of encryption keys can be used with
tim customer’s authorization token and imper- the CSE scheme, from generic symmetric en-
sonates them to the service, the data returned cryption keys and asymmetric key pairs up to
by the service will still be in encrypted form, passwords and customer’s biometric informa-
and they will be unable to recover it without tion. This flexibility is achieved by separating
obtaining the CSE encryption key. customers’ encryption keys (“user keys”) from
object encryption keys (“session keys”).
www.insecuremag.com 33
The data is first encrypted with a randomly The session keys-based scheme has a num-
chosen session key (SK). The session key is ber of advantages, the most substantial of
then encrypted with a customer’s user key (for which is its ability to adopt user keys of virtu-
example, a public RSA key). The encrypted ally any nature and the uniqueness of per-
data together with the encrypted session key object encryption keys. The latter makes it im-
is then sent to the cloud service provider. possible for an attacker who recovers a single
When reading the data back, the customer session key to decrypt the rest of encrypted
first decrypts the session key with their user objects, as they are encrypted with different
key, and then uses the session key to decrypt session keys.
the data.
Aside from encryption, the customer may ac- Another attractive side of the CSE is that one
company protected objects with MDP (modifi- can actually encrypt data with several different
cation detection and prevention) records. An user keys at the same time. Objects encrypted
MDP record is basically a message digest in such way can be decrypted with any of the
computed by the writer over the unencrypted keys used for encrypting them. This feature
data and encrypted with it before sending it can effectively be used to set up flexible
over to the cloud service. When reading the access-rights schemes or establish secure
data back, the customer computes a message cloud-driven document flow within the organi-
digest over the decrypted data and compares zation.
it to the message digest attached to the en-
crypted object. If an MDP-ed object was al- “Wait a minute,” an attentive reader will say,
tered while residing in the cloud or in transit, “does it mean that the protection of my client-
the message digests won’t match. side encrypted data wholly depends on the
encryption key?” Correct. The encryption key
In certain scenarios it makes sense to use is a single point of access of the CSE scheme,
strong digital signatures instead of basic MDP just like it is in any other properly designed
records to provide for a higher level of modifi- encryption scheme. That’s why adequate pro-
cation detection in multi-user cloud environ- tection of encryption keys is a task of the
ments. In particular, strong signatures might highest importance.
be useful for addressing proof of authorship
and non-repudiation tasks. Per-object session keys are not an easy target
for attackers.
www.insecuremag.com 34
In fact, the only way for an attacker to recover procedures, and those should be chosen
the session key is to guess it by trying different based on the role of the cloud storage service
keys one by one. This task can be really in your infrastructure and the types of logical
tough; provided that the session key is of suf- links between the local environment and the
ficient length and a cryptographically strong service.
RNG is used for generating it, guessing the
session key is an infeasible task. That’s why The one-to-one links arise where access to
the attacker is most likely to concentrate on the storage is restricted to one or a fixed small
gaining access to the user key, which might be number of the customer’s computers. These
much easier to achieve. links can often be employed in scenarios
where the cloud is used for storing large
Operating systems and third-party vendors amounts of data in a centralized way, mainly
provide a variety of mechanisms for securing as a replacement for classic relational data-
user keys, from protected operating system bases. Typical examples of one-to-one links
areas to dedicated cryptographic hardware. are those used in personal backup and syn-
Some only give the key away after authenti- chronization tools and links between the
cating the user who requests it; the others do “worker” and “storage” roles within computa-
not export keys at all, instead performing the tional cloud environments.
decryption on board on behalf of the request-
ing user. In either case it is the responsibility Where the number of one-to-one links is
of the customer environment administrator to small, or where there is no need for an extra
define and adopt proper key usage and stor- database abstraction layer, the encryption
age policies in order to minimize the risk of keys can be stored directly on the computers
revealing the keys to unauthorized parties. that access the storage. In larger organiza-
Now that you understand the basics of client- tions, access to the storage can be organized
side encryption, we can consider the task of through a small set of “cloud gateways” that
integrating the mechanism into existing cloud- will be responsible for storing the keys and will
driven infrastructures. As I described above, optionally provide a standard interface (e.g.
this is mainly a matter of adopting appropriate ODBC) for outer data storage.
key management policies, techniques and
The many-to-one links arise in environments used for sharing or synchronizing data be-
characterized by widely decentralized access tween different company users or depart-
to the cloud storage and volatile structure, and ments. As the set of users approved to access
are typical for scenarios where the cloud is the storage is constantly changing with time,
www.insecuremag.com 35
encryption keys require a higher level of pro- enforcing individual access rights to them for
tection and manageability. This is where every user who needs to access the cloud.
enterprise-level hardware security modules Every change in a particular user’s position
may be of great help. HSMs can be effectively can be easily put in practice by altering the
used for storing encryption keys securely and corresponding key access record on the HSM.
The CSE scheme may effectively be used for virtually does not matter whether you work
managing access rights in environments with with protected or unprotected objects.
complex information access rules by adopting
multiple encryption keys procedures. Each Compensation of productivity decrease
logical group of users (e.g. “developers”, caused by extra computational burden on the
“colonels”, “board members”) is assigned a customer’s resources. In practice, the burden
dedicated encryption key. Every object is then is imperceptible. Modern processors provide
encrypted with keys of all groups whose encryption speeds of up to 8-10 MB/sec, much
members are allowed to access it. A multiple faster than an average speed the cloud stor-
keys approach can be flexibly integrated into age providers are capable of accepting or giv-
existing corporate group policy rules. ing away the data with. This means that a
computer that encrypts outgoing data on-the-
Dollars and cents fly will be idling for a certain amount of time
waiting for the preceding portion of encrypted
How much will it cost to deploy the CSE data to be delivered to the cloud front-end.
scheme in a live environment? The final bill
will depend on the size of your infrastructure Expenses related to key management can
and the chosen key management strategy. make a significant share of the migration
budget, especially if many-to-one links are
Extra traffic and cloud storage capacity present and HSMs are adopted to manage the
costs are floating somewhere around zero. A keys. The costs in this case directly depend on
protected object is only up to a kilobyte larger the size and complexity of the infrastructure,
than a matching unprotected object, so from a the type of encryption keys involved, and the
point of view of traffic and space economy it
www.insecuremag.com 36
expected frequency and number of read/write components themselves, SecureBlackbox of-
operations. The exact HSM to use should be fers out-of-the-box support for a variety of en-
chosen based on the key management re- cryption key types, from easy-to-use
quirements, and should be capable of han- password-based keys to cryptographically
dling the estimated operation load. strong symmetric and asymmetric keys resid-
ing on hardware security devices.
The cost of implementing the CSE protocol
may pose another unpleasant surprise. The The one-off asking price for the product is
current labour rate of qualified software devel- fairly competitive and equals to 3-4 hours of
opers, especially those with good knowledge work of a qualified security expert - a good
of cryptography, is not among the cheapest on bargain, taking into account that integrating
the software market, and a proper implemen- SecureBlackbox-driven CSE into an existing
tation of the CSE takes a significant amount of infrastructure is an easy-to-do task that only
time. Happily, the market offers some out-of- requires common programming skills.
the-box software products that can help adopt
the CSE in faster, cheaper and user-friendlier Client-side encryption is an inexpensive and
way. easy-to-integrate method that addresses the
risk of private data revelation, topped up with
Popular SecureBlackbox middleware from El- useful access control features. Even if
doS offers cloud storage access components adopted in its simplest form, CSE provides
that come with built-in support for CSE. The that extremely durable extra layer of protection
product supports the majority of popular cloud that your remotely deposited information
services, including S3, Azure, SkyDrive, Drop- needs in today’s world.
box and Google Drive. Besides the encryption
Ken Ivanov, PhD, is a Director and a Chief Security Expert at EldoS Corporation (UK), a provider of security
and file system solutions for software vendors. For more than 12 years Ken helped businesses, individuals
and governmental agencies all over the world to adopt information security measures. Being really passionate
about security and privacy, as well as liberal values, Ken is concerned about the increasing influence of inter-
national intelligence services. That’s why the question of privacy for data residing in the cloud is of particular
importance to him. He can be contacted at Ivanov@eldos.com.
www.insecuremag.com 37
Pim Tuyls is the Founder and CEO of Intrinsic-ID. Tuyls initiated work on
Hardware Intrinsic Security within Philips Research in 2002. As a principal
scientist, he managed the cryptography cluster in Philips Research in which
the initial research was carried out. Later he transferred this work to Intrinsic-
ID and headed the technology development.
Based on your experience, what strategic Currently, security does not play a big role in
errors do SMBs make when using/moving their decision-making process, but awareness
to the cloud? Does security play a big role is growing. The revelations made by Edward
in their decision-making? Snowden last year have clearly awakened
many people and organizations. In-house se-
SMBs mainly think about the benefits of the curity expertise is usually missing in small or-
cloud: scaling and elastic IT-enabled capabili- ganizations. It is important that they partner
ties, higher productivity, leveraging a mobile with a security expert in time to make sure that
workforce, to mention a few. But they don't their transition to the cloud goes smoothly and
make a proper risk analysis since they are not leads to success instead of a big headache.
aware of the possible consequences.
Breached customer data might lead to a law- What advice would you give to organiza-
suit. By storing data unprotected in the cloud tions that have mission-critical data in the
specific laws and regulation might be violated. cloud? What critical steps should they take
Recently, we encountered a few cases where in order to ensure ongoing security?
SMBs were not aware that their back-up sys-
tem stores their data unprotected in the cloud. My recommendation to organizations with
This can lead to huge fines that could have mission-critical data stored in the could is to
been avoided if an appropriate pre-study was conduct a risk and vulnerability profile to un-
done and security measures had been taken. derstand what kind of data they store in the
www.insecuremag.com 39
cloud; what type of cloud the data is stored in not be influenced nor known by any other
(private versus public), and what the conse- party, and should be generated within the de-
quences are if the data in the cloud gets ex- vice itself.
posed. In all cases, we recommend imple-
menting the best possible security solution Early in the process of moving to the cloud,
that the budget will allow. companies should evaluate cloud security so-
lutions that are best suited to their needs and
Once organizations understand what is at risk in line with their budget. In most cases,
they need to take measures to find and im- software-only solutions are not adequate be-
plement a security solution. We recommend a cause they have several weaknesses and the
solution that uses a two-factor authentication highest protection is usually achieved with
system based on an independent hardware hardware-based systems that offer client-side
root of trust, which will ensure that the data protection. Client-side protection means that
stored in the cloud is properly encrypted be- the keys are in the hands of the customer and
fore it leaves the device. By independent root cannot be learned by a “trusted party”.
of trust we mean that the security keys should
www.insecuremag.com 40
OUR VISION IS TO ELIMINATE DATA
SECURITY AND USER AUTHENTICATION
ISSUES IN THE CONNECTED WORLD
This year almost all organizations, both large On top of this, our approach makes sure that
and small, that we are in contact with are con- our clients have full control over their security
sidering how to improve their security against and don't have to be nervous about the fact
attacks and accidents. that a backdoor might be in place that allows
organizations to listen in or break in to their
Clearly, small companies are moving faster systems. Our secure cloud product not only
with implementations of systems to protect delivers security but also allows our customers
their data in the cloud, while large organiza- to work securely in the cloud. Therefore we
tions need more time to build a vulnerability have implemented a secure sharing mecha-
and risk profile and depend more on consen- nism: it allows users to share a document with
sus building. one or more colleagues without disclosing any
information to outsiders.
How does Intrinsic-ID enable organizations
to protect their cloud data? What makes Finally, our solutions have been developed by
you stand out in the marketplace? a team with in-depth security expertise in all
the aspects of a security system. The team
What Intrinsic offers customers is peace of consists of hardware security specialists,
mind knowing that they are getting the software security experts and system security
highest-level of security solution for the price architects. This combination of expertise al-
and in a way that is easy to implement. We lows us to build a strong, integrated security
offer our customers a full solution to authenti- product.
cate to the cloud and protect data in the cloud
based on an independent root of trust that is What are your plans for the rest of the
unique. It makes sure that nobody outside the year? What areas are you focusing on?
company can access the company’s data.
Our vision is to eliminate data security and
Our solutions consist of two components: user authentication issues in the connected
software that runs on PCs or mobile platforms world, and we will continue to work to simplify
and a physical token that implements the in- and improve methods for achieving that. We
dependent root of trust. This root of trust is intent to further extend our secure cloud offer-
based on HIS technology or the electronic fin- ing to other platforms and enhance it with
gerprint of a chip. Since all chips are unique more features that allow it to work together
due the deep-sub micron process variations, with various mobile and cloud services, thus
this guarantees unique, very high quality keys providing a complete solution to our custom-
to start with: the keys have full entropy or ran- ers.
domness and are therefore almost impossible
to guess even for governmental organizations.
Mirko Zorz is the Editor in Chief of (IN)SECURE Magazine and Help Net Security (www.net-security.org).
www.insecuremag.com 41
Adequate protection of your digital data can be very straightforward. Just like
your own house, the best way to secure it is with a unique physical key that
you keep in your own hands.
Our virtual world keeps expanding and the More and more, cloud providers, but also spe-
“anytime, anywhere” cloud is growing. More cialized companies, offer encryption/
and more, employees integrate their own de- authentication tools for data in or on the way
vices and favorite apps in their daily work. to the cloud. In Figure 1 I illustrate three cate-
gories of solutions: server-based, gateway-
Traditional security measures are no longer based and client-based encryption systems.
enough, and coming up with good security so-
lutions for the cloud has been challenging. a. Server-based encryption
CIOs realize that there is no single solution to In a server-based encryption system, the
curb the increasing risks, and that a layered server encrypts all data stored on the server.
approach is needed. This implies that a (master) key is hidden on
the server, too. Such a system offers a basic
Encryption systems in the cloud level of protection, but it does not solve the
problem of secure cloud storage.
An age-old method for preventing sensitive
information falling into the hands of unauthor- On the one hand, this system assumes im-
ized people is encryption. Also, concerning the plicit trust in the owner of the server encryp-
cloud, protection by encryption has become tion key. On the other hand, when the encryp-
an increasingly important activity, especially tion key is compromised in an attack, all the
when it comes to the mitigation of the risk of data of all the users of the system are ex-
breaches. posed simultaneously.
www.insecuremag.com 42
Figure 1. Encryption/authentication solutions for the cloud can be divided in three categories, according to who
controls the security keys.
www.insecuremag.com 43
Strongest (unclonable) key in the hand of The strength of this kind of hardware-based
the user key generation and storage can be combined
with a username and password-based login
Cryptographic keys used in electronic devices system. This combination is called two-factor
are traditionally stored in non-volatile memory authentication. This means that security is
(typically secure EEPROM or E-fuses). How- based on two unrelated factors - “something
ever, this approach is sensitive to specific se- you know” and “something you have”.
curity issues, like the eavesdropping and tam-
pering of the keys. Given that both of these factors are required
to access cloud data, it will become even
Instead of storing keys in non-volatile memory, more difficult for an attacker to gain unauthor-
it is nowadays possible to generate and store ized access to or manipulate the data. Two-
secure keys based on unique physical proper- factor authentication provides incredibly
ties of the underlying hardware. strong protection for all data in the cloud.
This approach is called Hardware Intrinsic Se- d. Secure data storage in the cloud
curity (HIS) and makes use of the concept of
Physical Unclonable Functions (PUFs). The Secure data storage in the cloud can be
principle of a PUF can best be described as achieved by using symmetric key cryptogra-
“biometrics for electronic devices” and is illus- phy based on, for example, AES. In symmetric
trated in Figure 2. key cryptography files are encrypted and de-
crypted using the same key. I strongly rec-
The different threshold voltages for the tran- ommend a key that is securely generated from
sistors in SRAM result in a cell-unique start-up and stored in the hardware. Since encryption
behavior. Start-up values establish a unique and decryption are only performed on the cli-
and robust fingerprint that is turned into a se- ent side, this key never leaves the user’s
cure secret key. Keys are not present in the hardware and is therefore completely secure
hardware when the device is not powered. from malicious use.
The fact that the keys are only generated
when they are required minimizes the “window Due to the client-side encryption, files inter-
of opportunity” for an attacker to compromise cepted during transmission or illegally ac-
them. cessed in storage are unusable.
Figure 2. The principle of Physical Unclonable Functions (PUFs): secret keys are extracted from the “biomet-
rics of an electronic device”.
www.insecuremag.com 44
Only the legitimate user (password) that is in curity risk involved for the user when publicly
possession of the key (hardware) can down- storing this key. Only with the securely-stored
load the files stored in the cloud onto his de- private key can data from the cloud be de-
vice, after which they can be automatically crypted.
decrypted in the background.
Before sharing a file with another user in the
e. Secure sharing of data in the cloud cloud, the public key of the receiving user
must be retrieved from the public key data-
Secure file sharing can be done using asym- base. The file is encrypted with the public key
metric cryptography, also known as public-key before it is stored in the cloud in a location
cryptography. In that case, a public/private that the recipient can access. After the recipi-
key-pair has to be generated during the instal- ent has been notified that a shared file is
lation of the hardware for each user. Although available, the file can be downloaded from the
different, the two parts of such a key pair are cloud onto the recipient’s device. On this de-
mathematically linked. The public key is used vice, where the recipient’s private key is avail-
to encrypt files, while the private key is used able, the downloaded file can be decrypted
to decrypt files. While the private key never and used. Since the private key of the recipi-
leaves the hardware token of the user, the ent is the only key that mathematically
public key should be stored in a public key da- matches the public key used for encryption,
tabase (see Figure 3). the recipient is the only person that can de-
crypt this file. In case attackers are able to in-
Since this public key cannot be used to de- tercept the file, they will not be able to decrypt
crypt data stored in the cloud, there is no se- it because they lack the private key.
Figure 3. The flow of information for sharing encrypted data in the cloud.
www.insecuremag.com 45
The future compromising flexibility, performance or ease
of use. Data can be safely available anytime,
The cloud is a blessing for the modern econ- anywhere from multiple devices.
omy, but recent events have also made it very
clear that it can easily turn into a nightmare if HIS-enabled chips and tokens have the poten-
security issues are not properly managed. In tial to offer top-level security and key man-
order to avoid disasters and enable the agement flexibility to protect a whole new
cloud’s true potential, security has to be an class of applications. Apart from securing
integral aspect of any cloud-based system. payment transactions and provisioning media
content, these applications may include
A strong two-factor authentication implemen- machine-to-machine, smart grid, track-and-
tation as described in this article provides the trace and many others as they emerge from
strongest security of data in the cloud without the rapidly developing Internet of Things.
Dr. Pim Tuyls is the CEO of Intrinsic-ID, a provider of security IP cores and applications based on patented
Hardware Intrinsic Security (HIS) technology.
Prior to Intrinsic-ID, Pim was at Philips Electronics where he initiated work on Hardware Intrinsic Security as a
principal scientist within Philips Research. Several of Pim's papers relating to secure implementations of
Physical Unclonable Functions (PUF) technology have been published at security conferences.
www.insecuremag.com 46
Thousands of FTP sites server, then embed direct links to them in
spam emails delivered to potential victims.
compromised to serve malware and
Access to an FTP server can also be
scams occasionally leveraged by the attackers to
compromise connected web services.
"The victim companies hosting exploited FTP
sites are spread across the spectrum – from
small companies and individual accounts with
ISPs to major multi-national corporations,"
noted the researchers.
www.insecuremag.com 47
PoC mobile malware records swipes not lend itself to industrial scale data
collection.
on touch screen smartphones
You see, this "touchlogger" is capable of
logging the coordinates of any swipe or touch,
and of taking screen captures, but it can't (yet)
distinguish between general use and use for
online payment and banking purposes.
Going through the swipe logs and screenshots
to search for relevant information is a very
time-consuming and labor-intensive task that's
difficult to automate, so using it against
A security researcher has developed proof-of-
specific targets seems more logical and more
concept malware capable of capturing
efficient than infecting a huge number of
screenshots and finger swipes on mobile
devices.
devices, and is set to demonstrate his creation
at the RSA Conference in San Francisco.
Hindocha has managed to make the PoC
code work on jailbroken iOS and rooted
As users inexorably switch from computers to
Android devices, but shared with Forbes that
mobile phones and tablets for their online
it's possible get it to work on non-rooted
shopping and banking needs, malware
Android devices as well - possibly by infecting
developers will surely set their sights on
the device when it's plugged into a PC.
creating financial malware adapted to the new
platforms.
The malware might be aimed at capturing
financial information, but since it records every
Neal Hindocha, senior security consultant for
touch, an attacker would also discover
Trustwave, has proved that the feat can be
additional relevant information such as the
done, but his proof-of-concept malware does
user's security code for unlocking the device,
image and alpha-numeric passwords, etc.
Java-based malware hits Windows, Update 45 and earlier, and 5.0 Update 45 and
earlier.
Mac and Linux
Once the malware is launched, it copies itself
into the user’s home directory and sets itself
to run every time the system is booted. It then
contacts the botmasters' IRC server via the
IRC protocol, and identifies itself via a unique
identifier it generated.
www.insecuremag.com 48
Sophisticated cyber-espionage tool RDP files (used by the Remote Desktop Client
to automatically open a connection to the
uncovered
reserved computer).
Fully functional trojanized FileZilla uses v2.45-Unicode. All other elements like
texts, buttons, icons and images are the
client steals FTP logins
same," Avast researchers warn.
"The installed malware FTP client looks like
the official version and it is fully functional! You
can’t find any suspicious behavior, entries in
the system registry, communication or
changes in application GUI."
www.insecuremag.com 49
Researchers uncover months-old IP address of the C&C server(s), encrypting
traffic, and avoiding network-level detection,"
POS malware botnet
they noted. "The server address uses the
pseudo-TLD '.onion' that is not resolvable
With the Target and Neiman
outside of a TOR network and requires a TOR
Marcus breaches, the topic of
proxy app which is installed by the bot on the
malware that collects card
infected machine."
data directly from Point-of-
Sale devices has received
"The ChewBacca Trojan appears to be a
renewed interest. The PoS
simple piece of malware that, despite its lack
malware used in the former has
of sophistication and defense mechanisms,
been identified as a modified version of the
succeeded in stealing payment card
BlackPOS malware, but there are other similar
information from several dozen retailers
ones currently in use out there.
around the world in a little more than two
months," the researchers noted.
RSA researchers have discovered the entire
server infrastructure used in a global PoS
"Retailers have a few choices against these
malware operation that targets retailers in the
attackers. They can increase staffing levels
US, Russia, Canada and Australia, and have
and develop leading-edge capabilities to
managed to access part of it. The malware in
detect and stop attackers (comprehensive
question is the ChewBacca Trojan, which is
monitoring and incident response), or they can
capable of logging keystrokes and scraping
encrypt or tokenize data at the point of
the memory of PoS systems and the card
capture and ensure that it is not in plaintext
magnetic stripe data they contain.
view on their networks, thereby shifting the
risk and burden of protection to the card
"RSA observed that communication is handled
issuers and their payment processors."
through the TOR network, concealing the real
www.insecuremag.com 50
Beware of malicious specialized for specialized (and expensive) engineering
(Aveva) and automotive repair (AllData)
software keygens
software, multimedia tools (Bigasoft),
benchmarking software (Geekbench),
software for chemists and biologists
(CambridgeSoft), computing software
(Wolfram Mathematica) and, yes, some
games.
www.insecuremag.com 51
The popularity of Bitcoin and other digital/cryptographic currency cannot be
denied. Different users like using it for different reasons, but many agree that
the question of keeping their stash safe is something that occasionally keeps
them up at night.
With the currency’s rising popularity, different recovery process can be relatively expensive,
services started popping up to help solve that but when Bitcoins are at stake, the value of
dilemma. Still, some chose to keep their digital the recovery makes it even more worthwhile.
money on their own devices. But what hap-
pens if these devices break down, get cor- So far, the company has had 8 requests for
rupted, or get accidentally erased? digital currency recovery, 7 for Bitcoin and 1
for Litecoin.
Chris Bross, Senior Enterprise Recovery En-
gineer at well-known data recovery firm “In general, hardware failures of the storage
DriveSavers, has recently been involved in a devices are more common, but in many of
few cases where customers needed their digi- these cases the users were completely at fault
tal currency recovered. because they deleted the data, and in two
cases, even overwrote it,” he explained.
“In the past, we have typically been asked to
recover user-created data files like photos, These two cases ended with the experts re-
QuickBooks, videos, etc. Now we are being covering the wallet.dat files, but the encrypted
asked to recovery digital currency,” he shared data was unfortunately corrupted beyond re-
with (IN)SECURE Magazine. “We did not par- pair.
ticularly start offering recovery services to Bit-
coin users, customers just came to us begging “Having said that, no situation is entirely hope-
for help.” less and we always want to attempt the data
recovery, as early as possible after the data
Usually, the value of the data on any device is loss event has occurred, to prevent the user
gauged by the user to whom it belongs. The from making a poor choice that leads to
www.insecuremag.com 52
additional loss," he notes. processes that would erase and sanitize the
missing data as a normal function of system
While the company usually deals more with maintenance. We needed to intercept and halt
companies needing to recover data, all of their those processes to mitigate any additional
requests for Bitcoin recovery so far have been loss of data," he shared.
from individuals.
"Do you also offer the service of tracing and
"In almost all cases, the user was keeping recovering stolen Bitcoin?" I asked, and re-
only a single copy of their wallet.dat file on a ceived a negative answer. "Although, we do
single storage device," says Bross. "Three of offer forensic data recovery services for any
the eight total cases were stored on a SSD case that may end up in litigation or prosecu-
(sold state drive), while the others were on tion," Bross noted.
HDDs. In all cases, the users did not trust the
available cloud backup or other options to rep- Finally, I asked him to share some tips on how
licate their critical Bitcoin data." to keep one's digital currency safe.
In one particular case where the customer "Print it on paper. Ironically, in these modern
stored his digital wallet on his Microsoft Sur- times of digital everything, paper and ink are
face Pro tablet, performed a number of steps more reliable and last longer than magnetic or
that led to data loss AND disabled the com- solid state storage," he offered.
puter's ability to boot up, they had to develop a
new method to be able to create an image of "In addition, keep multiple copies of the files
the SSD without physically removing it from on other secured and encrypted media that
the tablet. you personally control yourself. If you choose
to store this data in the cloud, be well aware of
"Since it was an SSD, there were concerns potential cloud security vulnerabilities and
about BGC (background garbage collection) risks."
Zeljka Zorz is the Managing Editor of (IN)SECURE Magazine and Help Net Security
(www.net-security.org).
www.insecuremag.com 53
Talk of Big Data seems to be everywhere these days. A simple web search
for the phrase returns countless vendors offering solutions to the challenge,
myriad events discussing the topic, and blogs, articles, and forums filled with
talking points.
Amidst this sea of information, organizations to the analysis component of this challenge,
are starved for practical knowledge they can but a brief discussion regarding collection is
leverage internally to make some sense of the helpful to frame the discussion. As the readers
Big Data puzzle in order to meet their chal- of this article are aware, the proper instrumen-
lenging operational requirements. tation of an enterprise network for network se-
curity monitoring soon results in both an over-
This article aims to provide some practical whelming variety of data sources and a nearly
guidance that organizations can leverage to unmanageable volume of total data.
begin to navigate their way through the Big
Data challenge. As one might expect, different data sources
carry different value for security operations.
Data value vs. data volume For example, proxy logs, with their rich meta-
data and relatively compact size provide high
Distilled to its essence, Big Data is about two value to security operations.
symbiotic, but somewhat diametrically op-
posed components: collection and analysis. Conversely, logs from routers or switches,
Both are equally important, but the more data though helpful for network operators, are sig-
one collects, the more difficult analysis be- nificantly more voluminous but provide less
comes due to the volume and variety of data. value for security operations purposes.
Much of this article will discuss ideas relating
www.insecuremag.com 56
When architecting a log collection strategy, • Performance slows down (e.g., queries re-
most organizations do not assess the value of turn less quickly), which in turn reduces pro-
each data source to security operations and ductivity and efficiency.
instead resort to collecting every data source
they can obtain from the enterprise. This ap- Additionally, regardless of the actual length of
proach produces a few cascading effects: the retention period, most organizations apply
a uniform retention period. In other words, the
• More data requires more storage, which policy is that after N days (whatever N is), all
adds cost. data rolls off to archive and ceases to be ac-
• In place of additional storage, organizations cessible as part of day to day operations.
typically cut the retention period of logs (e.g.,
from six months to three months), which hin- Another benefit of assessing data value is that
ders the ability to perform historical forensics organizations can better understand which
• The additional volume of data creates a data sources should be retained longer than
larger volume of noise, which in turn makes others.
identifying anomalous traffic more difficult
Streamlining workflow
In order for information to meet these re-
When attempting to manage enormous vol- quirements, it must have context and a use
umes of data effectively, it’s important to case. Organizations use the context and use
streamline and optimize workflow at every op- case to best leverage the intelligence. For ex-
portunity. It is most effective to facilitate the ample, integrating intelligence regarding mali-
organization’s human resources (most often cious email attachment MD5 hashes into the
the scarcest) working smarter, not harder. alerting stream requires a much different ap-
How to achieve this in practice requires more proach than integrating intelligence regarding
details than this article allows for, but some command and control (C2) URL patterns/
general guidelines are provided here: substrings.
• Develop efficient processes for all functions If the intelligence comes at a relevant time
(e.g., incident response for a malicious code (timely), does not produce high volumes of
incident) false positives (reliable), is of high quality
• Automate within the process where possible (high fidelity), and produces relevant alerting
(not for automation’s sake) (actionable), it can be leveraged according to
• Enrich data where possible to further opti- its specific context and use case.
mize the process (not for enrichment’s sake)
• Focus analysts on one centralized work Communal presence
queue/alerting stream
• Enable/facilitate rapid and efficient The security community is a relatively small
investigation/analysis with the end goal of and tight-knit community built almost entirely
resolution (no analysis for analysis’ sake). on trust. Many of the relationships and the
most trusted information-sharing exchanges
Integrating actionable intelligence within the industry are built on a strong foun-
dation of trust. These exchanges require a
Intelligence can greatly add to the both the de- give and take –sharing information and meth-
tection and response capabilities of the enter- ods, as well as receiving information and
prise. There are a lot of sources (whether free methods. The information and methods ex-
or by subscription) referring to themselves as changed this way are most often of extremely
security intelligence sources. In order for in- high quality. A strong presence in the commu-
formation to be intelligence, it must be timely, nity, particularly by the organization’s leader-
reliable, high fidelity, and actionable. ship can greatly aid in obtaining practical,
www.insecuremag.com 57
timely, and high quality information and meth- opposed to machines, it becomes much easier
ods to assist with the Big Data challenge. to analyze activity (both historically and in
Conversely, leadership that maintains a strong near real-time) to identify trends and depar-
presence in the community is more likely to tures from normal behavior. This enables the
motivate the organization to be an active par- enterprise to build richer analytical techniques
ticipant in trusted information sharing ex- and alerting.
changes.
Summary
Remembering the user
The challenge of Big Data is maturing from a
While systems get infected, users create, edit, marketing buzzword to a reality confronting
use, and share data. In many sophisticated large enterprises. The volume of data brings
attacks, the adversary is after the organiza- new challenges, but it also brings new tech-
tion’s sensitive, proprietary, and/or confidential nologies, opportunities, and capabilities. Big
data. With the volume of data (legitimately) Data reminds us to consider both aspects of
entering and leaving the network on a daily collection and analysis, where one necessi-
basis, it is quite difficult to identify anomalous / tates the other. As new technologies emerge,
malicious activity within this data. Most con- it is important to remember that they will help
temporary analysis techniques are IP (or do- with the challenge, but they alone cannot
main) centric. If the vantage point (for some solve the problem. Smooth and seamless in-
analytical techniques) is shifted to a user- tegration of people, process, and technology
based perspective, additional possibilities is just as important as always.
emerge. When examining human beings, as
Joshua Goldfarb (www.yourcyberanalyst.com) is a cyber security analyst with over a decade of experience
building, operating, and running SOCs. Before joining nPulse Technologies (www.npulsetech.com) as its CSO,
Goldfarb worked as an independent consultant, applying his analytical methodology to help enterprises build
and enhance their network traffic analysis, security operations, and incident response capabilities to improve
their information security postures. Earlier in his career Goldfarb served as the Chief of Analysis for US-CERT.
www.insecuremag.com 58
While Apache Hadoop and the craze around Big Data seem to have exploded
out into the market, there are still a lot more questions than answers about
this new environment. One of the biggest concerns, second perhaps only to
ROI, is security.
This is primarily due to the fact that many create an overall security architecture for the
have yet to grasp the paradigm shift from tra- entire Hadoop ecosystem as it continues to
ditional database platforms to Hadoop. Tradi- grow. However, some security tools have
tional security tools address a separation of been released over the last few years, includ-
duties, access control, encryption options, ing Kerberos, which provides strong authenti-
and more, but they are designed for a struc- cation. But Kerberos does little to protect data
tured, limited environment, where data is flowing in and out of Hadoop, or to prevent
carefully collected and cultivated. privileged users such as DBA’s or SA’s from
abusing the data. While authentication re-
Hadoop, on the other hand, is an environment mains an important part of the data security
with limited structure, high ingestion volume, structure in Hadoop, on its own it falls short of
massive scalability and redundancy, designed adequate data protection.
for access to a vast pool of multi-structured
data. What’s missing is new security tools to Another development was the addition of
match. coarse-grained volume or disk encryption,
usually provided by data security vendors.
Another challenge with securing Hadoop This solved one problem (protecting data at
comes from the rapid expansion of the envi- rest) but considering one of the primary goals
ronment itself. Since its initial development, behind Hadoop is using the data, one might
new tools and modules have been coming out suggest that it provided little in the grand
not only from Apache, but nearly every other scheme of Big Data security. Sensitive data in
third-party vendor as well. While security is use for analytics, traveling between nodes,
tested and implemented for one module, three sent to other systems, or even just being
more have come out and are waiting for the viewed is subject to full exposure.
same treatment. This makes it very difficult to
www.insecuremag.com 59
Up until recently, Big Data technology vendors values that are unreadable to the tools and
have often left it to customers to protect their modules in Hadoop, format-preserving en-
environments, and they, too, feel the burden cryption is typically much slower than masking
of limited options. or Vaultless Tokenization, and both require
complicated cryptographic key management
Today, vendors such as Teradata, Horton- across tens or even hundreds of nodes.
works, and Cloudera, have partnered with
data security vendors to help fill the security Masking was developed for non-production
gap. What they’re seeking is advanced func- systems and testing, and has found a home in
tionality equal to the task of balancing security Hadoop’s early, experimental phase. Individ-
and regulatory compliance with data insights ual data elements are either replaced with
and “big answers”. random values or generalized so that they are
no longer identifiable. It is fast, produces val-
The key to this balance lies not in protecting ues that are readable to systems and proc-
the growing ecosystem, or blanketing entire esses, and requires no key management.
nodes with volume encryption, but targeting However, because masking was designed for
the sensitive data itself at a very fine-grained non-production, it is usually not reversible,
level, with flexible, transparent security. Apply- and is therefore not ideal for any situations
ing this security through a comprehensive where the original data may be needed some-
policy-based system can provide further con- time after the data is masked.
trol and additional options to protect sensitive
data, including multiple levels of access to Vaultless Tokenization, similar to masking,
various users or processes. Once secured, also replaces data elements with random val-
the data can travel throughout the Hadoop ues of the same data type and length. It is
ecosystem and even to outside systems and also much faster than format-preserving en-
remain protected. cryption, virtually eliminates key management,
and is transparent to processes. The added
The options for fine-grained data security in benefit comes from the ability to perform both
Hadoop now include encryption (AES or one-way protection and reversible security.
format-preserving), masking, and Vaultless
Tokenization. This provides ideal protection for test/dev en-
vironments and can also allow retrieval of the
Typically, encryption is the least desirable op- original data when required by authorized
tion, as standard strong encryption produces users or processes.
Due to the read-only nature of the Hadoop a secured landing zone, which may be a node
environment (files cannot be updated, you or partition within Hadoop that is protected
can only create a file, read it and delete it), with coarse-grained encryption. Files arrive in
application of these fine-grained protection the landing zone, and are then parsed by one
methods requires a unique approach. of the processing applications in Hadoop
(MapReduce, Hive, Pig, etc.), identifying and
This is typically performed in one of two ways. protecting sensitive data elements before in-
The first is a secured gateway, situated in gesting the data into the main Hadoop cluster.
front of Hadoop, which parses incoming data This method utilizes the massively parallel
to identify sensitive data elements, and ap- processing of Hadoop to efficiently protect
plies the selected protection method before data.
passing the data on to Hadoop. The second is
www.insecuremag.com 60
In the next five years, the creation of data by without implementing comprehensive data
more and more people and devices will con- security - first in the area of industrial envi-
tinue to drive the companies towards Hadoop ronment (power grids, etc.) and later on con-
and other Big Data platforms. The require- sumer use (healthcare, etc.). Security will be
ments for handling extreme levels of volume, viewed not only in terms of loss-prevention,
velocity, variety, and veracity will only in- but value creation, enabling compliant data
crease, and Big Data will assume more and collection, use, analysis, and monetization.
more critical business functions.
Big Data security will evolve, becoming in-
As the environment becomes more estab- creasingly intelligent and data-driven in its
lished, usability and enterprise integration will own right. We will see more tools that can
improve, new data exchange protocols will be translate security event statistics into action-
used, and a set of security tools will be stan- able information. Data security policies will be
dardized and made native to platforms. intricately designed, and likely multi-layered,
utilizing a combination of coarse- and fine-
Laws and regulations relating to privacy and grained security methods, access control,
security will also continue to increase, and authentication, and monitoring.
security will become an even more vital com-
ponent in Big Data. Companies will be unable In the exciting near future, the data is only
to harness the massive amounts of machine- getting bigger, but we must not allow it to out-
generated data from the Internet of Things grow security.
Ulf T. Mattsson is the CTO of Protegrity. Ulf created the initial architecture of Protegrity’s database security
technology, for which the company owns several key patents. His extensive IT and security industry experi-
ence includes 20 years with IBM as a manager of software development and a consulting resource to IBM's
Research and Development organization, in the areas of IT Architecture and IT Security. Ulf holds a degree in
electrical engineering from Polhem University, a degree in Finance from University of Stockholm and a mas-
ter's degree in physics from Chalmers University of Technology.
www.insecuremag.com 61
Information security continues to be an increasing problem because of the
volume, velocity and variety associated with Big Data. This article summa-
rizes the nature of information security risks and describes how better infor-
mation stewardship based on information centric security is essential to
manage these risks.
The term “Big Data” is as much a reflection of To realize its potential value Big Data needs to
the limitations of the current technology as it is be transformed into Smart Information, which
a statement on the quantity, speed and variety can then be used to improve planning and in-
of data being generated. Big Data needs to be crease efficiency as well as to create new
understood as data that has greater volume, kinds of products.
variety or velocity than can be comfortably
processed using the technology that we al- Information security challenges
ready have.
The underlying information security chal-
Big Data comes from a number of sources, lenges of malice, misuse and mistake apply
both internal and external. Many organizations equally to Big Data. Big Data techniques can
have accumulated large amounts of data that also be used by criminals to improve their ex-
is not being exploited. ploits, provide insight that facilitates security
breaches, and aggregate data to assist with
There is an even larger amount of data that is identity theft. Big Data can be misused
held in publicly available sources, like gov- through abuse of privilege by those with ac-
ernment databases, and social media. In addi- cess to the data and analysis tools; curiosity
tion to this, the inbuilt instrumentation of smart may lead to unauthorized access and informa-
systems generates a massive amount of still tion may be deliberately leaked. Mistakes can
untapped data. also cause problems - corner cutting could
lead to disclosure or incorrect analysis.
www.insecuremag.com 63
There are three major risk areas that need to To achieve these objectives certain processes
be considered: and security elements must be in place. There
is a large overlap with the normal information
Information lifecycle: Big Data turns the security management processes, however
classical information lifecycle on its head. The specific attention is needed in the following
provenance of the data may be doubtful, the areas:
ownership of the data may be subject to dis-
pute, the classification of the information dis- Everyone is responsible: The unstructured
covered may not be feasible until after analy- nature of Big Data means that it is difficult to
sis. For all of these reasons the compliance assign the responsibility to a single person.
requirements and needed controls cannot Everyone in an organization needs to under-
easily be predetermined. stand their responsibility for the security of all
of the data they create or handle. This means
Data provenance: Big Data involves absorb- creating a culture of security.
ing and analyzing large amounts of data that
may have originated outside of the organiza- Verification of data source: Technical
tion that is using it. If you don’t control the mechanisms are needed to verify the source
data creation and collection process, how can of the external data used (for example, digital
you be sure of the source and the integrity of signatures).
the data? How do you know that you have the
right to use the data in the way that is being System integrity: Good oversight and control
planned? These points are defined very over the integrity of the systems used for
clearly in a UK report on the use of smart me- analysis is needed, and that also goes for
tering for power consumption by utility com- privilege management and change control. Be
panies. careful to validate conclusions – if you can’t
explain why the results make sense, they
Technology unknowns: The technology that probably don’t. Always build in a way to check
underlies the processing of Big Data was con- – don’t let Big Data lead you to stupid conclu-
ceived to provide massively scalable process- sions.
ing rather than to enforce security controls.
While this is not a new phenomenon in the IT Secure processing: Measures to secure the
industry, there has not been sufficient time for data within the analysis infrastructure are
the inherent vulnerabilities and security weak- needed to mitigate potential vulnerabilities and
nesses to become manifest. to secure against leakage. These could in-
clude disk level encryption and a high level of
Looking after property that is not your own is network isolation. Big Data should be secured
called stewardship. Information stewardship is in transit, preferably by using encryption, but
not a new term; it has been in use since the at minimum by using SSL/TLS. If the cloud is
1990s and covers a wide range of challenges being used to process Big Data, you must
involved in managing information as a key or- know how to verify that it is secured.
ganizational asset. These challenges include
the management of the whole information life- Access management: Access to the analysis
cycle from ownership to deletion, as well as infrastructure, the data being analyzed, and
aspects like business value, data architecture, the results should be subject to proper IAM
information quality, compliance and security. controls.
The basic objectives of information security for Audit: Logging and monitoring of activities on
Big Data are the same as for normal data: to the analysis infrastructure is crucial to proper
ensure its confidentiality, availability, and in- auditing.
tegrity.
Mike Small (CEng, FBCS, CITP) is a fellow of the BCS, a member of the London Chapter of ISACA Security
Advisory Group, and a senior analyst at KuppingerCole. Until 2009, Mike worked for CA where he developed
CA’s identity and access management product strategy. He is a frequent speaker at IT security events around
EMEA.
www.insecuremag.com 64
Traditional business intelligence has generally targeted structured data that
can be easily parsed and analyzed, but advances in analytics methods now
allow the examination of more varied data types. New analytics tools and
methods are expanding the possibilities for how enterprises can derive value
from existing data within their organizations and from freely available external
information sources, such as Software as a Service (SaaS), social media and
commercial data sources.
These advances allow enterprises to make • Anticipated returns and potential impacts to
better business decisions and increase com- competitiveness through adoption
petitive advantage. But this renaissance of • Potential impact to the current operational
analytics capability can also introduce addi- ecosystem
tional technical and operational risk, so enter- • Opportunity cost for the investment (i.e.,
prises must weigh the technical and opera- what else the enterprise might have invested
tional risk against the business risk that is as- in instead)
sociated with failure to adopt Big Data analyt- • Loss of value for investments already made.
ics.
Objective and systematic analysis of these
As with any potential investment that is in- factors becomes increasingly challenging as
tended to bring about an improvement in effi- the industry hype that surrounds a new tech-
cacy or efficiency of business activities, sev- nology or business trend increases: hype can,
eral key elements must be well understood to in some cases, create unfounded pressure to
enable systematic strategic planning: adopt, or create barriers to adoption in others.
www.insecuremag.com 65
For technologists, the potential technical, op- increase in overall profitability of six percent
erational and compliance risk that is associ- as a direct result of using Big Data effectively.
ated with maintaining and operating on a large That metric, while appealing in the abstract,
volume of potentially sensitive data is very ap- lacks sufficient underlying context and level of
parent; however, the business-relevant factors detail to be able to understand precisely how
that provided the initial impetus for adoption of that correlation is made. Specific case studies,
these analytics tools and methods may be by contrast, provide a clearer picture of how
less apparent. increases in competitiveness are achieved
and why these analytics techniques provide
However, understanding the business case - value. These studies show the imaginative
the rationale for adoption, the anticipated re- uses to which pre-existing data are leveraged
turn that the business hopes to achieve, and as a result of better analytics techniques, and
the competitiveness impact to the business if the transformative impacts that are achieved.
the enterprise chooses not to adopt while its
competitors do adopt - is equally important. What makes improvements for Big Data ana-
lytics particularly compelling from a business
For information security, audit and governance perspective is that the data already exists.
professionals, lack of clarity about the busi-
ness case may stifle organizational success Data exists about customers, such as pur-
and lead to role and responsibility confusion. chases they make and their receptiveness and
responsiveness to marketing efforts. During
Understanding the business case the normal course of business, many enter-
prises collect large volumes of data about their
Big Data refers to large, quickly growing or customers—their habits, preferences, the
varied types of information (“high volume, high specifics of individual transactions, fraud his-
velocity, and/or high variety information assets tory, etc. When analyzed, this data allow en-
that require new forms of processing to enable terprises to make changes and, subsequently,
enhanced decision making, insight discovery measure the performance of those changes.
and process optimization”). This allows those enterprises to dynamically
shift inventory and / or pricing in response to
Big Data analytics is the application of emerg- consumer demand.
ing statistical, processing and analytics tech-
niques for Big Data for the purpose of advanc- Furthermore, data analytics allows enterprises
ing the business— applying statistical models to create better-targeted marketing cam-
and techniques to business information to de- paigns, to better measure the efficacy of those
rive conclusions that are beneficial to that campaigns, and to launch new products and
business. service offerings in response to customer de-
mand. From a business standpoint, invest-
Big Data analytics is particularly appealing to ment in Big Data analytics is compelling be-
many enterprises because, in many cases, cause it leverages the otherwise latent or un-
they have already made some investment in used resource of already-collected data.
both business analytics and the collection of
large data sets, on which analysis can be ap- Not every enterprise will be equipped to make
plied. use of Big Data analytic techniques. Some en-
terprises may be missing key skills in their ex-
This means that the foundation from which to isting personnel, or they may be missing criti-
draw new conclusions, explore new ways of cal portions of the technological ecosystem.
doing business and open up new avenues of Also, the technical ecosystem may not be laid
competitive advantage may already be in out in a way that allows the techniques to op-
place. erate; and enterprises may lack the processes
to gain access to data and make use of the
What is this competitive advantage specifi- intelligence they collect as a result of the ap-
cally? Some data suggests a direct correlation plication of these methods.
between the use of Big Data analytics and
profitability. For example, one study cites an
www.insecuremag.com 66
It’s important to find out the exact current to productive use. Enterprises need to con-
situation, because investments made before sider that these areas may not share informa-
readiness is fully achieved may be inefficient, tion currently and may have a history (depend-
suboptimal in terms of the results they pro- ing on the culture) of competitiveness, an-
duce or, as a worst case, may represent need- tagonism, or resistance to outside influence.
less expense.
These cultural barriers can impede open and
From a process standpoint, existing silos collaborative exchange of important data ele-
should be evaluated to determine whether in- ments and act as a barrier to adaptation in re-
dividual business units, departments and per- sponse to conclusions drawn. This consensus
sonnel are willing and able to share informa- among silos can extend beyond the depart-
tion and act on information received. This con- ment level and down to the level of individual
sensus needs to happen so that analysis can personnel. For example, key stakeholders
be performed (disparate sources of data may may not know precisely where key data ele-
need to be consolidated to operate on them) ments reside or how to access those data
and so that the derived conclusions can be put elements.
www.insecuremag.com 67
Privacy (data collection)—Analytics tech- • Business value of adoption
niques can impact privacy; for example, indi- • Business risk of non-adoption
viduals whose data is being analyzed may feel • Technical/security/privacy risk that may in-
that the revealed information about them is crease depending on the implementation used
overly intrusive. to support the Big Data analytics approaches
at the technical level
Privacy (re-identification)—Likewise, when • Possible risk-offsetting benefits of the tech-
data is aggregated, semi-anonymous informa- nology at the technical level
tion or information that is not individually iden-
tifiable information might become non- A number of business dynamics make the ap-
anonymous or identifiable in the process. plication of new and better analytics appealing
to enterprises.
These risk areas can cause some practitio-
ners to be understandably wary. However, By looking at how these analytics techniques
analytics efforts can be used to offset risk by are transforming enterprises in real-world sce-
applying the tools and techniques to security- narios, the value becomes apparent as enter-
event information, to transaction information prises start to realize dramatic gains in the ef-
for the purpose of detecting fraud, or to other ficiency, efficacy and performance of mission-
technical information for risk-reduction pur- critical business processes.
poses.
The business case is made even more com-
Stockpiles of security-relevant information, pelling by the fact that most enterprises al-
such as user and system activity, can be ready have in place the foundation for analysis
logged and examined the same way as more in the form of more data than they can cur-
business-facing data can be logged and ex- rently use productively.
amined. The same analytics techniques and
tools that streamline and increase the quality Most enterprises already retain a large
of business processes can likewise streamline amount of data, such as information about
and increase the quality of other risk- their customers, metrics about the perform-
mitigation processes. ance of internal business processes, data
about information systems and their technol-
Tools purchased and analytics techniques that ogy ecosystem, transactional information
are acquired to help enable business-facing about sales and marketing and numerous
efforts can, with planning, be adopted by in- other data items about how they do business.
formation security and risk management areas
to help advance their goals as well. While some new areas of technical risk may
arise as a result of more voluminous and con-
The security and audit practitioners’ consid- centrated data, the business consequences of
eration of risk can and should be holistic. not adopting Big Data analytics may outweigh
If an enterprise elects not to employ these the technology risk.
techniques, there is a risk to the business, be-
cause competitors will capitalize on the oppor- Understanding this business case can help
tunity. security, audit and governance practitioners in
two ways: It helps them to understand the mo-
This result could have ramifications just as se- tivation and rationale driving their business
rious to the enterprise as a security or privacy partners who want to apply Big Data analytics
breach or dreaded business continuity implica- techniques within their enterprises, and it
tions. helps balance the risk equation so that techni-
cal risk and business risk are addressed.
A holistic view of the risk in an enterprise
should seek to account for all sides of the risk
equation, including the following:
www.insecuremag.com 68
As data grows exponentially, and with it the ability to use it effectively, how
can organizations ensure that the analysis of data sets containing sensitive
information doesn’t result in a costly data breach? If an organization can ac-
cess this data and analyze it, then who else can access it?
Organizations are struggling to understand use it. So, if Big Data is so large and complex,
how the collection of extremely large and how can it be protected?
complex structured and unstructured data sets
can be protected. And it is clear some tradi- The answer, as Google executive chairman
tional approaches to database and application Eric Schmidt recently said, is to “encrypt eve-
security are not well suited to Big Data de- rything.” Admittedly, Schmidt was responding
ployments. to the issue of government surveillance, but
he is nonetheless right. Encryption does pro-
Imagine a supercomputer available in sec- tect your data, big or small, when a breach
onds thanks to cloud computing where many occurs. Encryption ensures that your data re-
data sources are merged for analysis from mains secure, regardless of where it resides –
across an enterprise. It is easy to see how in the data center, the cloud, a mobile device
sensitive information could be exposed or or even in the hands of hackers from enemy
created in such a scenario. organizations, nation states or malicious in-
siders.
There is also a risk that human error could
combine the data or allow access by unau- The caveat here is that the encryption algo-
thorized users. It’s fair to say that by its very rithms need to be secured and the keys to de-
makeup – the aggregation of multiple informa- cipher the encryption need to be protected. In
tion sources – Big Data is sensitive informa- addition, Big Data processes expect data in
tion. Stakeholders expect this information to real world formats so a complete data protec-
be secure in the hands of organizations that tion strategy has to include format-preserving
www.insecuremag.com 69
approaches such as tokenization. A security strategy is only as strong as its
weakest link. Solutions must also protect data
Organizations must first understand what to efficiently. This means that the impact of the
protect (encrypt or tokenize) and then must encryption on business and cost must be
learn how to manage the encryption keys minimal. The solution should, preferably, be
used for this protection. Specifically, how are transparent, especially to the end users who
the keys generated? Where are they stored? are less likely to be concerned with security
What is the strength (or size) of keys? How and compliance issues.
often are keys changed? These are just some
of the questions that will help you build a Most users simply want to get their job done
strong encryption strategy for protecting data. quickly and without “technical” issues. So as
part of the protection approach and best prac-
A key management solution needs to allow a tices, authentication and access controls need
comprehensive data protection strategy. Seg- to be seamlessly integrated to ensure that
regating encryption and tokenization tech- only the correct users are accessing the right
nologies and managing them individually is a information.
recipe for failure.
Prakash Panjwani is Senior Vice President & General Manager, Data Protection Solutions at SafeNet
(www.safenet-inc.com).
www.insecuremag.com 70
RSA Conference 2014
www.rsaconference.com/helpnet
Moscone Center, San Francisco, CA, USA
24 February - 28 February 2014