Defined Categories of Service 2011 - Cloud Security Alliance

More documents

Recommendations

Info

Category #8: Encryption CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 Description: Encryption is the process of obfuscating/encoding data (usually referred to as plain text) using cryptographic algorithms the product of which is encrypted data (usually referred to as ciphertext). Only the intended recipient or system that is in possession of the correct key can decode (unencrypt) this ciphertext. In the case of one-way cryptographic functions, a digest or hash is created instead. Encryption systems typically consist of an algorithm(s) that are computationally difficult (or infeasible) to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal, key exchange, etc. Each part is effectively useless without the other, e.g. the best algorithm is easy to “crack” if an attacker can access the keys due to weak processes. Class: Protective CORE FUNCTIONALITIES Data protection (at rest and in motion) Data validation Message Authentication Message/data integrity Data Time-stamping (digital notary) Identity validation (certificates to identify IT assets/endpoints) Code Signing Forgery detection Identity validation (digital signatures) Digital Fingerprinting Forensic protection (hashing of log files and evidence) Pseudorandom number generation Data Destruction (throw away the key!) Key/certificate generation and management OPTIONAL FEATURES Searching encrypted data Sorting encrypted data Identity based encryption Data integrity Mechanism to ensure secure removal of customer data when term / contract terminated Identity assurance (e.g., the parties involved are who they claim to be) CHALLENGES Risk of compromised keys Searching and/or sorting of encrypted data Continued on the following page… SERVICES Includes: VPN services, Encryption Key Management, Virtual Storage Encryption, Communications Encryption, Application Encryption, Database Encryption, digital signatures, Integrity validation Related Services: VM Architecture, Hardware protection, Software-based protection, remote access validation Related Technologies and Standards: FIPS 140-2, IPSEC, SSL, Hashing, and algorithms , Symetric and Asymetric Cryptography Service Model: PaaS, SaaS, IaaS CSA Domains (v2.1): 11 THREATS ADDRESSED Failure to meet Regulatory Compliance requirements Mitigating insider and external threats to data Intercepted clear text network traffic Clear text data on stolen / disposed of hardware Reducing the risk or and potentially enabling crossborder business opportunities Copyright © 2011 Cloud Security Alliance 22
Continued from the previous page… CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011 CHALLENGES Separation of duties between data owners, administrators and cloud service providers Legal issues Federated trust between providers REFERENCES / ADDITIONAL RESOURCES http://www.eweek.com/c/a/Security/IBM-Uncovers- Encryption-Scheme-That-Could-Improve-Cloud-Security- Spam-Filtering-135413/ https://cloudsecurityalliance.org/csaguide.pdf “Implementing and Developing Cloud Computing Applications” by David E.Y. Sarna http://www.ctoedge.com/content/new-approach-enteprisedata-security-tokenization http://arstechnica.com/tech-policy/news/2009/09/yoursecrets-live-online-in-databases-of-ruin.ars CSA discussion forums : “The Illegality of Exporting Personal Data into the Cloud. Is the following Hypothesis the Answer? Does the following Hypothesis Handle the Objection?” http://www.linkedin.com/e/-njv39egmdp90wv- 1m/vaq/23764306/1864210/36300812/view_disc/ “IETF RFC 5246”. The Transport Layer Security (TLS) Protocol Version 1.2: http://tools.ietf.org/rfc/rfc5246.txt “SP 800-57 Recommendation for Key Management” NIST, January 2011: http://csrc.nist.gov/publications/nistpubs/ 800-57/sp800-57-Part1-revised2_Mar08-2007.pdf http://csrc.nist.gov/publications/nistpubs/800-57/SP800- 57-Part2.pdf http://csrc.nist.gov/publications/nistpubs/800- 57/sp800-57_PART3_key-management_Dec2009.pdf “SP 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths” NIST, January 2011: http://csrc.nist.gov/publications/nistpubs/800-131A/sp800- 131A.pdf ISO/TR (2010). “ISO TR-14742:2010 Financial Services - Recommendations on Cryptographic Algorithms and their Use.” ISO. Ferguson, N., Schneier, B., and Kohno T., (2010). “Cryptography Engineering: Design Principles and Practical Applications.” New York: John Wiley and Sons. THREATS ADDRESSED Reducing perceived risks and thus enabling Cloud's Adoption by government REFERENCE EXAMPLES (Products and vendors. Non-exhaustive list) Cloud Credant Cypher Cloud enStratus Novaho Perpecsys ProtectV SecureCloud SurePassID Vormetric Non-Cloud Crypo.com Sendinc Copyright © 2011 Cloud Security Alliance 23
Page 1 and 2: Defined Categories of Service 2011
Page 3 and 4: Table of Contents CLOUD SECURITY AL
Page 5 and 6: Acknowledgments Co-chairs Kevin Fie
Page 7 and 8: Executive Summary CLOUD SECURITY AL
Page 9 and 10: Continued from the previous page…
Page 21: Continued from the previous page…
Page 27: Continued from the previous page…

Defined Categories of Service 2011 - Cloud Security Alliance

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?