Welcome!

@CloudExpo Authors: Yeshim Deniz, Liz McMillan, Elizabeth White, Zakia Bouachraoui, Pat Romanski

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Agile Computing, Cloud Security, @DXWorldExpo

@CloudExpo: Blog Feed Post

Cloud Encryption: How to Choose an IaaS Encryption Solution

Instance managed encryption means the encryption keys are kept on the virtual disk

During the past month or so, Rich Mogull, analyst and CEO of securosis has published multiple blogs on cloud encryption best practices, specifically in infrastructure clouds. The final blog IaaS Encryption: How to Choose, provides a good opportunity for us to touch and expand on some of the volume storage cloud security points highlighted on Rich’s article:

“Always use external key management. Instance-managed encryption is only acceptable for test/development systems you know will never go into production”

Instance managed encryption means the encryption keys are kept on the virtual disk. In other words, anyone with access to your cloud instance, has access to your encryption keys – hence to your data. In addition, specific cloud operations, such as disk snapshots, will snapshot the encryption keys with it.

Cloud Security Cloud Key Management Cloud Encryption  clouds 250X188 Cloud Encryption: How to choose an IaaS encryption solution“For sensitive data in public cloud computing choose a system with protection for keys in volatile memory (RAM). Don’t use a cloud’s native encryption capabilities if you have any concern that a cloud administrator is a risk”

As I see it, there are two great points here, one relates to cloud security concerns, the second is interesting for compliance reasons. Protecting keys in RAM (the security concern) is actually not a simple thing to achieve.  We have worked extremely hard to create a mechanism which keeps the encryption keys encrypted themselves, even while in use in RAM.  To do so, we have used partially homomorphic encryption techniques (fancy name, I know…), a world first implementation of such technology to a cloud security product (you can read more about it here, or download the Porticor white paper for additional information). Now for the second point; using the IaaS provider’s native cloud encryption capabilities means there’s a risk that someone (an employee) within the cloud data center can potentially read your data. While an obvious security risk, this is also a compliance issue as certain regulations (for example PCI) mention separation of duties as a core compliance requirement.

“Pick a product designed to handle the more dynamic cloud computing environment. Specifically one with workflow for rapidly provisioning keys to cloud instances and API support for the cloud platform you use”

I couldn’t agree more. Traditional, “on-premise” encryption and key management systems are not built for the cloud. As a result, many of the cloud most significant advantages, such as scalability and flexibility might not function well (dare I say not function at all) with such encryption systems. A cloud encryption system should seamlessly integrate with your cloud design, and integrate with any automation process you have in place. An API is important as an integration point between your cloud systems and (for example) an orchestration system.  In such scenario you can automate encryption together with the rest of the IaaS system, spin up new or down new encrypted disks, encrypt S3 objects, and even automatically feed encryption keys to specific SaaS applications (I will discuss cloud encryption keys security and split-key encryption in one of my next blogs).

Ariel Dan is co-founder at Porticor Cloud Security.

The post Cloud Encryption: How to choose an IaaS encryption solution appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

CloudEXPO Stories
The now mainstream platform changes stemming from the first Internet boom brought many changes but didn’t really change the basic relationship between servers and the applications running on them. In fact, that was sort of the point. In his session at 18th Cloud Expo, Gordon Haff, senior cloud strategy marketing and evangelism manager at Red Hat, will discuss how today’s workloads require a new model and a new platform for development and execution. The platform must handle a wide range of recent developments, including containers and Docker, distributed resource management, and DevOps tool chains and processes. The resulting infrastructure and management framework must be optimized for distributed and scalable applications, take advantage of innovation stemming from a wide variety of open source projects, span hybrid environments, and be adaptable to equally fundamental changes happen...
For years the world's most security-focused and distributed organizations - banks, military/defense agencies, global enterprises - have sought to adopt cloud technologies that can reduce costs, future-proof against data growth, and improve user productivity. The challenges of cloud transformation for these kinds of secure organizations have centered around data security, migration from legacy systems, and performance. In our presentation, we will discuss the notion that cloud computing, properly managed, is poised to bring about a digital transformation to enterprise IT. We will discuss the trend, the technology and the timeline for adoption.
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (November 12-13, 2018, New York City) today announced the outline and schedule of the track. "The track has been designed in experience/degree order," said Schmarzo. "So, that folks who attend the entire track can leave the conference with some of the skills necessary to get their work done when they get back to their offices. It actually ties back to some work that I'm doing at the University of San Francisco which creates an "Outcomes-Centric Business Analytics" degree." Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science" is responsible for guiding the technology strategy within Hitachi Vantara for IoT and Analytics. Bill brings a balanced business-technology approach that focuses on business ou...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Wooed by the promise of faster innovation, lower TCO, and greater agility, businesses of every shape and size have embraced the cloud at every layer of the IT stack – from apps to file sharing to infrastructure. The typical organization currently uses more than a dozen sanctioned cloud apps and will shift more than half of all workloads to the cloud by 2018. Such cloud investments have delivered measurable benefits. But they’ve also resulted in some unintended side-effects: complexity and risk. End users now struggle to navigate multiple environments with varying degrees of performance. Companies are unclear on the security of their data and network access. And IT squads are overwhelmed trying to monitor and manage it all.