
@CloudExpo: Blog Feed Post

Securing Cloud Data from Cybercrime, Intrusion and Surveillance

When storing data in the cloud, key management becomes a critical aspect of data confidentiality

By John Sotiropoulos - In my previous post (Cloud Data, Security, Privacy & Confidentiality / The ISV Perspective) I talked about the increasing exposure of data, the changing landscape of data confidentiality and the need to shield data rather than retreat into the largely mythical "safe havens" of on-premises infrastructure. When storing data in the cloud, key management becomes a critical aspect of data confidentiality, and a new crop of vendors is beginning to emerge that simplifies encryption and key management.

Having looked at most of the new crop of cloud encryption vendors, we liked Porticor for its innovative application of a homomorphic algorithm to split-key encryption and its use of a customer-owned security appliance. The combination of the two eliminates the need to expose the encryption key and minimizes the risks, offering a unique approach to complying with EU data protection legislation that is not found elsewhere in the cloud.

The devil is always in the detail, and we are currently evaluating the product in depth to include it as an option for our elasticbigdata service. With Porticor offering a 30-day free trial and quite affordable rates afterwards, it's easy to evaluate the service.

Porticor is currently available as a service hosted either on AWS, IBM clouds, or any VMware-based cloud. There are no technical reasons why their offering cannot run on Azure or OpenStack, and I assume this is down to customer-driven prioritization. With an easy-to-use REST API, the service can actually be used as-is from other clouds (Azure, OpenStack) whilst running on AWS. This is something we have explored, and we will post a step-by-step lab on how to use the API.

In this post we will walk through how you can secure cloud data against hackers, the cloud vendor themselves and any surveillance snooping.

Setting up a Porticor Project

Once you've registered for the free trial, you can log on to the Porticor admin web site, which allows you to set up the usual admin hygiene (user profiles, password resets, adding more users, etc.) and, most importantly, the core of Porticor's offering: the Virtual Appliance with its set of optional add-ons for seamless storage, database and network encryption. These are all grouped in what Porticor calls a project.

[Screenshot: porticorMain]

A Porticor Virtual Appliance is a sophisticated data encryption black box that the customer owns, and it is an actual VM, in our case an AWS instance. Whilst experimenting, you can use a micro AWS instance and take advantage of the free tier Amazon offers.

The appliance is created using a private key that is only displayed at the end of the set-up sequence; you are responsible for storing it securely using your own secure storage mechanism. It will only be used again to bootstrap an appliance.

[Screenshot: porticor archit]

The key used to bootstrap the appliance is split and homomorphically encrypted. Homomorphic encryption is something that everyone gets excited about, not least DARPA, which is investing $20M in the homomorphic-related PROCEED initiative, with $4.7M already awarded to Galois Inc to extend its Cryptol toolsuite to be homomorphic. The algorithm allows encrypted data to be used without decryption and will probably one day make the whole key problem history, but for now it's not ready for prime-time full-scale data encryption. What Porticor has done is to apply the algorithm (and they have a long formal mathematical proof paper) to the encryption of each part of the split key, so that even if an intruder compromises the appliance, the key shares are there only in encrypted form. Even more, the encryption is different on each appliance, which means an encrypted key stolen from one appliance is useless to the thief.

The bottom line is that the key is not lying around in any cloud storage. There is an option to store the key across reboots in the appliance's instance storage, but this is for development purposes. I store it on an encrypted USB key and never on the cloud.

The sequence is easy and straightforward. It follows a wizard-style flow, asking you to provide your AWS credentials. This is important because everything that is generated is stored in your own AWS account. This means your trust in the encryption vendor, Porticor, does not have to be blind, as you control access to your appliances. It also means you are charged for the compute used, so include that in your costing model, especially when moving away from the free tier.

[Screenshot: newProjectStep0]

[Screenshot: newProjectStep1]

[Screenshot: newProjectStep2]

[Screenshot: newProjectStep3]

At the end of this process, Porticor will give you the Master-Key used to bootstrap the project. You need to save the key securely and make sure you don't lose it, as this is the only copy of the key.

[Screenshot: keyGenerationPorticor]

Once the Virtual Appliance has been created you can manage it in Porticor’s web interface

[Screenshot: ManageVirtualApplicances]

but you can also see it and manage it in your AWS Management console.

[Screenshot: PorticorApplianceinAWS]

The appliance can now be used with the project add-ons, which do a good job of automating encryption seamlessly for files, S3, databases and network traffic. They act like code-less encryption channels to these resources. This eliminates the need for you to write encryption code and lets you rely on the appliance's encryption services. These use strong encryption algorithms such as AES-256, with the added benefit of the in-memory, split and homomorphically encrypted key.

The appliance can also be accessed via the Porticor API, in which case it is used for secure storage and key management, with custom code doing the encryption/decryption work.

Setting Up Encryption for the S3 bucket

There are two ways of using the Porticor Virtual Appliance:
1. Via the REST API, to manage the key and optionally perform encryption tasks.
2. Via the S3 Add-on as an encryption tunnel that proxies S3 requests through the appliance so that they are seamlessly encrypted and decrypted.
Most users will prefer the second approach as it saves time.

This involves supplying your AWS credentials to the Virtual Appliance via the Porticor configuration site. The screenshot shows how this is configured; it is described in detail in Porticor's knowledge base item S3 Encryption With Porticor.

[Screenshot: ConfigureS3Encryption]

Once you have set up the Porticor site, there are two ways of accessing your encrypted S3 bucket. You can specify the S3 endpoint using the appliance's URL, e.g. <appliance>.d.porticor.net; Porticor can simplify this further by allowing you to set up a DNS mapping so that an individual bucket can be accessed as <bucketname>.d.porticor.net (mapped to the appliance DNS name). In this case you need to specify the S3 bucket name in the Porticor S3 admin page.

In many cases, S3 clients and libraries do not provide the option to specify an S3 endpoint. They will automatically construct it from the S3 bucket name and assume <bucket>.. In this case, you have no choice but to use the hosts-file redirection Porticor offers as a second way of going through the Porticor Virtual Appliance.

This is fairly easy on Mac OS X, Linux and Windows (but requires admin access): you edit your hosts file and add a line that maps the external IP of your appliance to the bucket's S3 hostname. In my case the additional line for the bigdatatests bucket is

54.227.XX.XX   bigdatatests.s3.amazonaws.com

where 54.227.XX.XX is the obscured external IP address of my security appliance.

Once the hosts file is changed (and for Mac OS X the change is activated with an additional command described in the link above), S3 client applications will go through the appliance.

I like the hosts redirection for the transparent way it calls the Virtual Appliance; using the standard AWS convention in application configuration would not immediately reveal the use of the Virtual Appliance to an intruder.

Whether you use the endpoint explicitly or the hosts redirection, you will need to add the Porticor-issued certificate to the trusted certificates of your applications. How this is done varies depending on the actual client application or library.

You can download the certificate by enabling the Porticor Certificate Authority (PCA) option in the project's configuration page. The screen advises (see screenshot) how to install the certificate in browsers. You should also make sure you store a copy of this .crt file in a secure location so that you can use it in different stores if needed. Alternatively, you can re-download the certificate from the project settings cog icon.

[Screenshot: loadPorticorCertificate]

For native applications you would add it to the OS-level machine certificate store, i.e. the Windows Certificate Store on Windows, Keychain Access on Mac OS X, or typically /etc/ssl/certs on Linux, and use the application's configuration (e.g. httpd.conf for Apache) or the OS API.

For Hadoop, which is a Java stack, and for other Java applications, the certificate goes into a Java keystore or the default cacerts keystore. We will see how to do this later on.

But to start with, I use the Firefox S3 Organizer add-on to test that all works well.

I modify my hosts file as described and download the certificate; I save it to a secure place, then add it to Firefox's certificate store, as described in Porticor's KB item.

[Screenshot: firefoxcerts]

With the hosts redirection I can access both my encrypted and unencrypted buckets; to test the encryption, I upload an image file to S3.

[Screenshot: uploadingImgToS3]

Once the image is uploaded, I download it to a different location and verify it’s usable.

I then switch to my S3 admin page in the AWS console. This runs on AWS infrastructure, so it is not governed by my hosts mapping and does not go through the appliance.

[Screenshot: imageinS3browser]

I see the file listed, but when I try to download it I get an error, verifying that the encryption tunnel works.

[Screenshot: dwonloadimagefromS3browser]

[Screenshot: encryptedImage]

Setting up another client with Ubuntu Linux and CrossFTP validates the behaviour. When the client's hosts file is modified to go through the Porticor encryption tunnel, the image is valid; otherwise it always returns an invalid (encrypted) file.

[Screenshot: Workspace0011]
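Two of the client-side steps above, checking that the hosts-file redirection for the bucket is actually in place and telling a usable image apart from the ciphertext you get when bypassing the appliance, can be scripted. This is an added example, not Porticor's code or the post's; the bucket name is the post's, while the appliance IP and the hosts-file text are constructed placeholders.

```python
"""Client-side checks for the hosts-file redirection and for the
plaintext-versus-ciphertext test described in the post.
Added example, not Porticor's code: BUCKET is taken from the post,
APPLIANCE_IP and SAMPLE_HOSTS are constructed placeholders."""
import ipaddress

S3_SUFFIX = ".s3.amazonaws.com"

# Constructed placeholder values (the post obscures the real appliance IP).
BUCKET = "bigdatatests"
APPLIANCE_IP = "203.0.113.10"
SAMPLE_HOSTS = f"""
127.0.0.1   localhost
# redirect the bucket's S3 hostname through the Porticor appliance
{APPLIANCE_IP}   {BUCKET}{S3_SUFFIX}
"""

# Leading bytes of common image formats; ciphertext will not start with these.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def s3_hostname(bucket: str) -> str:
    """Virtual-hosted-style hostname that S3 clients derive from a bucket name."""
    return f"{bucket}{S3_SUFFIX}"


def parse_hosts(text: str) -> dict:
    """Map hostname -> IP from hosts-file text. Comments and blank lines are
    skipped, lines with a malformed IP are ignored, and the first entry for a
    name wins, which is how the resolver reads the file."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), ip)
    return mapping


def redirection_active(hosts_text: str, bucket: str, appliance_ip: str) -> bool:
    """True when the bucket's S3 hostname is pinned to the appliance IP, i.e.
    the client will send its S3 requests through the encryption tunnel."""
    return parse_hosts(hosts_text).get(s3_hostname(bucket)) == appliance_ip


def image_kind(data: bytes):
    """Return 'png', 'jpeg' or 'gif' when the bytes look like a usable image,
    else None. An object fetched from S3 directly (bypassing the appliance) is
    ciphertext, so this returns None for it: the 'invalid (encrypted) file' check."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


if __name__ == "__main__":
    print("tunnel active:", redirection_active(SAMPLE_HOSTS, BUCKET, APPLIANCE_IP))
    # Constructed stand-ins for a download via the tunnel and a direct download.
    via_tunnel = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    direct = bytes(range(0x93, 0x93 + 24))
    print("via tunnel:", image_kind(via_tunnel), "| direct:", image_kind(direct))
```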

This is reassuring: it doesn’t matter whether a cyber-criminal, hacker, Amazon, disgruntled admin, or NSA can get hold of my data or even my AWS credentials. The data is encrypted and the only way to decrypt is to use the secure tunneling through my Porticor encryption appliance.

Since I control the appliance VM, in an emergency (for instance, when an intrusion is detected) I can also shut it down when not needed. When the Porticor Virtual Appliance is turned back on, it requires a bootstrapping sequence using my private master key. Remember, the master key is stored on my encrypted USB key and no one else has access to it. Unless I create a new appliance instance, my data security is locked.

So far Porticor is meeting our requirements to provide a service for our elasticbigdata clients to use their data in the cloud whilst meeting the EU data protection requirements and protecting their confidential data from hacking or surveillance.

In the next post we will build on this lab to show how this setup can be integrated in a Big Data Hadoop environment for Map-Reduce queries via the secure encryption tunnel the Porticor appliance provides.

About JOHN SOTIROPOULOS

John Sotiropoulos is the founder and CTO of Raythos Interactive, the Innovation Launchpad. Previously with Metastorm (now part of OpenText) he worked in a variety of roles (such as Chief Architect, Director of Product Development, and Head of Innovation), building development teams, shaping product and innovation strategy, and delivering award-winning products including social business process modeling on the cloud. In his new venture, John is working on elasticbigdata.com, a cloud service to democratise Big Data and Machine Learning. He also advises and helps forward-looking companies develop product strategies, architectures, and teams that deliver business innovation and economic growth.

The post Raythos Lab: Securing Cloud Data from Cybercrime, Intrusion and Surveillance appeared first on Porticor Cloud Security.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
