@CloudExpo: Blog Feed Post

Securing Cloud Data from Cybercrime, Intrusion and Surveillance

When storing data in the cloud, key management becomes a critical aspect of data confidentiality

By John Sotiropoulos - In my previous post (Cloud Data, Security, Privacy & Confidentiality / The ISV Perspective) I talked about the increasing exposure of data, the changing landscape of data confidentiality and the need to shield data rather than retreat into the largely mythical "safe havens" of on-premises storage. When storing data in the cloud, key management becomes a critical aspect of data confidentiality, and a new crop of vendors is beginning to emerge that simplifies encryption and key management.

Having looked at most of the new crop of cloud encryption vendors, we liked Porticor for its innovative application of a homomorphic algorithm to split-key encryption and its use of a customer-owned security appliance. The combination of the two eliminates the need to expose the encryption key and minimizes the risks, offering a unique approach to complying with EU data protection legislation that is not found elsewhere in the cloud.

The devil is always in the detail, and we are currently evaluating the product in depth to include it as an option for our elasticbigdata service. With Porticor offering a 30-day free trial and quite affordable rates afterwards, it is easy to evaluate the service.

Porticor is currently available as a service hosted on AWS, IBM clouds, or any VMware-based cloud. There are no technical reasons why their offering cannot run on Azure or OpenStack, and I assume this is down to customer-driven prioritization. With an easy-to-use REST API, the service can actually be used as-is from other clouds (Azure, OpenStack) whilst running on AWS. This is something we have explored, and we will post a step-by-step lab on how to use the API.

In this post we will walk through how you can secure cloud data against hackers, the cloud vendor themselves and any surveillance snooping.

Setting up a Porticor Project

Once you have registered for the free trial, you can log on to the Porticor admin web site, which allows you to set up the usual admin hygiene (user profiles, password resets, additional users, etc.) and, most importantly, the core of Porticor's offering: the Virtual Appliance with its set of optional add-ons for seamless storage, database and network encryption. These are all grouped in what Porticor calls a project.

[Screenshot: porticorMain]

A Porticor Virtual Appliance is a sophisticated data encryption black box that the customer owns, and it is an actual VM, in our case an AWS instance. Whilst experimenting, you can use a micro AWS instance and take advantage of the free tier Amazon offers.

The appliance is created using a private key that is only displayed at the end of the set-up sequence; you are responsible for storing it securely in your own secure storage. It will only be used again to bootstrap an appliance.

[Figure: porticor archit (architecture diagram)]

The key used to bootstrap the appliance is split and homomorphically encrypted. Homomorphic encryption is something that everyone gets excited about, not least DARPA, which is investing $20M in the homomorphic-related PROCEED initiative, with $4.7M already awarded to Galois Inc to extend its Cryptol tool suite to be homomorphic. The algorithm allows computation on encrypted data without decrypting it, and one day it will probably make the whole key problem history, but for now it is not ready for prime-time, full-scale data encryption. What Porticor has done is to apply the algorithm (and they have a long formal mathematical proof paper) to the encryption of each part of the split key, so that even if an intruder compromises the appliance, the key shares are only there in encrypted form. Even more, the encryption is different on each appliance, so an encrypted key stolen from one appliance is useless to the thief.

The bottom line is that the key is not lying around in any cloud storage. There is an option to store the key across reboots in the appliance's instance storage, but this is for development purposes. I store it on an encrypted USB key and never in the cloud.
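To make the split-key property concrete, here is an added illustration (my own example code, not Porticor's, and not their homomorphic scheme): a 256-bit data key is split into two shares by additive (XOR) secret sharing, so that neither share alone says anything about the key, and a share taken from one appliance cannot be combined with the other appliance's share. Which share is held by the customer and which by the appliance, the fingerprint check, and the function names are all assumptions made for the example.

```python
import hashlib
import secrets

# Added illustration, not Porticor's code: additive (XOR) secret sharing of a
# 256-bit data-encryption key into two shares. Porticor additionally encrypts
# each share homomorphically; that step is omitted here. Share placement
# (customer vs appliance) is an assumption of this example.

KEY_BYTES = 32  # length of an AES-256 key


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> tuple:
    """Split key into two shares. share_a is fresh randomness, so each share
    on its own is uniformly random and reveals nothing about key."""
    if len(key) != KEY_BYTES:
        raise ValueError(f"expected a {KEY_BYTES}-byte key")
    share_a = secrets.token_bytes(KEY_BYTES)   # new randomness per appliance
    share_b = xor_bytes(key, share_a)
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Rebuild the key in memory only; nothing here is written to storage."""
    return xor_bytes(share_a, share_b)


def fingerprint(key: bytes) -> str:
    """Short check value for confirming a reconstructed key without ever
    displaying the key itself (hash of the key under a fixed label)."""
    return hashlib.sha256(b"split-key-lab-fingerprint|" + key).hexdigest()[:16]


def bootstrap_appliance(customer_share: bytes, appliance_share: bytes,
                        expected_fp: str) -> bytes:
    """Combine the two shares and refuse to proceed if the result does not
    match the fingerprint recorded when the key was split."""
    key = combine_shares(customer_share, appliance_share)
    if fingerprint(key) != expected_fp:
        raise ValueError("share mismatch: refusing to bootstrap with a wrong key")
    return key


def demo() -> dict:
    """Scenario from the post: one master key, two appliances with independent
    splits, and a share taken from appliance B tried against appliance A's
    customer share."""
    master = secrets.token_bytes(KEY_BYTES)
    fp = fingerprint(master)
    cust_a, app_a = split_key(master)   # appliance A's split
    cust_b, app_b = split_key(master)   # appliance B's split, different randomness
    results = {
        "share_alone_is_key": cust_a == master or app_a == master,
        "a_bootstraps": bootstrap_appliance(cust_a, app_a, fp) == master,
        "b_bootstraps": bootstrap_appliance(cust_b, app_b, fp) == master,
        "shares_differ_per_appliance": app_a != app_b,
    }
    try:
        bootstrap_appliance(cust_a, app_b, fp)
        results["cross_appliance_rejected"] = False
    except ValueError:
        results["cross_appliance_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The fingerprint is what an operator would compare after bootstrapping, so the master key itself is never echoed to a screen or log once it has been stored offline.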

The sequence is easy and straightforward. It follows a wizard-style flow, asking you to provide your AWS credentials. This is important because everything that is generated is stored in your own AWS account. This means your trust in the encryption vendor, Porticor, does not have to be blind, as you control access to your appliances. It also means you are charged for the compute used, so include that in your costing model, especially when moving away from the free tier.

[Screenshot: newProjectStep0]

[Screenshot: newProjectStep1]

[Screenshot: newProjectStep2]

[Screenshot: newProjectStep3]

At the end of this process, Porticor gives you the master key used to bootstrap the project. You need to save the key securely and make sure you do not lose it, as this is the only copy of the key.

[Screenshot: keyGenerationPorticor]

Once the Virtual Appliance has been created you can manage it in Porticor’s web interface

[Screenshot: ManageVirtualAppliances]

but you can also see it and manage it in your AWS Management console.

[Screenshot: PorticorApplianceinAWS]

The appliance can now be used with the project add-ons, which do a good job of automating encryption seamlessly for files, S3, databases and network traffic. They act like code-less encryption channels to these resources. This eliminates the need for you to write encryption code; you rely on the appliance's encryption services instead. These use strong encryption algorithms such as AES-256, with the added benefit of the in-memory, split and homomorphically encrypted key.

The appliance can also be accessed via the Porticor API, in which case it is used for secure storage and key management, with custom code doing the encryption/decryption work.

Setting Up Encryption for the S3 bucket

There are two ways of using the Porticor Virtual Appliance:

1. Via the REST API, to manage the key and optionally perform encryption tasks.
2. Using the S3 add-on as the encryption tunnel, proxying S3 requests via the appliance so that they are seamlessly encrypted and decrypted.

Most users will prefer the second approach as it saves time.

This involves supplying your AWS credentials to the Virtual Appliance via the Porticor configuration site. The screenshot below shows how this is configured; it is described in detail in Porticor's knowledge base item S3 Encryption With Porticor.

[Screenshot: ConfigureS3Encryption]

Once you have set up the Porticor site, there are two ways of accessing your encrypted S3 bucket. You can specify the S3 endpoint using the appliance's URL, e.g. <appliance>.d.porticor.net; Porticor can simplify this further by allowing a DNS mapping so that an individual bucket can be accessed as <bucketname>.d.porticor.net (mapped to the appliance DNS). In this case you need to specify the S3 bucket name in the Porticor S3 admin page.

In many cases, S3 clients and libraries do not provide the option to specify an S3 endpoint. They automatically construct it from the S3 bucket name and assume <bucket>.. In this case, you have no choice but to use the hosts file redirection Porticor offers as the second way of going through the Porticor Virtual Appliance.

This is fairly easy on Mac OS X, Linux and Windows (but requires admin access): you edit your hosts file and add a line that maps the external IP of your appliance to the bucket's S3 hostname. In my case, the additional line for the bigdatatests bucket is

54.227.XX.XX   bigdatatests.s3.amazonaws.com

where 54.227.XX.XX is the obscured external IP address of my security appliance.

Once the hosts file is changed (and, for Mac OS X, the change is activated with an additional command described in the link above), S3 client applications will go through the appliance.
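The hosts redirection is only as good as the file's contents: a bucket with no entry is reached directly, so reads of encrypted objects fail and, more importantly, uploads land in S3 unencrypted, while a stale entry for a retired appliance simply fails. Here is an added Python example (my own, not Porticor's tooling) that parses a hosts file, audits a list of buckets against the appliance address and adds a missing mapping idempotently. The appliance IP 203.0.113.10 is a placeholder standing in for the post's obscured 54.227.XX.XX, and the hosts contents and bucket names other than bigdatatests are constructed for the example.

```python
import ipaddress
from pathlib import Path

# Added example, not Porticor's code. 203.0.113.10 is a placeholder for the
# appliance's external IP; the sample hosts file and extra bucket names are
# constructed for the example.

S3_SUFFIX = ".s3.amazonaws.com"
APPLIANCE_IP = "203.0.113.10"  # placeholder (TEST-NET-3 range)

# Constructed hosts file: one bucket routed to the appliance, one routed to a
# stale address, and 'archive' not routed at all.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# Porticor encryption tunnel
203.0.113.10   bigdatatests.s3.amazonaws.com
198.51.100.7   oldbucket.s3.amazonaws.com   # previous appliance, now gone
"""


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def bucket_host(bucket: str) -> str:
    return f"{bucket}{S3_SUFFIX}"


def route_for(text: str, bucket: str):
    """IP the bucket hostname resolves to via the hosts file, or None.
    Resolvers take the first matching line, so the first hit wins here too."""
    host = bucket_host(bucket).lower()
    for ip, name in parse_hosts(text):
        if name == host:
            return ip
    return None


def audit_buckets(text: str, appliance_ip: str, buckets) -> dict:
    """Classify each bucket as 'via_appliance', 'wrong_ip' (stale mapping) or
    'direct' (no mapping: encrypted reads fail and uploads bypass encryption)."""
    report = {}
    for bucket in buckets:
        ip = route_for(text, bucket)
        if ip is None:
            report[bucket] = "direct"
        elif ip == appliance_ip:
            report[bucket] = "via_appliance"
        else:
            report[bucket] = "wrong_ip"
    return report


def ensure_mapping(text: str, appliance_ip: str, bucket: str) -> tuple:
    """Return (new_text, changed). Adds a line only if the bucket has no
    mapping; an existing wrong mapping is left for the audit to report."""
    ipaddress.ip_address(appliance_ip)  # raises ValueError on a malformed IP
    if route_for(text, bucket) is not None:
        return text, False
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{appliance_ip}   {bucket_host(bucket)}\n", True


def ensure_mapping_file(path, appliance_ip: str, bucket: str) -> bool:
    """Apply ensure_mapping to a real hosts file (needs admin rights)."""
    p = Path(path)
    new_text, changed = ensure_mapping(p.read_text(), appliance_ip, bucket)
    if changed:
        p.write_text(new_text)
    return changed


if __name__ == "__main__":
    buckets = ["bigdatatests", "oldbucket", "archive"]
    print(audit_buckets(SAMPLE_HOSTS, APPLIANCE_IP, buckets))
```

Run the audit before pointing a new client at an encrypted bucket: a "direct" result means the client would talk to S3 without the tunnel, and a "wrong_ip" result means an old appliance address is still in the file.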

I like the hosts redirection for the transparent way it calls the Virtual Appliance; using the standard AWS convention in application configuration would not immediately reveal the use of the Virtual Appliance to an intruder.

Whether you use the endpoint explicitly or the hosts redirection, you will need to add the Porticor-issued certificate to your applications' trusted certificates. How this is done varies depending on the actual client application or library.

You can download the certificate by enabling the Porticor Certificate Authority (PCA) option in the project's configuration page. The screen advises (see screenshot) how to install the certificate in browsers. You should also store a copy of this .crt file in a secure location so that you can use it in different stores if needed. Alternatively, you can re-download the certificate from the project settings cog icon.

[Screenshot: loadPorticorCertificate]

For native applications you would add it to the OS-level machine certificate store, i.e. the Windows Certificate Store on Windows, Keychain Access on Mac OS X, or typically /etc/ssl/certs on Linux, and use the application's configuration (e.g. httpd.conf for Apache) or the OS API.

For Hadoop, being a Java stack, and other Java applications, the certificate goes into a Java keystore or the default cacerts keystore. We will see how to do this later on.

But to start with, I use the Firefox S3 Organizer add-on to test that all works well.

I modify my hosts file as described and download the certificate; I save it to a secure place, then add it to Firefox's certificate store, as described in Porticor's KB item.

[Screenshot: firefoxcerts]

With the hosts redirection I can access both my encrypted and unencrypted buckets; to test the encryption, I upload an image file to S3.

[Screenshot: uploadingImgToS3]

Once the image is uploaded, I download it to a different location and verify it’s usable.

I then switch to my S3 admin page in the AWS console. This runs on AWS infrastructure, so it is not governed by my hosts mapping and does not go through the appliance.

[Screenshot: imageinS3browser]

I see the file listed, but when I try to download it I get an error, verifying that the encryption tunnel works.

[Screenshot: downloadimagefromS3browser]

[Screenshot: encryptedImage]

Setting up another client, with Ubuntu Linux and CrossFTP, validates the behaviour. When the client's hosts file is modified to go through the Porticor encryption tunnel, the image is valid; otherwise it always returns an invalid (encrypted) file.

[Screenshot: Workspace0011]
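The manual check above (fetch the object directly, bypassing the appliance, and confirm it is unusable) can be automated across a whole bucket. The following is an added example (my own code, not Porticor's) that classifies object bytes fetched directly from S3: a recognisable file header or readable text means the object was written without the tunnel and is sitting in the bucket as plaintext, while properly encrypted objects should come back as opaque, high-entropy bytes. The sample objects are constructed; the post does not document the appliance's ciphertext format, so "opaque" is the expected class rather than proof of encryption.

```python
import hashlib
import math
from collections import Counter

# Added example, not Porticor's code. Classifies object bodies fetched directly
# from S3 (bypassing the appliance) to spot objects stored as plaintext.
# The sample objects below are constructed for the example.

MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_text(sample: bytes) -> bool:
    """True if the sample decodes as UTF-8 and is entirely printable."""
    try:
        text = sample.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def classify(data: bytes, min_entropy: float = 7.0) -> str:
    """'plaintext:<type>' for a recognised header or readable text,
    'suspicious:low-entropy' for opaque but highly structured data,
    'opaque' otherwise (what a tunnel-encrypted object should look like)."""
    if not data:
        return "empty"
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return f"plaintext:{kind}"
    if looks_like_text(data[:512]):
        return "plaintext:text"
    if len(data) >= 256 and shannon_entropy(data) < min_entropy:
        return "suspicious:low-entropy"
    return "opaque"


def audit_objects(objects: dict) -> dict:
    """Map object key -> classification for a dict of {key: body_bytes}."""
    return {key: classify(body) for key, body in objects.items()}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"ciphertext-sample" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed sample bucket contents.
SAMPLE_OBJECTS = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,      # uploaded without the tunnel
    "notes.txt": b"quarterly figures, internal only\n" * 4,  # readable text, plaintext
    "photo2.png": _pseudo_random(4096),                      # what the tunnel stores
    "report.bin": b"\x00\x01" * 1024,                        # opaque but not ciphertext-like
}


if __name__ == "__main__":
    for key, verdict in audit_objects(SAMPLE_OBJECTS).items():
        print(f"{key:12s} {verdict}")
```

In practice the bodies would come from a direct S3 listing and download made with no hosts redirection, so anything reported as plaintext is an object that some client wrote around the appliance.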

This is reassuring: it does not matter whether a cyber-criminal, hacker, Amazon, a disgruntled admin or the NSA gets hold of my data or even my AWS credentials. The data is encrypted and the only way to decrypt it is to use the secure tunnel through my Porticor encryption appliance.

Since I control the appliance VM, in an emergency (for instance, a detected intrusion) I can also shut it down when it is not needed. When the Porticor Virtual Appliance is turned back on, it requires a bootstrapping sequence using my private master key. Remember, the master key is stored on my encrypted USB key and no one else has access to it. Unless I create a new appliance instance, my data security is locked.

So far Porticor is meeting our requirements to provide a service for our elasticbigdata clients to use their data in the cloud whilst meeting EU data protection requirements and protecting their confidential data from hacking or surveillance.

In the next post we will build on this lab to show how this setup can be integrated into a Big Data Hadoop environment, running MapReduce queries through the secure encryption tunnel the Porticor appliance provides.

About John Sotiropoulos

John Sotiropoulos is the founder and CTO of Raythos Interactive, the Innovation Launchpad. Previously with Metastorm (now part of OpenText) he worked in a variety of roles, such as Chief Architect, Director of Product Development and Head of Innovation, building development teams, shaping product and innovation strategy, and delivering award-winning products including social business process modeling on the cloud. In his new venture, John is working on elasticbigdata.com, a cloud service to democratise Big Data and Machine Learning. He also advises and helps forward-looking companies develop product strategies, architectures and teams that deliver business innovation and economic growth.

The post Raythos Lab: Securing Cloud Data from Cybercrime, Intrusion and Surveillance appeared first on Porticor Cloud Security.



