Securing Cloud Data from Cybercrime, Intrusion and Surveillance

When storing data in the cloud, key management becomes a critical aspect of data confidentiality

By John Sotiropoulos - In my previous post (Cloud Data, Security, Privacy & Confidentiality / The ISV Perspective) I talked about the increasing exposure of data, the changing landscape of data confidentiality and the need to shield data rather than retreat into the largely mythical "safe havens" of on-premise. When storing data in the cloud, key management becomes a critical aspect of data confidentiality, and a new crop of vendors is emerging to simplify encryption and key management.

Having looked at most of the new crop of cloud encryption vendors, we liked Porticor for its innovative application of a homomorphic algorithm to split-key encryption and its use of a customer-owned security appliance. The combination of the two eliminates the need to expose the encryption key and minimises the risks, offering an approach to complying with EU data protection legislation that we have not found elsewhere in the cloud.

The devil is always in the detail, and we are currently evaluating the product in depth to include it as an option for our elasticbigdata service. With Porticor offering a 30-day free trial and quite affordable rates afterwards, it is easy to evaluate the service.

Porticor is currently available as a service hosted on AWS, IBM clouds, or any VMware-based cloud. There is no technical reason why their offering cannot run on Azure or OpenStack, and I assume this is down to customer-driven prioritisation. With its easy-to-use REST API, the service can be used as-is from other clouds (Azure, OpenStack) while running on AWS. This is something we have explored, and we will post a step-by-step lab on how to use the API.

In this post we walk through how you can secure cloud data against hackers, the cloud vendor itself, and surveillance snooping.

Setting up a Porticor Project

Once you have registered for the free trial, you can log on to the Porticor admin web site, which lets you set up the usual admin hygiene (user profiles, password resets, additional users, etc.) and, most importantly, the core of Porticor's offering: the Virtual Appliance with its set of optional add-ons for seamless storage, database and network encryption. These are all grouped in what Porticor calls a project.

[Screenshot: Porticor admin main page]

A Porticor Virtual Appliance is a data-encryption black box that the customer owns; it is an actual VM, in our case an AWS instance. While experimenting, you can use a micro AWS instance and take advantage of the free tier Amazon offers.

The appliance is created using a private key that is displayed only once, at the end of the set-up sequence; you are responsible for storing it securely in your own secure storage. It is only used again to bootstrap an appliance.

[Screenshot: Porticor architecture diagram]

The key used to bootstrap the appliance is split and homomorphically encrypted. Homomorphic encryption is something everyone gets excited about, not least DARPA, which is investing $20M in the homomorphic-related PROCEED initiative, with $4.7M already awarded to Galois Inc. to extend its Cryptol tool suite with homomorphic capabilities. Homomorphic encryption allows computation on encrypted data without decrypting it, and one day it will probably make the whole key problem history, but for now it is not ready for prime-time, full-scale data encryption. What Porticor has done is to apply the algorithm (they have a long formal mathematical proof paper) to the encryption of each part of the split key, so that even if an intruder compromises the appliance, the key shares are present only in encrypted form. Moreover, the encryption differs on each appliance, so an encrypted key stolen from one appliance is useless to the thief.

The bottom line is that the key is not lying around in any cloud storage. There is an option to keep the key in the appliance's instance storage across reboots, but this is for development purposes only. I store it on an encrypted USB key and never in the cloud.

The sequence is straightforward. It follows a wizard-style flow, asking you to provide your AWS credentials. This matters because everything that is generated is stored in your own AWS account, so your trust in the encryption vendor, Porticor, does not have to be blind: you control access to your appliances. It also means you are charged for the compute used, so include that in your costing model, especially when moving off the free tier.

[Screenshots: new project wizard, steps 0 to 3]

At the end of this process, Porticor gives you the master key used to bootstrap the project. Save it securely and make sure you do not lose it, as this is the only copy of the key.

[Screenshot: master key generation]

Once the Virtual Appliance has been created, you can manage it in Porticor's web interface

[Screenshot: managing Virtual Appliances in the Porticor web interface]

but you can also see and manage it in your AWS Management Console.

[Screenshot: the Porticor appliance instance in the AWS console]

The appliance can now be used with the project add-ons, which do a good job of automating encryption seamlessly for files, S3, databases and network traffic. They act as code-less encryption channels to these resources, eliminating the need to write encryption code yourself; you rely on the appliance's encryption services instead. These use strong encryption algorithms such as AES-256, with the added benefit of the in-memory, split and homomorphically encrypted key.

The appliance can also be accessed via the Porticor API, in which case it is used for secure storage and key management, with custom code doing the encryption/decryption work.

Setting Up Encryption for the S3 bucket

There are two ways of using the Porticor Virtual Appliance: (1) via the REST API, to manage the key and optionally perform encryption tasks; (2) via the S3 add-on, as an encryption tunnel that proxies S3 requests through the appliance so that they are transparently encrypted and decrypted. Most users will prefer the second approach, as it saves time.

This involves supplying your AWS credentials to the Virtual Appliance via the Porticor configuration site. The screenshot below shows how this is configured; it is described in detail in Porticor's knowledge base item "S3 Encryption With Porticor".

[Screenshot: configuring S3 encryption]

Once you have set up the Porticor side, there are two ways of accessing your encrypted S3 bucket. You can specify the S3 endpoint explicitly using the appliance's URL, e.g. <appliance>.d.porticor.net; Porticor can simplify this further through a DNS mapping so that an individual bucket can be accessed as <bucketname>.d.porticor.net (mapped to the appliance's DNS name). In this case you need to specify the S3 bucket name in the Porticor S3 admin page.

In many cases, S3 clients and libraries do not provide an option to specify an S3 endpoint: they construct it automatically from the bucket name, assuming the standard <bucket>.s3.amazonaws.com form. In that case you have no choice but to use the hosts-file redirection Porticor offers as the second way of going through the Virtual Appliance.

This is fairly easy on Mac OS X, Linux and Windows (but requires admin access): you edit your hosts file and add a line that maps the bucket's S3 hostname to the external IP of your appliance. In my case the additional line for the bigdatatests bucket is

54.227.XX.XX   bigdatatests.s3.amazonaws.com

where 54.227.XX.XX is the (obscured) external IP address of my security appliance.

Once the hosts file is changed (on Mac OS X the change is activated with an additional command described in the link above), S3 client applications go through the appliance.

I like the hosts redirection because it calls the Virtual Appliance transparently: application configuration keeps the standard AWS naming convention, so it does not immediately reveal the use of the Virtual Appliance to an intruder reading it (a mild obscurity benefit only; anyone who can read the hosts file sees the mapping).

Whether you use the endpoint explicitly or the hosts redirection, you will need to add the Porticor-issued certificate to the trusted certificates of your applications: the appliance answers TLS for the bucket's hostname with a certificate issued by the Porticor CA, which the public CA bundle does not trust, so an unprepared client will reject the connection. How you do this varies with the client application or library.

You can download the certificate by enabling the Porticor Certificate Authority (PCA) option in the project's configuration page. The screen advises (see screenshot) how to install the certificate in browsers. Store a secure copy of the .crt file in a secure location so that you can import it into other stores as needed; alternatively, you can re-download it from the project settings cog icon.

[Screenshot: loading the Porticor certificate]

For native applications, add it to the OS-level machine certificate store (the Windows certificate store on Windows, Keychain Access on Mac OS X, typically /etc/ssl/certs on Linux) and point the application at it through its configuration (e.g. httpd.conf for Apache) or the OS API.

Hadoop is a Java stack, so for it and other Java applications the certificate goes into a Java keystore, either an application-specific one or the JRE's default cacerts store. We will see how to do this later on.
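The two things that can silently go wrong with the hosts-file approach are a missing or stale pin (traffic then goes straight to Amazon and your uploads land unencrypted) and a client that has not been taught to trust the Porticor CA. The script below is an added example for this post, not Porticor's code: it parses a hosts file the way the resolver does, reports where traffic for a bucket will actually go, and opens a TLS connection to the bucket's S3 hostname trusting only the Porticor CA file. The sample hosts content, the documentation address 192.0.2.10 standing in for the appliance IP, and the CA file path are all assumptions.

```python
import ipaddress
import socket
import ssl

S3_SUFFIX = ".s3.amazonaws.com"

# Constructed sample hosts file in the format the post shows; 192.0.2.10 is a
# documentation address standing in for the appliance's real external IP.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# route the encrypted bucket through the Porticor appliance
192.0.2.10  bigdatatests.s3.amazonaws.com
"""


def parse_hosts(hosts_text):
    """Return {hostname: ip} for every well-formed, non-comment hosts line."""
    mapping = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])      # skip malformed lines
        except ValueError:
            continue
        for name in fields[1:]:
            mapping[name.lower()] = fields[0]
    return mapping


def bucket_host(bucket):
    """The hostname S3 clients derive from a bucket name (virtual-host style)."""
    return bucket.lower() + S3_SUFFIX


def pin_status(bucket, hosts_text, appliance_ip):
    """Where does traffic for this bucket actually go?

    "tunnel"      pinned to the appliance address you expect
    "unpinned"    no hosts entry: requests go straight to Amazon, bypassing
                  the appliance, so uploads would land in the bucket in clear
    "misdirected" pinned, but to some other address (typo, stale entry or a
                  tampered hosts file): investigate before trusting it
    """
    ip = parse_hosts(hosts_text).get(bucket_host(bucket))
    if ip is None:
        return "unpinned"
    return "tunnel" if ip == appliance_ip else "misdirected"


def verify_appliance_tls(bucket, porticor_ca_pem, timeout=5.0):
    """Connect to <bucket>.s3.amazonaws.com over TLS trusting ONLY the Porticor
    CA (hypothetical path to the .crt downloaded from the project page).

    With the hosts pin in place the connection reaches the appliance, whose
    certificate chains to that CA, and the leaf certificate's subject is
    returned. Without the pin you reach Amazon's real endpoint, whose chain
    does not lead to the Porticor CA, and ssl.SSLCertVerificationError is
    raised. Either way you learn which side of the tunnel you are on.
    """
    host = bucket_host(bucket)
    ctx = ssl.create_default_context(cafile=porticor_ca_pem)
    ctx.check_hostname = True
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    # Offline part: confirm the sample hosts file pins the bucket to the appliance.
    print(pin_status("bigdatatests", SAMPLE_HOSTS, "192.0.2.10"))   # tunnel
    print(pin_status("otherbucket", SAMPLE_HOSTS, "192.0.2.10"))    # unpinned
    # Online part (needs the pin in your real hosts file and the CA file):
    # print(verify_appliance_tls("bigdatatests", "/secure/porticor-ca.crt"))
```

Run `pin_status` against the contents of your real hosts file before each test, and run `verify_appliance_tls` twice for a complete picture: once with the Porticor CA file (should succeed when pinned) and once with a context built from the system CA bundle, `ssl.create_default_context()`, which should fail when pinned because the appliance's certificate is not publicly trusted. If both succeed, or both fail, the routing is not what you think it is.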

To start with, I use the Firefox S3 Organizer add-on to test that everything works.

I modify my hosts file as described and download the certificate; I save it to a secure place, then add it to Firefox's certificate store as described in Porticor's KB item.

[Screenshot: Firefox certificate store]

With the hosts redirection I can access both my encrypted and unencrypted buckets. To test the encryption, I upload an image file to S3.

[Screenshot: uploading the image to S3]

Once the image is uploaded, I download it to a different location and verify it’s usable.

I then switch to the S3 admin page in the AWS console. The console runs on AWS infrastructure, so it is not governed by my hosts mapping and does not go through the appliance.

[Screenshot: the image listed in the S3 browser]

I see the file listed, but when I try to download and open it I get an error: what is stored in the bucket is ciphertext, which confirms that the encryption tunnel works.

[Screenshots: downloading the image from the S3 browser; the encrypted image]

Setting up another client on Ubuntu Linux with CrossFTP validates the behaviour: when the client's hosts file is modified to go through the Porticor encryption tunnel, the image is valid; otherwise it always returns an invalid (encrypted) file.
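The upload-then-fetch-both-ways test above is worth scripting so it can be repeated after every configuration change. The following is an added example, not Porticor's code: it compares the file you uploaded with the copy fetched through the appliance and the copy fetched directly from Amazon, and passes only when the tunnel round-trips the file exactly while the direct copy is neither the plaintext nor a recognisable image. The three byte strings are constructed stand-ins (the "ciphertext" is deterministic filler, not real Porticor output); in use you would replace them with the bytes returned by your S3 client with the hosts pin in place and with it removed.

```python
import hashlib
import math
from collections import Counter

# Magic numbers for the image formats you are likely to use as a test file.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed stand-ins for the three byte strings the post compares by hand.
ORIGINAL_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + bytes(range(256)) * 4
VIA_TUNNEL = bytes(ORIGINAL_IMAGE)          # what the appliance hands back
DIRECT_COPY = b"".join(                     # deterministic filler, not real ciphertext
    hashlib.sha256(b"filler-%d" % i).digest() for i in range(40)
)


def file_type(data):
    """Name the format if the bytes begin with a known image signature."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unrecognised"


def entropy_bits_per_byte(data):
    """Shannon entropy of the byte distribution; ciphertext sits close to 8.0.
    Compressed image bodies are also high-entropy, so treat this as a
    supporting signal, not proof on its own."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_tunnel(original, via_tunnel, direct):
    """Reproduce the post's manual test as a dict of findings.

    ok is True only when the tunnel round-trips the file bit-for-bit AND the
    direct copy is neither the plaintext nor a recognisable image. A failed
    check means plaintext is leaking or the tunnel is broken; a passed check
    means the stored object is not the plaintext. It says nothing about how
    strong the appliance's encryption is; that trust rests on the appliance.
    """
    findings = {
        "tunnel_roundtrip": sha256_hex(via_tunnel) == sha256_hex(original),
        "direct_is_plaintext": direct == original,
        "direct_type": file_type(direct),
        "direct_entropy": round(entropy_bits_per_byte(direct), 2),
        "direct_size_delta": len(direct) - len(original),
    }
    findings["ok"] = (
        findings["tunnel_roundtrip"]
        and not findings["direct_is_plaintext"]
        and findings["direct_type"] == "unrecognised"
    )
    return findings


if __name__ == "__main__":
    # In real use, fetch VIA_TUNNEL with the hosts pin in place and DIRECT_COPY
    # from a client that bypasses it (or via the AWS console download).
    for key, value in check_tunnel(ORIGINAL_IMAGE, VIA_TUNNEL, DIRECT_COPY).items():
        print(f"{key}: {value}")
```

The size delta is reported because an encrypting proxy normally adds some overhead (IV, padding, metadata); a direct copy that is exactly the plaintext length and unrecognised is still worth a second look, since a truncated or corrupted transfer also fails the magic-number test without being encrypted at all.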

This is reassuring: whether a cyber-criminal, a hacker, Amazon itself, a disgruntled admin or the NSA gets hold of my data, or even my AWS credentials, what they obtain from the bucket is ciphertext, and the only way to decrypt it is through the secure tunnel of my Porticor encryption appliance.

Since I control the appliance VM, in an emergency (for instance, when an intrusion is detected) I can also shut it down when it is not needed. When the Porticor Virtual Appliance is turned back on, it requires a bootstrapping sequence using my private master key. Remember, the master key is stored on my encrypted USB key and no one else has access to it. Unless I create a new appliance instance, my data stays locked. Because the appliance is an instance in your own AWS account, the credentials that can reach that instance deserve the same care as the master key.

So far Porticor is meeting our requirements to provide a service for our elasticbigdata clients to use their data in the cloud while meeting EU data protection requirements and protecting their confidential data from hacking or surveillance.

In the next post we will build on this lab and show how this setup can be integrated into a Hadoop Big Data environment for Map-Reduce queries via the secure encryption tunnel the Porticor appliance provides.

About JOHN SOTIROPOULOS

John Sotiropoulos is the founder and CTO of Raythos Interactive, the Innovation Launchpad. Previously, with Metastorm (now part of OpenText), he worked in a variety of roles, such as Chief Architect, Director of Product Development and Head of Innovation, building development teams, shaping product and innovation strategy, and delivering award-winning products including social business process modeling on the cloud. In his new venture, John is working on elasticbigdata.com, a cloud service to democratise Big Data and Machine Learning. He also advises and helps forward-looking companies develop product strategies, architectures and teams that deliver business innovation and economic growth.

The post Raythos Lab: Securing Cloud Data from Cybercrime, Intrusion and Surveillance appeared first on Porticor Cloud Security.
