
Securing Cloud Data from Cybercrime, Intrusion and Surveillance

When storing data in the cloud, key management becomes a critical aspect of data confidentiality

By John Sotiropoulos - In my previous post (Cloud Data, Security, Privacy & Confidentiality / The ISV Perspective) I talked about the increasing exposure of data, the changing landscape of data confidentiality and the need to shield data rather than retreat into the largely mythical "safe havens" of on-premise infrastructure. When storing data in the cloud, key management becomes a critical aspect of data confidentiality, and a new crop of vendors is beginning to emerge that simplifies encryption and key management.

Having looked at most of the new crop of cloud encryption vendors, we liked Porticor for its innovative application of a homomorphic algorithm to split-key encryption and its use of a customer-owned security appliance. The combination of the two eliminates the need to expose the encryption key and minimizes the risks, offering a unique approach to complying with EU data protection legislation that is not found elsewhere in the cloud.

The devil is always in the detail, and we are currently evaluating the product in depth to include it as an option for our elasticbigdata service. With Porticor offering a 30-day free trial and quite affordable rates afterwards, it is easy to evaluate the service.

Porticor is currently available as a service hosted either on AWS, IBM clouds, or any VMware-based cloud. There are no technical reasons why their offering cannot run on Azure or OpenStack, and I assume this is down to customer-driven prioritization. With an easy-to-use REST API, the service can actually be used as-is from other clouds (Azure, OpenStack) whilst running on AWS. This is something we have explored, and we will post a step-by-step lab on how to use the API.

In this post we will walk through how you can secure cloud data against hackers, the cloud vendor themselves and any surveillance snooping.

Setting up a Porticor Project

Once you've registered for the free trial, you can log on to the Porticor admin web site, which allows you to set up the usual admin hygiene (user profiles, password resets, additional users, etc.) and, most importantly, the core of Porticor's offering: the Virtual Appliance with its set of optional add-ons for seamless storage, database and network encryption. These are all grouped in what Porticor calls a project.

[Screenshot: porticorMain]

A Porticor Virtual Appliance is a sophisticated data encryption black box that the customer owns, and it is an actual VM; in our case, an AWS instance. Whilst experimenting, you can use a micro AWS instance and take advantage of the free tier Amazon offers.

The appliance is created using a private key that is only displayed at the end of the set-up sequence; you are responsible for storing it securely in your own secure storage mechanism. It will only be used again to bootstrap an appliance.

[Figure: porticor archit (Porticor architecture diagram)]

The key used to bootstrap the appliance is split and homomorphically encrypted. Homomorphic encryption is something everyone gets excited about, not least DARPA, which is investing $20M in the homomorphic-related PROCEED initiative, with $4.7M already awarded to Galois Inc. to extend its Cryptol toolsuite to be homomorphic. The algorithm allows encrypted data to be used without decryption and will probably one day make the whole key problem history, but for now it is not ready for prime-time, full-scale data encryption. What Porticor has done is apply the algorithm (they have a long formal mathematical proof paper) to the encryption of each part of the split key, so that even if an intruder compromises the appliance, the key shares are present only in encrypted form. Moreover, the encryption is different on each appliance, so an encrypted key stolen from one appliance is useless to the thief.

The bottom line is that the key is not lying around in any cloud storage. There is an option to keep the key across reboots in the appliance's instance storage, but this is for development purposes. I store it on an encrypted USB key and never in the cloud.
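The split-key idea described above, as an added illustration written for this lab write-up: it is not Porticor's code and it does not reproduce Porticor's homomorphic encryption of the shares. It uses a plain two-share XOR split (one-time-pad style), which is enough to show the property the text relies on: a single share, whether it is the one held in appliance memory or one captured by an intruder, is consistent with every possible key, so only both shares together recover it. The functions `split_key`, `combine_shares` and `keys_consistent_with_share` are hypothetical names chosen here.

```python
"""Two-share XOR key splitting: one share alone reveals nothing about the key.
Added example for this lab; not Porticor's implementation (their shares are
additionally homomorphically encrypted, which is omitted here)."""
import os
from typing import Set, Tuple


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split `key` into two shares.

    share_a is fresh random bytes and share_b = key XOR share_a. Each share on
    its own is uniformly distributed, so holding exactly one of them gives no
    information about the key; only the pair reconstructs it.
    """
    share_a = os.urandom(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Rebuild the key from both shares; fail loudly on a length mismatch."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def keys_consistent_with_share(share: bytes) -> Set[bytes]:
    """Every key that some complementary share would turn `share` into.

    Restricted to one-byte shares so the enumeration stays small; the result
    is all 256 possible keys, i.e. a captured share narrows nothing down.
    """
    if len(share) != 1:
        raise ValueError("enumeration is only practical for one-byte shares")
    return {combine_shares(share, bytes([other])) for other in range(256)}


if __name__ == "__main__":
    # Constructed demo key; a real data key would come from a CSPRNG as well.
    key = os.urandom(32)
    in_memory_share, stored_share = split_key(key)
    assert combine_shares(in_memory_share, stored_share) == key
    print("keys consistent with one byte of a share:",
          len(keys_consistent_with_share(in_memory_share[:1])))
```

The point of `keys_consistent_with_share` is the intruder's view: given one share, every candidate key is equally plausible, which is why the text can say a share lying in the appliance is useless by itself. What the XOR split does not give you is Porticor's second property (a stolen, encrypted share being useless on a different appliance); that needs the per-appliance encryption the text describes.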

The sequence is easy and straightforward. It follows a wizard-style flow, asking you to provide your AWS credentials. This is important because everything that is generated is stored in your own AWS account. This means your trust in the encryption vendor, Porticor, does not have to be blind, as you control access to your appliances. It also means you are charged for the compute used, so include that in your costing model, especially when moving away from the free tier.

[Screenshot: newProjectStep0]

[Screenshot: newProjectStep1]

[Screenshot: newProjectStep2]

[Screenshot: newProjectStep3]

At the end of this process, Porticor will give you the Master-Key used to bootstrap the project. You need to save the key securely and make sure you don't lose it, as this is the only copy of the key.

[Screenshot: keyGenerationPorticor]

Once the Virtual Appliance has been created you can manage it in Porticor's web interface,

[Screenshot: ManageVirtualApplicances]

but you can also see it and manage it in your AWS Management Console.

[Screenshot: PorticorApplianceinAWS]

The appliance can now be used with the project add-ons, which do a good job of automating encryption seamlessly for files, S3, databases and network traffic. They act like code-less encryption channels to these resources. This eliminates the need for you to write encryption code; you rely instead on the appliance's encryption services. These use strong encryption algorithms such as AES-256, with the added benefit of the in-memory, split and homomorphically encrypted key.

The appliance can also be accessed via the Porticor API, in which case it is used for secure storage and key management, with custom code doing the encryption/decryption work.

Setting Up Encryption for the S3 bucket

There are two ways of using the Porticor Virtual Appliance:

1. Via the REST API, to manage the key and optionally perform encryption tasks.
2. Via the S3 add-on as the encryption tunnel, proxying the S3 requests through the appliance so that they are seamlessly encrypted and decrypted.

Most users will prefer the second approach as it saves time.

This involves supplying your AWS credentials to the Virtual Appliance via the Porticor configuration site. The screenshot shows how this is configured; it is described in detail in Porticor's knowledge base item S3 Encryption With Porticor.

[Screenshot: ConfigureS3Encryption]

Once you have set up the Porticor site, there are two ways of accessing your encrypted S3 bucket. You can specify the S3 endpoint using the appliance's URL, e.g. <appliance>.d.porticor.net; Porticor can simplify this further by allowing you to do a DNS mapping so that an individual bucket can be accessed as <bucketname>.d.porticor.net (mapped to the appliance DNS). In this case you need to specify the S3 bucket name in the Porticor S3 admin page.

In many cases, S3 clients and libraries do not provide the option to specify an S3 endpoint. They automatically construct it from the S3 bucket name, assuming Amazon's own <bucket>-prefixed hostname. In this case, you have no choice but to use the hosts file redirection Porticor offers as a second way of going through the Porticor Virtual Appliance.

This is fairly easy on Mac OS X, Linux and Windows (but requires admin access): you edit your hosts file and add a line that maps the external IP of your appliance to the bucket's S3 hostname. In my case the additional line for the bigdatatests bucket is

54.227.XX.XX   bigdatatests.s3.amazonaws.com

where 54.227.XX.XX is the (obscured) external IP address of my security appliance.

Once the hosts file is changed (and on Mac OS X the change is activated with an additional command described in the link above), S3 client applications will go through the appliance.

I like the hosts redirection for its transparent way of calling the Virtual Appliance; because the application configuration still uses the standard AWS naming convention, it would not immediately reveal the use of the Virtual Appliance to an intruder.
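A hosts-file redirection is easy to get subtly wrong (a typo in the bucket name, a stale duplicate entry that shadows the new one, or a line that silently never matches), and the same mechanism can be used against you if anyone else edits that file. The following is an added example, not Porticor's tooling: it parses hosts-file text, reports which S3 hostnames are being redirected, checks each against the appliance IP you expect, and flags duplicates and unconfigured redirections. The sample hosts content, the `192.0.2.10`/`203.0.113.7` addresses (documentation ranges) and the function names are all constructed for this example; the real appliance IP is the one the text shows obscured as 54.227.XX.XX.

```python
"""Audit hosts-file redirection of *.s3.amazonaws.com to an encryption appliance.
Added example for this lab (not Porticor code); all addresses are placeholders."""
import ipaddress
from typing import Dict, List, NamedTuple

S3_DOMAIN = "s3.amazonaws.com"


class HostsEntry(NamedTuple):
    line_no: int
    ip: str
    hostname: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into (line, ip, hostname) entries.

    Handles comments, blank lines, several hostnames per line and IPv4/IPv6.
    Lines whose first field is not an IP are skipped, as resolvers ignore them.
    """
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append(HostsEntry(line_no, ip, host.lower().rstrip(".")))
    return entries


def is_s3_name(hostname: str) -> bool:
    return hostname == S3_DOMAIN or hostname.endswith("." + S3_DOMAIN)


def audit_s3_overrides(text: str, expected: Dict[str, str]) -> Dict[str, list]:
    """Compare S3-related hosts entries with `expected` {hostname: appliance_ip}.

    ok          entries matching the expected appliance IP
    unexpected  S3 names redirected to an address you did not configure
    shadowed    later duplicates of a name; most resolvers use the first match
    missing     expected redirections that are absent (traffic would go direct)
    """
    expected = {h.lower(): str(ipaddress.ip_address(ip)) for h, ip in expected.items()}
    findings: Dict[str, list] = {"ok": [], "unexpected": [], "shadowed": [], "missing": []}
    first_seen: Dict[str, HostsEntry] = {}
    for entry in parse_hosts(text):
        if not is_s3_name(entry.hostname):
            continue
        if entry.hostname in first_seen:
            findings["shadowed"].append(entry)
            continue
        first_seen[entry.hostname] = entry
        if expected.get(entry.hostname) == entry.ip:
            findings["ok"].append(entry)
        else:
            findings["unexpected"].append(entry)
    findings["missing"] = [h for h in expected if h not in first_seen]
    return findings


def hosts_line(appliance_ip: str, bucket: str) -> str:
    """Render the hosts line for one bucket, validating the IP first."""
    return f"{ipaddress.ip_address(appliance_ip)}   {bucket.lower()}.{S3_DOMAIN}"


# Constructed sample hosts file; the addresses are documentation ranges
# standing in for the real appliance address.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# appliance redirection for the lab bucket
192.0.2.10      bigdatatests.s3.amazonaws.com
203.0.113.7     otherbucket.s3.amazonaws.com   # nobody configured this one
192.0.2.10      BigDataTests.s3.amazonaws.com  # duplicate, never consulted
192.0.2.10      example.org
"""

EXPECTED_REDIRECTIONS = {"bigdatatests.s3.amazonaws.com": "192.0.2.10"}

if __name__ == "__main__":
    # On a real host, read the file instead: open("/etc/hosts").read()
    for category, items in audit_s3_overrides(SAMPLE_HOSTS, EXPECTED_REDIRECTIONS).items():
        print(f"{category}: {items}")
```

Run it against the machine's actual hosts file on each client you configure; an entry in `unexpected` means S3 traffic for that bucket is being steered somewhere other than your appliance, and an entry in `missing` means the client is talking to S3 directly and will only ever see ciphertext.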

Whether you use the endpoint explicitly or the hosts redirection, you will need to add the Porticor-issued certificate to the trusted certificates of your applications. How this is done varies depending on the actual client application or library.

You can download the certificate by enabling the Porticor Certificate Authority (PCA) option in the project's configuration page. The screen advises (see screenshot) how to install the certificate in browsers. You should also store a copy of this .crt file in a secure location so that you can use it in different stores if needed. Alternatively, you can re-download the certificate from the project settings cog icon.

[Screenshot: loadPorticorCertificate]

For native applications you would add it to the OS-level machine certificate store, i.e. the Windows Certificate Store on Windows, Keychain Access on Mac OS X, or typically /etc/ssl/certs on Linux, and then point to it from the application's configuration (e.g. httpd.conf for Apache) or via the OS API.

For Hadoop, being a Java stack, and for other Java applications, this will go into a key store or the default cacerts key store. We will see how to do this later on.

But to start with, I use the Firefox S3 Organizer add-on to test that all works well.

I modify my hosts file as described and download the certificate; I save it to a secure place, then add it to Firefox's certificate store, as described in Porticor's KB item.

[Screenshot: firefoxcerts]

With the hosts redirection I can access both my encrypted and unencrypted buckets. To test the encryption, I upload an image file to S3.

[Screenshot: uploadingImgToS3]

Once the image is uploaded, I download it to a different location and verify it’s usable.

I then switch to my S3 admin page in the AWS console. This runs on AWS infrastructure, so it is not governed by my hosts mapping and does not go through the appliance.

[Screenshot: imageinS3browser]

I see the file listed, but when I try to download it I get an error, confirming that the encryption tunnel works.

[Screenshot: dwonloadimagefromS3browser]

[Screenshot: encryptedImage]

Setting up another client on Ubuntu Linux with CrossFTP validates the behaviour. When the client's hosts file is modified to go through the Porticor encryption tunnel, the image is valid; otherwise it always returns an invalid (encrypted) file.

[Screenshot: Workspace0011]

This is reassuring: it doesn't matter whether a cyber-criminal, hacker, Amazon, a disgruntled admin or the NSA gets hold of my data or even my AWS credentials. The data is encrypted, and the only way to decrypt it is to use the secure tunnelling through my Porticor encryption appliance.

Since I control the appliance VM, in an emergency (for instance, a detected intrusion) I can also shut it down when it is not needed. When the Porticor Virtual Appliance is turned back on, it requires a bootstrapping sequence using my private master key. Remember, the master key is stored on my encrypted USB key and no one else has access to it. Unless I create a new appliance instance, my data remains locked.

So far Porticor is meeting our requirements to provide a service for our elasticbigdata clients to use their data in the cloud whilst meeting EU data protection requirements and protecting their confidential data from hacking or surveillance.

In the next post we will build on this lab and show how this setup can be integrated into a Big Data Hadoop environment for MapReduce queries via the secure encryption tunnel the Porticor appliance provides.

About JOHN SOTIROPOULOS

John Sotiropoulos is the founder and CTO of Raythos Interactive, the Innovation Launchpad. Previously with Metastorm (now part of OpenText) he worked in a variety of roles – such as Chief Architect, Director of Product Development, and Head of Innovation – building development teams, shaping product and innovation strategy, and delivering award-winning products including social business process modeling on the cloud. In his new venture, John is working on elasticbigdata.com, a cloud service to democratise Big Data and Machine Learning. He also advises and helps forward-looking companies develop product strategies, architectures, and teams that deliver business innovation and economic growth.

The post Raythos Lab: Securing Cloud Data from Cybercrime, Intrusion and Surveillance appeared first on Porticor Cloud Security.
