The Cloud Advocate: Dallas ISSA & Cloud Encryption Discussion
April 22, 2011, 12:22 pm EDT
Yesterday I had the chance to present and speak at an ISSA chapter event in Dallas, TX. Attendance was good; we had about 70 folks from the ISSA group, which I’m told is about the full group. I speak on a regular basis, often to ISSA groups, and these guys had some good questions. So let me try to cluster one topic for this post: using encryption to focus your security and audit efforts.
First of all, at every ISSA event I poll the group on what departments are represented, and this group skewed a bit more toward Audit/Compliance than other ISSA events I’ve spoken at. In general (approximations from what I could see from a show of hands): 1/3 came from the Audit/Compliance group, 2/3 from a dedicated IT security group, and only a couple from General IT with security as a partial responsibility. What was interesting is that one of the members pointed out at the end of the event, “I don’t know if you noticed, but most of the questions were coming out of the Audit/Compliance group.” So let’s hit one topic we discussed, exploring the boundaries of data encryption in the cloud:
1. “I get encryption for servers in the cloud, but I still have to worry about running servers where things are being run in clear text.” Sure, there never is a magic bullet in security; anyone who tells you so is either a fool or a crook. But let’s step back and explore two fundamental points: a) encrypting the server instance isolates it in the cloud, so other tenants on the shared hypervisor cannot steal a usable copy of your instance, much like full disk encryption protects data on laptops out in the wild; and b) the act of encrypting lets you introduce a checkpoint that requires authentication and authorization of an instance before it can run, and lets you track that act so you have visibility into how, when and where your instance is running. With encryption, the scope of your problem is much smaller. And that’s the point: now you have a defined boundary around which you can ask specific questions, require answers, and set audit procedures for the controls in specific use cases. In particular, your questions now become specific rather than vague:
a. What monitoring controls do you give me for access and traffic analysis for server X (your server)?
b. What patch management and host security controls are in place to maintain the integrity of server X and protect it from active threats?
c. Do you have IPS controls I can use around Server X to defend against and detect more sophisticated breaches?
d. Do you have a SIEM infrastructure I can use around Server X to detect possible breaches? What is the workflow process within your SOC to work these problems? What SLA do you have to notify me of the problem so I can take action?
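As an added illustration of the checkpoint described in point 1 b) (this is example code written for this post, not SafeNet’s product or any provider’s API): a key-release gate that will only hand the volume key to an instance that authenticates itself and is authorized to run in the claimed account and region, and that records every attempt so you can later answer how, when and where the instance ran. The instance identifiers, secrets, keys and policy are all constructed sample values.

```python
"""Key-release checkpoint for an encrypted cloud instance (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample data: which instance may run where, the per-instance
# secret it authenticates with, and the volume key the gate protects.
POLICY = {"i-0123abcd": {"region": "us-east-1", "account": "acct-42"}}
INSTANCE_SECRETS = {"i-0123abcd": b"constructed-instance-secret"}
VOLUME_KEYS = {"i-0123abcd": b"constructed-volume-key"}


def _message(instance_id, region, account, ts):
    # The claim the instance signs: who it is, where it is, and when.
    return f"{instance_id}|{region}|{account}|{ts}".encode()


def sign_request(instance_id, region, account, ts):
    # Instance side: prove identity with an HMAC over the claim.
    secret = INSTANCE_SECRETS[instance_id]
    return hmac.new(secret, _message(instance_id, region, account, ts), hashlib.sha256).hexdigest()


@dataclass
class KeyServer:
    audit_log: list = field(default_factory=list)

    def release_key(self, instance_id, region, account, ts, mac):
        # 1. Authenticate: verify the HMAC with constant-time comparison.
        secret = INSTANCE_SECRETS.get(instance_id)
        authenticated = secret is not None and hmac.compare_digest(
            hmac.new(secret, _message(instance_id, region, account, ts), hashlib.sha256).hexdigest(),
            mac,
        )
        # 2. Authorize: is this instance allowed to run in this account/region?
        policy = POLICY.get(instance_id)
        released = (
            authenticated
            and policy is not None
            and policy["region"] == region
            and policy["account"] == account
        )
        # 3. Track: every attempt, successful or not, becomes an audit record.
        self.audit_log.append({
            "instance": instance_id, "region": region, "account": account,
            "ts": ts, "authenticated": authenticated, "released": released,
        })
        return VOLUME_KEYS[instance_id] if released else None
```

An instance booted in the wrong region, or by someone who copied the image but not the secret, never receives the key, and the failed attempt is exactly the event you would want surfaced by the provider’s monitoring and SIEM controls asked about above.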
2. “Assuming my servers are encrypted and running in the cloud, in the case of a cloud provider complying with a lawful order, won’t the Feds (U.S. slang for our federal government) still have access to data in running servers? Couldn’t they just show up with power and cart away the running servers?” First of all, I think it’s cute that you think the federal government is both tech savvy enough to try to preserve the running memory state of a server and organized enough to bring the gear to do it when they are serving a warrant. I had the chance to sit in a class on cloud security and the law given by a former federal prosecutor, and I’m pretty sure the SOP is to show up with some guys, unplug the servers, and throw them into the back of the truck to get the evidence into custody as quickly as possible, establish the chain of custody required for court, and limit tampering with the evidence by the target host. No, encryption is not perfect, but I have a hard time seeing a lawful order scenario in which the federal government preserves running servers. The most likely case is that the feds start running forensics on the restarted servers, find your data encrypted, and either a) won’t care, because they know you aren’t the target of their investigation, so there is no need to go through the long process of trying to compel you to give up your encryption key, or b) if they do want it, they’ll have to go through the courts and give you the opportunity to “lawyer up” and invoke your constitutional rights.
Lastly, and this is for another post, the cloud providers have also thought about these issues, and I can tell you that a) their infrastructure handles this case when instances are saved and/or b) they have specific APIs to address it. But that will have to wait for another post.
-Dean (The Cloud Advocate)
This entry was posted in Cloud Security, Data Center and tagged Cloud Audit, Cloud Encryption, cloud security, Lawful Order by Dean Ocampo.