Welcome!

Linux Authors: Peter Silva, Lori MacVittie, Elizabeth White, Jnan Dash, Martin Etmajer

Blog Feed Post

Securing Data at Rest is not Enough

securing data at rest Cloud Security Cloud Encryption  securing data at rest Securing Data at Rest is not EnoughData encryption in a cloud environment is a no-brainer: the new security threats in a world without physical walls mean that the data is now at risk from snoopy employees of the cloud provider, from insiders who might have access to the cloud environment but still are not welcome to all sensitive data, from people who have obtained your cloud credentials and are now trying to get a snapshot of your sensitive disks, and on and on.
Clearly, you need to encrypt the data as it is stored (data at rest). And it makes no difference whether the data is stored as files on a disk, as records in a database, or as “objects” in an object store such as Amazon’s Simple Storage Service (S3).

Is protecting data at rest sufficient?

The same network threats that exist in the physical world are still important in the virtual world. Data in motion must also be protected, that is just as important as protecting data at rest.
For example, if you are using shared disks in the cloud, data traffic is typically unencrypted, whether you’re using NFS, Windows CIFS or iSCSI. All of these protocols can be protected but only with a significant amount of integration effort. And so an attacker who breaks into your cloud environment can gain access to data flowing between your servers and their disks.

In a public cloud such snooping attacks can be in the form of unexplained changes to the route table and like most things in the cloud, can be automated for the attacker’s convenience. In a private cloud, good old ARP spoofing is always a real threat, allowing an attacker with physical or virtual access to insert himself between pairs of servers.

Protecting Data at Rest

At Porticor, we focus on protecting data at rest. However we are fully aware that this does not cover all bases. So in addition to making protection at rest extremely easy to use, we also make it easy to protect data in transit. It is a matter of a single Linux shell command to deploy IPsec between your server and the Porticor appliance that protects your data. This ensures that your data is never exposed, even while it is transmitted over the network.
The appliance handles your most sensitive data, data that it is your duty to your customers and partners to protect as well as technically possible. The appliance also protects security metadata, in particular the encryption keys that encrypt the data, and the master key that is used to protect all other encryption keys. Which brings up a third mode of data, and a third mode of protection: data in use protection.
Encryption keys are never maintained on disk, and are obscured even in memory. The master key, due to its extreme sensitivity, enjoys some extra “heavy duty” protection. Porticor’s patented Homomorphic Key Management technology ensures that the master key can be used even when it is encrypted. So the master key is strongly encrypted at all times, with a different encrypted form on each of the appliances where it is used. In other words, each appliance in the project has its own variant of the master key. The mathematical transforms used in the process guarantee that even a rogue appliance cannot discover the plaintext master key, and that no appliance can masquerade for another one.

 

Read more about it on our white paper.

The post Securing Data at Rest is not Enough appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.