Understand Security Concepts Relevant to Cloud Computing
Cryptography and Key Management
Cryptography
NIST defines cryptography as:
The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification.
Cryptography is the method by which data at rest and in motion is securely encrypted.
Key Management
NIST defines a key as:
A numerical value used to control cryptographic operations, such as decryption, encryption, signature generation, or signature verification. Usually a sequence of random or pseudorandom bits used initially to set up and periodically change the operations performed in cryptographic equipment for the purpose of encrypting or decrypting electronic signals, or for determining electronic counter-countermeasures (ECCM) patterns, or for producing other key.
Keys are essential to cryptography, and managing them properly is critical to maintaining the security of data in the cloud. Many cloud service providers offer a key management service (KMS) to store and protect keys.
Access Control
In the cloud model there are three types of access controls: physical, technical, and administrative. Depending on the control, the cloud service provider (CSP) and the customer have different responsibilities.
Physical access controls govern physical access to the hardware (servers and data centers) that runs the cloud. Responsibility for them falls entirely to the CSP.
Technical access controls are the responsibility of both the customer and the CSP, depending on which model is used. For instance, reviewing logs for unusual activity can be shared between the customer and the CSP.
Administrative access controls are the policies and procedures a customer uses for access to the cloud resources. Responsibility for them rests with the customer.
Data and Media Sanitization
On-prem data is easy to sanitize securely. In the cloud it is more difficult because you don't have physical access to the hard drives to remove the data. Data in the cloud is also backed up and stored in other locations. To overcome these obstacles, businesses can encrypt the data at rest and crypto-shred it.
Overwriting happens when deleted areas are marked for reuse and are later overwritten by new data. The problem is that you cannot control how quickly the data will be overwritten, and until then it persists on disk.
Cryptographic erase is when the cryptographic keys for the encrypted data at rest are destroyed, rendering the data unreadable.
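Crypto-shredding as described above, shown as an added example that is not from the original page: the data exists only as AES-256-GCM ciphertext, so overwriting the 32-byte key leaves the primary blob and every backup copy undecryptable. The function names and the in-process key standing in for a KMS-held key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext, the only form written to storage or backups.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("unusable key or truncated blob (%v)", err)
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// shred is the cryptographic erase: overwrite the key, not every data replica.
func shred(key []byte) { copy(key, make([]byte, len(key))) }

func main() {
	key := make([]byte, 32) // stands in for a key held in a KMS (assumption)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	blob, _ := seal(key, []byte("constructed customer record"))
	shred(key) // the blob and every backup of it are now undecryptable
	fmt.Println(open(key, blob))
}
```

The erase is only as good as the key handling: any surviving copy of the key, such as an export or a key backup, keeps every replica of the data readable.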
Network Security
A key component of cloud computing is broad network access. This means that malicious actors also have access to the cloud services you are using, which shows the importance of network security.
A Network Security Group provides rules or a virtual firewall to a group of cloud resources. The rules can be applied to a VM, subnet, or other cloud resource.
Another method for network security is limiting the number of ingress and egress points and then monitoring them. Rules can be applied to who can connect into the cloud and what the resources in the cloud can connect out to.
Virtualization Security
The two most common methods of virtualization are hypervisors and containers.
There are two types of hypervisors: type 1 and type 2. Type 1, or native, hypervisors run on the bare metal, like ESXi. Type 1 hypervisors are more secure and faster. Type 2 hypervisors are software based and are installed on top of another OS, like VMware Workstation or VirtualBox. Type 2 hypervisors rely on the underlying OS and are therefore susceptible to some of its vulnerabilities.
Containerization, such as Docker or LXC, provides a layer of abstraction between the OS and the container. Security risks occur with misconfigured containers or poor identity and access management.
Common Threats
Some of the most common threats to the security of data in the cloud include:
- Poor Access Management
- Insecure APIs
- Data Leaks
- Misconfigured Cloud Storage
- Data Loss
- DoS