IaaS, PaaS and SaaS Encryption


Time
9 hours 59 minutes
Difficulty
Intermediate
CEU/CPE
10
Video Transcription
00:01
>> We'll continue our conversation on data encryption in
00:01
this video and see how to apply it
00:01
to the different service model paradigms,
00:01
IaaS, PaaS, and SaaS.
00:01
When using the IaaS model,
00:01
there are two major options for
00:01
encrypting the volumes of your virtual servers.
00:01
These are the virtual hard drives we're talking about.
00:01
There's the Instance Managed Encryption.
00:01
This is where the encryption engine
00:01
runs inside the instance itself.
00:01
An example of this is the Linux Unified Key Setup.
00:01
The issue with Instance Managed Encryption
00:01
is that the key itself
00:01
is stored on the instance
00:01
and protected with a passphrase.
00:01
In other words, you can have
00:01
a powerful encryption algorithm like AES-256,
00:01
but that key is secured
00:01
with a passphrase that's highly simplistic,
00:01
like "123" or even "passphrase".
00:01
When you take this approach,
00:01
be sure to understand how safe
00:01
the passphrases are from brute-force hacking.
00:01
Alternatively, there's externally
00:01
managed encryption keys.
00:01
In this approach,
00:01
the encryption keys are managed externally and
00:01
a key to unlock the data is
00:01
issued to the instance on request.
00:01
Azure Disk Encryption
00:01
stores the keys on a Key Vault,
00:01
which itself is a service built using
00:01
FIPS-validated Hardware Security Modules.
00:01
When the instance has started,
00:01
it retrieves a copy of the key and holds that in memory.
00:01
If the instance is powered down or
00:01
somebody takes a snapshot of the disk or that instance,
00:01
the key itself is not included.
00:01
Keep in mind the object and file storage scenario
00:01
is set up in such a way that the storage
00:01
itself is not directly
00:01
bound to any particular compute machine.
00:01
It's like a shared network storage location.
00:01
To handle encryption of data in that storage module,
00:01
there are a few options.
00:01
Client-side encryption, in this case,
00:01
data is encrypted using an encryption engine
00:01
embedded in the application or the client.
00:01
With this approach, you are in control of
00:01
the encryption keys used by
00:01
the application to encrypt the data
00:01
before it is persisted to the storage account.
00:01
Proxy encryption is like a Hybrid Storage Gateway.
00:01
This approach can work well with object
00:01
and file storage in an IaaS environment,
00:01
as the provider is not required to
00:01
access your data in order to deliver services.
00:01
In this scenario, the proxy intercepts data flowing
00:01
through the network and handles all cryptography operations.
00:01
The encryption keys may be held within
00:01
the proxy appliance or by
00:01
an external Key Management Service.
00:01
Finally, server-side encryption is
00:01
supplied by the Cloud Service Provider.
00:01
They have access to the encryption keys and
00:01
they run the encryption engine themselves.
00:01
Although this is the easiest way to encrypt data,
00:01
this approach requires the highest level
00:01
of trust in a provider.
00:01
If the provider holds the encryption keys,
00:01
they may be forced or, using legal terms,
00:01
they may be compelled by a government agency to
00:01
unencrypt and supply your data
00:01
that is residing on these storage accounts.
00:01
Unlike IaaS where there are a few dominant players,
00:01
there are numerous PaaS providers,
00:01
all with different options for data encryption.
00:01
The CSA guidance calls out three areas where
00:01
encryption can be used in a PaaS environment.
00:01
Start out at the application layer.
00:01
With this approach, the encryption
00:01
is performed within the application
00:01
itself and that encrypted data
00:01
goes to the platform service.
00:01
PaaS database offerings generally provide
00:01
built-in encryption capabilities that
00:01
are supported by the database platform.
00:01
Examples of common encryption capabilities
00:01
include Transparent Data Encryption,
00:01
which encrypts the entire database
00:01
and field level encryption,
00:01
which encrypts only sensitive portions of the database.
00:01
One thing to keep in mind about
00:01
Transparent Data Encryption is
00:01
that the data at rest is encrypted,
00:01
but the data loaded in memory in
00:01
the database itself is not encrypted.
00:01
If somebody gains access to
00:01
the database itself, establishes a connection,
00:01
starts running some queries against the data,
00:01
the data returned will not be encrypted.
00:01
Finally, there's the other bucket
00:01
where the encryption gets
00:01
integrated into the PaaS service
00:01
by the platform provider.
00:01
The specific approaches on this vary quite dramatically.
00:01
Certain PaaS services give you
00:01
the capability for customer managed keys,
00:01
and we'll talk more about customer managed keys.
00:01
But you essentially give
00:01
the key that's used for the encryption.
00:01
But at the same time, there are many others where
00:01
the provider's PaaS service assumes
00:01
that the encryption itself and the keys for
00:01
that encryption need to be managed by the provider.
00:01
In the SaaS model, you have two major options,
00:01
you can rely on your provider's supported encryption,
00:01
or you can use a third-party encryption proxy
00:01
that sits as a man in the middle and
00:01
it intercepts the network traffic coming from
00:01
the client and going to the SaaS provider.
00:01
To support provider-managed encryption,
00:01
many CSPs implement per-customer keys.
00:01
This improves the enforcement of multi-tenant isolation.
00:01
Every tenant's data is encrypted using a different key.
00:01
Even if somebody breaks the tenant isolation,
00:01
they still need to get the key of that tenant to make
00:01
any sense of the persistent data
00:01
that they've been able to obtain.
00:01
SaaS encryption proxies may
00:01
introduce new security concerns because it needs to
00:01
decrypt the encrypted network traffic
00:01
and sits between the client and the Cloud provider.
00:01
This may also break application functionality
00:01
since data going into the provider is already encrypted.
00:01
However, there are limited use cases
00:01
for applying this strategy.
00:01
Customers often choose encryption
00:01
supplied by the provider for many reasons.
00:01
For example, using the Proxy approach,
00:01
the SaaS provider may not be able to
00:01
process the encrypted data that is handed to them.
00:01
Let's quiz a little bit about encryption or
00:01
maybe even reach back a little bit further.
00:01
Which is the primary mechanism to protect data?
00:01
Encryption, logging,
00:01
access controls, data sovereignty laws.
00:01
I know we've been talking
00:01
about encryption in this video,
00:01
but I wanted to squeeze in
00:01
this quiz question just to make sure you didn't get
00:01
too fixated on encryption
00:01
because it does have its own vulnerabilities.
00:01
Access controls, keep in mind
00:01
this is where things start.
00:01
This is your primary method to protect data.
00:01
From there if you can also encrypt the data when it's
00:01
at rest and of course when it is in transit,
00:01
that's additional things that you can do.
00:01
Logging is also great for security,
00:01
but it is not the answer.
00:01
C, access controls is the answer.
00:01
Data sovereignty laws really
00:01
aren't going to protect your data.
00:01
They're going to create constraints as to how you can use
00:01
the data and where the data can be physically located.
00:01
In this video, we went over
00:01
different methods to deal with
00:01
encryption based on the different service models: IaaS,
00:01
PaaS, and SaaS.