1. Own Your Data. Rent the Cloud.
Top 10 Cloud Encryption Myths
March 2013
2. Myth 1: Encryption Degrades System Performance
Reality
▶ Implemented correctly, the performance impact is minimal
▶ Crypto should leverage hardware: Intel and AMD processors support AES-NI, which runs AES at hardware speed
▶ Cloud CPU is cheap: add processing power as needed
▶ Look for caching capabilities that increase read performance
▶ Ensure storage is tuned – it’s the usual culprit for bottlenecks
3. Myth 2: Crypto Terminology is Cryptic
Reality
[Word cloud of crypto terms: Blowfish, AES, 3DES, NIST, Key Management, KMIP]
▶ The right encryption and key management solution should remove this complexity
▶ Encryption based on policy, vs managing individual keys, is easier and more intuitive
▶ Only consider solutions with NIST-approved algorithms
4. Myth 3: Key Management is a Nightmare
Reality
• You shouldn’t have to manage ‘keys’ at all. A system should do it for you.
• Password-based key management doesn’t scale
• The right system is highly available and transparent.
• Value add: the system should support key rotation with no downtime
“Key management is the hardest part of cryptography and often the Achilles' heel of an otherwise secure system.”
- Bruce Schneier
5. Myth 4: It’s Too Easy to Lose My Keys
Reality
• Use a layered, highly available key management system
• Ensure no one person has complete control over keys
• Cluster your key management servers in redundant locations
• Don’t keep your keys and your data in the same place
• Ensure key backups are also encrypted
6. Myth 5: Encryption is Hard to Deploy
Reality
• Encryption can happen transparently. You use SSL daily
• Modern crypto systems can be installed in minutes
• Key management can run in locked-down virtual appliances for fast configuration
• The days of lengthy, complex professional services engagements are over
7. Myth 6: Encryption Only Secures the App
Reality
• It depends on the encryption system
• VM snapshot and suspend files can contain sensitive data. Make sure your system can encrypt them.
• VM backups should also be encrypted
• You can encrypt VMs in public cloud, even without administrative privilege
High Cloud Security Inc. Confidential
8. Myth 7: Key Rotation Means Downtime
Reality
• Many regulations and security policies require periodic key rotation
• Swapping keys has traditionally meant taking applications and data offline
• Modern systems don’t require downtime and can do this transparently
[Timeline: Initial Key (K0) → 6 Month PCI Rotation (K1) → Administrator Leaves (K2)]
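Added example, not from the deck or from HighCloud's product: a versioned keyring in Go showing why rotating from K0 to K1 to K2 need not take data offline. Each record carries the version of the key that sealed it, so records written under an old key stay readable, new writes use the newest key, and re-encryption can be done lazily in the background. The Keyring type and its methods are assumed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Keyring is an illustrative type (not a product API); versions K0, K1, K2 as on the slide.
type Keyring struct {
	Keys   map[byte][]byte // every version still needed to read existing data
	Active byte            // version used for new writes
}
// Rotate adds a fresh random AES-256 key as the next version; old versions stay readable.
func (kr *Keyring) Rotate() error {
	if kr.Keys == nil { kr.Keys = map[byte][]byte{} }
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return err }
	kr.Active = byte(len(kr.Keys)) // one-byte id keeps the record header small
	kr.Keys[kr.Active] = k
	return nil
}
// aead builds AES-GCM for one key version; a missing version yields an invalid-key error.
func (kr *Keyring) aead(v byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kr.Keys[v])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// Seal writes version || nonce || ciphertext+tag; the version byte is bound as associated data.
func (kr *Keyring) Seal(plaintext []byte) ([]byte, error) {
	g, err := kr.aead(kr.Active)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	hdr := append([]byte{kr.Active}, nonce...)
	return g.Seal(hdr, nonce, plaintext, []byte{kr.Active}), nil
}
// Open selects the key named in the header, so records under any retained version decrypt.
func (kr *Keyring) Open(blob []byte) ([]byte, error) {
	if len(blob) < 13 { return nil, errors.New("short record") } // version + 12-byte GCM nonce
	g, err := kr.aead(blob[0])
	if err != nil { return nil, err }
	return g.Open(nil, blob[1:13], blob[13:], blob[:1])
}
// Rewrap migrates one record to the active key; do it lazily on read or in a background job.
func (kr *Keyring) Rewrap(blob []byte) ([]byte, error) {
	pt, err := kr.Open(blob)
	if err != nil { return nil, err }
	return kr.Seal(pt)
}
```

Because every retained version remains usable for reads, an old key is only retired once no record still references it.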
9. Myth 8: Enterprise-Grade Crypto is Expensive
Reality
• Avoid a hardware-based key management system
• Modern encryption systems are equally secure, and install quickly and easily
• Look for a system that lets you purchase encryption as a service, like you do for cloud
• Your security system can and should scale with your needs
10. Myth 9: Encryption in the Cloud isn’t Secure
Reality
• No system protects against every threat, but find a system that protects against most of your concerns
• Many organizations don’t like that CSPs offer encryption, but also manage your keys
• Encrypted data is more secure than leaving it in cleartext
• Find a crypto system that can encrypt your data in any public cloud, that also lets you manage your keys
11. Myth 10: Solutions Don’t Support All Platforms
Reality
• Most organizations leverage virtualization platforms from different vendors, especially if they use IaaS
• Find a system that will work across hypervisor platforms, or at the storage layer, giving you flexibility
• In the public cloud, encrypt within the guest OS of the VM, so you are independent of CSP infrastructure
12. Learn More About Cloud Encryption
Visit http://www.highcloudsecurity.com
Download a whitepaper on Virtualization Security
Try HighCloud Security Software for Free!
Own Your Data. Rent the Cloud.