SlideShare une entreprise Scribd logo

SSL Europa Cloud Security 2013

S
ssleuropa

Cloud Security: the rules and best practices by SSL Europa

TechnologieFormation
1  sur  27
Télécharger pour lire hors ligne
Cloud Security: Rules and Best Practices patrick.duboys@ssl-europa.com 20/11/2013 Autorité d’Enregistrement
Agenda       Seven Cloud Computing Risks Asymmetric encryption Electronic signature Strong authentication Rules Best Practices Autorité d’Enregistrement
Cloud-Computing Security Risks (1) Risk Assessment • • • Data integrity, recovery privacy Evaluation of legal issues, regulatory compliance, auditing Etc… Transparency • • • • • Qualification of policy makers, architects, coders, operators Risk-control processes and technical mechanisms Level of testing How unanticipated vulnerabilities are identified Etc… Autorité d’Enregistrement
Seven Cloud-Computing Risks (1) 1. Privileged user access • • • 2. Regulatory compliance • • 3. Customers are responsible Check external audits and security certifications Data location • • 4. Physical, logical and personnel control Ask about hiring and oversight of administrators What control there is ? Commitment to storing and processing data in specific jurisdictions Contractual commitment Data segregation • • Data at rest and in use ? Encryption designed and tested by experienced specialist Autorité d’Enregistrement
Seven Cloud-Computing Risks (2) 5. Recovery • • • What happens in case of a disaster? Replication of data and application across multiple sites? Ability to do a complete restoration ? how long would it take? 6. Investigative support • • • • How to trace inappropriate or illegal activities? Logging and data may be for multiple customers Contractual commitment to support specific forms of investigation Get evidence that the vendor has already supported such activities 7. Long-term viability • • What if your Cloud provider goes broke or gets acquired? How could you get your data back? In which format? Replacement application? Autorité d’Enregistrement
Asymmetric Encryption  Symmetric Encryption  Asymmetric Encryption Autorité d’Enregistrement
Symmetric Encryption Message in clear Encryption Encrypted Message Decryption Message in clear Autorité d’Enregistrement
Symmetric Encryption Autorité d’Enregistrement
Symmetric Encryption Advantages – Fast – Relatively simple to implement – Very efficient in particular when the key is used only once Drawbacks – A different key by pair of users • The major issue : Keys management (as many keys to exchange as there are users) • How do Alice and Bob get the key without anybody else having access to it ? • The key must follow a different channel (phone, fax, …) Autorité d’Enregistrement
Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity (applicative) � Security Infrastructure Security Policy Autorité d’Enregistrement Non repudiation
Asymmetric Encryption Invented in 1975 by Whitfield Diffie and Martin Hellman Each user owns a pair of key – The public key that is used to encrypt and which is known by everybody – The private key that is used to decrypt and which is only known by the owner Autorité d’Enregistrement
Asymmetric Encryption Encryption Symmetric Key Decryption = = Asymmetric Key Autorité d’Enregistrement
Asymmetric Encryption Autorité d’Enregistrement
Asymmetric Encryption: Signature Autorité d’Enregistrement
Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity Non repudiation (applicative) � � Security Infrastructure Security Policy Autorité d’Enregistrement �
Example : SSL Server Client Server Send a message A Verification of the certificate and of the signature Negotiation of the encryption algorithm Send the certificate and the message A signed Negotiation of the encryption algorithm Generation of a session key Encryption of the session Key with the server public key Send the session key Encrypted Decryption of the session key with the private key The session key is shared Autorité d’Enregistrement
Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity Non repudiation (applicative) � � � Security Infrastructure Security Policy Autorité d’Enregistrement � �
Examples of Solutions Autorité d’Enregistrement
Rules of thumbs  Use encryption   For exchanges of data with the Cloud For data in the Cloud  Use strong authentication   To connect to the Cloud To identify the Cloud server  Use signature  For exchanges of data in the Cloud Autorité d’Enregistrement
Best Practices (1)        Protect data transfer but also data in the cloud Use data-centric encryption & encryption embedded in the file format Understand how the keys will be managed (avoid reliance on cloud providers) Include files such as logs and metadata in encryption Use strong standard algorithm (such as AES-256) Use open validated formats Avoid proprietary encryption Autorité d’Enregistrement
Best Practices (2)  Content aware Encryption  Format-preserving Encryption  Use Data Leak Prevention (DLP) solutions Autorité d’Enregistrement
Best Practices (3. Data Base)  Be aware of performances issues  Use object security  Store a secure hash Autorité d’Enregistrement
Best Practices (4) Use a Key Management Software Use group levels keys Maintain keys within the Enterprise Revoking keys Define and enforce strong Key management processes and practices  Implement segregation of duties      Autorité d’Enregistrement
Recommendations (1)  Use best practices key management practices  Use off-the-shelf products from credible sources  Maintain your own trusted cryptographic source  Key scoping at the individual or group level  Use DRM systems Autorité d’Enregistrement
Recommendations (2)  Use standard algorithm  Avoid old ones such as DES  Use central and internal key management (with your own HSM, etc.)  Use segregation of duties Autorité d’Enregistrement
Reference http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf Autorité d’Enregistrement
Thank you for your attention SSL EUROPA 8 chemin des escargots 18200 Orval - France +33 (0)9 88 99 54 09 www.ssl-europa.com Autorité d’Enregistrement

Recommandé

Security chapter6
Security chapter6Security chapter6
Security chapter6
FLYMAN TECHNOLOGY LIMITED
 
Storage on cloud using dynamic encryption
Storage on cloud using dynamic encryptionStorage on cloud using dynamic encryption
Storage on cloud using dynamic encryption
Mphasis
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
Sam Bowne
 
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge Pereira
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
NCC Group
 
Protecting Sensitive Data using Encryption and Key Management
Protecting Sensitive Data using Encryption and Key ManagementProtecting Sensitive Data using Encryption and Key Management
Protecting Sensitive Data using Encryption and Key Management
Stuart Marsh
 
Proprietary Information
Proprietary InformationProprietary Information
Proprietary Information
hypknight
 
Arjun it
Arjun itArjun it
Arjun it
Thakur Prasad
 

Recommandé

Security chapter6
Security chapter6Security chapter6
Security chapter6
FLYMAN TECHNOLOGY LIMITED
 
Storage on cloud using dynamic encryption
Storage on cloud using dynamic encryptionStorage on cloud using dynamic encryption
Storage on cloud using dynamic encryption
Mphasis
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
Sam Bowne
 
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge pereira oss304 tech ed australia regulatory compliance and microsoft off...
Edge Pereira
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
NCC Group
 
Protecting Sensitive Data using Encryption and Key Management
Protecting Sensitive Data using Encryption and Key ManagementProtecting Sensitive Data using Encryption and Key Management
Protecting Sensitive Data using Encryption and Key Management
Stuart Marsh
 
Proprietary Information
Proprietary InformationProprietary Information
Proprietary Information
hypknight
 
Arjun it
Arjun itArjun it
Arjun it
Thakur Prasad
 
NIC - Securing one drive and its content
NIC - Securing one drive and its contentNIC - Securing one drive and its content
NIC - Securing one drive and its content
Olav Tvedt
 
Unit 3
Unit 3Unit 3
Unit 3
abhishek srivastav
 
Brochure Imperva Vormetric
Brochure Imperva VormetricBrochure Imperva Vormetric
Brochure Imperva Vormetric
Michelle Guerrero Montalvo
 
Securing Data in MongoDB with Gazzang and Chef
Securing Data in MongoDB with Gazzang and ChefSecuring Data in MongoDB with Gazzang and Chef
Securing Data in MongoDB with Gazzang and Chef
MongoDB
 
IACP 2011
IACP 2011IACP 2011
IACP 2011
gnichols_interdev
 
FinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-OptimizedFinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-Optimized
Phillip Stalnaker
 
CISSP - Chapter 3 - Physical security
CISSP - Chapter 3 - Physical securityCISSP - Chapter 3 - Physical security
CISSP - Chapter 3 - Physical security
Karthikeyan Dhayalan
 
Next-Generation Cybersecurity for the Globally Connected Enterprise with Telos
Next-Generation Cybersecurity for the Globally Connected Enterprise with TelosNext-Generation Cybersecurity for the Globally Connected Enterprise with Telos
Next-Generation Cybersecurity for the Globally Connected Enterprise with Telos
Amazon Web Services
 
In data security
In data securityIn data security
In data security
adithdev
 
The security story behind critical industrial networks
The security story behind critical industrial networks The security story behind critical industrial networks
The security story behind critical industrial networks
odix (ODI LTD)
 
Crypto academy
Crypto academyCrypto academy
Crypto academy
Paul Gillingwater, MBA
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
odix introduction ransomware prevention in WFH reality 2020
odix introduction ransomware prevention in WFH reality 2020odix introduction ransomware prevention in WFH reality 2020
odix introduction ransomware prevention in WFH reality 2020
odix (ODI LTD)
 
Honeypots for proactively detecting security incidents
Honeypots for proactively detecting security incidentsHoneypots for proactively detecting security incidents
Honeypots for proactively detecting security incidents
APNIC
 
CNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and TestingCNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and Testing
Sam Bowne
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
Sam Bowne
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)
Sam Bowne
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
Sam Bowne
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Falgun Rathod
 
Judgment Debtors
Judgment DebtorsJudgment Debtors
Judgment Debtors
navneetrai
 
2 ПАТ Черкассыоблэнерго sml
2 ПАТ Черкассыоблэнерго sml2 ПАТ Черкассыоблэнерго sml
2 ПАТ Черкассыоблэнерго sml
Oleksander Prudkoy
 

Contenu connexe

Tendances

FinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-OptimizedFinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-Optimized
Phillip Stalnaker
 
Next-Generation Cybersecurity for the Globally Connected Enterprise with Telos
Next-Generation Cybersecurity for the Globally Connected Enterprise with TelosNext-Generation Cybersecurity for the Globally Connected Enterprise with Telos
Next-Generation Cybersecurity for the Globally Connected Enterprise with Telos
Amazon Web Services
 

Tendances (20)

NIC - Securing one drive and its content
NIC - Securing one drive and its contentNIC - Securing one drive and its content
NIC - Securing one drive and its content
 
Unit 3
Unit 3Unit 3
Unit 3
 
Brochure Imperva Vormetric
Brochure Imperva VormetricBrochure Imperva Vormetric
Brochure Imperva Vormetric
 
Securing Data in MongoDB with Gazzang and Chef
Securing Data in MongoDB with Gazzang and ChefSecuring Data in MongoDB with Gazzang and Chef
Securing Data in MongoDB with Gazzang and Chef
 
IACP 2011
IACP 2011IACP 2011
IACP 2011
 
FinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-OptimizedFinalCode-At-A-Glance-Webcopy-Optimized
FinalCode-At-A-Glance-Webcopy-Optimized
 
CISSP - Chapter 3 - Physical security
CISSP - Chapter 3 - Physical securityCISSP - Chapter 3 - Physical security
CISSP - Chapter 3 - Physical security
 
Next-Generation Cybersecurity for the Globally Connected Enterprise with Telos
Next-Generation Cybersecurity for the Globally Connected Enterprise with TelosNext-Generation Cybersecurity for the Globally Connected Enterprise with Telos
Next-Generation Cybersecurity for the Globally Connected Enterprise with Telos
 
In data security
In data securityIn data security
In data security
 
The security story behind critical industrial networks
The security story behind critical industrial networks The security story behind critical industrial networks
The security story behind critical industrial networks
 
Crypto academy
Crypto academyCrypto academy
Crypto academy
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
odix introduction ransomware prevention in WFH reality 2020
odix introduction ransomware prevention in WFH reality 2020odix introduction ransomware prevention in WFH reality 2020
odix introduction ransomware prevention in WFH reality 2020
 
Honeypots for proactively detecting security incidents
Honeypots for proactively detecting security incidentsHoneypots for proactively detecting security incidents
Honeypots for proactively detecting security incidents
 
CNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and TestingCNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and Testing
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
 
CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 

En vedette

2 ПАТ Черкассыоблэнерго sml
2 ПАТ Черкассыоблэнерго sml2 ПАТ Черкассыоблэнерго sml
2 ПАТ Черкассыоблэнерго sml
Oleksander Prudkoy
 

En vedette (9)

Judgment Debtors
Judgment DebtorsJudgment Debtors
Judgment Debtors
 
2 ПАТ Черкассыоблэнерго sml
2 ПАТ Черкассыоблэнерго sml2 ПАТ Черкассыоблэнерго sml
2 ПАТ Черкассыоблэнерго sml
 
Personal SWOT
Personal SWOTPersonal SWOT
Personal SWOT
 
การเขียนโปรแกรมโดยใช้ Net beans
การเขียนโปรแกรมโดยใช้ Net beansการเขียนโปรแกรมโดยใช้ Net beans
การเขียนโปรแกรมโดยใช้ Net beans
 
8051 Microcontroller Tutorial and Architecture with Applications
8051 Microcontroller Tutorial and Architecture with Applications8051 Microcontroller Tutorial and Architecture with Applications
8051 Microcontroller Tutorial and Architecture with Applications
 
Enfermedad trofoblastica gestacional
Enfermedad trofoblastica gestacionalEnfermedad trofoblastica gestacional
Enfermedad trofoblastica gestacional
 
Aguilas enero del 2016
Aguilas enero del 2016Aguilas enero del 2016
Aguilas enero del 2016
 
Harvey Nichols Dubai - by www.aramanstudio.com
Harvey Nichols Dubai - by www.aramanstudio.comHarvey Nichols Dubai - by www.aramanstudio.com
Harvey Nichols Dubai - by www.aramanstudio.com
 
Levítico santidad practica xxiv ibe callao
Levítico santidad practica xxiv ibe callaoLevítico santidad practica xxiv ibe callao
Levítico santidad practica xxiv ibe callao
 

Similaire à SSL Europa Cloud Security 2013

Key Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i DataKey Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i Data
Precisely
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
MongoDB
 
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITYMOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
DEEPAK948083
 
Ch8ed12romney
Ch8ed12romneyCh8ed12romney
Ch8ed12romney
woyaoni
 

Similaire à SSL Europa Cloud Security 2013 (20)

Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesTrack 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
 
Key Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i DataKey Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i Data
 
The day when 3rd party security providers disappear into cloud bright talk se...
The day when 3rd party security providers disappear into cloud bright talk se...The day when 3rd party security providers disappear into cloud bright talk se...
The day when 3rd party security providers disappear into cloud bright talk se...
 
Web-of-Things and Services Security
Web-of-Things and Services SecurityWeb-of-Things and Services Security
Web-of-Things and Services Security
 
Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...Understanding Database Encryption & Protecting Against the Insider Threat wit...
Understanding Database Encryption & Protecting Against the Insider Threat wit...
 
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITYMOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
MOBILE & WIRELESS SECURITY And MOBILE & WIRELESS SECURITY
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Ch8ed12romney
Ch8ed12romneyCh8ed12romney
Ch8ed12romney
 
Cloud Security and some preferred practices
Cloud Security and some preferred practicesCloud Security and some preferred practices
Cloud Security and some preferred practices
 
Encryption in the enterprise
Encryption in the enterpriseEncryption in the enterprise
Encryption in the enterprise
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection FrameworkAlex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
 
CLOUD SECURITY.pptx
CLOUD SECURITY.pptxCLOUD SECURITY.pptx
CLOUD SECURITY.pptx
 
Cisco cybersecurity essentials chapter 4
Cisco cybersecurity essentials chapter 4Cisco cybersecurity essentials chapter 4
Cisco cybersecurity essentials chapter 4
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)
 
apsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLPapsec 7 Golden Rules Data Leakage Prevention / DLP
apsec 7 Golden Rules Data Leakage Prevention / DLP
 
Praetorian secure encryption_services_overview
Praetorian secure encryption_services_overviewPraetorian secure encryption_services_overview
Praetorian secure encryption_services_overview
 
Praetorian_Secure_EncryptionServices_Overview
Praetorian_Secure_EncryptionServices_OverviewPraetorian_Secure_EncryptionServices_Overview
Praetorian_Secure_EncryptionServices_Overview
 
Praetorian secure encryption_services_overview
Praetorian secure encryption_services_overviewPraetorian secure encryption_services_overview
Praetorian secure encryption_services_overview
 

Plus de ssleuropa

Secure your digital world v01
Secure your digital world v01Secure your digital world v01
Secure your digital world v01
ssleuropa
 
Sécurité du monde numérique v01
Sécurité du monde numérique v01Sécurité du monde numérique v01
Sécurité du monde numérique v01
ssleuropa
 

Plus de ssleuropa (7)

Comment obtenir une clé de signature RGS avec SSL Europa?
Comment obtenir une clé de signature RGS avec SSL Europa? Comment obtenir une clé de signature RGS avec SSL Europa?
Comment obtenir une clé de signature RGS avec SSL Europa?
 
Comment obtenir un certificat SSL pour sécuriser son site internet?
Comment obtenir un certificat SSL pour sécuriser son site internet? Comment obtenir un certificat SSL pour sécuriser son site internet?
Comment obtenir un certificat SSL pour sécuriser son site internet?
 
Digital signature by SSL Europa
Digital signature by SSL EuropaDigital signature by SSL Europa
Digital signature by SSL Europa
 
Signature électronique par SSL Europa
Signature électronique par SSL EuropaSignature électronique par SSL Europa
Signature électronique par SSL Europa
 
Comment choisir son certificat ssl fr v01
Comment choisir son certificat ssl fr v01Comment choisir son certificat ssl fr v01
Comment choisir son certificat ssl fr v01
 
Secure your digital world v01
Secure your digital world v01Secure your digital world v01
Secure your digital world v01
 
Sécurité du monde numérique v01
Sécurité du monde numérique v01Sécurité du monde numérique v01
Sécurité du monde numérique v01
 

Dernier

Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

Dernier (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

SSL Europa Cloud Security 2013

  • 1. Cloud Security: Rules and Best Practices patrick.duboys@ssl-europa.com 20/11/2013 Autorité d’Enregistrement
  • 2. Agenda       Seven Cloud Computing Risks Asymmetric encryption Electronic signature Strong authentication Rules Best Practices Autorité d’Enregistrement
  • 3. Cloud-Computing Security Risks (1) Risk Assessment • • • Data integrity, recovery privacy Evaluation of legal issues, regulatory compliance, auditing Etc… Transparency • • • • • Qualification of policy makers, architects, coders, operators Risk-control processes and technical mechanisms Level of testing How unanticipated vulnerabilities are identified Etc… Autorité d’Enregistrement
  • 4. Seven Cloud-Computing Risks (1) 1. Privileged user access • • • 2. Regulatory compliance • • 3. Customers are responsible Check external audits and security certifications Data location • • 4. Physical, logical and personnel control Ask about hiring and oversight of administrators What control there is ? Commitment to storing and processing data in specific jurisdictions Contractual commitment Data segregation • • Data at rest and in use ? Encryption designed and tested by experienced specialist Autorité d’Enregistrement
  • 5. Seven Cloud-Computing Risks (2) 5. Recovery • • • What happens in case of a disaster? Replication of data and application across multiple sites? Ability to do a complete restoration ? how long would it take? 6. Investigative support • • • • How to trace inappropriate or illegal activities? Logging and data may be for multiple customers Contractual commitment to support specific forms of investigation Get evidence that the vendor has already supported such activities 7. Long-term viability • • What if your Cloud provider goes broke or gets acquired? How could you get your data back? In which format? Replacement application? Autorité d’Enregistrement
  • 6. Asymmetric Encryption  Symmetric Encryption  Asymmetric Encryption Autorité d’Enregistrement
  • 7. Symmetric Encryption Message in clear Encryption Encrypted Message Decryption Message in clear Autorité d’Enregistrement
  • 9. Symmetric Encryption Advantages – Fast – Relatively simple to implement – Very efficient in particular when the key is used only once Drawbacks – A different key by pair of users • The major issue : Keys management (as many keys to exchange as there are users) • How do Alice and Bob get the key without anybody else having access to it ? • The key must follow a different channel (phone, fax, …) Autorité d’Enregistrement
  • 10. Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity (applicative) � Security Infrastructure Security Policy Autorité d’Enregistrement Non repudiation
  • 11. Asymmetric Encryption Invented in 1975 by Whitfield Diffie and Martin Hellman Each user owns a pair of key – The public key that is used to encrypt and which is known by everybody – The private key that is used to decrypt and which is only known by the owner Autorité d’Enregistrement
  • 15. Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity Non repudiation (applicative) � � Security Infrastructure Security Policy Autorité d’Enregistrement �
  • 16. Example : SSL Server Client Server Send a message A Verification of the certificate and of the signature Negotiation of the encryption algorithm Send the certificate and the message A signed Negotiation of the encryption algorithm Generation of a session key Encryption of the session Key with the server public key Send the session key Encrypted Decryption of the session key with the private key The session key is shared Autorité d’Enregistrement
  • 17. Symmetric Encryption Internet & Cloud Applications Authentication Confidentiality Authorization Integrity Non repudiation (applicative) � � � Security Infrastructure Security Policy Autorité d’Enregistrement � �
  • 18. Examples of Solutions Autorité d’Enregistrement
  • 19. Rules of thumbs  Use encryption   For exchanges of data with the Cloud For data in the Cloud  Use strong authentication   To connect to the Cloud To identify the Cloud server  Use signature  For exchanges of data in the Cloud Autorité d’Enregistrement
  • 20. Best Practices (1)        Protect data transfer but also data in the cloud Use data-centric encryption & encryption embedded in the file format Understand how the keys will be managed (avoid reliance on cloud providers) Include files such as logs and metadata in encryption Use strong standard algorithm (such as AES-256) Use open validated formats Avoid proprietary encryption Autorité d’Enregistrement
  • 21. Best Practices (2)  Content aware Encryption  Format-preserving Encryption  Use Data Leak Prevention (DLP) solutions Autorité d’Enregistrement
  • 22. Best Practices (3. Data Base)  Be aware of performances issues  Use object security  Store a secure hash Autorité d’Enregistrement
  • 23. Best Practices (4) Use a Key Management Software Use group levels keys Maintain keys within the Enterprise Revoking keys Define and enforce strong Key management processes and practices  Implement segregation of duties      Autorité d’Enregistrement
  • 24. Recommendations (1)  Use best practices key management practices  Use off-the-shelf products from credible sources  Maintain your own trusted cryptographic source  Key scoping at the individual or group level  Use DRM systems Autorité d’Enregistrement
  • 25. Recommendations (2)  Use standard algorithm  Avoid old ones such as DES  Use central and internal key management (with your own HSM, etc.)  Use segregation of duties Autorité d’Enregistrement
  • 27. Thank you for your attention SSL EUROPA 8 chemin des escargots 18200 Orval - France +33 (0)9 88 99 54 09 www.ssl-europa.com Autorité d’Enregistrement