Encryption for Cloud Services Security:
Problem or Panacea?
@Zulfikar_Ramzan / CTO / www.elastica.net
Tectonic Shift in the Market
• On-premise: many pieces to buy, assemble and operate
• SaaS: no visibility / control
NOT SURE WHY PEOPLE THINK SAAS SECURITY IS HARD!
WE’LL JUST ENCRYPT OUR DATA!
PROBLEM SOLVED!
Tenor of This Talk
• Academic perspective
• Not an academic talk
• Broadly accessible
Outline
• What is encryption and how might it be used to secure SaaS applications?
• Challenges, workarounds, limitations to workarounds
• Marketing mythbusters
• Broader perspectives on SaaS security
What Is Encryption?
Plaintext → ciphertext → plaintext (encrypt, then decrypt)
• Keyed transformation that converts plaintext to ciphertext
• The transformation should look “random” to any computationally bounded adversary with extensive black-box access to the encryption / decryption routines
• Security is predicated on secrecy of the key (and not on secrecy of the algorithm) – Kerckhoffs’s Principle
Encryption for SaaS
• Attempt to encrypt data en route to the SaaS provider (e.g., via forward proxy, reverse proxy, etc.).
• Decrypt traffic en route from the SaaS provider back to the user.
Key SaaS Encryption Hurdles
• SaaS is not just storage! Need search, sort, analytics!
• Manage keys
• Preserve format?
Approaches
• Homomorphic encryption
• Searchable encryption
• Order-preserving encryption
• Format-preserving encryption
• Selective tokenization
Fully Homomorphic Encryption [Gentry et al.]
Illustration: 7 and 3, combined while still encrypted, give 10
• Allows arbitrary computation on encrypted data
• Permits search, sort, SQL queries, etc., on cloud-encrypted data

• Still very impractical
• Have to relax security (being able to manipulate encrypted data can be a big deal)
• Newer (and less well studied) assumptions
Searchable Symmetric Encryption
Illustration: documents “… aardvark…”, “… bobcat…”, “… camel…”, “… dingo…”; a search for “camel” is answered from the separate encrypted index
• Permits keyword search on encrypted data
• Much faster than fully homomorphic encryption
• Works by having a separate encrypted index

• Only permits very basic keyword search
• Information leaks (deterministic encryption)
• Scale issues as the index gets bigger
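As an added example (not from the deck), the simplest form of the encrypted-index idea in Go: the client derives a deterministic HMAC token per keyword and uploads only token → document-id lists; the server answers a search by a token lookup, and, because equal keywords give equal tokens, the same server can read off keyword frequencies without holding any key. The `doc` type, the key and the document text are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

type doc struct{ ID, Text string } // one record as the client holds it (constructed)

// keywordToken: same key + same keyword always give the same token (deterministic).
func keywordToken(key []byte, keyword string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(keyword)))
	return hex.EncodeToString(mac.Sum(nil))
}

// buildIndex is the client-side step: token -> ids of documents containing the
// keyword. Only this index (plus separately encrypted documents) goes to the SaaS.
func buildIndex(key []byte, docs []doc) map[string][]string {
	index := map[string][]string{}
	for _, d := range docs {
		seen := map[string]bool{}
		for _, w := range strings.Fields(d.Text) {
			tok := keywordToken(key, w)
			if !seen[tok] {
				seen[tok] = true
				index[tok] = append(index[tok], d.ID)
			}
		}
	}
	return index
}

// search is the server-side step: it sees only tokens, never keywords.
func search(index map[string][]string, token string) []string {
	return index[token]
}

// busiestToken is what the server learns with no key at all: which (unknown)
// keyword appears in the most documents. That frequency profile is the leak.
func busiestToken(index map[string][]string) (string, int) {
	best, n := "", 0
	for tok, ids := range index {
		if len(ids) > n || (len(ids) == n && tok < best) {
			best, n = tok, len(ids)
		}
	}
	return best, n
}
```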
Order-Preserving Symmetric Encryption
Illustration: Alice, Bob, Carol, Dave encrypt to A0FD41…, C373BA2…, D6FF132…, FF12A28…, which sort in the same order as the names
• Encrypts data while retaining sorted order
• Much faster than fully homomorphic encryption

• Still significant performance overhead
• Weaker security since information leaks
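An added toy order-preserving scheme in Go (constructed for this page, not a published OPE construction and not the deck's code) to make the slide's feature and its leak concrete: a ciphertext is the running sum of keyed HMAC-derived gaps, so the SaaS side can sort records without the key, and an observer of the same ciphertexts can estimate the plaintexts with no key either. Names and values used with it are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"sort"
)

// gap is a keyed pseudo-random step in [1, 16] for position i (HMAC-SHA256).
func gap(key []byte, i uint32) uint64 {
	mac := hmac.New(sha256.New, key)
	mac.Write(binary.BigEndian.AppendUint32(nil, i))
	return 1 + uint64(mac.Sum(nil)[0]%16)
}

// opeEncrypt maps x in a small integer domain to the running sum of keyed gaps
// up to x: deterministic and strictly increasing, so order survives encryption.
// Toy scheme constructed for this example, not a published OPE construction.
func opeEncrypt(key []byte, x uint32) uint64 {
	var c uint64
	for i := uint32(0); i <= x; i++ {
		c += gap(key, i)
	}
	return c
}

// sortByCiphertext is what the SaaS side does without the key: order records
// by ciphertext, which is exactly plaintext order (the feature and the leak).
func sortByCiphertext(cts map[string]uint64) []string {
	names := make([]string, 0, len(cts))
	for n := range cts {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool { return cts[names[i]] < cts[names[j]] })
	return names
}

// estimatePlaintext needs no key either: gaps average 8.5, so a ciphertext
// already pins its plaintext to within a few percent on a large domain.
func estimatePlaintext(ct uint64) float64 {
	return float64(ct)/8.5 - 1
}
```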
Format-Preserving Encryption
Illustration: 123-456-7890 encrypts to DE19AFBCC2…. (conventional) vs 931-38-7622 (format preserving)
• Able to preserve the format needed by the SaaS application
• Fairly efficient (practical)

• Weak security, especially if the final format must be short
• General security of schemes not as well vetted
Tokenization
Illustration: 123-456-7890 is replaced by the token 931-38-7622 (look-up table entry: 123-456-7890 <-> 931-38-7622); only the token goes to the SaaS
• Elegant way to handle format preservation
• Fairly efficient (practical)
• Provides a compliance boundary

• Only selective protection (fewer use cases)
• Might inhibit analytics
• New burden of maintaining the look-up table
• Have to worry about scale
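An added Go sketch of the look-up-table approach (not the deck's code): tokens keep every non-digit format character and randomize the digits, the vault stores both directions so the only way back is the table, and the bounded retry loop shows what happens when a format leaves no room for a distinct token. `Vault`, `Tokenize` and `Detokenize` are names chosen here.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
)

// Vault is the slide's look-up table and the only link between a value and its
// token: no key recovers the data, and the table grows with every distinct value.
type Vault struct{ toToken, toValue map[string]string }
func NewVault() *Vault { return &Vault{map[string]string{}, map[string]string{}} }
// randomToken keeps the format (every non-digit) and randomizes each digit.
func randomToken(value string) (string, error) {
	out := []rune(value)
	for i, r := range out {
		if r >= '0' && r <= '9' {
			n, err := rand.Int(rand.Reader, big.NewInt(10)) // unbiased digit
			if err != nil {
				return "", err
			}
			out[i] = rune('0' + n.Int64())
		}
	}
	return string(out), nil
}

// Tokenize reuses a value's token (equal values stay equal, so joins still work)
// or mints one, skipping clashes with existing tokens or with the value itself.
func (v *Vault) Tokenize(value string) (string, error) {
	if tok, ok := v.toToken[value]; ok {
		return tok, nil
	}
	for attempt := 0; attempt < 64; attempt++ {
		tok, err := randomToken(value)
		if err != nil {
			return "", err
		}
		if _, taken := v.toValue[tok]; taken || tok == value {
			continue
		}
		v.toToken[value], v.toValue[tok] = tok, value
		return tok, nil
	}
	return "", errors.New("no free token for this format after 64 tries")
}

// Detokenize is a table lookup, not a decryption.
func (v *Vault) Detokenize(token string) (string, bool) {
	val, ok := v.toValue[token]
	return val, ok
}
```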
Mythbusters (SaaS Encryption Edition!)
Myth: “We use AES for encryption… therefore we are secure!”
• AES isn’t a security panacea. It’s a tool. Perfectly good tools can be used in completely bad ways.
Mythbusters (SaaS Encryption Edition!)
Myth: “We are FIPS 140-x certified… therefore we are secure!”
• FIPS certification is usually limited to one aspect of system security.
• Different types of certification have different implications (algorithm vs. library).
• May have a perfectly valid algorithm, but used in an insecure way.
Mythbusters (SaaS Encryption Edition!)
Myth: “We use proprietary, home-grown methods…”
• Cryptographic algorithms and protocols should only be designed by people who really know what they are doing.
• Even experts get it wrong sometimes, so you need extensive peer review.
The SaaS Security Landscape
• Encryption
• Single sign-on
• Continuous monitoring
• Cloud DLP
• Policy enforcement
• Shadow IT discovery
• SaaS audit / risk assessment
• Malware detection
• Cloud IDS/IPS
For each security capability needed in the context of on-premises applications, analogous functionality is needed for SaaS applications.
Revisiting the Original Question
Is good encryption / tokenization a panacea for SaaS security?
• Encryption: just one piece of the security stack
• SaaS is more than storage (search, sort, analytics)
• Promising research, but fundamental limitations
• Important to avoid getting caught up in the hype
Thank you
Further Info:
Search: {Elastica} + (SOC Talks | Blog)
@zulfikar_ramzan, @elasticainc