Hello,
I think there is a focus on public clouds. I agree that these clouds
are the most challenging, but shouldn't we try to be comprehensive and
include private and hybrid clouds as well? My remark comes from the
fact that it is clearly stated that it is not possible to establish a
perimeter. I believe that building a perimeter is possible on private
clouds, for instance.
Anyway, I agree that encryption and key management are the answers for
the confidentiality of data (in transit and at rest) but in the case
of private and hybrid clouds as well.
We should protect the confidentiality of data from external and
internal sources.
Then there is a paragraph on integrity. This is a very important
problem that I did not clearly find in the other domains, but I was not
expecting to find it here because I tend to think about Message
Authentication Codes (MACs) and hash functions and not encryption.
Finally, we need keys to perform all these techniques. In my opinion
this is the field where we're missing solutions and that we should
focus on. Cloud computing brings scalability and the opportunity of
separation of roles, as stated in the document. We should open the
discussion, and I hope we do not fall into a discussion about the pros and cons
of PKIs. A good starting point to understand obstacles to PKI adoption
can be found in:
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=pki
To conclude, some of the questions I would like to see addressed:
- Are PKIs the answer to key management? If not, why, and are there any
alternatives?
- How do we manage separation of roles and trust within the same
company or between partners, or in other scenarios including third-party
service providers?
- How do we deal with geolocalization of data and legal restrictions on
encryption?
- How do we manage key escrow?
Thanks
Sergio
http://elastic-security.com/