Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Key management

3 simple tips to improve security in the cloud

In Sophos’s 2013 Security Threat Report they provided 3 tips on how to be more secure when using the cloud.

The tips are simple but straight to the point so I thought I would share them.

  1. Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits. 
  2. Use application controls to block or allow particular applications, either for the entire company or for specific groups. 
  3. Automatically encrypt files before they are uploaded to the cloud from any managed endpoint. An encryption solution allows users to choose their preferred cloud storage services, because the files are always encrypted and the keys are always your own. And because encryption takes place on the client before any data is synchronized, you have full control of the safety of your data. You won’t have to worry if the security of your cloud storage provider is breached. Central keys give authorized users or groups access to files and keep these files encrypted for everyone else. Should your web key go missing for some reason, maybe the user simply forgot the password, the security officer inside the enterprise would have access to the keys in order to make sure the correct people have access to that file.

.

 

Who is responsible for data protection in the cloud?

Encryption in the Cloud is a Ponemon Institute report sponsored by Thales.

The study considers how encryption is used to ensure sensitive or confidential data is kept safe and secure when transferred to external-based cloud service providers. 4,140 business and IT managers in the United States, United Kingdom, Germany, France, Australia, Japan and Brazil were surveyed.

Following is a summary of key findings relating to data protection, encryption and key management activities in the cloud.

  1. Currently, about half of all respondents say their organizations transfer sensitive or confidential data to the cloud environment. Within the next two years, another one-third of respondents say their organizations are very likely to transfer sensitive or confidential to the cloud. At 56%, German companies appear to have the highest rate of sensitive or confidential data transferred to the cloud.
  2. 39% of respondents believe cloud adoption has decreased their companies’ security posture. However, 44% of respondents believe the adoption of cloud services has not increased or decreased their organization’s security posture. Only 10% of respondents believe the move to the cloud has increased their organization’s security posture. With respect to country differences, results suggest that French organizations are most likely to view cloud deployment as diminishing the effectiveness of data protection efforts.
  3. 44% of respondents believe the cloud provider has primary responsibility for protecting sensitive or confidential data in the cloud environment and 30% believe it is the cloud consumer. There are also differences among countries as to who is most responsible. 67% of French companies appear to be the most likely to hold the cloud provider responsible for data protection activities. In contrast, 48% of Japanese companies hold the cloud consumer primarily responsible for data protection.
  4. Companies that currently transfer sensitive or confidential data to the cloud are much more likely to hold the cloud provider primarily responsible for data protection. In contrast, companies that do not transfer sensitive or confidential information to the cloud are more likely to hold the cloud consumer with primary responsibility for data protection.
  5. 63% of respondents say they do not know what cloud providers are doing to protect the sensitive or confidential data entrusted to them. Once again, French respondents (76%) are least likely to say they know what their cloud providers do to safeguard their organization’s information assets.
  6. In general, respondents who select the cloud provider as the most responsible party for protecting data are more confident in their cloud provider’s actual ability to do so (51%) compared to only 32% of respondents who report confidence in their own abilities to protect data even though they consider their own organization to be primarily responsible for protecting data.
  7. Where is data encryption applied? According to 38% of respondents, their organizations rely on encryption of data as it is transferred over the network (typically the internet) between the organization and the cloud. Another 35% say the organization applies persistent encryption data before it is transferred to the cloud provider. Only 27% say they rely on encryption that is applied within the cloud environment.
  8. Among the companies that encrypt data inside the cloud, nearly 74% believe the cloud provider is most responsible for protecting that data. However, only 34% of organizations that encrypt data inside their organization prior to sending it to the cloud hold the cloud provider primarily responsible for data protection.
  9. Who manages the encryption keys when sensitive or confidential data is transferred to the cloud? 36% of respondents say their organization is most responsible for managing the keys. 22% say the cloud provider is most responsible for encryption key management. Another 22% says a third party (i.e. another independent service provider) is most responsible for managing the keys. Even in cases where encryption is performed outside the cloud, more than half of respondents hand over control of the keys. With respect to country differences, German organizations appear to be the least likely to relinquish control of encryption keys to the cloud provider. Companies in Australia and Brazil appear to be the most likely to transfer control of encryption keys to the cloud provider.
  10. Companies with the characteristics that indicate a strong overall security posture appear to be more likely to transfer sensitive or confidential information to the cloud environment than companies that appear to have a weaker overall security posture. In other words, companies that understand security appear to be willing and able to take advantage of the cloud. This finding appears to be at odds with the common suggestion that more security aware organizations are the more skeptical of cloud security and that it is the less security aware organizations are willing to overlook a perceived lack of security. Here, we use the Security Effectiveness Score (SES) as an objective measure of each organization’s security posture.

Larry Ponemon, chairman and founder, Ponemon Institute, says:

“It’s a rather sobering thought that nearly half of respondents say that their organization already transfers sensitive or confidential data to the cloud even though thirty-nine percent admit that their security posture has been reduced as a result. This clearly demonstrates that for many organizations the economic benefits of using the cloud outweigh the security concerns. However, it is particularly interesting to note that it is those organizations that have a strong overall security posture that appear to be more likely to transfer this class of information to the cloud environment – possibly because they most understand how and where to use tools such as encryption to protect their data and retain control . What is perhaps most surprising is that nearly two thirds of those that move sensitive data to the cloud regard their service providers as being primarily responsible for protecting that data, even though a similar number have little or no knowledge about what measures their providers have put in place to protect data. This represents an enormous opportunity for cloud providers to articulate what they are doing to secure data in the cloud and differentiate themselves from the competition.”

Richard Moulds, vice president, strategy, Thales e-Security, says:

“Staying in control of sensitive or confidential data is paramount for most companies today. For any organization that is still weighing the advantages of using cloud computing with the potential security risks of doing so, it is important to know that encryption is one of the most valuable tools for protecting data. However, just as with any type of encryption, it only delivers meaningful value if deployed correctly and with encryption keys that are managed appropriately. Effective key management is emblematic of control and the need for centralized and automated key management integrated with existing IT business processes is a necessity. Even if you allow your data to be encrypted in the cloud, it’s important to know you can still keep control of your keys. If you control the keys, you control the data.”

.

PCI Point-to-Point Encryption Solution Requirements and Testing Procedures v1.1

The Payments Security Standards Council (PCI SSC) have released their solutions Requirements and Testing Procedures version 1.1 for Point-to-Point Encryption (P2PE).

The press release can be found here.

The main document is 210 pages long but for those who have looked into this before there is a short four page summary of changes from version 1.0 to version 1.1 here.

The document covers many things but the five main scope assessments for P2PE Solutions are

  1. Network Segmentation
  2. Third Parties/Outsourcing
  3. Sampling of System Components
  4. Multiple Acquirers
  5. P2PE Program Guide

Scope of Assessment for P2PE Solutions

The first step of a P2PE solution assessment is to accurately determine the scope of the solution. At least annually and prior to each assessment, the solution provider should confirm the accuracy of their solution scope by identifying all devices, P2PE data flows and processes, key-management functions and account-data stores, and ensure they are included in the solution scope. To ensure the accuracy of the solution scope is maintained on an on going basis, the solution provider must have processes in place that ensure the following:

  • Any changes are implemented in a manner that ensures continued adherence to P2PE requirements for the entire solution.
  • Any new rollouts/additions adhere to all P2PE solution requirements.
  • Any new rollouts/additions are included in the next P2PE assessment.

Network Segmentation

The solution provider must ensure that network segmentation is in place between any systems owned or managed by the solution provider that are used in the P2PE solution, and any that are not included in their PCI DSS compliant environment. The QSA (P2PE) must validate that the network segmentation is adequate to isolate the P2PE environment from out-of-scope networks and systems.

Third Parties/Outsourcing

A given P2PE solution may be entirely performed and managed by a single solution provider, or the solution provider may outsource certain functions (for example, loading keys into POIs) to third parties who perform these functions on behalf of the solution provider. All third parties that perform P2PE functions on behalf of the assessed P2PE solution provider, including POI vendors, KIFs, CAs, etc., must be validated per P2PE solution requirements.

There are two options for third-party entities performing functions on behalf of solution providers to validate compliance:

  1. They can undergo a P2PE assessment of relevant P2PE requirements on their own and provide evidence to their customers to demonstrate their compliance; or
  2. If they do not undergo their own P2PE assessment, they will need to have their services reviewed during the course of each of their solution provider customers’ P2PE assessments.

Multiple Acquirers

The P2PE standard outlines the technology and processes needed to ensure the security of a solution that protects account data from the point of interaction to the solution provider. In some instances, multiple acquirers or multiple solution providers may manage one or more P2PE solutions on the same merchant POI device. P2PE does not preclude these scenarios, as the business processes which govern this shared environment are outside the responsibility of the PCI SSC.

P2PE Program Guide

Please refer to the P2PE Program Guide for information about the P2PE program, including the following topics:

  • P2PE Report on Validation submission and acceptance processes
  • Annual renewal process for solutions included on the list of Validated P2PE Solutions
  • Notification responsibilities in the event a listed P2PE solution is determined to be at fault in a compromise

Third Parties/Outsourcing

A given P2PE solution may be entirely performed and managed by a single solution provider, or the solution provider may outsource certain functions (for example, loading keys into POIs) to third parties who perform these functions on behalf of the solution provider. All third parties that perform P2PE functions on behalf of the assessed P2PE solution provider, including POI vendors, KIFs, CAs, etc., must be validated per P2PE solution requirements.

There are two options for third-party entities performing functions on behalf of solution providers to validate compliance:

  1. They can undergo a P2PE assessment of relevant P2PE requirements on their own and provide evidence to their customers to demonstrate their compliance; or
  2. If they do not undergo their own P2PE assessment, they will need to have their services reviewed during the course of each of their solution provider customers’ P2PE assessments.

At-a-Glance – Steps Required to Create and Validate a P2PE Solution

The process for developing and validating a P2PE solution that uses SCDs for encryption, decryption, and cryptographic key management is provided below. This flow chart and the following table illustrate the parties responsible for implementing requirements and validating compliance with each domain, the high-level purpose of controls for each domain, and how validation of each domain can ultimately lead to a P2PE solution validation.

Like a lot of people I shall be looking into the details to see where existing and planned solutions meet the standard. The full 210 page document can be found here.

.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: