[dm-crypt] Blog post on FDE and integrity protection
Robert.Heinzmann at deutschepost.de
Robert.Heinzmann at deutschepost.de
Thu Sep 1 19:37:06 CEST 2011
But this actually means:
"Multi Tenant Cloud Environments and Security are mutual exclusive"
I kind of disagree.
I look at cloud security and encryption like this:
- You can not protect against attacks if a major instituation with unlimited power is behind an attack (e.g. a government - as seen with Iran and the tuxnet attack). The only defense against this kind of attacks is don't store the data it in the first place and address the issue with or have a good insurance plan.
... another more idealistic alternative is to try not to have too many enemies :)
- Make sure you can trust your cloud provider. Does the cloud provider use it's own product ? If so - there is motivation to make this thing secure. Does the provider have the experience in an internetworked world ? Does he have the resources to address global DDoS etc. - practially speaking: does he have the biggest pipes ? - There are some.
- Use encryption all the time for everything. Encryption adds new limitations to the operations you perform in cloud environments. There is a operational impact on availability, DR, backup & recovery and provisioning (loosing the salt, loosing the key, or silent block error escalation due to the chaining mode etc.). Solve it for all your machines and you gain routine for the operating guys. If you only encrypt sensitive data, as you say, you draw attention and reduce the attack effort, because you practially label your honeyspot. Also routine tasks become risky, if you do not train them all the time.
- For practiall security - other factors are much more important. Establishing a real security policy on the logical level helps much more then encryption. Once a attacker is in the machine, encryption is useless. Here a good isolation policy is required (no cross machine passwords, strong firewalling, unique encryption keys etc.) Encryption can really only protect data at rest at 100% once the encryption key is out of memory. Make sure no-one can read this memory.
- Make sure that you understand your encryption technology in the cloud. Understand the difference between an encryption key and a wrapping key. Understand that the key is ALWAYS readable by someone with physical access to the computer - deal with it (e.g. Split sensitive across cloud providers data to make it useless - aka PCI standard). Understand the difference between pre provisioning encryption and post provisioning encryption and the operational impact of the two. Make sure you establish security escalation zones - think about the worst case and assume that a machine will highjacked. Make sure you notice this (Intrustion Detection) and have a pre-prepared plan on how to deal with this issue then.
.. Those are just some thoughts.
I agree that cloud is a challenge for security - just as accidents are a challenge for traffic. As car's had to learn how to protect the owner once the streets got fuller and fuller, IT has to learn how to address security in a inter networked world. There is no way back - I guess ...
(... This seems to have gotten a little off the track in regards to disk encryption and even more in regards to the blog - so sorry for this :)
Von: dm-crypt-bounces at saout.de [mailto:dm-crypt-bounces at saout.de] Im Auftrag von Arno Wagner
Gesendet: Donnerstag, 1. September 2011 18:46
An: dm-crypt at saout.de
Betreff: Re: [dm-crypt] Blog post on FDE and integrity protection
I do not dispute your statements. Encryption can indeed help to
deal with some problems causes by defective cloud access rights
management. However this fix is in the wrong place and only
partial at best. If it is a realistic assumption that somebody
can access your private storage in the cloud, you should not
put anything of value in there anyways. If the data has no
value, then encrypting it just cause cost and effort and very
little securit gain. This makes encryption not "completely"
pointless, but "pretty" pointless. (Sorry for nit-picking...)
Encryption does cause new problems: For one, you cannot start
your cloud instances manually anymore, as the attacker may well
get access to the wrong image in addition. And if that decrypts
the block storage automatically, then you are screwed,
encryption or no.
But the thing is this: If you start encrypting in the cloud,
you have no clear protection or attacker model. This makes
encryption worthless from a risk management perspective, as
you cannot quantify what you gain at all and cannot trust
the encrypted variant more than the plain one. You may even
lose some degree of protection, as you are potentially drawing
attention to your data. Sure,encryption can still make you
feel better. But that is not risk management.
Now the thing that is really pointless is integrity protection
for encrypted data in the cloud, as you do not get a security
level high enough for it to make a difference.
And the Blog posts fails to discuss these aspects.
More information about the dm-crypt