[dm-crypt] Blog post on FDE and integrity protection
arno at wagner.name
Thu Sep 1 18:45:41 CEST 2011
I do not dispute your statements. Encryption can indeed help to
deal with some problems caused by defective cloud access rights
management. However this fix is in the wrong place and only
partial at best. If it is a realistic assumption that somebody
can access your private storage in the cloud, you should not
put anything of value in there anyways. If the data has no
value, then encrypting it just causes cost and effort and very
little security gain. This makes encryption not "completely"
pointless, but "pretty" pointless. (Sorry for nit-picking...)
Encryption does cause new problems: For one, you cannot start
your cloud instances manually anymore, as the attacker may well
get access to the wrong image in addition. And if that decrypts
the block storage automatically, then you are screwed,
encryption or no.
But the thing is this: If you start encrypting in the cloud,
you have no clear protection or attacker model. This makes
encryption worthless from a risk management perspective, as
you cannot quantify what you gain at all and cannot trust
the encrypted variant more than the plain one. You may even
lose some degree of protection, as you are potentially drawing
attention to your data. Sure, encryption can still make you
feel better. But that is not risk management.
Now the thing that is really pointless is integrity protection
for encrypted data in the cloud, as you do not get a security
level high enough for it to make a difference.
And the blog post fails to discuss these aspects.
On Thu, Sep 01, 2011 at 02:34:21PM +0200, Robert.Heinzmann at deutschepost.de wrote:
> I read this discussion and I find this very interesting, especially the
> cloud discussion.
> The point here is that I don't think that it is a useless approach to
> encrypt disks in the cloud.
> The question is what do you want to protect from ? In the cloud there are
> several risks due to the multi tenancy and shared approach.
> Of course there is the "The cloud provider is bad and wants my data".
> However - as you say - you can only protect from this by choosing the right
> cloud provider (e.g. within your legal system, trustworthy etc). Also
> certifications of the cloud provider ensuring operational safety help
> here. In this regard cloud computing is "just outsourcing".
> If you want to use the benefits of IaaS cloud computing, this is the risk
> you have to live with finally - as with traditional hosting and
> outsourcing. For PaaS and SaaS there are solutions where only encrypted
> data is leaving the company (e.g. CipherCloud).
> On the other hand there are much more real problems caused by the shared
> tenancy and high automation in the cloud.
> - What if the automation system of the cloud provider fails and maps
> volumes to wrong hosts ?
> - What if the secure deletion / disk wipe procedure fails for volumes on
> the cloud provider ?
> - What if your snapshots of your EBS volumes leak somewhere due to
> improper security ?
> For all of this encryption is a good idea. It helps - it is not 100% but
> it helps. Basically it solves the secure delete problem for the "curious
> professional" - it does not help against motivated hackers.
> If you combine this encryption with a proper security policy (patching,
> firewalling, access control, VPN access) you can do quite a lot in the
> cloud - quite secure.
> -----Original Message-----
> From: dm-crypt-bounces at saout.de [mailto:dm-crypt-bounces at saout.de] On Behalf Of Arno Wagner
> Sent: Thursday, 1 September 2011 13:27
> To: dm-crypt at saout.de
> Subject: Re: [dm-crypt] Blog post on FDE and integrity protection
> Disk encryption in a non-private cloud is pretty pointless.
> The cloud provider can access everything. An attacker should
> reliably be kept from accessing your storage, otherwise you are
> screwed anyways. I know, people are doing this, but they are
> kidding themselves.
> For your EBS scenario, true, block-level encryption
> can be done, but it is irrelevant. Encryption is not the
> right way to fix a broken cloud permission system. Critical
> encrypted data should never be decrypted in the cloud. It
> is just not secure. On the other hand, attacks that
> manipulate encrypted images are not relevant for lower
> security requirements, as they are very hard (expensive)
> to do.
> This makes integrity protection of encrypted data in the cloud
> a complete non-issue. This is a solution without a problem.
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier