Category Archives: encryption

BitLocker or Parallels encryption? Encryption solutions for your Windows virtual machine

When you store sensitive data on your computer, it’s crucial that you take the necessary steps to protect that data. You can protect your data by using encryption. Unlike a physical Windows PC, Windows virtual machines afford more encryption options, as there is the macOS® host operating system and Parallels Desktop® for Mac virtualization. Enterprise […]

The post BitLocker or Parallels encryption? Encryption solutions for your Windows virtual machine appeared first on Parallels Blog.

Bring Your Own Encryption: The case for standards

BYOE is the new black

BYOE is the new black

Being free to choose the most suitable encryption for your business seems like a good idea. But it will only work in a context of recognised standards across encryption systems and providers’ security platforms. Since the start of the 21st century, security has emerged from scare-story status to become one of IT users’ biggest issues – as survey after survey confirms. Along the way a number of uncomfortable lessons are still being learned.

The first lesson is that security technology must always be considered in a human context. No one still believes in a technological fix that will put an end to all security problems, because time and again we hear news of new types of cyber attack that bypass sophisticated and secure technology by targeting human nature – from alarming e-mails ostensibly from official sources, to friendly social invitations to share a funny download; from a harmless-looking USB stick ‘accidentally’ dropped by the office entrance, to the fake policeman demanding a few personal details to verify that you are not criminally liable.

And that explains the article’s heading: a balance must be struck between achieving the desired level of protection against keeping all protection procedures quick and simple. Every minute spent making things secure is a minute lost to productivity – so the heading could equally have said “balancing security with efficiency”.

The second lesson still being learned is never to fully trust to instinct in security matters. It is instinctive to obey instructions that appear to come from an authoritative source, or to respond in an open, friendly manner to a friendly approach – and those are just the sort of instincts that are exploited by IT scams. Instincts can open us to attack, and they can also evoke inappropriate caution.

In the first years of major cloud uptake there was the oft-repeated advice to business that the sensible course would be to use public cloud services to simplify mundane operations, but that critical or high priority data should not be trusted to a public cloud service but kept under control in a private cloud. Instinctively this made sense: you should not allow your secrets to float about in a cloud where you have no idea where they are stored or who is in charge of them.

The irony is that the cloud – being so obviously vulnerable and inviting to attackers – is constantly being reinforced with the most sophisticated security measures: so data in the cloud is probably far better protected than any SME could afford to secure its own data internally. It is like air travel: because flying is instinctively scary, so much has been spent to make it safe that you are

less likely to die on a flight than you are driving the same journey in the “safety” of your own car. The biggest risk in air travel is in the journey to the airport, just as the biggest risk in cloud computing lies in the data’s passage to the cloud – hence the importance of a secure line to a cloud service.

So let us look at encryption in the light of those two lessons. Instinctively it makes sense to keep full control of your own encryption and keys, rather than let them get into any stranger’s hands – so how far do we trust that instinct, bearing in mind the need also to balance security against efficiency?

BYOK

Hot on the heels of BYOD – or “Bring Your Own Device” to the workplace – come the acronym for Bring Your Own Key (BYOK).

The idea of encryption is as old as the concept of written language: if a message might fall into enemy hands, then it is important to ensure that they will not be able to read it. We have recently been told that US forces used Native American communicators in WW2 because the chances of anyone in Japan understanding their language was near zero. More typically, encryption relies on some sort of “key” to unlock and make sense of the message it contains, and that transfers the problem of security to a new level: now the message is secure, the focus shifts to protecting the key.

In the case of access to cloud services: if we are encrypting data because we are worried about its security in an unknown cloud, why then should we trust the same cloud to hold the encryption keys?

Microsoft for instance recently announced a new solution to this dilemma using HSMs (Hardware Security Modules) within their Windows Azure cloud – so that an enterprise customer can use its own internal HSM to produce a master key that is then transmitted to the HSM within the Windows Azure cloud. This provides secure encryption when in the cloud, but it also means that not even Microsoft itself can read it, because they do not have the master key hidden in the enterprise HSM.

It is not so much that the enterprise cannot trust Microsoft to protect its data from attack, it is more to do with growing legal complexities. In the wake of Snowden revelations, it is becoming known that even the most well protected data might be at risk from a government or legal subpoena demanding to reveal its content. Under this BYOK system, however, Microsoft cannot be forced to reveal the enterprise’s secrets because it cannot access them itself, and the responsibility lies only with the owner.

This is increasingly important because of other legal pressures that insist on restricting access to certain types of data. A government can, for example, forbid anyone from allowing data of national importance to leave the country – not a simple matter in a globally connected IP network. There are also increasing legal pressures on holders of personal data to guarantee levels of privacy.

Instinctively it feels a lot more secure to manage your own key and use BYOK instead of leaving it to the cloud provider. As long as that instinct is backed by a suitable and strict in-house HSM based security policy, these instincts can be trusted.

BYOE

BYOK makes the best of the cloud provider’s encryption offering, by giving the customer ultimate control over its key. But is the customer happy with the encryption provided?

Bearing in mind that balance between security and efficiency, you might prefer a higher level of encryption than that used by the cloud provider’s security system, or you might find the encryption mechanism is adding latency or inconvenience and would rather opt for greater nimbleness at the cost of lighter encryption. In this case you could go a step further and employ your own encryption algorithms or processes. Welcome to the domain of BYOE (Bring Your Own Encryption).

Again, we must balance security against efficiency. Take the example of an enterprise using the cloud for deep mining its sensitive customer data. This requires so much computing power that only a cloud provider can do the job, and that means trusting private data to be processed in a cloud service. This could infringe regulations, unless the data is protected by suitable encryption. But how can the data be processed if the provider cannot read it?

Taking the WW2 example above: if a Japanese wireless operator was asked to edit the Native American message so a shortened version could be sent to HQ for cryptanalysis, any attempt to edit an unknown language would create gobbledygook, because translation is not a “homomorphic mapping”.

Homomorphic encryption means that one can perform certain processes on the encrypted data, and the same processes will be performed on the source data without any need to de-crypt the encrypted data. This usually implies arithmetical processes: so the data mining software can do its mining on the encrypted data file while it remains encrypted, and the output data, when decrypted, will be the same output as if the data had been processed without any intervening encryption.

It is like operating one of those automatic coffee vendors that grinds the beans, heats the water and adds milk and sugar according to which button was pressed: you do not know what type of coffee bean is used, whether tap, filtered or spring water or whether the milk is whole cream, skimmed or soya. All you know is that what comes out will be a cappuccino with no sugar. In the data mining example: what comes out might be a neat spread-sheet summary of customers average buying habits based on millions of past transactions, without a single personal transaction detail being visible to the cloud’s provider.

The problem with the cloud provider allowing the users to choose their own encryption, is that the provider’s security platform has to be able to support the chosen encryption system. As an interim measure, the provider might offer a choice from a range of encryption offerings that have been tested for compatibility with the cloud offering, but that still requires one to trust another’s choice of encryption algorithms. A full homomorphic offering might be vital for one operation, but a waste of money and effort for a whole lot of other processes.

The call for standards

So what is needed for BOYE to become a practical solution is a global standard cloud security platform that any encryption offering can be registered for support by that platform. The customer chooses a cloud offering for its services and for its certified “XYZ standard” security platform, then the customer goes shopping for an “XYZ certified” encryption system that matches its particular balance between security and practicality.

Just as in the BYOD revolution, this decision need not be made at an enterprise level, or even by the IT department. BYOE, if sufficiently standardised, could become the responsibility of the department, team or individual user: just as you can bring your own device to the office, you could ultimately take personal responsibility for your own data security.

What if you prefer to use your very own implementation of your own encryption algorithms? All the more reason to want a standard interface! This approach is not so new for those of us who remember the Java J2EE Crypto library – as long as we complied with the published interfaces, anyone could use their own crypto functions. This “the network is the computer” ideology becomes all the more relevant in the cloud age. As the computer industry has learned over the past 40 years, commonly accepted standards and architecture (for example the Von Neumamm model or J2EE Crypto) play a key role in enabling progress.

BYOE could prove every bit as disruptive as BYOD – unless the industry can ensure that users choose their encryption from a set of globally sanctioned and standardised encryption systems or processes. If business is to reap the full benefits promised by cloud services, it must have the foundation of such an open cloud environment.

Written by Dr. Hongwen Zhang, chair security working group, CloudEthernet Forum.

Ovum: Cloud service providers need to double down on security

Enterprises would be more willing to use cloud if providers focused more on security, compliance

Enterprises would be more willing to use cloud if providers focused more on security, compliance

A recently published Vormetric survey suggests over half of enterprises globally are using cloud-based services to store sensitive data, and many of the IT decision makers polled by the firm said they felt pressured into using cloud services over legacy alternatives. But respondents also showed an overwhelming willingness to use cloud services to store or analyse sensitive data if service providers could guarantee some essential security and information governance capabilities and measures.

Vormetric, which worked with Ovum to petition 818 ITDMs globally on their use of cloud and big data platforms, said about 54 per cent of respondents globally were keeping sensitive information in the cloud. Interestingly, 46 per cent of all respondents expressed concerns that market pressures are forcing them to use cloud services.

And though databases and file servers were typically rated by respondents as top risks for storage of sensitive information, they are now also joined by big data environments – with big data (31 per cent) seen by ITDMs as slightly more at risk than file servers (29 per cent).

In the US specifically, respondents seemed most concerned about lack of control over the location of data (82 per cent), increased vulnerability of shared infrastructure (79 per cent), and “privileged user” abuse of the cloud service provider (78 per cent).

“The data shows that US IT decision makers are conflicted about their cloud deployments,” said Alan Kessler, chief executive officer of Vormetric. “Market pressures and the benefits of cloud service use are strong, but enterprises have serious security concerns around these environments. There is enormous anxiety over how sensitive data and systems can best be protected, with lack of control listed as the number one worry among US respondents.”

“For cloud service providers to increase their footprint in the enterprise, they must address enterprise requirements around security, data protection and data management. More specifically, cloud service providers need to provide better protection and visibility to their customers,” Kessler said.

Andrew Kellett, lead analyst for Ovum and author of the 2015 Vormetric Insider Threat Report said the results demonstrate “both hope and fear” when it comes to cloud and big data technologies, which could slow the pace at which enterprises refresh their technology platforms.

“But, there are steps enterprises can take and changes providers can make that will increase adoption. For example, more than half of global respondents would be more willing to use cloud services if the provider offers data encryption with key access control,” he said.

About 52 per cent also said they would be more likely to use cloud services if service level commitments and liability terms for a data breach were established, 48 per cent said the same if explicit security descriptions and compliance commitment were established.

Ovum: Cloud service providers need to double down on security

Enterprises would be more willing to use cloud if providers focused more on security, compliance

Enterprises would be more willing to use cloud if providers focused more on security, compliance

A recently published Vormetric survey suggests over half of enterprises globally are using cloud-based services to store sensitive data, and many of the IT decision makers polled by the firm said they felt pressured into using cloud services over legacy alternatives. But respondents also showed an overwhelming willingness to use cloud services to store or analyse sensitive data if service providers could guarantee some essential security and information governance capabilities and measures.

Vormetric, which worked with Ovum to petition 818 ITDMs globally on their use of cloud and big data platforms, said about 54 per cent of respondents globally were keeping sensitive information in the cloud. Interestingly, 46 per cent of all respondents expressed concerns that market pressures are forcing them to use cloud services.

And though databases and file servers were typically rated by respondents as top risks for storage of sensitive information, they are now also joined by big data environments – with big data (31 per cent) seen by ITDMs as slightly more at risk than file servers (29 per cent).

In the US specifically, respondents seemed most concerned about lack of control over the location of data (82 per cent), increased vulnerability of shared infrastructure (79 per cent), and “privileged user” abuse of the cloud service provider (78 per cent).

“The data shows that US IT decision makers are conflicted about their cloud deployments,” said Alan Kessler, chief executive officer of Vormetric. “Market pressures and the benefits of cloud service use are strong, but enterprises have serious security concerns around these environments. There is enormous anxiety over how sensitive data and systems can best be protected, with lack of control listed as the number one worry among US respondents.”

“For cloud service providers to increase their footprint in the enterprise, they must address enterprise requirements around security, data protection and data management. More specifically, cloud service providers need to provide better protection and visibility to their customers,” Kessler said.

Andrew Kellett, lead analyst for Ovum and author of the 2015 Vormetric Insider Threat Report said the results demonstrate “both hope and fear” when it comes to cloud and big data technologies, which could slow the pace at which enterprises refresh their technology platforms.

“But, there are steps enterprises can take and changes providers can make that will increase adoption. For example, more than half of global respondents would be more willing to use cloud services if the provider offers data encryption with key access control,” he said.

About 52 per cent also said they would be more likely to use cloud services if service level commitments and liability terms for a data breach were established, 48 per cent said the same if explicit security descriptions and compliance commitment were established.

Virtustream Adds Cloud Database Encryption, Key Management

Virtustream today added software-based “data at rest” encryption to its cloud services portfolio through a partnership with Vormetric, a leader in enterprise encryption and key management. With this extra protection, Virtustream’s xStream cloud management software and Virtustream cloud IaaS services provide highly secure and compliant solutions that enable enterprises, governments and service providers to safely run mission-critical applications in private, public and hybrid clouds.

The company will now offer Vormetric’s database and file encryption solution to customers needing an additional layer of security to satisfy internal sensitive data policies and compliance mandates regarding business data. For enterprises required to comply with regulatory guidelines and compliance frameworks such as NIST 800-53, DIACAP, FedRAMP, FISMA, ICD503, G-Cloud, CSA Recommendations, ISO27001, HIPAA/HITECH, PCI, SSAE16/SAS70 and other industry standards, this new service provides a sophisticated approach to protecting highly sensitive data in the cloud. Virtustream’s new data encryption offering allows enterprises mandating full data life cycle encryption to take advantage of the cloud.

The addition of Vormetric Data Security adds to the enhanced security measures in Virtustream clouds which include layered physical/virtual security, cloud-to-cloud encryption, core servers equipped with new Intel CPUs that support Advanced Encryption Standard New Instruction Set (AES-NI) for optimal encryption efficiency, hardware-level authentication (Intel TXT), encrypted VPN (IPSEC and SSL), Key Escrow using Data Security Modules (DSMs), encryption in archive, GRC tools, two-factor authentication, and various additional security and compliance measures and reporting.

“File-level encryption is the most effective and flexible approach to cloud data security for enterprises concerned with regulatory compliance, protecting their IP and meeting contractual obligations around customer data,” said Bruce Johnson, vice president for worldwide sales and service operations at Vormetric. “By offering Vormetric Encryption through a pay-as-you-go model, Virtustream is providing comprehensive, built-in and transparent security for any database, that can follow customer data—whether it is in the cloud or a datacenter.”

As the Virtustream team evaluated security and encryption software to pair with its cloud solution, it found that many of the larger vendors focus primarily on end-user computing and encrypting whole drives, which only protects against specific threats and could not support a variety of deployment modes. Vormetric’s solution quickly emerged as the leader in enterprise class security, as it emphasized encryption at the file/folder level, transparently across all major database platforms. It also enables very granular separation of duties to allow for a variety of support models from zero client touch, to co-managed operations, to full key management by clients. Vormetric encryption ensures that there is no unauthorized data access from inside or outside an organization. In stress testing, Vormetric exceeded Virtustream’s performance expectations with a virtually indiscernible impact on application response time, excellent manageability and detailed logging of file access for Database Access Monitoring requirements (DAM) and Data Leakage Prevention (DLP) reporting.

Virtustream now stands as the first cloud provider to offer the Vormetric solution in a SaaS model with elastic, consumption-based pricing—services are priced per virtual CPU of each database server, as opposed to traditional perpetual licensing models.

“It can be challenging to get large enterprises to trust the cloud, so this partnership with Vormetric provides a significant security measure required to overcome that concern,” said Pete Nicoletti, director of security and compliance at Virtustream. “With Vormetric’s solution, we now have a database encryption security option suitable for customers who are required to comply with executive mandates or compliance frameworks but have not yet deployed encryption at their database or application layer. Adding this capability will make moving mission-critical data to the cloud a more feasible option for any enterprise looking for immediate risk reduction and cost savings.”

With this encryption service, Virtustream also offers and manages encryption of client databases at their location in the client’s datacenter before they even move the workload to the Virtustream cloud. This is a unique capability and allows customers that are concerned with protecting personally identifiable information (PII) and other sensitive information to achieve regulatory compliance and avoid potential data breach costs.

“By partnering with Vormetric, we are able to combine its nimble and powerful security solution with our cloud solution for increased data protection with high performance and low overhead,” said Mike Olson, vice president of operations and service delivery for Virtustream. “Together we offer customers a more secure, compliant cloud environment with reduced infrastructure costs, and increased performance and uptime.”

When Encryption Doesn’t Mean More Secure

By Ken Smith

I have had a number of clients reach out to me about how to implement whole disk encryption, SQL transparent data encryption, and encryption of VMware VMDK files in order to satisfy “data at rest” security requirements. My response is usually something like “Say that again?”

These types of encryption approaches are designed to better protect data at rest on media that may be accessible to individuals who are not authorized to access such data. This is usually some form of portable media such as a hard drive in the notebook computer, a portable USB hard drive, a USB stick, a backup tape, etc. And by “at rest” we are talking about files that have been saved to media and are not currently open or active. So to summarize, these types of encryption solutions are intended to protect data at rest on some form of portable media or media that is generally accessible to individuals that should not have access to sensitive data stored on that media. What I’m seeing, however, is that this type of encryption is being adopted to address “encrypt sensitive data” compliance requirements such as PCI DSS.

The intent of such “encryption of data at rest” requirements is to protect specific data from unauthorized access whether it be via application access, network file system access, or physical access. If the sensitive information is on storage media that is physically secured in a data center and this data is protected with appropriate network file system access controls, then the only thing remaining is to render the data unreadable to any unauthorized party at the application access level. This is where column or field level encryption comes in. Only authorized individuals or processes have access to the sensitive information in unencrypted form, and only authorized individuals or processes have access to the decryption keys that allow such access.

Let’s switch back to whole disk encryption and SQL transparent data encryption. When a system that’s running either of these is brought online, all users of the system have access to unencrypted data. Not just specific users who have been authorized to access specific sensitive information, but all users. When a server running BitLocker has finished booting, every process and user running on that host has access to data that BitLocker is decrypting for them on the fly every time it’s read from disk. A SQL database server running TDE makes all of its data accessible to all processes and users that have access to the database. While the database is running, the encrypted data is decrypted on-the-fly for all to see. The decryption keys are automatically presented regardless of who is requesting them. This isn’t really “protecting specific data from unauthorized access with encryption” is it?

With the proliferation of virtualization and cloud-based systems, we are now seeing this same thinking applied to protecting sensitive virtual systems. For a VMware environment, VMDK files can be encrypted to protect them from unauthorized access and use, but this is also a method that’s identical to solutions like whole disk encryption and SQL TDE. The data is only protected after it’s been written to disk, the VM is not actually running, and the decryption keys are only accessible to specific services and users that require access to the sensitive data. In most environments, this is not the case.

This type of encryption does have its place. For example, in multi-tenant or public cloud environments, it may be desirable to only allow specific authorized hypervisors to use certain virtual instances. It may make sense for SQL TDE to encrypt every database write to disk if you are using a public cloud providers’ storage and backup solutions. It might be a good idea to use whole disk encryption on a system that is physically at risk of being stolen. But just throwing these types of solutions at a system because they have the word encryption in them and they are easy doesn’t always mean that you’re actually doing a better job protecting sensitive information.