Welcome!

Government Cloud Authors: Pat Romanski, Elizabeth White, Liz McMillan, Dana Gardner, Gopala Krishna Behara

Related Topics: Cloud Security, @CloudExpo, Government Cloud

Cloud Security: Blog Feed Post

Cloud Encryption and PCI Thoughts

The tricky issues of PCI compliance, encryption and key management in the cloud are soluble

There is a lot of guidance and expertise on achieving PCI compliance. In virtualized and cloud computing environments it is trickier, yet a lot of expertise is building up there as well. Witness the venerable PCI Security Standards organization and its guideline for virtualization, which includes a section on cloud computing as well.

Yet in some areas, answers are still sketchy. Some of the most important is cloud encryption and key management.

Cloud encryption is obvious – or is it?

Everyone understands that achieving PCI DSS requires encryption or tokenization of sensitive data, such as credit card numbers or personal details. This is even true in physical data centers; it is certainly true for virtualized and cloud computing environments.

So cloud encryption is an obvious necessity. Case closed.

But it is not so simple.

One issue is that any encryption scheme requires encryption keys; and keeping those encryption keys secure in the cloud is not easy.

A second point is that servers working in the cloud (and providing a service) have memory in the cloud. Data in memory also needs to be secured.

Cloud key management

Where to save encryption keys? The best practice for securing encryption keys available today is split-key management. This means that every encryption key is split in two; the first part, a “master key” remains the sole possession of the application owner and is unknown to anyone else. The second part is different for each data object and is stored by a dedicated cloud key management service (read more about it on this white paper).

Such techniques provide a solution to securing the encryption keys, which provides security on a par with physical data centers.

Memory protection and users permissions is critical in the cloud

Protecting the RAM of a server is something that is (almost) never seen as an issue in physical data centers. In the cloud, it is increasingly discussed.

The best modern clouds allow memory access to be tightly controlled. Here are some tips on how to control access to memory.

First and most basic rule: by default, no human has permission to do anything in memory. In practical terms, this means there is no access at all to the virtual box. In techie terms, this means protocols like SSH or RDP are disabled by default.

Starting from that, you add on permissions in a very limiting way. There are three classes of people worth considering: “super” administrators, regular administrators, and end-users of the system.

“Super” administrators need not always exist (analyze your own system to decide if you need them). If they do, they should be very few, and ideally only two people together (for example, each of them knows one half of a password). “Super” admins, if they exist, can make major changes in permissions of the system. Make sure you trust them.

Most of the everyday technical work on a system is done by regular administrators. These essential people should not be all powerful. In fact, in some important ways they should be “weaker” than end- users. In particular:

  • They do not have any master passwords or “root” user access; rather they access systems with admin rights which are limited in scope
  • Some of the important limitations: they cannot change permissions on the system (including their own permissions), they cannot see any end-user data (e.g. in a database system, they cannot do regular ‘select’ statements)
  • Every access is logged and audited
  • The logging and auditing sub-system is not accessible to them (and cannot be changed by them); typically the logging and auditing sub-system will be under ”root” control, and these users do not have root access

End-users, on the other hand, do have access to their own data. In that sense they are more powerful than admins. But they do not have any access to the virtual server “box”, only to the application. They are purely application users.

The tricky issues of PCI compliance, encryption and key management in the cloud are soluble. Feel free to contact us for a deeper discussion.

The post Cloud Encryption and PCI thoughts appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


IoT & Smart Cities Stories
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected pat...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
Druva is the global leader in Cloud Data Protection and Management, delivering the industry's first data management-as-a-service solution that aggregates data from endpoints, servers and cloud applications and leverages the public cloud to offer a single pane of glass to enable data protection, governance and intelligence-dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost and complexity of managing and protecting it. Druva's...
BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.
The Jevons Paradox suggests that when technological advances increase efficiency of a resource, it results in an overall increase in consumption. Writing on the increased use of coal as a result of technological improvements, 19th-century economist William Stanley Jevons found that these improvements led to the development of new ways to utilize coal. In his session at 19th Cloud Expo, Mark Thiele, Chief Strategy Officer for Apcera, compared the Jevons Paradox to modern-day enterprise IT, examin...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...
DSR is a supplier of project management, consultancy services and IT solutions that increase effectiveness of a company's operations in the production sector. The company combines in-depth knowledge of international companies with expert knowledge utilising IT tools that support manufacturing and distribution processes. DSR ensures optimization and integration of internal processes which is necessary for companies to grow rapidly. The rapid growth is possible thanks, to specialized services an...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...