Amazon has made many changes lately to provide encryption for its Relational Database Service (RDS), adding the ability to encrypt existing RDS instances and shared data between partners. Database encryption, specifically for sharing, is very important, as is encryption at rest, which Amazon and other cloud service providers also provide. If you wish to control everything, you can use tools like HyTrust DataControl and other encrypted file systems, services, and storage appliances. So, why is there always a debate about encryption, who controls the keys, and privacy?

There are two general debates going on at this time:

  1. Law enforcement wants to be able to see anything and everything if a warrant or national security letter is presented. This raises the public policy debate over privacy.
  2. Hackers can see individuals’ data. Issues arise based on horrible handling of encryption, ownership of keys, and faulty protocols.

I laud any company that is trying to do encryption properly. The keys, so to speak, to properly handling encryption follow:

  • Good hygiene: Properly maintaining keys, certificates, revocation lists, etc.
  • Good practices: Using mutual authentication, such as pre-shared certificates, wherever possible
  • Not encrypting everything and anything, but only that which is needed

The last one is probably the hardest to implement; because of all the breaches, everyone is in an encrypt-all mood. I would instead recommend digitally signing everything, but encrypting only as needed. For example, if we went down the encrypt-all path, that would include public information. However, public information should be public and thus should not be encrypted. Instead, it should be digitally signed to alleviate possible defacement and replacement-style attacks.
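A sketch of the sign-rather-than-encrypt approach recommended above, added here as an example and not taken from the original article: the public content stays in cleartext, and an Ed25519 signature lets any reader detect defacement. Binding the file name into the signed message, so that one validly signed document cannot be swapped in for another, is an assumption of this example, as are the function names and the constructed sample documents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// signedMessage binds content to the name it is published under (an assumption
// of this example), so a validly signed file cannot stand in for another one.
func signedMessage(name string, content []byte) []byte {
	digest := sha256.Sum256(content)
	msg := make([]byte, 8, 8+len(name)+len(digest))
	binary.BigEndian.PutUint64(msg, uint64(len(name))) // length prefix keeps name and digest unambiguous
	msg = append(msg, name...)
	return append(msg, digest[:]...)
}

// Sign is run by the publisher, the only holder of the private key.
func Sign(priv ed25519.PrivateKey, name string, content []byte) []byte {
	return ed25519.Sign(priv, signedMessage(name, content))
}

// Verify is run by any reader and needs only the public key.
func Verify(pub ed25519.PublicKey, name string, content, sig []byte) bool {
	return ed25519.Verify(pub, signedMessage(name, content), sig)
}

// Demo checks three cases: intact content, defaced content, replaced content.
func Demo() (intact, defaced, replaced bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample documents; both are public and never encrypted.
	hours := []byte("Office hours: 9am-5pm")
	closure := []byte("Office closed until further notice")
	sigHours := Sign(priv, "hours.txt", hours)
	sigClosure := Sign(priv, "closure.txt", closure)
	intact = Verify(pub, "hours.txt", hours, sigHours)
	defaced = Verify(pub, "hours.txt", []byte("Office hours: cancelled"), sigHours)
	replaced = Verify(pub, "hours.txt", closure, sigClosure) // valid pair, wrong name
	return
}

func main() {
	fmt.Println(Demo())
}
```

Only the first check passes; the third fails even though the document and signature are a genuine pair, because the signature was issued for a different name.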
The questions then become “Where do we encrypt?” “At rest or in motion?” and “Where does ‘motion’ start?” Think about it this way: Data is constantly moving within a cloud. If data is written to disk, it is at rest; once it is read from disk, it is in motion. If that is the case, disk-level encryption is great for encryption at rest.

Figure 1: Encryption up and down the stack
If we look at Figure 1, we can see there are multiple levels at which we can encrypt. The higher up the stack, the later the decryption takes place and the less decrypted motion there is. The same diagram is representative of most clouds as well, as they use hypervisors. Where the encryption takes place will tell you if there are any risks, where those risks exist, and whether they need to be handled in some fashion.
For example, if we encrypt within a virtual machine, AMI instance, etc., any data read into that instance is decrypted and placed in memory. Therefore, the biggest threat is access to the system. If we decrypt below the hypervisor, within the storage layers, then anyone sniffing the traffic above the encryptor or within the hypervisor can see the data. If we encrypt within the application, the system may not normally be able to see the data, unless someone has a rootkit or that level of access.
Good encryption requires an understanding of other compensating controls that are necessary to prevent unauthorized reading of data. Such compensating controls include proxies, SELinux, and even Symantec’s Data Center Security. Sandboxing technology aside, the key to good encryption is good analytics and logging, so that unauthorized access can be detected as quickly as possible.
This is the crux of the matter with encryption. Too many companies are encrypting everything, but not necessarily beefing up the other aspects of their security and compliance to detect unauthorized access outside of the normal means (such as firewalls, IDS, IPS, etc.). If an attack is successful, it is possible that all those things will be bypassed, leaving us with the defenses sitting on the system or just those around the system. Put defenses too far away, and there is an open window for attackers. Yet, defenses within a system can be circumvented. So, we need defenses just around the system. This solution is easier with virtual machines; with physical machines, it is quite a bit harder.
With some systems, like Skyport Systems and LynxSecure, monitoring tools are provided as part of how the systems are put together. Yet, not everyone uses these systems, and when they do, it is generally for very sensitive information. These systems start to approach mandatory access controls, but that is perhaps the real solution to this dilemma.
How do you monitor encryption and other systems for unauthorized access?