Key Management in the Cloud
“I have made a living as a cryptography consultant: designing and analyzing security systems. To my initial surprise, I found that the weak points had nothing to do with the mathematics. They were in the hardware, the software, the networks, and the people.”
— Bruce Schneier, Secrets and Lies
Encryption is a powerful tool for data security. Used correctly, it gives strong, well-understood assurance that your data can be read only by whoever holds the key, and that assurance lets most CIOs and CSOs sleep at night. But the assurance holds only in a narrow scope. As many of us know, data breaches rarely happen because a brilliant mathematician found an earth-shattering new way to break AES-256; they happen because attackers compromise other weak points in systems, people, and processes. The notorious 2011 breach that exposed the SecurID hardware token seeds at EMC's RSA Security division began, by most accounts, with an email phishing campaign against small groups of rank-and-file employees.
Employee security awareness training is a component of any healthy information security program, but encryption key security must not be overlooked either. Like the hardware token seeds, the encryption keys are, well, the key security mechanism of any encryption scheme: whoever holds the key holds the data. Their protection is paramount, and key storage, retrieval, and usage are the points where a system purporting to be 'secure by default' is most likely to fall short.
Clumio has built key security into its core platform. First, the Customer Master Key (CMK) can reside in the customer's own KMS. Data is encrypted with Data Encryption Keys (DEKs), and each DEK is itself encrypted (wrapped) under the CMK; only the wrapped DEK ciphertext is stored, alongside the customer's encrypted data. Plaintext key material is never stored; it is present only in memory, and only for the duration of an encryption operation.
For data retrieval (restore) operations, temporary keys are generated and delivered securely to the customer premises. The data is decrypted within the Clumio service and then re-encrypted under the temporary keys before transmission. This way the CMK stays in the cloud and never has to be transmitted at all.
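As an added example (this is not Clumio's code and says nothing about its actual implementation), the envelope-encryption scheme and restore flow described above can be modelled in Go with only the standard library. The simulated KMS holds the CMK and exposes nothing but wrap/unwrap, each backup gets a fresh DEK that is wrapped under the CMK and stored next to the ciphertext, and the restore path decrypts inside the "service" and re-encrypts under a one-time temporary key so the CMK never leaves it. The choice of AES-256-GCM, the purpose labels passed as associated data, every identifier, and the sample payload are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS models the customer-held key service: it owns the CMK and exposes only wrap/unwrap.
type KMS struct{ cmk []byte }
func NewKMS() *KMS { return &KMS{cmk: randBytes(32)} }

// WrapDEK and UnwrapDEK are the only operations the service may ask of the KMS.
func (k *KMS) WrapDEK(dek []byte) ([]byte, error)       { return seal(k.cmk, dek, []byte("dek")) }
func (k *KMS) UnwrapDEK(wrapped []byte) ([]byte, error) { return unseal(k.cmk, wrapped, []byte("dek")) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failure is unrecoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, prepending a random nonce; aad labels each blob's purpose.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to nonce, ciphertext, tag or aad fails authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short (%d bytes)", len(sealed))
}

// Backup is what gets stored: the wrapped DEK travels with the ciphertext.
type Backup struct{ WrappedDEK, Ciphertext []byte }

// Encrypt uses a fresh DEK per backup; the plaintext DEK exists only in this function's memory.
func Encrypt(kms *KMS, data []byte) (*Backup, error) {
	dek := randBytes(32)
	wrapped, err := kms.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, data, []byte("backup"))
	if err != nil {
		return nil, err
	}
	return &Backup{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt runs inside the service: unwrap the DEK via the KMS, then open the data.
func Decrypt(kms *KMS, b *Backup) ([]byte, error) {
	dek, err := kms.UnwrapDEK(b.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, b.Ciphertext, []byte("backup"))
}

// Restore decrypts inside the service and re-encrypts under a one-time temporary key for
// the customer; neither the CMK nor the backup's own DEK ever leaves the service.
func Restore(kms *KMS, b *Backup) (tempKey, sealed []byte, err error) {
	plain, err := Decrypt(kms, b)
	if err != nil {
		return nil, nil, err
	}
	tempKey = randBytes(32)
	sealed, err = seal(tempKey, plain, []byte("restore"))
	return tempKey, sealed, err
}

// CustomerRestore runs on the customer side and needs only the temporary key.
func CustomerRestore(tempKey, sealed []byte) ([]byte, error) { return unseal(tempKey, sealed, []byte("restore")) }

func main() {
	kms := NewKMS()
	b, _ := Encrypt(kms, []byte("constructed sample backup payload")) // constructed input
	tempKey, sealed, _ := Restore(kms, b)
	out, _ := CustomerRestore(tempKey, sealed)
	fmt.Printf("restored %q\n", out)
}
```

Two design points are worth noting. The temporary key handed to the customer opens only the restore blob, never the stored backup, because the two are encrypted under different keys, and a tampered or wrong-CMK wrapped DEK fails authentication before any data is touched. The purpose labels passed as associated data are defense in depth: every blob is already under a distinct key, but the label means that even a key-reuse mistake cannot let a blob be opened for a purpose it was not sealed for. In a real AWS deployment the WrapDEK/UnwrapDEK pair corresponds to the KMS GenerateDataKey and Decrypt calls against the customer's key.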
Of course, these transactions are also protected at the outer layer by Transport Layer Security (TLS). IAM roles and policies follow the principle of least privilege: each component is granted only the permissions it needs to perform its function. Additionally, the AWS-provided data security services, such as server-side encrypted SQS queues, encrypted EBS volumes, and encrypted S3 buckets, are used throughout, each backed by additional encryption keys in Clumio's KMS for a further layer of protection.
The point of using multiple encryption keys for different purposes is to address two of the core weak points Schneier names: the software and the network. That doesn't remove the need to address the other weak points, but it lays a solid foundation for secure data protection that should satisfy both IT departments and CSOs.
Clumio leverages the scale and elasticity of the public cloud to dynamically meet the changing needs of the enterprise. Security is incorporated at the core of its design to provide a secure backup and recovery service. This empowers the IT team to focus on strategic business priorities, instead of the mundane tasks of managing backup and restore infrastructure.