Nagib Aouini, Head of Division Cyber Security Services
« Migrating to the cloud while protecting your sensitive data »
#ESSP17 Salons eCom | Swiss IT Business | SMARC | POS
30 & 31 May 2017 – Palexpo Genève
Table of contents
― Move to cloud inhibitor
― CloudTrust vision
― How to migrate to cloud with CloudTrust with strong security
― Common enterprise use cases: Azure, Office365 and CRM Online, Anyapp
― Questions & Answers
Let’s move to cloud
copyright 2017 – Salons eCom | ELCA - ESSP17 - CloudTrust
« Are you sure »
Growth of B2B collaboration is a challenge for cloud
Legal and regulatory compliance is also challenging with cloud
Swiss data protection law (LPD)
• Control of data and data portability
• Right to erasure of data
European General Data Protection Regulation (GDPR)
• Right to modify and remove data «right to be forgotten»
• Clear consent to process personal data
• Public disclosure of data breaches
Inhibitors to cloud adoption: case study international financial institution
Challenge: Use the Microsoft Office365 suite as the business solution to store documents online and improve collaboration across subsidiaries
Problem: Compliance with financial-industry regulations on personal information and its location (PCI-DSS / FINMA) and on personal data (GDPR / LPD). Data might be hosted in Europe but still, from the IT point of view, sit outside Europe
Data center in the US
Main office in Switzerland
Users in subsidiaries worldwide
Inhibitors to cloud adoption: case study medical information system
Challenge: Development of a medical portal across Switzerland allowing hospitals, doctors and patients to access medical information hosted on Microsoft Dynamics CRM online
Problem: privacy and control of data shall be ensured, and a data center hosted outside Switzerland is a serious risk for such information
Inhibitors to cloud adoption: case study manufacturing company / Aerospace and Defence
Challenge: Use the Azure IaaS and PaaS services (VMs, Storage, Web …) for a custom business solution to ease collaboration and productivity across subsidiaries located worldwide
Problem: Some IP/business-sensitive data and export control regimes (ITAR / FedRAMP …) require some data to be encrypted using strong key controls and encryption techniques because of jurisdiction
Data center in the US
Main office in Switzerland
Users in subsidiaries worldwide
Key inhibitors and pain points to cloud adoption
What is a CASB?
…
Who controls your encryption keys and your identities?
Source : Data Encryption Technologies in Office 365
CloudTrust Swiss HSM and KeyVault powered by Quantum Cryptography
[Figure: demo of field-level encryption through the CloudTrust Proxy. A sample record (Name: Nagib Aouini, Ave de la Harpe; Birth: 01.01.74, Male; City: Geneva; Credit Card: 4111-456-432-789; Email) is shown in clear on the user side; in the cloud the Name, Card # and City fields are stored as ciphertext, the card number keeping its format (shown as 4K8G-E69N-03WD-7297). Keys stay in the Hardware Security Module.]
We protect all keys within a Swiss vault, which prevents keys from being exported or leaked, based on a QRNG (Quantum Random Number Generator)
*HSM: Hardware Security Module
TRUST & ZERO KNOWLEDGE ENCRYPTION APPROACH
PRIVACY USING STRONG ENCRYPTION AND QRNG
REMOTE CONTROL & USABILITY
[Figure labels: HSM remote control device; Swiss HSM; Quantum Random Generator Source]
CloudTrust aims to be the first open source CASB solution
The CASB Market is changing and actors evolving
SaaS solution by ELCA
- ELCA is a Leading Swiss software implementation and integration firm
- Existing team of highly-skilled security specialists
- Data center in Switzerland
- Strong experience in developing IT products
Overload traffic and extraordinary events management
Strong multi-factor authentication
Application-layer encryption
SaaS Ticketing solution
Overview: CloudTrust solution
■ ELCA developed CloudTrust, the first Open Source (OSS) CASB solution:
• Providing a CASB OSS product covering the features for visibility, data loss prevention, threat protection and access control
• Offering advanced configuration via a user-friendly interface
• Hosted in Switzerland (or another sovereign country) or installed on-premise. Customers can access the source code to review the key and encryption protocol, thus providing «trust» in the software. Running on the OpenShift stack.
CloudTrust powered by RedHat stack (current state)
GlusterFS (Network Storage / File System)
OpenShift (Container Platform)
Kubernetes (Orchestration)
Ansible (Management & Operations)
CloudTrust internal services: KeyCloak
Federation plugin (WS-Fed, SAML, OIDC …)
Why an Open Source CASB?
First OSS based CASB provider
Strong Key Management with Zero Trust Knowledge approach
Flexible deployment powered by RedHat stack (OpenShift, Kubernetes and Ansible)
All in one product and fully auditable source code
No Vendor lock-in
Keep your own keys approach (KYOK)
Lower cost to maintain and support thanks to a large developer base
Can be hosted in private cloud in sovereign country or provided as managed services
Strong R&D and collaboration with research in cryptography
Trust
CloudTrust, an all-in-one CASB solution
IGMSuite MFA – Multi-factor authentication provided as a service
CloudTrust for Office 365
With CloudTrust, a company has confidence in and control over how sensitive data is stored in Office365.
CloudTrust enables Symmetric Searchable Encryption (SSE) for documents stored in Office365.
Each document is processed through a Keyword Extractor that runs on-premise, so no sensitive data goes to the cloud provider.
Only ciphered documents leave the enterprise, while the encryption key stays under the control of the company.
ELCA R&D is developing advanced algorithms for searchable encryption, allowing efficient search on encrypted data
How CloudTrust performs Searchable Encryption
[Diagram step: User saves a Word document in OneDrive (SharePoint)]
CloudTrust can perform searches over Office365 documents. Each user generates a query that is intercepted by the CloudTrust gateway module. The CloudTrust search module then generates an encrypted query to Office365; this query is the output of the search module, which passes the DocID.
[Diagram step: User searches keyword(s) in SharePoint]
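To make the two searchable-encryption slides concrete, here is an added Python example (not ELCA's code, and not the algorithm ELCA R&D is developing) that implements the basic single-keyword SSE scheme of Cash et al. [CJ+2014] in the roles the slides describe: an on-premise gateway extracts keywords, builds the encrypted index and encrypts the document bodies, while the cloud side holds only ciphertext and answers a search token with the matching DocIDs. The sample documents, the class names (OnPremGateway, CloudSearchModule) and the HMAC counter-mode stand-in for AES-GCM are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample documents (assumed; not from the slides)
DOCUMENTS = {
    "doc-001": "Quarterly report for the Geneva office: revenue up, headcount stable.",
    "doc-002": "Contract draft with a supplier in Geneva, payment terms net 30.",
    "doc-003": "Holiday schedule for the Zurich office.",
}


def prf(key: bytes, msg: bytes) -> bytes:
    """Pseudorandom function F used for index labels and key derivation."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES-GCM (assumption). XOR is its own inverse."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += prf(key, nonce + struct.pack(">I", counter))
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))


def extract_keywords(text: str) -> set:
    """Keyword extractor: lower-cased alphanumeric tokens, run on-premise only."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


class OnPremGateway:
    """Runs inside the enterprise: holds the keys, builds the index, issues search tokens."""

    def __init__(self) -> None:
        self.k_index = os.urandom(32)  # key for the searchable index
        self.k_doc = os.urandom(32)    # key for document bodies

    def _keyword_keys(self, keyword: str) -> Tuple[bytes, bytes]:
        # K1 labels the entries of this keyword, K2 encrypts the DocIDs stored in them
        k1 = prf(self.k_index, b"\x01" + keyword.encode())
        k2 = prf(self.k_index, b"\x02" + keyword.encode())
        return k1, k2

    def build_index(self, docs: Dict[str, str]) -> Tuple[Dict[bytes, bytes], Dict[str, bytes]]:
        postings: Dict[str, List[str]] = {}
        blobs: Dict[str, bytes] = {}
        for doc_id, text in docs.items():
            for word in extract_keywords(text):
                postings.setdefault(word, []).append(doc_id)
            nonce = os.urandom(16)
            blobs[doc_id] = nonce + stream_xor(self.k_doc, nonce, text.encode())
        index: Dict[bytes, bytes] = {}
        for word, ids in postings.items():
            k1, k2 = self._keyword_keys(word)
            for i, doc_id in enumerate(sorted(ids)):
                label = prf(k1, struct.pack(">I", i))              # F(K1, counter)
                padded = doc_id.encode().ljust(16, b"\x00")
                index[label] = stream_xor(k2, label[:16], padded)  # Enc(K2, DocID)
        return index, blobs

    def search_token(self, keyword: str) -> Tuple[bytes, bytes]:
        """The 'encrypted query' sent to the cloud: two PRF outputs, not the keyword string."""
        return self._keyword_keys(keyword.lower())

    def decrypt_doc(self, blob: bytes) -> str:
        return stream_xor(self.k_doc, blob[:16], blob[16:]).decode()


class CloudSearchModule:
    """Cloud side: stores only the index and ciphertext blobs, never keys or plaintext."""

    def __init__(self, index: Dict[bytes, bytes], blobs: Dict[str, bytes]) -> None:
        self.index = index
        self.blobs = blobs

    def search(self, token: Tuple[bytes, bytes]) -> List[str]:
        k1, k2 = token
        doc_ids: List[str] = []
        i = 0
        while True:
            label = prf(k1, struct.pack(">I", i))
            if label not in self.index:
                break  # no more entries for this keyword
            padded = stream_xor(k2, label[:16], self.index[label])
            doc_ids.append(padded.rstrip(b"\x00").decode())
            i += 1
        return doc_ids


if __name__ == "__main__":
    gateway = OnPremGateway()
    index, blobs = gateway.build_index(DOCUMENTS)
    cloud = CloudSearchModule(index, blobs)
    for hit in cloud.search(gateway.search_token("Geneva")):
        print(hit, "->", gateway.decrypt_doc(cloud.blobs[hit]))
```

The cloud never sees a keyword or a document body, only PRF labels and ciphertext; what it does see is which DocIDs each token matches and how often each token is queried. That access and query pattern is exactly the leakage that [GA+2017] and [ZK+2016] in the reference list exploit, so a deployment has to decide how much of it the threat model tolerates.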
References
– [CJ+2013] D. Cash, S. Jarecki, C. Jutla, H. Krawczyk, M.-C. Rosu, and M. Steiner. Highly-Scalable Searchable Symmetric Encryption with Support for Boolean Queries. Cryptology ePrint Archive, Report 2013/169.
– [CJ+2014] D. Cash, J. Jaeger, S. Jarecki, C. Jutla, H. Krawczyk, M.-C. Rosu, and M. Steiner. Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation. Proceedings of the 21st Annual Network and Distributed System Security Symposium, NDSS 2014.
– [GA+2017] M. Giraud, A. Anzala-Yamajako, O. Bernard, and P. Lafourcade. Practical Passive Leakage-Abuse Attacks Against Symmetric Searchable Encryption. Cryptology ePrint Archive, Report 2017/046.
– [HA+2014] W. He, D. Akhawe, S. Jain, E. Shi, and D. Song. ShadowCrypt: Encrypted Web Applications for Everyone. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security.
– [LC+2014] B. Lau, S. P. Chung, C. Song, Y. Jang, W. Lee, and A. Boldyreva. Mimesis Aegis: A Mimicry Privacy Shield – A System's Approach to Data Privacy on Public Cloud. Proceedings of the 23rd USENIX Security Symposium, 2014.
– [ZK+2016] Y. Zhang, J. Katz, and C. Papamanthou. All Your Queries Are Belong to Us: The Power of File-Injection Attacks on Searchable Encryption. Cryptology ePrint Archive, Report 2016/172.
FPE from a Feistel Network – FF3
[Figure: FF3 example over a 62-symbol alphabet. Characters map to indices a…z = 0…25, A…Z = 26…51, 0…9 = 52…61 (a=0, d=3, l=11, o=14, r=17, s=18, t=19, u=20, z=25, A=26, B=27, C=28, T=45, Z=51, 0=52, 9=61). "Trust…" becomes 45 17 20 18 19…, which the Feistel network maps to 18 11 31 8 11… = "slFil…"; "Cloud…" becomes 28 11 14 20 3…, mapped to 3 4 43 23 17… = "deRxr…". The ciphertext keeps the length and alphabet of the plaintext.]
How is data saved encrypted in CRM online?
1 – User saves a new contact
2 – CASB intercepts the request and encrypts the field before it leaves the enterprise network
3 – Contact is encrypted and stored in CRM online, but the user can still see it in clear
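The FF3 slide and the three CRM steps describe one mechanism: a Feistel network over the slide's 62-symbol alphabet turns a field into ciphertext of the same length and character set, so the CRM schema accepts it unchanged and the CASB can decrypt it on the way back (step 3). The following Python example is added here and is not ELCA's code; it keeps the FF3 structure (alternating unequal halves, modular addition in the radix, a tweak, 8 rounds) but uses HMAC-SHA256 as the round function in place of the AES block cipher that NIST FF3 specifies, so it illustrates the construction rather than implementing standard FF3. The sample contact, the use of the field name as tweak, and SENSITIVE_FIELDS are constructed assumptions.

```python
import hashlib
import hmac
import string

# Alphabet from the slide: a..z = 0..25, A..Z = 26..51, 0..9 = 52..61 (radix 62)
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits
RADIX = len(ALPHABET)
ROUNDS = 8  # same round count as FF3
SENSITIVE_FIELDS = ("name", "card", "city")  # fields the CASB encrypts (assumption)

# Constructed sample contact (assumption; not the slide's demo record)
SAMPLE_CONTACT = {
    "name": "Alice Example",
    "card": "4111-4567-4321-7890",
    "city": "Geneva",
    "email": "alice@example.com",
}


def to_num(s: str) -> int:
    """Read a string over ALPHABET as a radix-62 number, first symbol most significant."""
    n = 0
    for ch in s:
        n = n * RADIX + ALPHABET.index(ch)
    return n


def to_str(n: int, length: int) -> str:
    """Inverse of to_num, left-padded with 'a' (= 0) to the requested length."""
    chars = []
    for _ in range(length):
        chars.append(ALPHABET[n % RADIX])
        n //= RADIX
    return "".join(reversed(chars))


def round_function(key: bytes, tweak: bytes, rnd: int, half: str, out_len: int) -> int:
    """Keyed round function; HMAC-SHA256 stands in for FF3's AES block (assumption)."""
    msg = tweak + b"|" + bytes([rnd]) + b"|" + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (RADIX ** out_len)


def feistel_encrypt(key: bytes, tweak: bytes, plaintext: str) -> str:
    """Encrypt a string over ALPHABET into a string of the same length and alphabet."""
    if len(plaintext) < 2 or any(ch not in ALPHABET for ch in plaintext):
        raise ValueError("input must be at least 2 symbols of ALPHABET")
    u = len(plaintext) // 2
    v = len(plaintext) - u
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # length of the half rewritten in this round
        c = (to_num(a) + round_function(key, tweak, i, b, m)) % (RADIX ** m)
        a, b = b, to_str(c, m)
    return a + b


def feistel_decrypt(key: bytes, tweak: bytes, ciphertext: str) -> str:
    """Run the rounds backwards: same round function, subtraction instead of addition."""
    u = len(ciphertext) // 2
    v = len(ciphertext) - u
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c, b = b, a
        a = to_str((to_num(c) - round_function(key, tweak, i, b, m)) % (RADIX ** m), m)
    return a + b


def _map_field(key: bytes, field_name: str, value: str, forward: bool) -> str:
    """Transform only the ALPHABET symbols of a field; hyphens and spaces stay in place."""
    positions = [i for i, ch in enumerate(value) if ch in ALPHABET]
    core = "".join(value[i] for i in positions)
    fn = feistel_encrypt if forward else feistel_decrypt
    mapped = fn(key, field_name.encode(), core)  # field name as tweak (assumption)
    out = list(value)
    for pos, ch in zip(positions, mapped):
        out[pos] = ch
    return "".join(out)


def encrypt_contact(key: bytes, contact: dict) -> dict:
    """Step 2: what the CASB does to the request before it leaves the enterprise network."""
    return {f: _map_field(key, f, v, True) if f in SENSITIVE_FIELDS else v
            for f, v in contact.items()}


def decrypt_contact(key: bytes, contact: dict) -> dict:
    """Step 3: the user still sees the contact in clear because the CASB reverses the mapping."""
    return {f: _map_field(key, f, v, False) if f in SENSITIVE_FIELDS else v
            for f, v in contact.items()}


if __name__ == "__main__":
    key = b"\x01" * 32  # demo key; a real deployment keeps this in the HSM
    stored = encrypt_contact(key, SAMPLE_CONTACT)
    print("stored in CRM:", stored)
    print("shown to user:", decrypt_contact(key, stored))
```

Using the field name as tweak means the same value in two different fields encrypts to two different ciphertexts, and leaving separators untouched is what keeps the CRM's own format validation happy on the encrypted value.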
Manage & Control: CloudTrust Identity as a Service (IDaaS)
■ B2B, B2E and B2C identities can be managed centrally using the user-friendly web interface
■ Specific users can easily be given access to specific cloud applications via a central IDP hub supporting federation standards (OIDC, OAuth, SAML 2, WS-Fed)
[Diagram: central IDP hub with OIDC, SAML and WS-FED connectors, federating identities to any app]
Custom-made Single Page App without CloudTrust
[Diagram: Web Browser and Web Server. The browser's initial request loads the AngularJS application from the web server; the app then exchanges JSON { … } with the application API over AJAX (steps 1–8).]
App can be migrated in public/private cloud with CloudTrust
[Diagram: the same AngularJS browser / web server / API flow (steps 1–8), now deployed in a public/private cloud with CloudTrust protecting any app.]
How CloudTrust can protect Single Page App (Any App)
[Diagram: Any app; the Web Browser (1) exchanges JSON { … } with the application through CloudTrust.]
Features and Benefits
Gain a competitive edge by accessing our latest features prior to general availability
Experience hands-on, one-on-one learning of new features
Work closely with the CLOUDTRUST technical staff
Provide influential feedback
Access to source code if you provide developers
https://github.com/cloudtrust
Launching in Q4 2017
This program gives you early insight into CLOUDTRUST features, lets you influence product development and gives access to the GitHub repository
Register here
www.elca.ch/cloudtrust