Personal Security in the Cloud – The Basics
Dr. Eugene W.P. Bingue, U. S. Navy, [email protected]
Dr. David A. Cook, Stephen F. Austin State University, [email protected]

Caveat Emptor [Latin: Let the buyer beware.]
Quidquid latine dictum sit, altum sonatur. [Latin: Whatever is said in Latin sounds profound.]

Questions:
• How can we protect our sensitive and personal information in the cloud?
• How much has the philosophy of commercial best practice taken over from the basics of military science and doctrine?
• Commercial Best Practices are aimed at cost savings – but do these practices endanger DOD-specific goals such as security?

The goal of this talk is to discuss how to intelligently use best practices in the DOD. This presentation will provide you with ideas, tools and methods to help protect your assets in the cloud. It might even help you sleep better at night.

CIA Triad
(figure)
Source – Unclassified IA Insecurities, Technical Security Solution Center, Diane Strohmer, http://info.publicintelligence.net/NSA-COMSEC-SecurityIncidents.pdf

What you DO know
• Many (most?) vendors add a layer of encryption to their services. How good is it? Do you trust it?
• Do you EVER use cloud services at locations that are insecure? Coffee shops? Airports?
• Are you accessing cloud services automatically and “on the fly”?
• You probably need to add an additional layer to protect your most sensitive data.

Any DOD use of the Cloud must be measured against the CIA triad!

The Cloud is a HUGE security gap!
• Cloud services are frequently transparent and automatic.
• Cloud access makes security, which is already problematic, worse.
Securing Your ‘Data at Rest’ in the Cloud
(figure)

Basic Common Sense
A Harris Interactive poll (commissioned by Dashlane) found that we make it EASY for hackers! The majority engage in activities that place personal online information at risk:
• 69% reuse a password on more than one site
• 50% of these do not regularly change passwords
• 36% of these store Personal Information - such as credit cards or tax information - on websites for convenience
• 72% of all users are worried about data compromise, yet 64% of these same people also store Personal Information online.

The Basics
• Strong and unique passwords for every site
• Avoid storing passwords in your browser
• Employ a safe password manager
• Do not open important accounts on open WiFi
• Verify that email links are to legitimate sites
• Be very wary of storing credit cards or personal data on websites
• Have backups in case of cloud failure
• Change passwords as soon as you suspect a security breach

How to Choose a Secure Password
1. Use length to your advantage
2. Form a "random" sequence of words and/or letters
3. Add numbers to the base-word to make it more secure
4. Use punctuation and symbols to "complicate" it further
5. Create complexity with upper and lowercase letters
6. Generate similar but altered passwords
Example: “LiveLongAndProsper, L1veaNDPr0s#p$”

Unfortunately, we’re not going to change human nature. What can we do?

Before we start – one critical point. Some cloud providers MOVE the data to the cloud. Some COPY it. Know which type you are using. Prepare accordingly! The buck stops with you!
File Sharing Cloud Services
File sharing tools/services are easy to use, transparent, and provide some free services. Some currently-used popular services are:
• Dropbox
• Google Drive
• Live Mesh
• SkyDrive
• Box.net
• …and the list goes on

The Basics
Well, why don’t I encrypt everything on my hard drive?
Encrypting a hard drive can make it much more difficult – if not impossible – to recover data if something goes wrong with the hard drive. So, if you must encrypt, make sure you are covered with multiple backups.
This is a “Danger, Danger Will Robinson” moment!

File & Folder Encryption
Are there some publicly available tools I can use to encrypt just the critical files and folders I use? How good are they?
TrueCrypt, AxCrypt, AES Crypt
• We are NOT selling any of these – they are simply examples of publicly available free encryption programs.
• We are NOT recommending any of these tools – we are simply using these tools to demonstrate the security services available.
• This is NOT an exhaustive list – just three programs we are familiar with.

TrueCrypt
http://www.truecrypt.org/
Features:
• Creates a virtual encrypted disk within a file and mounts it as a disk.
• Encrypts an entire partition or storage device such as a USB flash drive or hard drive.
• Encrypts a partition or drive where the OS is installed (pre-boot authentication).
• Encryption is automatic, real-time (on-the-fly) and transparent.
• Parallelization and pipelining allow data to be read and written as fast as if the drive were not encrypted.
• Encryption can be hardware-accelerated on modern processors.
• Provides plausible deniability, in case an adversary forces you to reveal the password.
• Hidden volume (steganography) and hidden operating system.
• Runs on Windows, Mac, Linux. Vaults are transferable among OSes.

Types of Encryption supported
(figure)

AxCrypt
http://www.axantum.com/axcrypt/
Features:
• Password-protect any number of files using strong encryption.
• Seamlessly integrates with Windows – single and double clicks encrypt and decrypt.
• Self-decrypting files are also supported, removing the need to install AxCrypt to decrypt.
• AES 128-bit encryption

AES Crypt
http://www.aescrypt.com/
Features:
• AES Crypt is file encryption software available on several operating systems that uses the industry-standard Advanced Encryption Standard (AES) to easily and securely encrypt files.
• Supports: Windows, Mac, and Android (Crypt4All)
• AES 256-bit

• I’ve used RSA and PGP – with 4,096-bit keys. Isn’t a 256-bit key pretty small?
• NO – AES is “different” – adding a bit does not double the possible key-size, it squares it. Cracking is exponential in key size.
NOTE: These are not from a product web site. This is from an article on AES key encryption.

• Even with a supercomputer, it would take 1 billion billion years to crack a 128-bit AES key using a brute force attack. This is more than the age of the universe (13.75 billion years). If one were to assume that a computing system existed that could recover a DES key in a second, it would still take that same machine approximately 149 trillion years to crack a 128-bit AES key.
• The following snippet is a snapshot of a technical paper titled "128-bit versus 256-bit AES encryption" to explain why AES is sufficient to meet future needs.
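The "DES key in a second" figure above and the "use length to your advantage" rule from the password slide are the same arithmetic: a keyspace of 2^bits divided by a guessing rate. The following is an added example, not from the talk or the article it cites, that carries that arithmetic through in Go for both the deck's AES key sizes and its two sample passwords. The password estimate is a character-class one (length times log2 of the alphabet actually used) and the symbol-class size of 33 is an assumption.

```go
package main

import (
	"fmt"
	"math"
)

// Seconds in a Julian year, used to convert a guess count into years.
const secondsPerYear = 365.25 * 24 * 3600

// desKeysPerSecond is the deck's yardstick machine: one that recovers a 56-bit
// DES key every second, i.e. tries 2^56 keys per second.
var desKeysPerSecond = math.Exp2(56)

// bruteForceYears returns the years needed to try every one of 2^bits keys at
// the given rate. This is the worst case; the expected time is half of it,
// which does not change the orders of magnitude.
func bruteForceYears(bits, guessesPerSecond float64) float64 {
	return math.Exp2(bits) / guessesPerSecond / secondsPerYear
}

// passwordBits is a character-class estimate of a password's keyspace:
// length * log2(alphabet), where the alphabet is the union of the character
// classes the password actually uses. It assumes the attacker knows which
// classes were used but must try every arrangement. Symbol class size (33,
// the printable ASCII punctuation) is an assumption.
func passwordBits(pw string) float64 {
	var lower, upper, digit, symbol bool
	runes := []rune(pw)
	for _, r := range runes {
		switch {
		case r >= 'a' && r <= 'z':
			lower = true
		case r >= 'A' && r <= 'Z':
			upper = true
		case r >= '0' && r <= '9':
			digit = true
		default:
			symbol = true
		}
	}
	alphabet := 0.0
	if lower {
		alphabet += 26
	}
	if upper {
		alphabet += 26
	}
	if digit {
		alphabet += 10
	}
	if symbol {
		alphabet += 33
	}
	if alphabet == 0 {
		return 0
	}
	return float64(len(runes)) * math.Log2(alphabet)
}

func main() {
	// The deck's two sample passwords: the longer two-class one scores higher
	// than the shorter four-class one, which is what "use length" means.
	for _, pw := range []string{"LiveLongAndProsper", "L1veaNDPr0s#p$"} {
		bits := passwordBits(pw)
		fmt.Printf("%-20s %6.1f bits  ~%.3g years on the DES-per-second machine\n",
			pw, bits, bruteForceYears(bits, desKeysPerSecond))
	}
	// The deck's AES figure: 2^128 keys at 2^56 keys per second.
	fmt.Printf("AES-128: ~%.3g years\n", bruteForceYears(128, desKeysPerSecond))
	fmt.Printf("AES-256: ~%.3g years\n", bruteForceYears(256, desKeysPerSecond))
}
```

The character-class estimate is an upper bound: an attacker who guesses dictionary words rather than characters needs far fewer tries against a passphrase made of common words, which is why step 2 on the password slide ("random" sequence) is what makes the length advantage real. The AES numbers, by contrast, are exact, since a uniformly random 128-bit key has no structure to exploit.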
AES – safe for the predictable future
• Unless new technology comes along (quantum computing?) – Moore’s law will not overcome AES encryption for billions of years.
• In the end, AES has never been cracked yet and is safe against any brute force attacks, contrary to belief and arguments.

What is needed next?
• Several of the services we have used as examples are free and open source.
• Some of the examples are for encrypting LARGE datasets (as an encrypted volume). This might not be suitable unless you have lots of small volumes. And – some applications do not let the volume grow.
• Are we recommending anything? NO!
• What is needed is more research, and some standardization. Perhaps “vision”.
• Before we can recommend any integration of this technology into DOD, we highly recommend that code Verification and Validation be performed.

Overall Summary
• Human issues are the root cause of most security problems. Cloud Computing is just another way that we “talk the talk, but don’t walk the walk”.
• Good basic security (common sense, good password practices, etc.) is the best defense.
• Policies and Procedures need to be updated to encompass Cloud Computing issues.

Two alternative approaches
(figure)

Questions?
References
http://venturebeat.com/2012/09/17/2012-security-breaches/
http://lightsquare.us/
http://lifehacker.com/391555/best-free-ways-to-protect-your-private-files
http://www.aescrypt.com/
http://www.truecrypt.org/
http://www.yousendit.com/solutions/file-transfer/secure-file-transfer
http://www.perspecsys.com/resources/what-is-cloud-data-encryption/
http://security.stackexchange.com/questions/25375/why-not-use-larger-cipher-keys
http://www.drdobbs.com/open-source/beware-open-source-encryption/220800130
http://www.eetimes.com/design/embedded-internet-design/4372428/How-secure-is-AES-against-brute-force-attacks
http://www.axantum.com/axcrypt/