Cryptography in the Cloud
When Moving to the Cloud, Don't Overlook Cryptographic Security
"Information in motion and information at rest are best protected by cryptographic security measures," says Ralph Spencer Poore, an expert in cryptography. "In the cloud, we don't have the luxury of having actual, physical control over the storage of information, so the only way we can ensure that the information is protected is for it to be stored cryptographically, with us maintaining control of the cryptographic key."
But know what you're looking for when you seek a cloud provider who promises cryptographic security, Poore says. "Cryptographic security measures must not be left to the imagination of the party in the cloud," he says. "Do your homework. Really understand what the capabilities are of any organization to which you're outsourcing."
Among the unique challenges are jurisdictional issues. "Because the cloud has the potential of being international, and because cryptographic technology is considered by most nations to be 'munitions' or a similarly restricted category, cryptographic implementations may have jurisdictional limitations and potential liabilities," Poore says. "The client relying on the cloud should ensure that such issues are clearly addressed by contract."
In an interview about cryptographic security in the cloud, Poore discusses:
- How cryptography relates to cloud computing;
- Challenges to overcome when employing cryptographic security;
- Key questions to ask of cloud service providers re: cryptography.
Poore is Chief Cryptologist for Cryptographic Assurance Services LLC (Arlington, TX). He has over 35 years of information security experience, including over 20 years of applied cryptography. He has written extensively on the subject and his work is cited in academic papers, national standards, professional journals, and books.
TOM FIELD: To get us started, why don't you tell us a little bit about yourself and your work, please?
RALPH SPENCER POORE: I have been in the information security business for over 35 years. I have been involved in the development of cryptographic standards and in both the cryptanalysis, which is the breaking of ciphers and codes, and cryptography, which is the use of ciphers and codes, and that is why I go with the title cryptologist, which summarizes the entire field.
Cryptology Today
FIELD: Well, maybe it is appropriate to ask you then, Ralph, what is it fundamentally that security leaders need to know about cryptology today?
POORE: I think the most important thing to understand is that information in motion and information at rest are best protected by cryptographic security measures. In the case of information at rest, we often think of access controls, but that presupposes a physically securable environment and an environment over which one exercises basically full control.
In our internet realm and in the cloud, we don't have the luxury of having actual physical control over the storage of information so the only way that we can ensure that the information is protected is for it to be stored cryptographically with us maintaining control over the cryptographic key.
That allows us to trust that information can't be misused because the information can only be operated on by those people who possess the appropriate cryptographic keys.
The Cloud Computing Connection
FIELD: So, to bring this around to our topic about cloud computing, what is most important to know about cryptography and cryptographic security as it relates to the cloud?
POORE: Well, the most important aspect of any outsourcing, especially in the instance with outsourcing into the cloud, is that your control is contractually based. That is the contract that you have, and its practical enforceability is really the only control that you can apply. You have to be able to assure that cryptographic controls and any other kinds of process controls you want to have in place are clearly defined in your contract, including with SLAs, so that you can hold them properly accountable.
In the area of cryptography, you also have to consider jurisdictional issues because while you may contract with someone over whom you can exercise legal jurisdiction, they may exist in the U.S. or in a country where you trust the jurisprudence, they in turn may further outsource to countries unknown to you, and it is necessary for you to have addressed that because cryptography is a technique that is so powerful that many nations, including the United States, treat it almost as if it were a kind of munitions or military advantage that one country would have.
Building the Business Case
FIELD: Well, that is a good way to put it into context. Now let's say as a security leader I want to make the business case for cryptographic security in the cloud. What are the benefits that I want to be talking about in that conversation?
POORE: Well, the first is to determine whether or not the data that you are using is sufficiently important to warrant protection against unauthorized disclosure, which is one of the things that cryptography works really well at doing. So if your information is information that has a requirement for privacy protection or has adverse implications to your business if it were to, say, end up in the Wall Street Journal, then in those instances you already have a business case for protecting the information, and the only protection that you are going to have against the actual event of this disclosure is the use of cryptography.
Now some organizations take a legal position and basically say "Well, we have a contract, and we will sue them for damages if they release the information." That is well and good if, from your business perspective, an after-the-fact remedy is going to be satisfactory. But for most large organizations, being able to sue somebody after the fact is not really sufficient from a business perspective. It is far more important that the disclosure be prevented.
A secondary use of cryptography is for authentication purposes and for the integrity of the message itself. Cryptography can be used to allow you to detect an unauthorized change or modification, and it can also be used for you to be able to attribute a source and destination to the information through the proper use of cryptographic key management. The use of digital signatures is an example of that.
So if you have transactions, the alterations or the unauthorized substitution of which could result in significant problems, which would be the case in say funds transfer or some other business transaction that committed large amounts of money, then it would be important for you also to use cryptography; so again, you would have a business case to have cryptography in place.
Cryptographic Challenges
FIELD: Now you started to speak to this a few minutes ago, Ralph, and that is the challenges that also have to be considered. In addition to the ones that you have outlined, what are some of the key challenges when you turn to cryptography in the cloud?
POORE: Well, key is exactly the right word. Cryptography requires the management of cryptographic keys, whether this is in the symmetric key cryptography, which is where both sides use the same key for encrypting and decrypting, that key must be a secret known by no human being on the face of the planet. Or, whether it be asymmetric cryptography, which is where you use a public key and a private key, which is the case in most digital signature implementations, and even in that the private key has to be kept secret and again should not be known by any human being.
In cryptography, the adage attributed to Benjamin Franklin that 'Two can keep a secret if one of them is dead' is altered to 'Two can keep a secret if both of them are dead.' Cryptographic secrets should not be known by human beings; it should not be possible for a human being to give up a cryptographic key.
That is quite a challenge in the cloud environment, because at least currently, if you are outsourcing the applications and therefore the computations, those have to be done in the clear. So you have a situation where your information has to be able to be decrypted by someone in the cloud in order for them to perform the functions that you are asking them to perform and then re-encrypt it for storage. That makes them part of the cryptographic key management process, and that is always a challenge because you may not be in a position to directly supervise or audit that process, yet it is critical to whether or not your information is safe and secure.
Questions for Vendors
FIELD: Well that gives me a great segue into the next topic, which is as you are starting to interview cloud providers, what are the most important questions you want to be asking them about cryptographic security?
POORE: Well, there are several, one of which is how are they handling cryptography from the point of view of legal structure, and what jurisdictions are they operating in? Because if they are further outsourcing or if they themselves are in a country which requires the publishing of those keys to government agencies or restricts what algorithms are even available, you could have a circumstance where the best that they could do would not be very good.
Tips for Cryptography in the Cloud
FIELD: So given everything that we have discussed here, Ralph, if you could boil it down to some critical points of advice for security leaders, what would you advise them when approaching this whole topic of cryptographic security in the cloud?
POORE: Firstly, have done your homework; really understand what the capabilities are of any organization to whom you are outsourcing. Second, make sure you have your legal people involved and that they have access to people who actually understand the details of cryptography and can help them in crafting an appropriate agreement, including appropriate service level arrangements for cryptography.
Because you are going to be 100 percent at the mercy of the contract, you need to make absolutely certain you have not left out the important aspects of how you expect cryptographic key management to work and how you expect the cryptographic materials to be controlled. Otherwise, what you will have is an automatic defense that they scrambled something and called it encryption and that met the requirements of the contract because you didn't know any better and didn't put anything stronger in the language of your contract.
In addition, the negotiation process that you go through to put that kind of detail into your outsourcing contract will tell you a great deal about the company with whom you are doing business. If they can't live up to those aspects or if they are not willing to negotiate that kind of control to be in place, then you probably shouldn't be doing business with them.