Upload
kent-white
View
219
Download
0
Embed Size (px)
Citation preview
8/13/2019 c_geot01
1/9
WHITE PAPER
Choosing a Cloud Provider with ConfidenceSSL Provides a Secure Bridge to the Cloud
8/13/2019 c_geot01
2/9
WHITEPAPER
ExecutiveSummary
CloudcomputingisrapidlytransformingtheITlandscape,andtheconversationaround
adoptingcloudtechnologyhasprogressedfromiftowhen.Enterprisesareshowing
stronginterestinoutsourced(public)cloudofferingsthatcanhelpthemreducecostsand
increasebusinessagility.Thesecloudservicesofferenormouseconomicbenefits,butthey
alsoposesignificantpotentialrisksforenterprisesthatmustsafeguardcorporateinformation
assetswhilecomplyingwithamyriadofindustryandgovernmentregulations.
ManycloudserviceproviderscandeliverthesecuritythatenterprisesneedandSSL(secure
socketslayer)certificatesarepartofthesolution.Morespecifically,SSListhesolutionfor
securingdatawhenitisinmotion.
Thegoalofthiswhitepaperistohelpenterprisesmakepragmaticdecisionsaboutwhereand
whentousecloudsolutionsbyoutliningspecificissuesthatenterprisesshouldraisewithhosting
providersbeforeselectingavendor,andbyhighlightingthewaysinwhichSSLfromatrusted
certificateauthoritycanhelpenterprisesconductbusinessinthecloudwithconfidence.
8/13/2019 c_geot01
3/9
WHITEPAPER
ReadyorNot,HereComestheCloud
Somepeoplebelievecloudcomputingisthemostsignificantparadigmshiftsincetheadventof
theinternet.Othersthinkitsjustafad.Butonethingisforcertain:cloudtechnologyisquickly
risingtothetopofeveryCIOsprioritylist1. Organizationsareacceleratingtheiruptakeofcloud
services,andindustryanalystssuchasGartnerResearchestimatethatenterprisesaroundthe
worldwillcumulativelyspendUSD$112billiononcloudservicesoverthenextfiveyears.2
New Opportunities for Business
Mostorganizationscitecostsavingsasthemostimmediatebenefitofcloudcomputing.Forthe
enterprise,cloudservicesofferlowerITcapitalexpendituresandoperatingcosts,on-demand
capacitywithself-serviceprovisioning,andpay-per-usepricingmodelsforgreaterflexibilityand
agility.Theserviceprovider,inturn,achievesexponentiallygreatereconomiesofscalebyprovidinga
standardizedsetofcomputingresourcestoalargebaseofcustomers.Manyenterprisehosting
providersarealreadywellpositionedinthemarketandhavethecorecompetencies(people,
processes,technology)todeliverthepromiseofcloudcomputingtotheenterprise.
New Security Challenges for IT
Despitethecleareconomicbenefitsofusingcloudservices,concernsaboutsecurity,
complianceanddataprivacyhaveslowedenterpriseadoption.AnIDCsurveyofITexecutives
revealsthatsecurityisthe#1challengefacingITcloudservices.3GartnerResearchhas
identifiedsevenspecificareasofsecurityrisk4associatedwithenterprisecloudcomputing,and
recommendsthatorganizationsaddressseveralkeyissueswhenselectingaprovider:
1. Access privilegesCloudserviceprovidersshouldbeabletodemonstratetheyenforceadequatehiring,oversightandaccesscontrolstoenforceadministrativedelegation.
2. Regulatory complianceEnterprisesareaccountablefortheirowndataevenwhenitsinapubliccloud,andshouldensuretheirprovidersarereadyandwillingtoundergoaudits.
3. Data locationWhenselectingahostingprovider,itsimportanttoaskwheretheirdatacentersarelocatedandiftheycancommittofollowingspecificprivacyrequirements.
4. Data segregationMostpubliccloudsaresharedenvironments,anditiscriticaltomakesurehostingproviderscanguaranteecompletedatasegregationforsecuremulti-tenancy.
5. Data recoveryEnterprisesmustmakesuretheirhostingproviderhastheabilitytodoacompleterestorationintheeventofadisaster.
6. Monitoring and reportingMonitoringandloggingpubliccloudactivityishardtodo,soenterprisesshouldaskforproofthattheirhostingproviderscansupportinvestigations.
7. Business continuity Businessescomeandgo,andenterprisesshouldaskhardquestionsabouttheportabilityoftheirdatatoavoidlock-inorpotentiallossifthebusinessfails.
Toreapthebenefitsofcloudcomputingwithoutincreasingsecurityandcompliancerisks,enterprisesmustensuretheyworkonlywithtrustedserviceprovidersthatcanaddressthese
andothercloudsecuritychallenges.Whatsmore,whenenterprisesmovefromusingjustone
cloud-basedservicetousingseveralfromdifferentproviders,theymustmanageallthese
issuesacrossmultipleoperators,eachwithdifferentinfrastructures,operationalpolicies,and
securityskills.Thiscomplexityoftrustrequirementsdrivestheneedforaubiquitousandhighly
reliablemethodtosecureyourdataasitmovesto,fromandaroundthecloud.
1.Source:GartnerEXPWorldwideSurvey (http://www.gartner.com/it/page.jsp?id=1283413 )
2.Source:GartnerResearch( http://www.gartner.com/it/page.jsp?id=1389313 )
3.Source:IDCeXchange( http://blogs.idc.com/ie/?p=730 )
4.AssessingtheSecurityRisksofCloudComputin g(http://www.gartner.com/DisplayDocument?id=685308 )Gartner,June3,2008.
http://www.gartner.com/it/page.jsp?id=1283413http://www.gartner.com/it/page.jsp?id=1283413http://www.gartner.com/it/page.jsp?id=1389313http://blogs.idc.com/ie/?p=730http://www.gartner.com/DisplayDocument?id=685308http://www.gartner.com/DisplayDocument?id=685308http://www.gartner.com/DisplayDocument?id=685308http://blogs.idc.com/ie/?p=730http://www.gartner.com/it/page.jsp?id=1389313http://www.gartner.com/it/page.jsp?id=12834138/13/2019 c_geot01
4/9
WHITEPAPER
SSLProvidesaBridgetoSecureDataintheCloud
SSLisasecurityprotocolusedbywebbrowsersandwebserverstohelpusersprotecttheir
dataduringtransfer.SSListhestandardforestablishingtrustedexchangesofinformationover
theinternet.WithouttheubiquityofSSL,anytrustovertheinternetsimplywouldnotbe
possible.SSLcomesintoplayanytimedatachangeslocation.Ifanenterprisekeepsitsdatain
thecloud,securenetworkaccesstoitisimportant.Plus,thatdataislikelytomovearound
betweenserversinthecloudwhentheserviceproviderperformsroutinemanagement
functions.Whetherdataismovingbetweenserverandbrowserorbetweenserverandserver,
SSLhelpstosecureit.
SSLdeliverstwoservicesthathelpsolvesomecloudsecurityissues.First,SSLencryptionkeeps
pryingeyesfromreadingprivatedataasitistransmittedfromservertoserverandbetween
serverandbrowser.Thesecondbenefit,possiblyevenmoreimportant,isestablishingthata
specificserveranddomaincanbetrusted.AnSSLcertificatecanauthenticatethataspecific
serveranddomaindobelongtothepersonororganizationthatitclaimstorepresent.This
benefitrequiresthatthehostingprovideruseSSLfromathird-partyCertificateAuthority(CA).
How Does SSL Work?
AnSSLcertificatecontainsapublicandprivatekeypairaswellasverifiedidentification
information.Whenabrowser(orclient)pointstoasecureddomain,theserversharesitspublic
key(viatheSSLcertificate)withtheclienttoestablishanencryptionmethodandaunique
encryptionkeyforthesession.Theclientconfirmsthatitrecognizesandtruststheissuerofthe
SSLcertificate.Thisprocess,basedonasophisticatedbackendarchitecturelacedwithchecks
anddouble-checksforsecurity,isknownastheSSLhandshakeanditcanbeginasecure
sessionthatprotectsdataprivacyandintegrity.
8/13/2019 c_geot01
5/9
WHITEPAPER
Ensuring Data Segregation and Secure Access
Datasegregationrisksareever-presentincloudstorage.Withtraditionalonsitestorage,thebusinessownercontrolsbothexactlywherethedataislocatedandexactlywhocanaccessit.
Inacloudenvironment,thatscenarioisfundamentallychanged:thecloudserviceprovider
controlswheretheserversandthedataarelocated.However,aproperimplementationofSSL
cansecuresensitivedataasitisbeingtransmittedfromplacetoplaceinthecloud,and
betweencloudproviderserversandendusersonbrowsers.
Encryption
BusinessesshouldrequiretheircloudprovidertouseacombinationofSSLandserversthat
support,atminimum,128-bitsessionencryption(or,preferably,thestronger256-bit
encryption).Thiswaytheirdataissecuredwithindustry-standardlevelsofencryptionorbetter
asitmovesbetweenserversorbetweenserverandbrowser,preventingunauthorized
interceptorsoftheirdatafrombeingabletoreadit.
Authentication
Businessesalsoshoulddemandthatserverownershipbeauthenticatedbeforeonebitofdata
transfersbetweenservers.Self-signedSSLcertificatesprovidenoauthentication.Only
independent,third-partySSLcertificatescanlegitimatelydeliverownershipauthentication.
Requiringacommercially-issuedSSLcertificatefromathird-partyCertificateAuthoritythathas
authenticatedtheservermakesitvirtuallyimpossibletoestablisharogueserverthatcan
infiltratethecloudprovidersenvironment.
Certificate Validity
Onceaserveranddomainareauthenticated,theSSLcertificateissuedtothatdevicewillbe
validforadefinedlengthoftime.IntherarecasethatanSSLcertificatehasbeencompromised
insomeway,thereisafail-safechecktoverifythatthecertificatehasnotbeenrevokedinthe
timesinceitwasoriginallyissued.EverytimeanSSLsessionhandshakeisinitiated,theSSL
certificateischeckedagainstacurrentdatabaseofrevokedcertificates.
Therearecurrentlytwostandardsusedforthisvaliditycheck,OnlineCertificatesStatusProtocol
(OCSP)andCertificateRevocationList(CRL).WithOCSPaqueryissenttothecertificate
authorityaskingifthiscertificatehasbeenrevoked;thecertificateauthorityanswersyesorno.
Iftheanswerisno,thehandshakemaycommence.CRL,ontheotherhand,requiresthatthe
browserdownloadthemostcurrentrevocationlistfromthecertificateauthorityandcheckthe
listitselftoseeifthecertificateappearsinthelist.
TheOnlineCertificateStatusProfile(OCSP)standardisconsideredthemorereliablemethodby
manybecauseitisalwaysup-to-dateandlesslikelytotime-outduetonetworktraffic.SSLcertificatesthatrelyonlyontheCRLstandardarelessdesirablebecauseininstancesofhigh
amountsofnetworktraffic,thisstepcanbemissed:somebrowserswillmisinterpretan
incompleteCRLreviewasaconfirmationthatacertificateisnotontherevokedlist,
consequentlycompletingahandshakeandinitiatingasessionbasedonarevokedSSL
certificate.Insuchascenario,arogueservercouldusearevokedcertificatetosuccessfullypass
itselfoffasalegitimateserver,creatingaripeconditionforadatabreach.
8/13/2019 c_geot01
6/9
WHITEPAPER
Facilitating Regulatory Compliance
Nextaretheregulatorycompliancerisks.Whenitcomestosecureandconfidentialdata,
businessesareburdenedwithaslewofregulations.TheserangefromlawsliketheSarbanes-
Oxley(SOX)Actwhichaffectsonlypubliccompanies,tothePaymentCardIndustrySecurity
Standard(PCI-DSS),whichaffectsanycompanyacceptingpaymentcards,tothefederalHealth
InsurancePortabilityandAccountabilityAct(HIPAA)whichaffectsanybusinesseswitheven
theremotestpossibilityoftouchingpatientdata.InEuropethereistheEUDataPrivacy
DirectiveandCanadahasanequivalentPersonalInformationProtectionandelectronic
DocumentsAct(PIPEDA).
WhenanorganizationoutsourcesITtoacloudserviceprovider,theorganizationisstillresponsible
formaintainingcompliancewithSOX,PCI,HIPAAandanyotherapplicableregulationsand
possiblymoredependingonwheretheserversandthedataareatanygivenmoment.Asaresult,
theenterprisewillbeheldliablefordatasecurityandintegrityevenifitisoutsourced.Sincethe
enterpriseITmanagercannotrelysolelyonthecloudprovidertomeettheserequirements,the
enterprisemustrequirethecloudprovidertoseeksomecomplianceoversight.Cloudcomputingproviderswhorefusetoundergoexternalauditsandsecuritycertificationsaresignalingthat
customerscanonlyusethemforthemosttrivialfunctions,accordingtoGartner.
Additionally,technologicalchangestothecloudcomputingenvironmentcanunknowinglywhittle
awayatthecomplianceofacloudcomputingproviderscustomer.Featureupgradessuchas
permissionmodifications,newcapabilities,introductionofmobiledevices,andnetworkchanges
alsocanaffectcompliance.5Here,aswithdatasegregation,SSLencryptionthwartsaccidental
disclosureofprotectedorprivatedataasregulatoryduediligenceanddataaccessisautomated.SSL
encryptionrendersallsensitivedatauselesstoanythirdpartyinterceptingorviewingit.
Keeping Data Away from Undesirable Locations
SSLaddressesthethirdareaofrisk,datalocation,inthesamemanner.Publiccloudsarelike
blackboxes:whiletheyenableubiquitousaccesstodata,theyalsoobfuscatethephysical
locationoftheserversandthedata.ButifacloudproviderusesSSLtoencryptdataasit
changesplaces,anenterprisecanbeassuredthatitsdatawillbesecureasitmovesaroundthe
cloud.Inaddition,legitimatethird-partySSLprovidersuchasGeoTrustorVeriSignwillnotissue
anSSLcertificatetoaserverinaninterdictedcountrysuchasNorthKoreaandIran.So,aslong
asthecloudproviderrequirestrustedauthenticationandencryptiononalltheirservers
throughSSLfromacertificateauthorityfollowingsuchapractice,anenterprisewillknowthat
thecloudproviderisntstoringtheirdataonIThardwareinthesecountries.
Other Areas Where SSL Can Help
Theenterpriseneedstoknowhowtheircloudprovider,withserversaroundtheglobe,safeguardsdatainthecaseofadisaster.Gartnerstatesthatanyofferingthatdoesnotreplicate
thedataandapplicationinfrastructureacrossmultiplesitesisvulnerabletototalfailure,and
thatanybusinessinthecloudhasadutytoknowifthecloudproviderisabletocompletely
restoredatafrombackupsorduplicates,andhowlongitwilltake.
Topreventdataloss,cloudserviceprovidersshouldmaintainbackupdatarepositories.Ifa
crashhappens,cloudhostswillattempttorecoverdatafrombackupservers.SSLaddsanextra
layerofprotectiontothebackupandrecoveryprocessforabusiness,ensuringthatdata
accessedfrombackuporduplicateserversisencryptedintransitandthatserversbeing
accessedforbackupdataareauthenticatedaslegitimatesourcesforthatinformation.
5.Domain10:GuidanceforApplicationSecurityV2.1,CloudSecurityAlliance,July2010.
8/13/2019 c_geot01
7/9
WHITEPAPER
UsingSSLtoEstablishandMaintainTrustintheCloud
Usingacloudserviceproviderrequiresahighleveloftrustandconfidence.Business
criticalapplicationscannotrelyontrialanderror.Businessesmustinsistuponacritical
reliabilityequationtoestablishtrust,andSSLcertificatesprovideahighlyvisibleand
immediatelyrecognizablewaytoaccomplishthat.Alternately,missingorbrokenSSLcan
destroytrustinstantly.
Forexample:supposeanenterprisechoosesacloudprovidertohosttheire-commerceweb
site,butthehosthasaproblemwiththesitesSSLcertificate.Auservisitsthesiteandis
immediatelygreetedwiththealarmingSecureConnectionFailederrororThereisaproblem
withthiswebsitessecuritycertificatemessage.Willthatuserignorethebrowserwarningand
clickthroughtocompleteatransactiononaseemingly-untrustworthysite?Notlikely.
Not All SSL is Created Equal
Thechainoftrustextendsbeyondthecloudvendortotheirsecurityprovider.Thecloud
vendorssecurityisonlyasgoodasthereliabilityofthesecuritytechnologytheyuse.Cloud
providersshouldbeusingSSLfromanestablished,reliableandsecureindependentCertificate
Authority.ItsSSLshoulddeliveratminimum128-bitsessionencryptionandoptimally256-bit
encryption.Anditshouldrequirearigorousauthenticationprocess.
EnterprisesneedtomakesuretheircloudproviderusesanSSLcertificatethatcannotbe
hacked.So,inadditiontomakingsuretheSSLcomesfromanauthorizedthird-party,the
enterpriseITorganizationshouldalsodemandthefollowingsecurityrequirementsforthe
cloudprovidersSSLsecurity:
A Certificate Authority that safeguards its global rootsbehindlayersofindustrial-
strengthsecurity,employingmultiplelevelsofelectronicandphysicalsecuritymeasures.
A Certificate Authority that maintains a disaster recovery backupforitsglobalroots
Global roots using the strong new encryption standard employing2048-bitRSAkeys.
A chained hierarchy supporting their SSL certificates.Atleastoneintermediaterootinthechainaddsanexponentiallevelofencryptionprotectiontopreventattackstotheglobalroot.
Secure hashing using the SHA-1 standardtoensurethatthecontentofcertificatescannotbetamperedwith.
Additionally,manyserversrelyonaDebian-basedoperatingsystemforgeneratingtheirSSL
keys.Thefundamentalencryptioncapabilitiesofthissystemwerecompromisedfrom2006to
2008.EnterprisesshouldmakesuretheircloudproviderisnotrelyingonserversnorSSL
certificateswhichmaybehavebeencompromisedbythisflaw.SSLcertificatescanbeissued
forvaliditylengthsofuptosixyears,soitispossiblethatSSLwiththisflawisstillbeingused.6
Authentication Generates Trust in Credentials
Trustofacredentialdependsonconfidenceinthecredentialissuer,becausetheissuer
vouchesforthecredentialsauthenticity.Certificateauthoritiesuseavarietyofauthentication
methodstoverifyinformationprovidedbyorganizations.Itisbesttochooseacloudprovider
whostandardizesonacertificateauthoritythatiswellknownandtrustedbybrowservendors,
whilemaintainingarigorousauthenticationmethodologyandahighlyreliableinfrastructure.
6.Source:http://voices.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.html
http://voices.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.htmlhttp://voices.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.htmlhttp://voices.washingtonpost.com/securityfix/2008/05/debian_and_ubuntu_users_fix_yo.html8/13/2019 c_geot01
8/9
WHITEPAPER
TherearefourlevelsofauthenticationforSSL.Allenableanencryptedexchangeof
information;thedifferencelieswithinthestrengthoftheserveranddomainauthentication
inotherwords,theamountofeffortputintovalidatingtheownershipandcontrolofthat
serveranddomain.
1. Self-signed certificates offerzeroauthenticationtoenableencryption,andthatisall.
ThistypeofSSLdoesnotprovidethesecurityrequiredbyanenterprise.
2. Domain validated certificatesofferonlybasicauthenticationbecausetheyonly
confirmthatthepersonapplyingforthecertificatehastherighttouseaspecificdomain
name.Thesecertificatesarenotrecommendedforserver-to-browserconnections
becausetheydonotvetordisplaytheidentityoftheorganizationresponsibleforthat
domainorserver.
3. Organization validated certificates offerreliableauthenticationforthecloudbecause
theyvalidatethattheorganizationclaimedtoberesponsibleforthedomainorserver
actuallyexists,andthatthepersonapplyingfortheSSLcertificateforthatdomainor
serverisanauthenticatedrepresentativefromthatorganization.TheseSSLcertificatesare
acceptablechoicesforserver-to-browserconnections,buttheydonotofferthehighest
levelofconfidence-buildingfeaturesfortheenduser.
4. Extended validation certificates (EV) arethebestchoiceforserver-to-browser
connectionsbecausetheyofferthestrongestlevelofauthenticationandtheclearest
validationthattheconnectionissecure.WithEVcertificates,thelegal,physicaland
operationalexistenceoftheorganizationisverified,asistherightofthatorganizationto
usethatdomain.UsingEVensuresthattheorganizationsidentityhasbeenverified
throughofficialrecordsmaintainedbyanauthorizedthirdparty,andthattheperson
requestingthecertificateisanauthorizedagentoftheorganization.
AnSSLcertificatewiththishighestlevelofauthenticationcanuniquelytrigger
unmistakableidentifiersinanend-userswebbrowser:agreenbrowseraddressbarthat
displaysthenameoftheorganization,andthenameofthecertificateauthoritywhich
issuedtheSSL.Whenendusersencounterthegreenaddressbar,theyhavecomplete
assurancethattheirconnectionissecure.Numerousbusinesseshavereportednoticeable
upliftsincompletedtransactions(18percentonaverageforVeriSigncustomers)after
deployingExtendedValidationSSL.Fortheseandotherreasons,EVisthepreferred
choiceforhostingapplicationsandservicesinthecloud.
8/13/2019 c_geot01
9/9
WHITE PAPER
Conclusion: Go with What You Know
SSL is a proven technology and a keystone of cloud security. When an enterprise selects a
cloud computing provider, the enterprise should consider the security options selected by that
cloud provider. Knowing that a cloud provider uses SSL from a trusted certificate authority can
go a long way toward establishing confidence in that providers commitment to safeguarding
the data in its possession.
When selecting a cloud service provider, enterprises must also be very clear with their cloud
partners regarding handling and mitigation of risk factors not addressable by SSL. Enterprises
should consider the seven categories suggested by Gartner when evaluating (and especially
when contracting with) cloud computing solutions.
Cloud providers should be using SSL from an established, reliable and secure independent
certificate authority. Its SSL should deliver at minimum 128-bit encryption and optimally
256-bit encryption based on the new 2048-bit global root. And it should require a rigorous
authentication process. The SSL issuing authority should maintain military-grade data
centers and disaster recovery sites optimized for data protection and availability. The SSL
certificate authority needs its authentication practices audited annually by a trusted
third-party auditor. The GeoTrust, Thawte, and VeriSign SSL brands all offer SSL products
that meet these requirements.
Learn More
To find a trusted cloud service provider that meets the criteria outlined in this white paper,
visithttp://www.geotrust.com/sell-ssl-certificates/strategic-partners.html.
About GeoTrust
GeoTrust is a leader in online trust products and the worlds second largest digital certificate
provider. More than 300,000 customers in over 150 countries trust GeoTrust to secure online
transactions and conduct business over the Internet. Our range of digital certificate and trust
products enable organizations of all sizes to maximize the security of their digital
transactions cost-effectively.
Contact Us
www.GeoTrust.com
2011 GeoTrust, Inc. All rights reserved. GeoTrust, the GeoTrust logo, the GeoTrust design, and other trademarks, service ma rks, anddesigns are registered or unregistered trademarks of GeoTrust, Inc. and its subsidiaries i n the United States and in foreign countries. Allother trademarks are the property of their respective owners.
APAC SALES OFFICE
GeoTrust, Inc.
134 Moray Street
South Melbourne VIC 3205
Australia
Tel +61 3 9914 5661