Page 1:

Nagib Aouini, Head of Division Cyber Security Services

« Migration in die Cloud mit Schutz Ihrer sensibler Daten » (Migrating to the cloud while protecting your sensitive data)

#ESSP17 Salons eCom | Swiss IT Business | SMARC | POS

30 & 31 May 2017 – Palexpo Genève

Page 2:

Table of contents

― Move to cloud inhibitors

― CloudTrust vision

― How to migrate to cloud with CloudTrust with strong security

― Common enterprise use cases: Azure, Office365 and CRM Online, Anyapp

― Questions & Answers

Page 3:

Let’s move to cloud

Page 4:

copyright 2017

Salons eCom | ELCA - ESSP17 - CloudTrust

Page 5:

« Are you sure »

Page 6:

Growth of B2B collaboration is a challenge for cloud

Page 7:

Legal and regulatory compliance is also challenging with cloud

Swiss data protection law (LPD)

• Control of data and data portability

• Right to erasure of data

European General Data Protection Regulation (GDPR)

• Right to modify and remove data «right to be forgotten»

• Clear consent to process personal data

• Public disclosure of data breaches

Page 8:

Inhibitors to cloud adoption: case study international financial institution

Challenge: Use the Microsoft Office365 suite as business solution to store documents online and improve collaboration across subsidiaries

Problem: Compliance with regulations in the financial industry regarding personal information and its location (PCI-DSS / FINMA) and personal data (GDPR / LPD). Data might be hosted in Europe but, from the IT point of view, be outside Europe

Data center in the US

Main office in Switzerland

Users in subsidiaries worldwide

Page 9:

Inhibitors to cloud adoption: case study medical information system

Challenge: Development of a medical portal across Switzerland allowing hospitals, doctors and patients to access medical information hosted on Microsoft Dynamics CRM online

Problem: privacy and control of data shall be ensured, and a data center hosted outside Switzerland is a serious risk for such information

Page 10:

Inhibitors to cloud adoption: case study manufacturing company / Aerospace and Defence

Challenge: Use the Azure IaaS and PaaS services (VMs, Storage, Web …) for a custom business solution to ease collaboration and productivity across subsidiaries located worldwide

Problem: Some IP/business-sensitive data and export control (ITAR / FedRAMP …) require some data to be encrypted using strong key controls and encryption techniques because of jurisdiction

Data center in the US

Main office in Switzerland

Users in subsidiaries worldwide

Page 11:

Key inhibitors and pain points to cloud adoption

Page 12:

What is a CASB (Cloud Access Security Broker)?

Page 13:

Who controls your encryption keys and your identities?

Source: Data Encryption Technologies in Office 365

Page 14:

CloudTrust Swiss HSM and KeyVault powered by Quantum Cryptography

[Figure: a sample customer record (Name: Nagib Aouini, Ave de la Harpe; Birth: 01.01.74, Male; City: Geneva; Credit Card: 4111-456-432-789; Email) shown in clear inside the enterprise and as ciphertext once it has passed the CloudTrust Proxy, the card number appearing in a format-preserving form such as 4K8G-E69N-03WD-7297. The keys are held in a Hardware Security Module.]

We protect all keys within a Swiss vault that prevents keys from being exported or leaked, with key material based on a QRNG (Quantum Random Number Generator)

*HSM: Hardware Security Module

TRUST & ZERO KNOWLEDGE ENCRYPTION APPROACH

PRIVACY USING STRONG ENCRYPTION AND QRNG

REMOTE CONTROL & USABILITY

HSM Remote control device

Swiss HSM

Quantum Random Generator Source

Page 15:

CloudTrust aims to be the first open source CASB solution

Page 16:

The CASB market is changing and actors are evolving

Page 17:

SaaS solution by ELCA

- ELCA is a leading Swiss software implementation and integration firm

- Existing team of highly skilled security specialists

- Data center in Switzerland

- Strong experience in developing IT products

Overload traffic and extraordinary events management

Strong multi-factor authentication

Application-layer encryption

SaaS ticketing solution

Page 18:

Overview: CloudTrust solution

■ ELCA developed CloudTrust, the first Open Source (OSS) CASB solution:

• Providing a CASB OSS product covering the features for visibility, data loss prevention, threat protection and access control

• Offering advanced configuration via a user-friendly interface

• Hosted in Switzerland (or a sovereign country) or installed on-premise. Customers can access the source code to review the key and encryption protocol, thus providing «trust» in the software. Running on the OpenShift stack.

Page 19:

CloudTrust powered by RedHat stack (current state)

GlusterFS (Network Storage / File System)

OpenShift (Container Platform)

Kubernetes (Orchestration)

Ansible (Management & Operations)

CloudTrust internal services: KeyCloak Federation Plugin (WS-Fed, SAML, OIDC …)

Page 20:

Why Open Source CASB?

• First OSS-based CASB provider

• Strong key management with a Zero Knowledge approach

• Flexible deployment powered by the RedHat stack (OpenShift, Kubernetes and Ansible)

• All-in-one product and fully auditable source code

• No vendor lock-in

• Keep Your Own Keys (KYOK) approach

• Lower cost to maintain and support thanks to a large developer base

• Can be hosted in a private cloud in a sovereign country or provided as managed services

• Strong R&D and collaboration with research in cryptography

Page 21:

CloudTrust, an all-in-one CASB solution


Page 23:

IGMSuite MFA – Multi-factor authentication provided as a service


Page 25:

CloudTrust for Office 365

With CloudTrust, the company will have confidence in and control over how sensitive data is stored in Office365

Page 26:

CloudTrust enables Symmetric Searchable Encryption (SSE) for documents stored in Office365.

Each document is processed through a Keyword Extractor that runs on-premise, so sensitive data never leaves for the cloud provider.

Only ciphered documents leave the enterprise, while the encryption key stays under the control of the company.

ELCA R&D is developing advanced algorithms for searchable encryption allowing efficient search on encrypted data

Page 27:

How CloudTrust performs Searchable Encryption

[Figure: user saves a Word document in OneDrive (SharePoint)]

Page 28:

How CloudTrust performs Searchable Encryption

CloudTrust can perform searches in Office365 documents. Each user generates a query that is intercepted by the CloudTrust gateway module. The CloudTrust search module then generates an encrypted query to Office365. This query is the output of the search module, which passes the DocID

[Figure: user searches keyword(s) in SharePoint]
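The flow of Pages 26 to 28 (keyword extraction and index building on-premise, an encrypted query issued by the search module, DocIDs coming back) as an added example that is not CloudTrust's code: a minimal single-keyword SSE scheme built as an encrypted inverted index, with HMAC-SHA256 standing in for the PRF. The documents, DocIDs and master key are constructed for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed sample documents and DocIDs (hypothetical, not from the slides).
SAMPLE_DOCS = {
    "doc-001": "Quarterly report prepared for the FINMA audit",
    "doc-002": "Patient record, Geneva hospital, cardiology unit",
    "doc-003": "FINMA compliance checklist for the Geneva office",
}
MASTER_KEY = b"constructed-32-byte-master-key!!"  # assumption: stays on-premise, never sent to the cloud
ID_LEN = 32  # DocIDs are padded to a fixed length before masking, so entry size says nothing about the id


def prf(key: bytes, msg: bytes) -> bytes:
    """Pseudo-random function, instantiated as HMAC-SHA256 (an assumption, not the slides' PRF)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def extract_keywords(text: str) -> set:
    """On-premise keyword extractor: lower-cased alphanumeric tokens."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def trapdoor(master: bytes, word: str) -> tuple:
    """Per-keyword trapdoor (label key, value key): all that the search module sends to the cloud."""
    w = word.lower().encode()
    return prf(master, b"label|" + w), prf(master, b"value|" + w)


def build_index(master: bytes, docs: dict) -> dict:
    """Gateway side: encrypted inverted index {label: masked DocID}, built before anything leaves."""
    index, counters = {}, defaultdict(int)
    for doc_id, text in docs.items():
        padded = doc_id.encode().ljust(ID_LEN, b"\0")
        for word in sorted(extract_keywords(text)):
            k_label, k_value = trapdoor(master, word)
            ctr = counters[word].to_bytes(4, "big")  # one label per (keyword, occurrence)
            counters[word] += 1
            pad = prf(k_value, ctr)[:ID_LEN]
            index[prf(k_label, ctr)] = bytes(p ^ m for p, m in zip(padded, pad))
    return index


def search(index: dict, k_label: bytes, k_value: bytes) -> list:
    """Cloud side: walks the counter chain for one trapdoor without ever seeing the keyword.
    Known leakage: which entries matched and how many (access and result pattern)."""
    results, ctr = [], 0
    while True:
        tag = ctr.to_bytes(4, "big")
        label = prf(k_label, tag)
        if label not in index:
            return results
        pad = prf(k_value, tag)[:ID_LEN]
        results.append(bytes(p ^ m for p, m in zip(index[label], pad)).rstrip(b"\0").decode())
        ctr += 1
```

Calling `search(build_index(MASTER_KEY, SAMPLE_DOCS), *trapdoor(MASTER_KEY, "FINMA"))` returns `['doc-001', 'doc-003']`; the cloud side holds only labels and masked ids, and can answer only for trapdoors the on-premise side chooses to issue.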


Page 31:

FPE from a Feistel Network – FF3

[Figure: format-preserving encryption over a 62-symbol alphabet. Symbol indices: a…z → 0…25, A…Z → 26…51, 0…9 → 52…61. The plaintexts "Trust" (45 17 20 18 19) and "Cloud" (28 11 14 20 3) are mapped by the Feistel network to 18 11 31 8 11 ("slFil") and 3 4 43 23 17 ("deRxr"), so each ciphertext keeps the length and alphabet of its plaintext.]
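The slide's construction, worked as an added example that is neither ELCA's nor NIST's code: a simplified unbalanced Feistel FPE over the same 62-symbol alphabet, using HMAC-SHA256 as the round function in place of AES and omitting FF3's tweak layout and string reversal, so it shows the structure rather than implementing FF3 itself (which NIST later revised to FF3-1). The symbol mapping reproduces the slide's indices; the ciphertexts depend on the key and tweak, which are constructed here.

```python
import hashlib
import hmac
import string

# Symbol indices as on the slide: a..z -> 0..25, A..Z -> 26..51, 0..9 -> 52..61
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits
RADIX = len(ALPHABET)  # 62
ROUNDS = 8  # FF3's round count; the round function below is HMAC-SHA256, not FF3's AES
KEY = b"constructed-example-key"  # constructed, not a real deployment key
TWEAK = b"crm:contact:name"       # constructed tweak, e.g. binding a value to its CRM field


def to_digits(text: str) -> list:
    """Map a string to symbol indices; raises ValueError for symbols outside the alphabet."""
    return [ALPHABET.index(ch) for ch in text]


def from_digits(digits: list) -> str:
    return "".join(ALPHABET[d] for d in digits)


def num(digits: list) -> int:
    """Big-endian base-62 value of a digit list."""
    value = 0
    for d in digits:
        value = value * RADIX + d
    return value


def to_fixed_digits(value: int, length: int) -> list:
    """Inverse of num() for a fixed number of digits."""
    out = []
    for _ in range(length):
        value, d = divmod(value, RADIX)
        out.append(d)
    return out[::-1]


def round_fn(key: bytes, tweak: bytes, i: int, half: list, out_len: int) -> int:
    """Keyed round function F_i(half), reduced modulo 62**out_len."""
    mac = hmac.new(key, tweak + bytes([i]) + bytes(half), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (RADIX ** out_len)


def fpe_encrypt(key: bytes, tweak: bytes, text: str) -> str:
    """Unbalanced Feistel: A <- B, B <- (A + F_i(B)) mod 62**len(A), for ROUNDS rounds."""
    digits = to_digits(text)
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for i in range(ROUNDS):
        m = len(a)
        a, b = b, to_fixed_digits((num(a) + round_fn(key, tweak, i, b, m)) % RADIX ** m, m)
    return from_digits(a + b)


def fpe_decrypt(key: bytes, tweak: bytes, text: str) -> str:
    """Runs the rounds backwards, undoing each modular addition."""
    digits = to_digits(text)
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    for i in reversed(range(ROUNDS)):
        m = len(b)
        a, b = to_fixed_digits((num(b) - round_fn(key, tweak, i, a, m)) % RADIX ** m, m), a
    return from_digits(a + b)
```

Because the output stays within the field's alphabet and length, an encrypted value such as a card number or a CRM contact name still fits the column and the validation rules of the cloud application, which is what lets the user on Page 33 keep working with the record.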


Page 33:

How is data saved encrypted in CRM online?

1 - User saves a new contact

2 – CASB intercepts the request and encrypts the fields before they leave the enterprise network

3 – Contact is encrypted and stored in CRM online, but the user can still see it in clear


Page 35:

Manage & Control: CloudTrust Identity as a Service (IDaaS)

■ Identities B2B, B2E, B2C can be managed centrally using the user-friendly web interface

■ Specific users can easily be given access to specific cloud applications via a central IDP Hub supporting federation standards (OIDC, OAuth, SAML 2, WS-Fed)

[Figure: central IDP hub federating applications over OIDC, SAML and WS-FED]

Page 36:

Any app

Page 37:

Custom-made Single Page App without CloudTrust

[Figure: a single-page application (AngularJS) served by a web server. The browser issues the initial request for the web app, the AngularJS app loads, and then exchanges JSON with the application API over AJAX; the arrows are numbered 1 to 8.]

Page 38:

App can be migrated in public/private cloud with CloudTrust

[Figure: the same single-page application (AngularJS web app, initial request, JSON over AJAX to the application API, arrows numbered 1 to 8), now as the "Any app" case with CloudTrust.]

Page 39:

How CloudTrust can protect Single Page App (Any App)

[Figure: Any app: the web browser's JSON exchange with the app, protected by CloudTrust]

Page 40:

Features and Benefits

Page 41:

Gain a competitive edge by accessing our latest features prior to general availability

Experience hands-on, one-on-one learning of new features

Work closely with the CLOUDTRUST technical staff

Provide influential feedback

Access to source code if you provide developers

https://github.com/cloudtrust

Launching in Q4 2017

This program gives you early insight into CLOUDTRUST features, lets you influence product development, and gives access to the GitHub repository

Register here

www.elca.ch/cloudtrust
