
The Truth About Cloud Encryption


Page 1: The Truth About Cloud Encryption

© 2015 Bitglass

Searchable Cloud Encryption: The Truth

Rich Campagna, VP Products, Bitglass

Chris Hines, Product Manager, Bitglass

Page 2

What is Encryption?

Encryption - the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not prevent interception, but denies the message content to the interceptor.

Page 3

Encryption is quickly becoming one of the biggest topics in security

In The Headlines

Page 4

Why is Encryption so hot right now?

Page 5

Cloud Concerns

Visibility and Audit

Hacked Accounts and Passwords

Data Leakage & Access Control

Clear Text Data-at-Rest is Vulnerable

Page 6

Existing Tools Won’t Cut It...

Page 7

● Increasingly using their devices both inside and outside the corporate security perimeter

● IT and security management can no longer count on well-defined network security perimeters

Page 8

The Enterprise Security Hero!!

What security technologies and controls are most effective to protect data in the cloud?

Page 9

Typical Cloud Encryption Challenges

● App breakages/downtime - avg. $7,900 per minute

● Crypto weakened to preserve application operations

● Protecting data in the cloud, but allowing anyone to download/sync

● Deployment pains - software installs, user retraining, solution customization, etc.

Page 10

Quiz: When is AES256 != AES256?

Encryption has two components:

• Cipher (ex: AES-256) - Transforms human readable text into something unreadable (aka: ciphertext)

• Initialization vector (IV) - unpredictable random number that ensures that ciphertext for the same message is always different. Should be the same # of bits as the Cipher

Crypto strength = lesser of Cipher and the IV

Many limit the number of IVs to support search. Ex: search Salesforce for every ciphertext value of “Bob”. As the number of IVs increases, search time increases exponentially.

Page 11

Example, Please!

Simplified example - letter replacement

Letter   Replacement (1 IV)   Replacement (26 IVs)
A        B                    B
A        B                    C
A        B                    D
A        B                    E
A        B                    F
A        B                    G
A        B                    H
A        B                    I
A        B                    J
A        B                    K
A        B                    L
A...     B...                 M...

Page 12

Full Strength Crypto

First-Gen Cloud Encryption Gateways

● “AES-256 with Millions of Initialization Vectors”

  • 1 million < 2^20

  • 20-bit encryption not worth the hassle

● Subject to chosen plaintext attacks

● AES-256 encryption with 256-bit Initialization Vectors

  • Unique in the marketplace for cloud encryption

  • Local index allows search and sort with full strength crypto
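The IV-count argument of the last three slides (a small fixed IV pool that keeps ciphertext searchable by re-encryption, versus a fresh random IV per record plus a local index), as an added worked example that is not part of the Bitglass deck. It uses an HMAC-SHA256 counter-mode stream cipher as a stand-in for AES so it runs on the Python standard library; the pool size, record values and index layout are constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets

IV_LEN = 16  # 128-bit IV for the stand-in cipher below (a hypothetical choice)

def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Stand-in keyed stream cipher: HMAC-SHA256 in counter mode. Used instead of
    # AES so the example runs on the standard library; the IV plays the same role.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    ks = _keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, iv, len(body))))

def limited_iv_store(key: bytes, iv_pool: list, values: list) -> list:
    """First-gen gateway approach: each record draws its IV from a small fixed pool."""
    return [encrypt(key, secrets.choice(iv_pool), v) for v in values]

def limited_iv_search(key: bytes, iv_pool: list, records: list, needle: bytes):
    """Search by re-encrypting the needle once per pool IV and matching ciphertexts.
    Candidate count equals pool size, so a stored value's protection is bounded by
    log2(pool size) bits regardless of the cipher's key length."""
    candidates = {encrypt(key, iv, needle) for iv in iv_pool}
    return [i for i, r in enumerate(records) if r in candidates], len(candidates)

def effective_iv_bits(pool_size: int) -> float:
    return math.log2(pool_size)  # one million IVs -> just under 20 bits

def random_iv_store(key: bytes, values: list):
    """Full-strength approach: fresh random IV per record, plus a local index (kept
    on premises with the key) mapping each plaintext value to its record ids."""
    records, index = [], {}
    for i, v in enumerate(values):
        records.append(encrypt(key, secrets.token_bytes(IV_LEN), v))
        index.setdefault(v, []).append(i)
    return records, index

def random_iv_search(index: dict, needle: bytes) -> list:
    return index.get(needle, [])  # no ciphertext enumeration needed
```

With the random-IV store, every record carries a distinct IV and search never touches ciphertext, which is why the index must live with the key rather than in the cloud.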

Page 13

How It Works

Premises DB

Visibility
● Audit & Logging
● Alerts

Data Protection
● True AES-256 Encryption
● Contextual Access Control
● Watermarking/DRM/DLP

Enterprise Key Mgmt

Name: John Stephenson
SSN: 345-66-2354

Name: jczrdpwjjhhz czljwsdbxbz
SSN: 3czdbmflfjfbz czdbdjnfhbgz

Page 14

What Does It Look Like?

Screenshots: Viewed through proxy | Direct to Salesforce

Page 15

Bitglass Data-Centric Security

HQ & Branch Office (On-premises)

Apartment (Remote)

Starbucks (BYOD)

● No software to install

● Transparent to users

● Any user/device/app

Page 16

Cloud Encryption With Bitglass

In the Cloud
Patented, strong, searchable encryption for cloud data-at-rest vetted by Hellman & Elgamal

At Access
Visibility & Contextual Access Control

On the Device
Protect data downloaded to devices (BYOD/Mobile, Managed Devices)

On the Network
Discover breaches - exfiltration and Shadow IT

On-premise

Page 17

First-gen Cloud Encryption GWs vs. Bitglass: Unique Technologies & Benefits

First-gen: Application changes/updates break proxy functionality
Bitglass: AJAX VM technology ensures resilience to application changes

First-gen: Encryption algorithms weakened to preserve application functions like search, sort (20-bit equivalent)
Bitglass: Patented operations-preserving AES-256 bit encryption with 256-bit initialization vectors

First-gen: Incomplete, exclusive focus on encryption for cloud data-at-rest leaves data leakage, BYOD gaps
Bitglass: Complete cloud security offering - in the cloud, at access, on the device

First-gen: Deployment requires extensive installation, DNS changes, user retraining, solution customization
Bitglass: Deploy in minutes with no changes to user experience and no software to install

Page 18

Total Data Protection Outside the Firewall