Raythos Lab: Securing Cloud Data from Cybercrime, Intrusion and Surveillance


By John Sotiropoulos - In my previous post (Cloud Data, Security, Privacy & Confidentiality / The ISV Perspective) I talked about the increasing exposure of data, the changing landscape of data confidentiality and the need to shield data rather than retreat into the largely mythical "safe havens" of on-premises systems. When storing data in the cloud, key management becomes a critical aspect of data confidentiality, and a new crop of vendors is beginning to emerge that simplifies encryption and key management.

Having looked at most of the new crop of cloud encryption vendors, we liked Porticor for its innovative application of a homomorphic algorithm to split-key encryption and for its use of a customer-owned security appliance. The combination of the two eliminates the need to expose the encryption key and minimizes the risks, offering a unique approach to complying with EU data protection legislation that is not found elsewhere in the cloud.

The devil is always in the detail, and we are currently evaluating the product in detail to include it as an option for our elasticbigdata service. With Porticor offering a 30-day free trial and quite affordable rates afterwards, it's easy to evaluate the service.

Porticor is currently available as a service hosted on AWS, IBM clouds, or any VMware-based cloud. There are no technical reasons why their offering cannot run on Azure or OpenStack, and I assume this is down to customer-driven prioritization. With an easy-to-use REST API, the service can actually be used as-is from other clouds (Azure, OpenStack) whilst running on AWS. This is something we have explored, and we will post a step-by-step lab on how to use the API.

In this post we will walk through how you can secure cloud data against hackers, the cloud vendor themselves and any surveillance snooping.

Setting up a Porticor Project

Once you've registered for the free trial, you can log on to the Porticor admin web site. This lets you set up the usual admin hygiene (user profiles, password resets, adding more users, etc.) and, most importantly, the core of Porticor's offering: the Virtual Appliance with its set of optional add-ons for seamless storage, database and network encryption. These are all grouped in what Porticor calls a project.

[Screenshot: Porticor main admin page]

A Porticor Virtual Appliance is a sophisticated data encryption black box that the customer owns; it is an actual VM, in our case an AWS instance. Whilst experimenting, you can use a micro AWS instance and take advantage of the free tier Amazon offers.

The appliance is created using a private key that is only displayed at the end of the set-up sequence; you are responsible for storing it securely in your own secure storage. It will only be used again to bootstrap an appliance.

[Figure: Porticor architecture]

The key used to bootstrap the appliance is split and homomorphically encrypted. Homomorphic encryption is something that everyone gets excited about, not least DARPA, which is investing $20M in the homomorphic-related PROCEED initiative, with $4.7M already awarded to Galois Inc to extend its Cryptol toolsuite to be homomorphic. The algorithm allows encrypted data to be used without decryption and will one day probably make the whole key problem history, but for now it is not ready for prime-time full-scale data encryption. What Porticor has done is to apply the algorithm (and they have a long formal mathematical proof paper) to the encryption of each part of the split key, so that even if an intruder compromises the appliance, the key shares are there only in encrypted form. Even more, on each appliance the encryption is different, so an encrypted key stolen from one appliance is useless to the thief.

The bottom line is that the key is not lying around in any cloud storage. There is an option to keep the key across reboots in the appliance's instance storage, but this is for development purposes. I store it on an encrypted USB key and never in the cloud.
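As an added illustration of the split-key idea (constructed example code, not Porticor's code): it uses a plain XOR two-share split rather than the homomorphic scheme the post describes, whose details are not given here. One share is fresh randomness, the other is derived from it, so each share on its own carries no information about the key, and a share left on a compromised appliance is worthless without its counterpart.

```python
# Constructed illustration of a 2-of-2 split key (XOR secret sharing).
# Not Porticor's algorithm: it stands in for the idea that a share left on
# a compromised appliance is useless without its counterpart.
import secrets
from typing import Tuple

KEY_BYTES = 32  # an AES-256 key, the strength the add-ons use


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Split key into two shares: share_a is fresh randomness, share_b = key XOR share_a.
    Every split draws new randomness, so shares produced for one appliance are
    useless for another, the property the post attributes to per-appliance encryption."""
    share_a = secrets.token_bytes(len(key))
    share_b = xor_bytes(key, share_a)
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Reassemble the key; this is the only point where the key exists, and only in memory."""
    return xor_bytes(share_a, share_b)


def single_share_is_uninformative(share: bytes) -> bool:
    """Toy check on a one-byte share: all 256 possible key values are consistent
    with it (each has exactly one complementary share), so the share alone
    narrows the key down to nothing."""
    if len(share) != 1:
        raise ValueError("toy check expects a one-byte share")
    complementary = {xor_bytes(bytes([k]), share) for k in range(256)}
    return len(complementary) == 256


def roundtrip_ok(key: bytes) -> bool:
    """Split then combine returns the original key, and re-splitting gives fresh shares."""
    a1, b1 = split_key(key)
    a2, b2 = split_key(key)
    return combine_shares(a1, b1) == key and combine_shares(a2, b2) == key and a1 != a2


if __name__ == "__main__":
    k = secrets.token_bytes(KEY_BYTES)
    print("roundtrip:", roundtrip_ok(k))
    print("one share reveals nothing:", single_share_is_uninformative(b"\x5a"))
```

The one-byte check is the whole argument in miniature: for a 32-byte key the same holds with 2^256 candidates, which is why the share stored on the appliance does not need to be secret in the way the master key does.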

The sequence is easy and straightforward. It follows a wizard-style flow, asking you to provide your AWS credentials. This is important because everything that is generated is stored in your own AWS account. This means your trust in the encryption vendor, Porticor, does not have to be blind, as you control access to your appliances. It also means you are charged for the compute used, so include that in your costing model, especially when moving away from the free tier.

[Screenshots: new project wizard, steps 0 to 3]

At the end of this process, Porticor will give you the master key used to bootstrap the project. You need to save the key securely and make sure you don't lose it, as this is the only copy of the key.

[Screenshot: Porticor key generation]

Once the Virtual Appliance has been created you can manage it in Porticor's web interface, but you can also see it and manage it in your AWS Management Console.

[Screenshot: managing Virtual Appliances in Porticor]

[Screenshot: the Porticor appliance in the AWS console]

The appliance can now be used with the project add-ons, which do a good job of automating encryption seamlessly for files, S3, databases and network traffic. They act like code-less encryption channels to these resources, so you do not need to write encryption code and can rely on the appliance's encryption services instead. These use strong encryption algorithms such as AES-256, with the added benefit of the in-memory split and homomorphically encrypted key.

The appliance can also be accessed via the Porticor API, in which case it is used for secure storage and key management, with custom code doing the encryption/decryption work.

Setting Up Encryption for the S3 bucket

There are two ways of using the Porticor Virtual Appliance:

1. Via the REST API, to manage the key and optionally perform encryption tasks.
2. Via the S3 add-on, as an encryption tunnel that proxies the S3 requests through the appliance so that they are seamlessly encrypted and decrypted.

Most users will prefer the second approach as it saves time.

This involves supplying your AWS credentials to the Virtual Appliance via the Porticor configuration site. The screenshot shows how this is configured, and it is described in detail in Porticor's knowledge base item S3 Encryption With Porticor.

[Screenshot: configuring S3 encryption]

Once you have set up the Porticor site, there are two ways of accessing your encrypted S3 bucket. You can specify the S3 endpoint using the appliance's URL, e.g. <appliance>.d.porticor.net; Porticor can simplify this further by allowing you to do a DNS mapping so that an individual bucket can be accessed as <bucketname>.d.porticor.net (mapped to the appliance DNS). In this case you need to specify the S3 bucket name in the Porticor S3 admin page.

In many cases, S3 clients and libraries do not provide the option to specify an S3 endpoint. They automatically construct it from the S3 bucket name and assume <bucket>.. In this case, you have no choice but to use the hosts file redirection that Porticor offers as a second way of going through the Porticor virtual appliance.

This is fairly easy on Mac OS X, Linux and Windows (but requires admin access): you edit your hosts file and add a line that maps the external IP of your appliance to the bucket's S3 URL. In my case the additional line for the bigdatatests bucket is

54.227.XX.XX   bigdatatests.s3.amazonaws.com

where 54.227.XX.XX is the obscured external IP address of my security appliance.

Once the hosts file is changed (and on Mac OS X the change is activated with an additional command described in the link above), S3 client applications will go through the appliance.

I like the hosts redirection for the transparent way it routes calls to the Virtual Appliance; because the application configuration keeps the standard AWS convention, it would not immediately reveal the use of the Virtual Appliance to an intruder.

Whether you use the endpoint explicitly or the hosts redirection, you will need to add the Porticor-issued certificate to the trusted certificates of your applications. How this is done varies depending on the actual client application or library.

You can download the certificate by enabling the Porticor Certificate Authority (PCA) option in the project's configuration page. The screen advises (see screenshot) how to install the certificate in browsers. You should also store a copy of this .crt file in a secure location so that you can use it in different stores if needed. Alternatively, you can re-download the certificate from the project settings cog icon.

[Screenshot: loading the Porticor certificate]

For native applications you would add it to the OS-level machine certificate store, i.e. the Windows certificate store on Windows, Keychain Access on Mac OS X, or typically /etc/ssl/certs on Linux, and then use the application's configuration (e.g. httpd.conf for Apache) or the OS API.

For Hadoop, which is a Java stack, and for other Java applications, the certificate goes into a key store or the default cacerts key store. We will see how to do this later on.

But to start with, I use the Firefox S3 Organizer add-on to test that all works well.

I modify my hosts file as described and download the certificate; I save it to a secure place, then add it to Firefox's certificate store, as described in Porticor's KB item.

[Screenshot: Firefox certificate store]

With the hosts redirection I can access both my encrypted and unencrypted buckets, and to test the encryption I upload an image file to S3.

[Screenshot: uploading the image to S3]

Once the image is uploaded, I download it to a different location and verify it’s usable.

I then switch to my S3 admin page in the AWS console. This runs on AWS infrastructure, so it is not governed by my hosts mapping and does not go through the appliance.

[Screenshot: the image listed in the S3 browser]

I see the file listed, but when I try to download it I get an error, verifying that the encryption tunnel works.

[Screenshots: downloading the image from the S3 browser; the encrypted image]

Setting up another client on Ubuntu Linux with CrossFTP validates the behaviour. When the client's hosts file is modified to go through the Porticor encryption tunnel, the image is valid; otherwise it always returns an invalid (encrypted) file.

[Screenshot: CrossFTP on Ubuntu]
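The client-side steps above (hosts-file redirection of the bucket's S3 hostname to the appliance, trusting the appliance's CA certificate, and the plaintext-versus-ciphertext check against the same object) as one added example. This is constructed code, not Porticor's; the hostnames, the 192.0.2.10 appliance IP, the bigdatatests bucket and the CA file path are placeholders, and the image check assumes a PNG or JPEG upload.

```python
# Constructed example (not Porticor's code) covering the client-side steps above:
# hosts-file redirection, trusting the appliance CA, and the plaintext-vs-ciphertext
# check. Hostnames, IPs and file paths are placeholders.
import ssl
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Dict, Optional

S3_SUFFIX = ".s3.amazonaws.com"
# Magic numbers of the image formats this check recognises (PNG, JPEG).
IMAGE_MAGICS = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def s3_host_for(bucket: str) -> str:
    """Virtual-hosted-style hostname most S3 clients build from the bucket name."""
    return bucket + S3_SUFFIX


def hosts_entry(appliance_ip: str, bucket: str) -> str:
    """The hosts-file line that sends the bucket's traffic to the appliance."""
    return f"{appliance_ip}\t{s3_host_for(bucket)}"


def resolve_via_hosts(hosts_path: Path, hostname: str) -> Optional[str]:
    """Return the IP a hosts file maps hostname to (comments ignored), or None."""
    if not hosts_path.exists():
        return None
    for raw in hosts_path.read_text().splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if hostname in names:
            return ip
    return None


def add_hosts_redirect(hosts_path: Path, appliance_ip: str, bucket: str) -> bool:
    """Idempotently add the redirect. Returns True if the file changed; refuses to
    silently overwrite an existing mapping to some other IP."""
    hostname = s3_host_for(bucket)
    current = resolve_via_hosts(hosts_path, hostname)
    if current == appliance_ip:
        return False
    if current is not None:
        raise ValueError(f"{hostname} is already mapped to {current}")
    text = hosts_path.read_text() if hosts_path.exists() else ""
    prefix = "" if text == "" or text.endswith("\n") else "\n"
    with hosts_path.open("a") as fh:
        fh.write(prefix + hosts_entry(appliance_ip, bucket) + "\n")
    return True


def appliance_tls_context(ca_cert: Optional[Path] = None) -> ssl.SSLContext:
    """A verifying TLS context with the appliance's CA added to the system roots,
    so the certificate the appliance presents for <bucket>.s3.amazonaws.com validates."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking on
    if ca_cert is not None:
        ctx.load_verify_locations(cafile=str(ca_cert))  # e.g. the downloaded .crt (placeholder path)
    return ctx


def fetch_object(bucket: str, key: str, ctx: ssl.SSLContext) -> bytes:
    """GET an object over HTTPS; with the hosts redirect in place this reaches the appliance."""
    with urllib.request.urlopen(f"https://{s3_host_for(bucket)}/{key}", context=ctx) as resp:
        return resp.read()


def is_plaintext_image(data: bytes) -> bool:
    """True when the bytes start like a real image rather than ciphertext."""
    return any(data.startswith(m) for m in IMAGE_MAGICS)


def check_encryption_tunnel(fetch_direct: Callable[[], bytes],
                            fetch_via_appliance: Callable[[], bytes]) -> Dict[str, bool]:
    """The post's test: the object read straight from S3 must be ciphertext and
    the same object read through the appliance must be the real image."""
    direct_is_ciphertext = not is_plaintext_image(fetch_direct())
    via_is_plaintext = is_plaintext_image(fetch_via_appliance())
    return {"direct_is_ciphertext": direct_is_ciphertext,
            "via_appliance_is_plaintext": via_is_plaintext,
            "tunnel_ok": direct_is_ciphertext and via_is_plaintext}


def demo_hosts_redirect() -> Dict[str, object]:
    """Run the hosts-file helpers on a constructed temporary file."""
    with tempfile.TemporaryDirectory() as d:
        hosts = Path(d) / "hosts"
        hosts.write_text("127.0.0.1 localhost  # constructed sample\n")
        first = add_hosts_redirect(hosts, "192.0.2.10", "bigdatatests")  # placeholder IP
        second = add_hosts_redirect(hosts, "192.0.2.10", "bigdatatests")
        return {"first_added": first, "second_noop": not second,
                "resolved": resolve_via_hosts(hosts, "bigdatatests.s3.amazonaws.com"),
                "localhost": resolve_via_hosts(hosts, "localhost")}
```

On a real client the path is /etc/hosts (Linux, Mac OS X) or the Windows drivers\etc\hosts file, edited with admin rights as the post says. The "direct" read in check_encryption_tunnel has to come from a machine without the redirect (the AWS console in the post, or a second client such as the Ubuntu box); the two callables are passed in so the same check works whichever client fetched the bytes, and a result with tunnel_ok false means either the object reached S3 in the clear or the redirect is not actually taking effect.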

This is reassuring: it doesn't matter whether a cyber-criminal, hacker, Amazon, a disgruntled admin or the NSA gets hold of my data or even my AWS credentials. The data is encrypted, and the only way to decrypt it is through the secure tunnel via my Porticor encryption appliance.

Since I control the appliance VM, in an emergency (for instance, a detected intrusion) I can also shut it down when it is not needed. When the Porticor Virtual Appliance is turned back on, it requires a bootstrapping sequence using my private master key. Remember, the master key is stored on my encrypted USB key and no one else has access to it. Unless I create a new appliance instance, my data security is locked.

So far Porticor is meeting our requirements for providing a service that lets our elasticbigdata clients use their data in the cloud whilst meeting EU data protection requirements and protecting their confidential data from hacking or surveillance.

In the next post we will build on this lab to show how this setup can be integrated into a Big Data Hadoop environment for Map-Reduce queries via the secure encryption tunnel that the Porticor appliance provides.

About JOHN SOTIROPOULOS

John Sotiropoulos is the founder and CTO of Raythos Interactive, the Innovation Launchpad. Previously with Metastorm (now part of OpenText) he worked in a variety of roles, such as Chief Architect, Director of Product Development, and Head of Innovation, building development teams, shaping product and innovation strategy, and delivering award-winning products including social business process modeling on the cloud. In his new venture, John is working on elasticbigdata.com, a cloud service to democratise Big Data and Machine Learning. He also advises and helps forward-looking companies develop product strategies, architectures, and teams that deliver business innovation and economic growth.

The post Raythos Lab: Securing Cloud Data from Cybercrime, Intrusion and Surveillance appeared first on Porticor Cloud Security.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
