What cloud telecommunications services need to know about encryption

The spread of cloud computing services is a major disruptor in the era of network functions virtualization (NFV). Cloud-based services offer huge benefits such as scalability, cost efficiency, central management, and ease of use. However, these services form a centralized information repository built on shared resources, which makes them a target of choice for attackers.

About the author: Danny Lahav, Product Manager, Nokia Cloud Core.

These shared resources include cloud computing or storage servers, and a breach of a single server can potentially cause a complete information leak and compromise. Security industry experts are exploring technologies such as firewalls and encryption to protect cloud services and platforms. As more and more cloud telecommunications services implement these technologies, it is important to understand the current options.

The meaning of encryption

Encryption uses a cryptographic key to convert plain text (human-readable data) into unreadable ciphertext. Decrypting that data requires the corresponding cryptographic key to restore its original form. Encryption therefore protects data security and integrity: without the key, an attacker or unauthorized user cannot decrypt the data, unless the key itself has already been compromised.

Encryption can be applied to two kinds of data: data in transit and data at rest. Data in transit travels across the Internet and across system interfaces, whether external to the system or internal between servers and application programming interfaces (APIs). It can be protected with HTTPS, TLS, IPsec and similar protocols, which is crucial to prevent interception by an unauthorized party. Data at rest is stored data, including data on storage nodes and removable storage media. Encryption of data at rest can be applied to a specific data file or to all stored data. End-to-end encryption encrypts data so that it can be decrypted only at the endpoints.

Interfacing to cloud services over encrypted data in transit rules out reading the exchange without the proper key: only the sender and the recipient can decrypt the messages on these interfaces. Encryption is also used in cloud systems to control access by authorized users, to secure access through external interfaces, and to protect sensitive data stored in the cloud system. Without the cryptographic key, lost or stolen data cannot be read. Encrypting server data likewise minimizes the chance that attackers can use data at rest: even if they obtain encrypted data from the server, they cannot "read" or compromise it without the keys to decrypt it. Encryption of data at rest is therefore a key element of strong data security in the cloud.

Secure encryption key lifecycles using a hardware security module

A hardware security module (HSM) is a dedicated cryptographic processor designed to protect the lifecycle of encryption keys: it safeguards and manages digital keys for strong authentication and performs cryptographic processing. Traditionally, an HSM is an expansion card or an external device that connects to a computer or network server. Because these modules are often part of critical IT infrastructure, they are typically clustered for high availability, including dual power supplies. Cloud operators keep the project's secret key, known as the key encryption key (KEK), on the HSM, which Barbican reaches through its crypto plugin over the PKCS#11 interface. Barbican is an OpenStack project that provides a REST API for the secure storage, provisioning and management of secrets, enabling users to build secure, cloud-ready key management systems. These systems manage sensitive material such as symmetric and asymmetric keys and raw secrets. Secrets are encrypted with the project-specific KEK that resides on the HSM and decrypted with the same KEK when they are retrieved. For example, the HSM generates one encryption key per service to encrypt a storage volume.

Service identification with Keystone

Keystone is another OpenStack project; it provides centralized API client authentication, service discovery, and distributed multi-tenant authorization. Keystone authenticates a user before that user can access any other service, and it can also delegate to an external authentication system such as LDAP or TACACS+. After successful authentication the user receives a temporary token that is included in each service request. The user is granted access to a service if and only if the token validates and the user holds the appropriate roles.

Dynamic key management: how Barbican manages your keys

Barbican first verifies the authentication token to identify the user and the project that is storing or accessing a secret. It then applies a policy to decide whether access is allowed. Barbican replaces sensitive information, such as database passwords, with unique references (URLs) from which the securely stored secret can later be retrieved. Sensitive data is encrypted by dedicated devices such as HSMs to provide an enhanced level of security. As noted above, the crypto plugin communicates with the HSM through PKCS#11, a standard that specifies an API called "Cryptoki" for devices that hold cryptographic information and perform cryptographic functions in a technology-agnostic way.

Why Storage Encryption Matters

Cloud systems based on virtual machines (VMs) or containers use volume storage, so volume encryption is essential to protect VM data and the physical storage media against theft, leakage and attacker access. Unencrypted VM data is at risk if an attacker breaks into the volume hosting platform and reads data belonging to many different VMs. The encrypted volume feature encrypts VM data before it is written to the volume or storage (while it is data in transit) and thereby keeps it protected while it resides on the storage device (as data at rest). As NFV cloud telecommunications services continue to grow, the possibility of data leakage increases and demands attention and appropriate solutions. Encrypting internal and external interfaces, data and volumes, together with dynamic key management, is a key step in reducing the risk of data leakage and espionage.
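The following is an added illustration of the Keystone token check, the Barbican policy-and-wrap flow, and the volume encryption described in the last three sections; it is not code from the article, from Nokia or from OpenStack. The class names mirror the services, but the HMAC-based cipher standing in for AES, the "creator" role, and the secret reference URL are assumptions made for the demo.

```python
import hashlib, hmac, secrets, uuid

def keystream_xor(key, nonce, data):
    # AES-CTR stand-in (assumed, stdlib only): HMAC-SHA256 keystream XORed with the data
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, data):  # fresh random nonce per encryption, stored in front of the ciphertext
    nonce = secrets.token_bytes(16)
    return nonce + keystream_xor(key, nonce, data)

def unseal(key, blob):
    return keystream_xor(key, blob[:16], blob[16:])

class HSM:  # one KEK per project, generated inside the module and never exported
    def __init__(self): self._keks = {}
    def wrap(self, project, secret):
        return seal(self._keks.setdefault(project, secrets.token_bytes(32)), secret)
    def unwrap(self, project, blob):
        return unseal(self._keks[project], blob)

class Keystone:  # issues temporary tokens that carry the caller's project and roles
    def __init__(self): self._tokens = {}
    def issue(self, project, roles):
        token = secrets.token_hex(16)
        self._tokens[token] = (project, frozenset(roles))
        return token
    def validate(self, token):
        if token not in self._tokens: raise PermissionError("invalid token")
        return self._tokens[token]

class Barbican:  # checks token and policy, stores only the KEK-wrapped secret, returns a reference
    def __init__(self, keystone, hsm): self.ks, self.hsm, self.db = keystone, hsm, {}
    def store(self, token, secret):
        project, roles = self.ks.validate(token)
        if "creator" not in roles: raise PermissionError("policy: role 'creator' required")
        ref = f"https://barbican.example.invalid/v1/secrets/{uuid.uuid4()}"  # assumed URL scheme
        self.db[ref] = (project, self.hsm.wrap(project, secret))
        return ref
    def retrieve(self, token, ref):
        project, _ = self.ks.validate(token)
        owner, blob = self.db[ref]
        if owner != project: raise PermissionError("policy: secret belongs to another project")
        return self.hsm.unwrap(project, blob)

# volume encryption: the DEK fetched from Barbican is applied before data reaches the disk
write_volume, read_volume = seal, unseal
```

A token from another project or without the creator role is refused by policy, and a disk image written through write_volume holds only ciphertext until the same DEK is presented again.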