Simple and Secure Migration to Cloud Cryptography
Migrating applications to the public cloud brings undeniable business benefits. It also brings radical changes to the security threat scenario that, if not managed correctly, could result in damaging breaches. Use of cryptography is a fundamental tool for managing these risks, however cryptography in the cloud brings new security challenges.
Independently evaluate the security of the cryptography implemented by the host
Detect vulnerabilities in cryptography resulting from the application misusing the provider
Secure Keys on Platform
Adapt cryptography to store keys securely using the host’s key-management system
Monitor App & Platform
Monitor the host platform and integrate application cryptography audit into the CI/CD toolchain
Securing Cryptography in the Cloud
At Cryptosense we’ve seen our tools used by large organisations for several migration projects. As a result, we’ve identified a 4-step methodology for securing cryptography in the cloud.
1. Evaluate the Security of the Cloud Cryptography Platform
A migration project must independently evaluate the security of the cryptography implemented by the host as a first step. It’s not acceptable to take the cloud host’s marketing material as a guarantee of security.
Cryptosense software is used by several major financial services organisations to test cloud cryptography platforms. Negative results from our tools have resulted in “no-go” decisions for major projects, pending improvements to the platform by the host.
2. Test and Secure the Cryptography in the Application
While the importance of a secure cryptography provider is evident, most vulnerabilities in cryptography actually result from the application misusing the provider. These bugs in key-management, random number generation, and cryptographic design cannot be mitigated by WAFs or other similar technologies and need be eliminated in a full cryptography audit before the application is migrated.
Cryptosense Analyzer is the first tool capable of a complete cryptography audit on an application. Multiple financial services organisations and software companies depend on it to ensure their code is secure.
3. Secure the Keys on the Host Platform
Due to the increased exposure of a cloud application, cryptography must be adapted to store keys securely using the host’s key-management system (KMS) rather than in software. This requires a full cartography of cryptography use in the application and the key lifecycle. However, understanding the full use of cryptography of an application is hard: documentation is often incomplete and out-of-date, key personnel involved in legacy applications may have left, and manual code review is extremely costly.
Cryptosense Analyzer produces a complete cartography of cryptography and keys used in an application that allows easy and secure adaptation to the chosen KMS.
4. Monitor the Platform and the Application
Moving an application to the cloud means ceding control of platform updates to the host, each of which may cause new stability or security issues. Testing must be repeated regularly and results monitored. Additionally, to reduce time to market and promote innovation, most organisations take advantage of their new cloud platform to speed up their development and deployment cycle towards a Continuous Integration/Continuous Deployment (CI/CD) scenario. Changes to the application must also be tested to ensure cryptography security is maintained.
Cryptosense software makes sure that an application stays secure under these conditions by monitoring the host cryptography platform on a regular basis and by integrating the application cryptography audit by Cryptosense Analyzer into the CI/CD toolchain.