Architecture & Operations

A7: The ABCs of Architecting Better Cryptography in the Cloud

Friday, June 9, 2023 1:30 PM - 2:30 PM

Room 401/402


Whether configuring a SaaS application, migrating a legacy application to the cloud, or building out a multi-tenant IaaS service offering, it's hard to avoid the need to implement and manage encryption keys and interactions with cryptographic services. Given the distributed nature of the cloud, and our increased reliance on authentication and trust to secure these resources, strong cryptography plays a crucial role for the protection of confidentiality and integrity for cloud services -- but underlying (or perhaps undermining) its strength is the importance of key management and lifecycle management. Many cloud services come equipped with turnkey key management, with built-in integrations to secure key storage and operations to minimize misuse or abuse of keys and certificates. However, for most applications, there exists the need to employ customer-provided/supplied and customer-managed keys, for encryption, signing, and authentication. Unfortunately, organizations moving workloads to the cloud often fail to understand the importance of defining a solid cryptosystem and employing best practices for secrets management that provide the foundation required to secure these applications and services. Whether tasked with designing, documenting, managing, or auditing these key management processes, the jargon and complexity of cryptography can quickly confuse even the most experienced security professional or technologist, leaving an opportunity for adversaries to exploit these gaps. In this session, Dr. Pfanstiel will guide attendees into the world of cloud cryptography, covering the basics of cryptography, current key management models, customer and service provider responsibilities, and the key management lifecycle as it pertains to the most common use cases (transport encryption, storage encryption, signing, authentication, and data integrity verification). From there, Dr. Pfanstiel will share from his years building and auditing advanced payments cryptosystems, using examples from PCI and NIST standards, discussing common implementation mistakes, and how to identify these errors before they result in compromise of sensitive systems or data. All participants are welcome, and are sure to improve their knowledge of key management in the cloud. Cloud engineers, security architects, and auditors will engage in thoughtful discussion of best practice and leave better prepared to raise the bar for identifying and resolving weakness in cloud cryptosystems.

Learner Objectives

After this session, cloud engineers, security architects, and auditors will - Recognize the important role of key management services for cloud applications - Understand the threats associated with poor cryptography engineering design for cloud services - Readily identify common mistakes associated with customer-managed keys - Learn effective documentation and communication techniques for improved assurance and audit success