The service, which includes a Virtual Appliance and an agent software, offers standard AES 256 or Blowfish encryption that has a maximum key length of 2048 bits. A unique “split-key” method adds to the security. The customer holds the master key, common to all data objects such as a disk or the file in the application, and Porticor holds the other key, which is unique for each data object. When the application accesses the data store, Porticor uses both parts of the key to encrypt or decrypt the data. The service encrypts the master key when in use to prevent hackers from stealing it.

The offering is scalable, with the customer given the ability to expand the encryption to any number of projects, and each project allowed infinite data across multiple databases and file servers. Porticor also provides a secure API that allows the customer to control all functions and integrate data encryption to an automated environment.

Amazon Web Services have already implemented the Porticor offering successfully, whereas successful testing is over for major players including Microsoft. Porticor is in the process of negotiation with key cloud storage players for closer integration of technology that would make the product seamless and easy to implement.
Source: http://www.cio.com/article/700217/Startup_Porticor_Launches_with_Encryption_Technology_for_Cloud_Computing?taxonomyId=3089

A True Random Number Generator (xkcd.com)

In the last week or two, the security community has been abuzz with two different papers on the security of RSA keys. It turns out there are tens of thousands of RSA keys out there that are weak: they share a prime modulus with another public key, allowing both keys to be factored (i.e. broken) in a matter of minutes. The dust seems to have settled by now, and the root cause appears to be poor generation of these keys, in other words, low quality random number generators. How does this issue relate to cloud security, Porticor’s forte? Read on…

Generation of cryptographic quality random numbers is a difficult science, well beyond the scope of this blog. Unfortunately, the old saying applies: you get what you pay for. In the case of crypto randomness, the more initial randomness (a.k.a. entropy) you stir into the pot, the better the quality of the random numbers you will get out of it. And the stronger your cryptographic system will become.

The current research is the latest in a long history of cryptanalysis by exploiting faulty random number generators (RNGs). Starting with the early days of SSL, there have been many such attacks on crypto-systems. Perhaps the best known, but certainly the most embarrassing, is the Debian/openssl bug, where for almost two years, any RSA keys on Debian and Ubuntu systems were taken from the space of 2¹⁵ keys, and were thus trivial to guess. Lucky for us, this was fixed in mid-2008.

Back to the new research: it turns out most of the weak keys are related to that essential ingredient of the stew, initial entropy. Before it can spit out good encryption keys, the RNG needs to be affected by real-life events, such as key-presses, network packets, disk rotations. Now, many systems start out by creating RSA keys (often in the form of certificates) very early on, as early as a few seconds after the system has been turned on. In the case of a PC, there’s already a useful amount of entropy available before any new software is installed. So where do we expect the lack of entropy to be a problem?

Magnetic Random Number Generator for Your Fridge

• In embedded appliances, which boot up from a “burned” factory image and immediately create some keys.
• In virtual systems (cloud instances), which boot up from stock software images and immediately go off to create some crypto keys.

All is not lost. When designing a complex virtual system, you can apply some industry best practices to obtain a solid randomness pipeline. This is essential if cryptography is a central part of your application’s security. And with the prevalent use of SSL, this is true for most modern systems.

• Use the Linux /dev/random and /dev/urandom generator. This generator underwent serious scrutiny. Even though some minor weaknesses were found, it is generally believed to be sufficiently strong for crpytographic uses.
• Whenever an appliance is booted, and that includes its first-time boot, it should receive an injection of randomness from a central randomness source, which may be your management subsystem. This allows the appliance to generate strong keys as soon as it starts out.
• The management subsystem itself needs to receive a significant amount of real entropy from user and network interaction.
• When generating a Master Key for a customer project, combine the strong randomness that you made available on the virtual appliance together with the weak randomness in the user’s browser (unfortunately JavaScript RNGs are still very low quality, but we are hoping to see some improvement). Although this is uncommon in cryptographic engineering, in this case you get the best of the two sources.

To summarize, the RSA algorithm is as strong as ever, and you definitely need a crypto-grade random number generator to use it securely. This is far from trivial in the cloud, and is yet another reason to get cloud security from the experts.

When it comes to security in the cloud, organizations are confident in their cloud providers, but also and reluctant to expose certain types of data and applications, according to IT industry association CompTIA. Security vendors maintain the problem is one of visibility and control, and each has a solution.

It’s an oft-repeated mantra: Organizations engaged in or investigating cloud computing in any of its many flavors are concerned about security. In fact, concerns about security, data privacy and data residency are often cited as inhibitors to cloud adoption. But are the concerns justified? Some security experts say visibility and control are the missing elements.

In a recent study of IT and business executives, CompTIA, the IT industry association, found that 50 percent of respondents cited greater reliance on Internet-based applications like cloud computing and software-as-a-service as a driving factor in their cyber security concerns. But a number of cloud experts say that in many ways data in the cloud is more secure than in an on-premise installation–or at least rapidly becoming that way–especially for smaller organizations that don’t have the resources to dedicate to security technology and expert staff.

Security Staffing Issues?

Access to enough IT staff with security expertise may be particularly tricky for organizations of all sizes. CompTIA says 41 percent of organizations reported moderate or significant deficiencies in security expertise among IT staff. On average, CompTIA says organizations were about 30 percent short of their headcount devoted to security. According to the Bureau of Labor Statistics (BLS), which adds the category of Information Security Analyst in 2011, unemployment for people employed in the category stands at 0 percent.

Christopher Primault, co-founder and managing director of GetApp.com, a business software marketplace that vets cloud-based apps and organizes information about them for small businesses, says that cloud services help organizations get around this problem because they provide professionals dedicated to safeguarding your information.

“Your data is probably safer with the vast majority of vendors than if you keep it on your premises,” Primault says. “I really believe it’s true.” He adds, “We only use cloud services, so we were born in the cloud. The cost for me to keep data in-house and protect that data would be high. Frankly, by having my data in the cloud, I feel more secure.”

Primault is not alone. According to CompTIA, 85 percent of organizations using cloud services are confident or very confident in their cloud service provider when it comes to security. But those same organizations are reluctant to put certain types of data or applications in the cloud.

“There is a slight paradox among users of the cloud right now,” says Tim Herbert, research vice president with CompTIA. “They convey very strong confidence in cloud service provider security. At the same time, many companies are very reluctant to put certain types of data or applications into a cloud environment. Companies have moved some of the non-critical systems into the cloud, but they are not there yet in terms of moving their most critical systems to the cloud.”

Firms are especially reluctant to put confidential company financial data and credit card data in the cloud. CompTIA found 49 percent of small firms, 55 percent of medium firms and 56 percent of large firms were unwilling to put confidential company financial data in the cloud. When it came to credit card data, 50 percent of small firms, 50 percent of medium firms and 53 percent of large firms were reluctant.

Cloud Security Assessment Shortcomings

Even as organizations struggle between confidence in the security measures of cloud service providers and reluctance to place sensitive data in the cloud, they are also on the whole overlooking critical elements of cloud security when evaluating service providers’ security policies, Herbert says. In particular, regulatory compliance, geolocation of data and the credentials of the provider are often glossed over.

“Despite some of the concerns, only 29 percent of the companies in the study say they engage in a heavy or comprehensive review of the cloud service providers’ security practices,” Herbert says.

In the study, 50 percent of respondents say they either sometimes or rarely/never assess the geographic location of a cloud provider’s data centers. A further 46 percent say they either sometimes or rarely/never assess the regulatory compliance of cloud providers. And 44 percent say they either sometimes or rarely/never assess a provider’s identity and access management. This can lead to some unpleasant surprises, according to CompTIA.

“Recently, the City of Los Angeles and Google learned the hard way what happens when an uncertain regulatory variable is introduced into a cloud deployment,” CompTIA says in its 9th Annual Information Security Trends Study. “LA had to alter its plan to shift 30,000 city employees to Google Apps when it was discovered that Google Apps was not fully compliant with the FBI’s security requirements for connecting to the Criminal Justice Information System (CJIS), a clearinghouse of law enforcement data administered by the Department of Justice.”

CompTIA adds, “This is one notable example of what is sure to be a more regular occurrence-organizations making the transition to the cloud only to discover a security-related element that forces a change of plans. As the cloud model matures, some of these issues may naturally work themselves out, but in the shorter-term, IT solution providers and cloud vendors can provide a valuable service in reducing the likelihood of these types of situations, Longer term, third party assessments of cloud service provider security policies, procedures and capabilities may become standard.”

Securing the Cloud

In the meantime, security vendors are determined to make the cloud a trusted environment in which organizations can do business.  ”The real challenge is that companies need to move to the cloud,” says Dave Canellos, CEO of Toronto-based PerspecSys, a provider of privacy, residency and security solutions for the cloud. “This isn’t a fad. It’s really about how you manage that responsibility and ensure that you protect the information that you are now managing.”

Nicholas Popp, vice president of product management and development at Symantec, acknowledges that the cloud is not quite up to par with on-premise installations when it comes to security. But he also says he believes the time is rapidly approaching.

“The cloud eventually will be more secure,” he says. “Security as a do-it-yourself operation is getting more and more difficult.”

Popp predicted that within three to five years, the cloud will be the more secure environment for small and mid-sized businesses (SMBs), while the horizon for larger enterprises is probably in the 10-year range.

“A lot of people will claim that the cloud is fundamentally insecure,” he says. “The real issue is not security, it’s more about control and visibility. It’s a trust issue. Salesforce and Google need to have good security. From a security standpoint, they’re going to be much better than most companies.”

The problem, Popp says, is that organizations don’t have a good mechanism for injecting their own security policies into cloud services and they don’t have the ability to access logs.

“The issue is that the cloud guys do not provide IT with enough control to set their own policy,” he says. “It’s actually difficult because every cloud is different. You have different APIs and security frameworks. They’re all going to have different ways to do security and expose that security. We need to create a new control point so IT can inject their own policies on top of these cloud services.”

Additionally, he says, an organization’s IT staff needs to have access to logs and backups for both regulatory compliance and the capability to perform forensics if something does get compromised. Symantec’s answer is O3, a cloud information gateway that it likens to the earth’s ozone layer. It’s intended to sit between an organization and its cloud services and act as a sort of cloud firewall. Popp says it will provide three layers of control: an identity and access control layer, an information protection layer and an information management layer. The first layer provides role-based access to information in the cloud, while the second enforces and organization’s security policy. The final layer will capture all the logs and allow organizations to demonstrate regulatory compliance.

PerspecSys takes another tack, though like Symantec it focuses on the message of control.

“We make cloud applications mission-critical for companies by ensuring that their sensitive data never moves outside the company’s network,” explains Canellos. “We help you use the application in the cloud, but keep the sensitive data behind your firewall at all times.”

PerspecSys focuses on protecting data in flight with an approach that Canellos says helps reduce the risk of data transfer, data processing and storage in the cloud.

“If you talk to data centers or the cloud providers, when the data is under their control, within the perimeter of their data center, they can give you all the assurances that the data is probably more secure than if it is with the perimeter of an SMB network,” he says. “But what happens when the data is in flight? At that point, if you look at the agreements companies have with data centers, that is no longer their responsibility.”

The PerspecSys Cloud Control Gateway uses tokenization to replace sensitive data in the cloud.

“Our solution sits between the conversation of the end user of the cloud application and the cloud,” Canellos says. “Essentially, we’re moderating the transaction between the end user and the cloud. Whatever the company has deemed to be sensitive information, we go ahead and steer that information to a local database behind the company firewall. In its place, we use replacement data.”

Israeli-firm Porticor also believes that trust and control of data in the cloud is the problem, but its answer is all about encryption and key management. Gilad Parann-Nissany, Porticor co-founder and CEO, likens Porticor’s solution to a safety deposit box in a Swiss bank. Porticor uses encryption key-splitting technology to give the customer a master encryption key common to all data objects in an application, while Porticor keeps its own set of encryption keys-’banker keys’ as Parann-Nissany refers to them-for each data object. When an application accesses the data store, it uses both parts of the key to dynamically encrypt and decrypt the data. The master key itself is homomorphically encrypted so it is never exposed, even when in use.

“The customer has control through the customer master key and the banker works very hard to secure every file and disk,” Parann-Nissany says. “Only the combination of the customer key and the banker key will open a disk.”

Moreover, the keys in Porticor’s possession are encrypted with the master key, so Porticor can’t even access the keys without the customer.

“Suppose you’re not dealing with a hacker,” Parann-Nissany says. “Your attacker is a business rival and they go to court and get a court order for your data. Because of the nature of the solution, we have nothing. Even the banker key is not there, it’s encrypted through the master key. They have to go to the customer if they want the data.”

He added, “The banker can never see the customer key. Even when it is being combined with the other keys, it is itself encrypted through this technique. The key point is that we can manage the customer keys without ever touching them or knowing them ourselves.”

CompTIA recommends that organizations use the Cloud Security Alliance (CSA) as a resource for security questions when evaluating cloud service providers. The CSA, a nonprofit organization, has a list of more than 200 questions covering data integrity, security architecture, audits, regulatory compliance, governance, physical security, legal and more. It also publishes a top-level security roadmap for cloud operations.

Thor Olavsrud is a senior writer for CIO.com. Follow him @ThorOlavsrud.

A Tel Aviv start-up called Porticor that’s just hit the radar says it’s got a way to secure the cloud, any cloud. Fancy that, a trustworthy cloud. And Porticor delivers its data encryption solution to IaaS and PaaS users through the cloud in minutes. Fancy that.

It’s supposed to solve the biggest challenge for data encryption in the cloud – storing keys. It promises that a user’s data encryption key will never be exposed and that it can deliver data security across virtual disks, databases, distributed storage and file systems.

All this wonderfulness, called the Porticor Virtual Private Data (VPD) System, a combination of the start-up’s Virtual Appliance and Virtual Key Management Service, comes complements of its patent-pending homomorphic split-key encryption technology, which is supposed to increase security by an order of magnitude through hosted key management.

It’s supposed to be the industry’s first solution to combine data encryption with patented key management in defense of critical data in public, private and hybrid cloud environments. Users can supposedly kiss good-bye traditional data security solutions that require costly software licenses and create operational overhead. Porticor’s widgetry is a cost-effective virtual appliance that requires no encryption or key management experience to encrypt customers’ entire data layer with a proven AES 256-bit encryption algorithm.

The start-up expects the breakthrough to mitigate concerns about adopting the cloud. VPD may best be compared to a Swiss bank. Entry to a Swiss lockbox needs two keys: one in possession of the bank, the other in possession of the owner. That’s what Porticor does. It takes a patented split-key approach. Each data object, such as a disk or file, is encrypted with a unique key that’s split in two: a master key and a specific key. The master key is common to all data objects of one application and remains the possession of the application owner and is unknown to Porticor.

The second, “specific” key is different for each data object and is stored by the Porticor Virtual Key Management Service. As the application accesses the data store, Porticor uses both keys to dynamically encrypt and decrypt the data.

When the master key is in the cloud, it is said to be homomorphically encrypted – even when in use – and can never be seen in the cloud. This mathematical technique lets Porticor do key-splitting and key-joining without knowing the key. It only knows the encrypted form of the keys. By leaving one encryption with the customer Porticor differs from cloud encryption solutions that put customer encryption keys in the hands of a security vendor or cloud provider.

The widgetry complies with SOX, HIPAA, PCI DDS and GLBA, and reportedly solves the issues raised by the EU Data Protection and the US Patriot Act.

It supports Amazon’s Virtual Private Cloud (VPC), where Porticor’s virtual appliance would logically go alongside the user’s application servers so the data never leaves the VPC unencrypted. Users can also snapshot their EBS disks, which are also encrypted.

Red Hat is reportedly offering the Porticor widgetry in its Cloud Foundation. Porticor, which got started in 2010, is backed by $1 million A round from Glilot Capital. CEO Gilad Parann-Nissany said the company is working with Fortune 1000s.

Porticor introduced its Virtual Private Data (Porticor VPD) system, a solution combining data encryption with patented key management to protect critical data in public, private and hybrid cloud environments.

Until today, the requirements for securing company and customer private data stored in the cloud were not fully met, due to the issue of keys stored in the cloud not being addressed. Now, enterprises can leverage Porticor’s homomorphic split-key encryption technology to ensure the privacy of data stored in the cloud, and benefit from the industry’s only cloud data protection system that delivers data security across virtual disks, databases, distributed storage and file systems.

The Porticor VPD system is made up of the Porticor Virtual Appliance and the Porticor Virtual Key Management Service, delivering the industry’s highest level of data privacy in a public environment for data protection and compliance to regulations such as SOX, HIPAA, PCI DDS and GLBA, while also solving the issues raised by EU Data Protection and the U.S. Patriot Act.

Using a unique, patent-pending technology, Porticor enables IaaS and PaaS cloud users to create a secured environment within minutes while completely eliminating the need to trust a security vendor or cloud provider with their encryption keys, therefore solving the biggest challenge for data encryption in the cloud – storing the keys.

Unlike traditional data security solutions which require costly software licenses and operational overhead, Porticor is a virtual appliance that requires no encryption or key management experience to encrypt customers’ entire data layer with the proven AES 256-bit encryption algorithm within minutes.

Unlike today’s cloud encryption solutions which put customers’ encryption keys in the hands of the security vendor or cloud providers, Porticor’s patented Virtual Key Management service, with breakthrough split-key encryption technology, and built for homomorphic key encryption, will uniquely keep the encryption key in the customer’s control, delivering a trusted cloud-based key management system.

With Porticor’s VDP each data object, such as a disk or file, is encrypted with a unique key which is split in two: a master key and a specific key. The master key is common to all data objects of one application, and remains the sole possession of the application owner and is unknown to Porticor; while the second specific key is different for each data object and is stored by the Porticor Virtual Key Management Service.

As the application accesses the data store, Porticor uses both parts of the key to dynamically encrypt and decrypt the data. When the master key is in the cloud, it will be homomorphically encrypted – even when in use – and can never be seen in the cloud.

Data security concerns remain top of mind for CIOs considering shifting to the cloud, which has introduced a new set of complex security issues for IT teams to manage. Startup cloud data security company Porticorhas launched its data encryption service offering to protect data in public, private and hybrid cloud environments.

The Israel-based company’s data encryption service is managed in the cloud, with private data stored across a variety of storage types, including virtual disks, databases, distributed storage and file systems. Company officials said Porticor’s cloud-based security service – a patent-pending split-key encryption technology – ensure the privacy of data stored in the cloud.

Prior to launching the company two years ago, the firm’s founders said they realized that the critical issue of keys stored in the cloud was being unaddressed.

“Previous cloud data security solutions attempt to tackle only a few of the data security issues organizations face when moving to the cloud, while also introducing significant costs and overhead,” said Gilad Parann-Nissany, Porticor founder and CEO. “Porticor addresses data security in a unique way, delivering a level of trust for the security of customers’ cloud data yet unseen in the industry.”

Porticor launched in 2010, and plans to expand its U.S. presence with new offices this year. The company is venture backed, with Glilot Capital leading its recent Series A round of funding. Porticor’s initial partners included Amazon AWS and Red Hat, Inc.

The company solves a significant cloud security issue, according to Gordon England, general partner at Glilot Capital who is also former U.S. deputy Secretary of Defense and Secretary of the Navy.

“Many organizations have already realized the advantages of cloud infrastructure, but security hazards and regulation prevent many more from truly leveraging cloud benefits,” England said. “Porticor solves a major cloud security problem and has the right team and technology to best address customers’ needs.  Its combination of uncompromising security with ease of implementation and full cloud operations are very important for cloud users.  The highly innovative approach being fielded by Porticor will be critically important for a wide range of organizations.”

Porticor offers data privacy in a public environment for data protection and compliance to regulations such as SOX, HIPAA, PCI DDS and GLBA, while also solving the issues raised by EU Data Protection and the U.S. Patriot Act, company officials said. Porticor also helps IaaS and PaaS cloud users to create a secured encrypted environment while eliminating the need to trust the security vendor or cloud provider with their encryption keys.

The company’s Virtual Private Data (VPD) platform is available in several editions. Pricing begins at $27.50 per month per Porticor virtual appliance.

Data at rest has long been protected by technology called public key infrastructure (PKI), in which data is encrypted when it’s created by a public key, and only decrypted by the authorized person holding the private key. But data protection is complicated in cloud environments.

According to a new report,InformationWeek’s “Data Encryption: Ushering In a New Era”, cloud and mobility are adding new challenges to security. “The problem of mobility and cloud is it forces policies, processes and encryption technologies to have to scale to an outside device, organization, and too many more use cases,” says Michael Davis, CEO of Savid Technologies and author of the report. “This usually means the governance/audit team isn’t ready, the security team gets bogged down in details related to deployment, but in the end we don’t see users impacted too much by encryption in these spaces as the technology is usually transparent.”

A number of firms are developing technologies to address one of the top security concerns of companies considering a cloud deployment. One such company, Israeli-based Porticor, is coming out with an encryption tool that secures data managed by public cloud service providers and by companies that deliver private cloud platforms to enterprise customers. The founder and CEO says their approach to data security in the cloud is based on the concept of the safe deposit box people use to securely store valuables in a bank.

“A safe deposit box in a bank has two keys, one for the customer and the other for the banker,” says Gilad Parann-Nissany. The customer can’t open the box without the banker’s key and the banker can’t open the box without the customer’s key.

In the cloud environment, Porticor’s solution gives one key to the customer — in this case the customer who subscribes to a public cloud infrastructure as a service (IaaS) provider, or to a company that operates a private cloud for a customer under the platform as a service (PaaS) model. The provider, or “banker,” has a unique key for each application that the customer runs in the public or private cloud environment, he explains.

The safe deposit box analogy is not new in data encryption, says Scott Crawford, managing research director at Enterprise Management Associates, but he believes Porticor’s approach to protecting data in third-party-hosted resources is unique. “It is targeted to help solve the problem of balancing control over data security with reliable key management that has challenged many other approaches up to now,” he says.

But Porticor is not alone in trying to deliver a cloud data security solution. He identifies CipherCloud as a company offering a data security gateway designed specifically for cloud environments, as does Navajo Systems, a company acquired by Salesforce.com in August 2011. There are also a number of vendors that address both on-premise and cloud data security through various approaches including Vormetric, Gazzang and Voltage Security.

Porticor’s Virtual Private Data System offering is two-fold: the Porticor Virtual Appliance/Agent; and the Porticor Virtual Key Management Service. The appliance encrypts the customer’s entire data layer using the AES 256-bit encryption algorithm; pricing starts at $27.50 per month per appliance. The key management service uses the company’ patent-pending key-splitting technology to create the customer and banker keys.

The offering gives customers the security of knowing they maintain control over their data when they entrust it to the cloud, and offloads the responsibility for protecting that data from the cloud providers to Porticor. “For the first time, what we allow our customers to do here is to basically maintain privacy within a public environment. We have eliminated the dilemma of where do we store the key,” says co-founder Ariel Dan.

Porticor was founded in 2010 and its veteran start-up team spent time at SAP, Check Point Software Technologies, Websense and PortAuthority. The company is in the midst of finalizing partnerships with one major IaaS public cloud service provider and another major PaaS private cloud provider — both U.S.-based — but wasn’t ready to disclose their identities.

TEL AVIV, Israel – Feb. 15, 2012 – Porticor’, the leading cloud data security company delivering the only cloud-based data encryption solution that infuses trust into the cloud by ensuring customer keys are never exposed, today introduced the Porticor Virtual Private Data™ (Porticor VPD™) system, the industry’s first solution combining data encryption with patented key management to protect critical data in public, private and hybrid cloud environments.