Cloud Backup
 

We`re just sending through your details

Please give us a few moments whilst we get your account ready.

OKAY

How Safe Are Your Backup Encryption Keys?

How Safe Are Your Backup Encryption Keys?

posted in Product ● 2 Feb 2016

In a private experiment at Worcester Polytechnic Institute, Amazon Web Services (AWS) got mud on their faces when a group of academics were able to sneak a peek at encryption keys temporarily stored in CPU cache. And in other news, HP has withdrawn from the public Cloud arena citing reasons of cloud-investment prudence. Oracle, on the other hand, are jumping in with both feet citing reasons of making loads and loads of money.

Wait, what? Encryption keys were stolen how?

Yes, a few well-intentioned professors were able to leverage an RSA encryption library vulnerability to scan the cache of the CPU on a machine hosting several VMs. After sifting through the heaps of information contained in said cache, they managed to glean the RSA encryption keys used by the adjacent VMs. Fortunately, their report reveals that this technique could be used on other multi-tenant cloud environments – unfortunately AWS were the lab mice this time around. The vulnerability has since been patched.

This illustrates how cloud security can be taken for granted. In an article by Network World, Yehuda Lindell, chief scientist and co-founder of security firm Dyadic, was quoted saying, “Although a difficult attack to carry out, this further highlights the fact that secret keys are vulnerable, wherever they may be. They are even more vulnerable in cloud and virtualised environments where you have less direct control. This specific attack may be prevented by appropriate patching… However, the type of attack is almost impossible to completely prevent.”

The best defence…

Since your backup solution is already a line of defence against data loss, you’ll need to ensure it cannot be easily compromised. So how does one attempt to “completely” prevent these types of attacks, especially concerning cloud-based backup?

  1. Your first salvo is still the encryption key – ensure that all backup data stored on a collocated or multi-tenanted environment is encrypted with a symmetric key algorithm such as AES. One caveat though: your backup data should always remain in encrypted form on the server and should only ever be decrypted on the client where the data is restored. This circumvents any CPU snooping done in the cloud.
  2. Patching security vulnerabilities is ideally the best solution but one has to become aware of the vulnerabilities somehow and the fix must be available, which it isn’t always.
  3. Alternatively, avoid using shared clouds a.k.a. elastic cloud storage. Consider having your backup solution hosted on a dedicated instance i.e. where VMs are isolated at host-level. Most cloud providers will be able to accommodate this.
  4. AWS recommend using, and provide, Hardware Security Modules (HSM). These devices are external to the host system and safeguard digital encryption keys by isolating them from the computing environment. HSMs prevent key tampering and bus probing.

A stitch in time…

So you see, your backup encryption keys might not be as safe as you thought. With all the other cloud-security considerations and mitigations to be aware of, if you can take these precautions, it will be one less thing to worry about in keeping your backup data safe from attack.

Bocada support for Redstor improves backup monitoring and revenue opportunities for MSPs

Reading, United Kingdom, September 23, 2021Redstor, a global data management and protection SaaS business, today announced a partnership with Bocada LLC, an award-winning IT automation company, to provide MSPs with greater visibility over customer environments and increase their revenue opportunities. 

Continue reading

XTECH and Redstor enter strategic partnership

Reading, 15 September 2021 – Redstor and XTECH announce a strategic partnership to protect customers’ traditional infrastructure as well as cloud and SaaS data from a single app.

Continue reading

How machine learning combats threats like the Kaseya ransomware attack that targeted MSPs

The recent ransomware attack on Kaseya, a cloud-based IT and security management provider services company that supplies tech-management tools to customers worldwide, has the potential to be the most serious cyber-criminal incident this year.

Continue reading

Download The Ultimate MSP Growth Guide

  • This field is for validation purposes and should be left unchanged.