Security++: Hide your secrets via a distributed Hardware Security Module (HSM)

Iris Ding, Cloud Software Engineer
Malini Bhandaru, Senior Principal Engineer

Thanks to my colleagues: Qiming Liu, Huailong Zhang, Xintong Chen, Xin Huang, Ruijing Guo, Ruoyu Ying, Changran Wang, Forrest Zhao, Sood Kapil, Poussa Sakari, Puustinen Ismo, Valluri Amarnath, Venkatasubramanian Sankaranarayanan

Agenda
- Cloud HSM and Challenges
- Distributed HSM
- Use Cases

Hardware Security Module (HSM)
A physical computing device that safeguards and manages secrets (most importantly digital keys), performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. Traditionally a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.
Source: https://en.wikipedia.org/wiki/Hardware_security_module

HSM Market
Expected to reach USD 2.0 Billion by 2028, growing at a CAGR of 13.1%.
Driven by:
- Growing data breaches and cyberattacks
- Increasing demand for data security in cloud environments
*Data source: https:/

Cloud HSM
Pros:
- Lower cost from sharing
- Flexibility and simplicity
Cons:
- Higher latency crypto operations
- Lower transaction rate (TPS)
- Migration difficulty
- No substitutes on edge

Distributed HSM
- Where you need it, sized to your needs
- Highly secure, even at the edge
- Lower latency and greater throughput
- Lower cost
How? Using Trusted Execution Environments!

Trusted Execution Environments (TEEs)
- Hardware and firmware supported confidentiality and integrity of code and data
- Protect even from privileged processes (OS, hypervisor, ...)
- Demonstrate trust: quotes and attestation
- Data at rest, data in motion, data in use
(Diagram: APP and TEE run as SECURE on the CPU, which is trusted; the operating system and virtual machine monitor are untrusted.)

Intel SGX: a process-based TEE
- Memory encryption
- Access control
- Remote attestation
- Sealing
https:/

Use Case 1: Istio Service Mesh (mTLS and Gateways)
https:/
- Distributed HSM via SGX enclave
- Local crypto operations
- Credentials can be synced from remote HSM or locally generated

Use Case 1 - Istio Service Mesh (mTLS control plane)
BEFORE:
- Leverage external CA
- Private keys are in clear text
- Private keys are generated locally
AFTER:
- Leverage external certificate authority
- Private keys never exposed in clear text
- Signed cert issued on enclave verification
- Crypto operations locally

Use Case 1 - Istio Service Mesh (gateway control plane)
BEFORE:
- Private keys are in clear text
- Private keys are uploaded externally
AFTER:
- Private keys never exposed in clear text
- Keys uploaded only if enclave attestation verified
- Crypto operations happen locally

Use Case 1 - Istio Service Mesh (data plane)
BEFORE:
- Crypto operations using the private keys in memory
AFTER:
- Private keys never exposed in clear text
- Keys uploaded only if enclave attestation verified
- Crypto operations happen locally

Use Case 2: Certificate Authority (CA)
(Diagram components: Trusted Certificate Service; Quote Attestation Controller; tcs issuer; go crypto; crypto11; sgx enclave; QA controller; Attestation plugin; Attestation Service; Certificate Signing Request (CSR); Cloud HSM or key store.)
https:/
- Credentials can be synced from remote HSM or locally generated
- Crypto operations happen in local SGX enclave
- Credentials synced only if enclave attestation verified

Use Case 2 - Certificate Authority Flow

Use Case 2 - Certificate Authority Sample Usage

Future Steps
- Unified API
- Crypto operations happen in local distributed HSM
- Distributed HSM Adapter: AWS Cloud HSM, Azure Managed HSM, Google Cloud HSM, corporate on-prem HSM, IBM Cloud HSM

Resources
https:/

Join Us!

Thank you
Please scan the QR code above to leave feedback on this session.
11、ehttps:/ Credentials can be synced from remote HSM or locally generatedCrypto operations happen in local SGX enclaveCredentials synced only if enclave attestation verifiedUse Case 2-Certificate Authority FlowUse Case 2-Certificate Authority Sample UsageFuture StepsUnified APICrypto operation happened in Local distributed HSMDistributed HSM AdapterAWS cloud HSMAzure managed HSMGoogle cloud HSMCooperate on-prem HSMIBM Cloud HSMResourceshttps:/ Us!Thank youPlease scan the QR Code aboveto leave feedback on this session