Secure Cloud Authentication with Private – Public Keys

You cannot ignore the various cloud-based services that most enterprises use on a daily basis. Some of these services use password authentication, but many of them use public and private keys for authentication.

The use of public/private keys has increased; they are now used by a number of protocols and applications. The primary reason is better security, since a key pair provides much stronger authentication than a password chosen by a user. To provide cloud services securely, we have to ensure we are properly protecting our public/private keys.


Some business areas where public/private keys are used:

The most common use of public/private key pairs is by applications hosted on cloud-based dedicated servers. You simply rent a dedicated server from a cloud service provider such as Microsoft Azure or Amazon Web Services. All it requires is a bank account and a few mouse clicks to get a dedicated server up and running in a matter of minutes.

Administrators interact with these servers through the SSH daemon. Secure Shell (SSH) is a cryptographic network protocol that allows remote login and other network services to operate securely over an unsecured network. You use public/private keys to secure access to your application while password authentication is disabled.

Key pairs are also often used in banks and other financial institutions, where the web application issues a new key for every user who is given access to the service.

Developers use key pairs to authenticate with their private key when pushing or pulling source code in the cloud environment. Cloud tools simplify the installation and maintenance of source code repositories.

Understanding Key Security

Asymmetric encryption uses a public and a private key to authenticate a system or to encrypt and decrypt data in transit. The public key can be shared freely, since it is only used to encrypt data; only the matching private key can decrypt it. Keys are generated with specific commands, such as ssh-keygen, which accept various arguments to fine-tune the key generation process.

Ways to improve security of public and private keys:

  1. Use password-protected keys.

It is important to choose a strong passphrase when generating the private key, to protect it from unauthorized use. An attacker who has gained access to the machine that stores the private keys will eventually be able to read them, and an unencrypted private key gives the attacker access to the cloud-based system.

The attacker can gain access to the machine through various techniques, for example by uploading a shell through a vulnerability in the web application. This gives partial access to the underlying file system, including the directories where administrators often place the private keys used to authenticate to other cloud-based systems.

This emphasizes the importance of encrypting the private keys with an additional strong passphrase, which prevents the attacker from using them to gain access to other systems.

  2. Use a strong key.

When creating the private key, you can instruct the ssh-keygen command to create a key of a given size in bits, for example 1024, 2048 or 4096. RSA private keys are usually constructed from two randomly generated prime numbers. The strength of this public/private key encryption lies in the fact that it is very easy to calculate the product of two randomly chosen primes, but difficult to determine which two primes were used when only their product is known.

It is advisable to choose a 4096-bit key, which is currently considered secure: the key space is large enough to prevent an attacker from brute-forcing the key in real time.

  3. Reduce the login time.

Using passphrase-protected keys means entering the passphrase every time the private key is used. The ssh-agent, which stores the decrypted private key in memory for the duration of the session, reduces the time it takes to authenticate to a system.
The decrypted key can then be used to authenticate to the cloud service without entering the passphrase again. The decrypted version of the key exists only in the memory of the ssh-agent process, while the file on the file system remains encrypted. An attacker with access to the file system can only steal the encrypted version of the private key.

  4. Back up your keys.

Creating a backup is a good idea when you rely on a number of public/private key pairs to authenticate to cloud-based services. Otherwise, if the keys are lost through a hard drive failure or an accidental file removal, the user can no longer authenticate to the cloud-based service.

Failing to back up the keys properly can result in getting locked out of the cloud service. Contacting the cloud service provider can restore access to the system, but the process is long and cumbersome. In the worst case, access to the system is lost completely. This can happen if everything is encrypted in the cloud and the cloud service provider does not have any access to the system or files.
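As an added example (not code from the original post), here is a small stdlib-only Python audit that applies point 1 above to private key files already present on a client: it parses the three on-disk formats ssh-keygen writes to tell whether a key is passphrase-protected, and checks that the file mode keeps the key owner-only. The function names and the sample key headers are constructed for this example.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # magic prefix of the current OpenSSH key file format

def _ssh_string(buf: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(pem: str) -> bool:
    """True if the key file content is passphrase-protected (openssh-key-v1, PKCS#8 or legacy PEM)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _ssh_string(body, len(OPENSSH_MAGIC))  # first field is the cipher name
        return cipher != b"none"  # "none" means the key material is stored in the clear
    if "ENCRYPTED PRIVATE KEY" in lines[0]:  # PKCS#8, encrypted variant
        return True
    # legacy PEM (RSA/DSA/EC): encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)

def mode_is_private(mode: int) -> bool:
    """True when group and others have no permission bits (0600 or stricter)."""
    return (mode & 0o077) == 0

def audit_key(pem: str, mode: int) -> list:
    """Findings for one private key file; an empty list means it passes both checks."""
    findings = []
    if not key_is_encrypted(pem):
        findings.append("private key is not passphrase-protected")
    if not mode_is_private(mode):
        findings.append("file mode %o allows group/other access" % mode)
    return findings

def _sample_openssh_key(cipher: bytes) -> str:
    """Constructed sample: only the openssh-key-v1 header fields, not a usable key."""
    def s(b): return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    body = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

UNPROTECTED_KEY = _sample_openssh_key(b"none")      # header of a key generated with an empty passphrase
PROTECTED_KEY = _sample_openssh_key(b"aes256-ctr")  # header of a passphrase-protected key
LEGACY_ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,"
                        "00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")  # constructed
```

To audit a real client, read each file under ~/.ssh, pass its content and `os.stat(path).st_mode & 0o777` to `audit_key`, and treat any non-empty result as a key to re-encrypt (`ssh-keygen -p`) or re-permission.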

The use of public and private keys has increased, and many cloud-based services now use them instead of passwords to authenticate systems, as they provide much better security. Properly securing the public and private keys is therefore necessary to prevent attackers from gaining access to the cloud service.

There are ways to protect the public and private keys on the client so that even if an attacker compromises the client, the keys cannot be used. Keep in mind that an attacker who has obtained the private keys can authenticate to the cloud service and perform many malicious actions, such as stealing user data, decrypting sensitive information and disrupting the service.

For more details or information, connect with us at info@sysfore.com or call us at +91-80-4110-5555. Website: www.sysfore.com

Panama Paper Leaks: Is Data Security at Risk in the Future?

By now, you have probably heard about the Panama Papers leak, which leaked (and continues to leak) the names of high-profile persons who used fake companies to hide their wealth and/or avoid taxes.

In this huge data leak, around 1.5 million documents were leaked from the law firm Mossack Fonseca, exposing how the rich and powerful allegedly hide their money across the globe.

The 11.5m files, which date back as far as the 1970s, were obtained from an anonymous source by Süddeutsche Zeitung, a German newspaper. They were then passed on to the International Consortium of Investigative Journalists (ICIJ), a US-based group, and distributed to various journalists and media organizations worldwide for analysis.


How these files were obtained remains a mystery, but it is safe to assume that it was an inside job, which required privileged access to this huge amount of data. The anonymous source provided 2.6 terabytes of data, more than the Wikileaks Cablegate, Offshore Leaks, Lux Leaks and Swiss Leaks combined.

Prevention is better than cure; so you might as well get in touch with Sysfore to know more about securing your cloud data.

So how safe is your data?

Can anyone with IT privileges and access get hold of your data? Where does your organization's data security figure in this chaos? There is too much data, and too many ways for security breakdowns to occur. What will your company do to prevent these breakdowns?

It is this question that should be getting more attention, especially from anyone who handles IT or security duties.

One theory circulated about how the Panama Papers breach happened attributes it to sloppy patching and outdated plug-ins.

Mossack Fonseca used WordPress on its main website and Drupal on the customer portal used to share sensitive information, and both sites ran outdated versions, according to an extensive analysis by the team behind Wordfence, a WordPress security plug-in.

Lessons learned from the Panama Paper Leaks:

There are fundamentally two key aspects to securing data:

  • Access – who has the right to the data. Broadly speaking, this is authentication (user ID, password, and perhaps other methods and validations).
  • Protection – who is the guardian of the data and who is responsible for it, and what precautions are taken should someone break into a server or an unscrupulous employee copy the data.

This wake-up call on data security has made organizations take extra precautions and upgrade their existing security measures.

Prioritize your data – Know what data is valuable to you and your customers, and set data protection accordingly. Set up Identity and Access Management (IAM) for all levels of your personnel and ensure it is not violated. You can use either Amazon or Azure cloud IAM.

Data redundancy and replication – Spread your data across multiple infrastructures and locations to protect your information. Ensure the latest technologies are employed, and phase out your old legacy defenses and networks.

Educate employees – Train your employees on the latest security software and its use, so that they can recognize and spot a leak, and block and report any suspicious attack.

The Panama Papers leak is just the tip of the iceberg. If organizations want to safeguard their data in the future, they must bolster the perimeter, use different authentication methods, educate employees and understand the strategy needed in a world where data, specifically stolen data, could be the end of your business and reputation.

You can employ Sysfore’s expertise in Cloud Security to boost your data security measures.

Give us a call at +91-80-4110-5555 or mail us on info@sysfore.com, to know more.

5 Big Cloud Security Features for Enterprise Use

Cloud computing is still an emerging technology, with people still discovering its true potential. One important feature that draws attention is cloud security.

Cloud computing can help businesses cut costs in any number of ways, but the information that cloud systems handle is varied and confidential, and requires strong security measures to be in place.

Talk to Sysfore’s Cloud Specialists and we’ll ensure your Cloud Security is top grade. Book an appointment now.

Here are some of the biggest security features that cloud providers use to protect client data and make systems effectively secure against hacking and unauthorized access.


Multi-Factor Authentication

Multi-factor authentication is a major component of user security for cloud systems, which are often deployed across many different business locations and individual access points. Essentially, it means authenticating users in a combination of ways. Using multiple authentication strategies, or factors, creates better security for digital systems.

In general, multi-factor authentication combines different categories of security inputs. One category is the password, an intangible secret that someone creates and uses for access. Another category is a physical possession, such as a traditional key, a key card or even someone's mobile device.

A third category of security is biometrics, which focuses on things inherent to an individual's body. Unlike the two categories above, biometric security components cannot be lost or misplaced. Biometrics uses things like fingerprint scanning, voice recognition and facial imaging.

Multi-factor authentication requires two or more of these different security components to work together, which makes systems much more secure.

Identity and Access Management

This category of security is closely related to authentication, but it works a bit differently. It gives businesses a way to assign access and privileges to the individual identities that will be authenticated within the system. If multi-factor authentication is the method of access, then identity and access management is the assignment of clearances, the "permission vehicle" for letting people into the system.

Cloud services should incorporate this design so that managers can think carefully about what information people need access to and assign access based on those considerations. It is important that the people doing the work can get into the system to do their jobs, but the system must also keep a lid on sensitive data and ensure that it is distributed to as few people as possible.

Encryption Standards and Key Handling Tools

Encryption is a core component of cloud security. In various ways, cloud providers encrypt data so that it cannot be stolen or leaked as it makes its way to and around the cloud. Each cloud company will have its own encryption standard, and stronger encryption generally means better security.

Encryption standards and key handling should be a focus for enterprises. Encryption systems typically use sets of encryption keys that allow authorized use of the data. Businesses can opt for Amazon Web Services or Azure, both of which offer a set of key management tools. Some cloud providers also offer key management services of their own that not only encrypt data but also preserve the right kinds of access.

Cloud Encryption Gateways

It is also important to work out how and when data is encrypted and when it is decrypted, because without decryption, valuable data becomes useless to those who need to handle it.

A cloud encryption gateway is very much like a virtual private network (VPN). It provides a secure tunnel for data from one specific point to another. In VPN systems, data is encrypted as it leaves a private network and makes its way through the public Internet, and decrypted on the other side, which is why people refer to it as a "security tunnel" for data.

A cloud encryption gateway acts the same way. It provides a consistent means of encrypting data as it leaves the private network and enters the cloud. It serves both as an effective security measure and as a way of maintaining compliance if regulators start looking into how a company handles its data.

Mobile Platform Security

Cloud security also needs to address the rapidly growing area of IT that so many of us now use for all kinds of computing and transactions: mobile. The mobile arena is becoming more and more a part of our lives, and cloud services need to anticipate the challenges of keeping data safe while it travels to and from mobile endpoints.

A cloud mobile strategy needs to look at effective encryption and at any vulnerabilities inherent in mobile operating systems or commonly used mobile applications, and providers should be able to explain these to clients in a way that does not make their heads spin.

You can contact us at info@sysfore.com or call us at +91-80-4110-5555 to better understand the cloud security requirements for your enterprise.