AWS Startups Blog

CryptoMove on Making the Cloud More Secure and Effective for Developers

Guest post by John Spurlock, CryptoMove Business Analyst

In this article highlighting AWS’ partnership with CryptoMove, we’ll discuss how innovations like moving target defense make the cloud more secure and effective for developers.

The Second Wave of Cloud Security Innovation

The first wave of cloud security startups and innovative technologies was built around a premise that is now obsolete, namely that the cloud was a dangerous environment that required extra security measures compared to traditional on-prem deployments. Initially, cloud security services needed to make a secure environment in the cloud so that developers could take advantage of its features without risking exposing their code to malicious actors. This is no longer the case.

Now, as cloud providers invest in advanced security measures at an unprecedented rate, it has become clear that the cloud is as secure as, if not more secure than, any other option for developers and enterprises. A cloud giant like Amazon Web Services can commit far more technology, money, and engineers to its security stack than the average in-house security team could. However, cloud security is still a shared responsibility: it requires active engagement from developers to ensure that workflows strike the right balance between security and development velocity in a DevOps model. With more and more CIOs and enterprises rapidly adopting cloud-native development strategies, innovating for the second wave of cloud security is all the more important.

Moving target defense: A Cloud Security Paradigm Shift

One of the many possible innovations that can kick secure cloud development into high gear is moving target defense. Moving target data protection is a revolutionary paradigm shift in data storage pioneered by CryptoMove. The principle is simple: instead of storing high-value data in a single location and guarding it, keys and/or data are fragmented and the shards are continuously transferred between different servers within the cloud. Each piece is re-encrypted, mutated, replicated, and tracked as it moves around the distributed environment. After years of stealth R&D with the Department of Homeland Security and other early adopters, CryptoMove is bringing its moving target defense technology to the commercial market. Moving target defense is an exciting area of security research: it can be threat modeled with game theory, and its risk reduction can be quantified.
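To make the principle concrete, here is an added toy model of a moving-target store (illustrative code written for this post, not CryptoMove's implementation): a secret is split into n-of-n XOR shards placed on different nodes, and on every "tick" each shard is mutated with fresh randomness and relocated under a new identifier, so the secret can still be rebuilt from the tracked locations while a snapshot of any shard taken at an earlier time is useless. The node names, the `MovingTargetStore` class and the pairwise re-randomization step are assumptions of this example.

```python
import random
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class MovingTargetStore:
    """Hypothetical n-of-n XOR secret-sharing store whose shards are
    re-randomized and moved between nodes on every tick()."""

    def __init__(self, nodes, rng=None):
        self.nodes = {name: {} for name in nodes}  # node -> {shard_id: bytes}
        self.index = {}                             # secret_id -> [(node, shard_id)]
        self.rng = rng or random.Random()

    def put(self, secret_id: str, data: bytes, n_shards: int) -> None:
        # n-1 random shards; the last one makes the XOR of all shards equal data.
        shards = [secrets.token_bytes(len(data)) for _ in range(n_shards - 1)]
        last = data
        for s in shards:
            last = xor(last, s)
        shards.append(last)
        self._place(secret_id, shards)

    def _place(self, secret_id: str, shards) -> None:
        # Requires at least as many nodes as shards (assumption of this toy).
        targets = self.rng.sample(list(self.nodes), len(shards))
        self.index[secret_id] = []
        for node, shard in zip(targets, shards):
            shard_id = secrets.token_hex(4)          # fresh id: old handles go stale
            self.nodes[node][shard_id] = shard
            self.index[secret_id].append((node, shard_id))

    def get(self, secret_id: str) -> bytes:
        out = None
        for node, shard_id in self.index[secret_id]:
            shard = self.nodes[node][shard_id]
            out = shard if out is None else xor(out, shard)
        return out

    def tick(self) -> None:
        """Mutate every shard (XOR of all shards is unchanged because each
        random mask is applied to two shards) and move it to a new node."""
        for secret_id, locs in list(self.index.items()):
            shards = [self.nodes[node].pop(sid) for node, sid in locs]
            for i in range(len(shards)):
                mask = secrets.token_bytes(len(shards[i]))
                shards[i] = xor(shards[i], mask)
                j = (i + 1) % len(shards)
                shards[j] = xor(shards[j], mask)
            self._place(secret_id, shards)
```

Calling `tick()` on a schedule is what turns a static datastore into a moving target; only the coordinator's index can still assemble the secret afterwards.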

Cloud-native development is exciting because it can take theoretical ideas like moving target defense and turn them into real, practical products and solutions. Further, the fact that the cloud is the most secure option on the market does not mean that new technologies in cloud security are unnecessary. Innovations within the cloud can provide more effective, secure, and valuable uses of the new resources opened up by cloud services like AWS. Even if old security strategies like encryption have been successfully ported to the cloud, these approaches do not come close to giving developers the full mileage they could be getting out of the cloud environment. It’s like being re-routed onto the Autobahn but still driving 50 mph.

Starling flocks exhibiting “murmuration” are a surprisingly good visual metaphor for Moving Target Defense.

Keys and secrets management in cloud-native development

Additionally, cloud-native development creates new security risks which require new kinds of solutions. For instance, cloud developers have to manage an increasingly large number of keys and secrets like API keys, SSL certs, and other tokens which can be critical entry points for attackers. Without a secure vault for these keys and easy ways to authenticate access to them, developers will be creating more risks for themselves as they generate more keys and leave them unprotected. CryptoMove’s Tholos product sets out to address exactly this problem by adding an extra layer of defense to the most valuable targets: keys and secrets. (See CryptoMove’s review of secrets management solutions and best practices here.)

Extra Mileage in the Cloud

While there are obvious advantages in terms of security, moving target defense also provides secondary benefits that cannot be achieved by the data-at-rest solutions traditionally used in on-prem deployments. For instance, CryptoMove can actually increase the speed of encryption and decryption operations, since it uses parallel processing to divide the reads and writes across many different servers working on small fragments instead of having one machine handle a large file.

Additionally, CryptoMove builds on the cloud’s natural strengths in scalability while increasing security at scale. In a traditional deployment, every machine added to the cloud becomes a new point of vulnerability, since all the data in the cloud will be synced locally to that machine. With CryptoMove, each machine, and even each piece of data and/or key saved into the store, adds greater security to the entire decentralized datastore, since it increases the number of nodes to which the data fragments can move, increasing entropy within the system. (More on this theory can be found here.)

These sorts of innovations take advantage of the scalability that the cloud can offer, enhancing performance and security by disrupting traditional storage protocols. The cloud may already be more secure than on-prem deployments, but it can be much more effective and secure when it is used as a platform for innovations like moving target defense.

CryptoMove and AWS Partnership

CryptoMove was selected as a top 10 startup at AWS re:Invent, and we learned so much from the conference. We discussed our underlying platform and commercial use cases with hundreds of developers, getting insight into what features would be useful and what possible use cases might emerge. At AWS re:Invent, CryptoMove launched a private beta and signed up hundreds of developers from top tech companies, financial institutions, hotels, airlines, health care, startups, and more. We’re excited to work further with AWS to bring advanced moving target defense technology to the cloud. Together we can bring a new wave of innovation to make data storage even more secure.