cloud security and privacy

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. Tim Mather; Subra Kumaraswamy, Sun; Shahed Latif, KPMG

Upload: tmather

Post on 12-May-2015


DESCRIPTION

Presentation based on the book "Cloud Security and Privacy" by Tim Mather, Subra Kumaraswamy, and Shahed Latif.

TRANSCRIPT

Page 1: Cloud Security And Privacy

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance

Tim Mather
Subra Kumaraswamy, Sun
Shahed Latif, KPMG

Page 2: Cloud Security And Privacy

© 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif

What We Do Not Discuss

• Existing aspects of information security which are not impacted by ‘cloud computing’
• Consumer aspects of cloud computing

Page 3: Cloud Security And Privacy

What We Do Discuss

• Infrastructure Security
  • Network-level
  • Host-level
  • Application-level
• Data Security
• Identity and Access Management (IAM)
• Privacy Considerations
• Audit & Compliance Considerations
• Security-as-a- [Cloud] Service (SaaS)
• Impact on the Role of Corporate IT

Where Risk Has Changed: ±

Page 4: Cloud Security And Privacy

Components of Information Security

Information Security – Infrastructure
• Network-level
• Host-level
• Application-level

Information Security – Data
• Encryption (transit, rest, processing), lineage, provenance, remanence

Security Management Services
• Management – ACL, hygiene, patching, VA, incident response
• Identity services – AAA, federation, provisioning

Page 5: Cloud Security And Privacy

Cloud Computing: Evolution

Page 6: Cloud Security And Privacy

Cloud Pyramid of Flexibility

Page 7: Cloud Security And Privacy

Infrastructure Security – currently

• Trust boundaries have moved
  • Specifically, customers are unsure where those trust boundaries have moved to
• Established model of network tiers or zones no longer exists
• Domain model does not fully replicate previous model
• No viable, scalable model for host-to-host trust
• Data labeling / tagging required at application-level
• Data separation is logical not physical

Page 8: Cloud Security And Privacy

Infrastructure Security – going forward

• Need for greater transparency regarding which party (CSP or customer) provides which security capability
• Inter-relationships between systems, services, and people need to be addressed by identity management

Page 9: Cloud Security And Privacy

Data Security – currently

• Provider’s data collection efforts and monitoring of such (e.g., IPS, NBA)
• Use of encryption
• Point-to-multipoint data-in-transit an issue
• Data-at-rest possibly not encrypted
• Data being processed definitely not encrypted
• Key management is a significant issue
• Advocated alternative methods (e.g., obfuscation, redaction, truncation) are nonsense
• Data lineage
• Data provenance
• Data remanence

Page 10: Cloud Security And Privacy

Data Security – going forward

• Large-scale multi-entity key management
  • Must scale past multi-enterprise to inter-cloud
  • Not just hundreds of thousands of systems or even millions of virtual machine images, but billions of files or objects
  • Must not only handle key management lifecycle (per NIST SP 800-57, Recommendation for Key Management), but also
    • Key recovery
    • Key archiving
    • Key hierarchies / chaining for legal entities
• Fully homomorphic encryption
  • Potentially huge boon to cloud computing
  • Will increase need for better key management

Page 11: Cloud Security And Privacy

IAM – currently

• Generally speaking, poor situation today:
  • Federated identity widely not available
  • Strong authentication available only through delegation
  • Provisioning of user access is proprietary to provider
  • User profiles are limited to “administrator” and “user”
  • Privilege management is coarse, not granular

Page 12: Cloud Security And Privacy

IAM – going forward

• Emerging identity-as-a-service (IDaaS) needs to evolve beyond authentication
• SAML, SPML and XACML (especially) need to be more fully leveraged
• Increasing need for user-to-service and service-to-service authentication and authorization (OAuth)

Page 13: Cloud Security And Privacy

Privacy – currently

• Transborder data issues may be exacerbated
  • Specifically, where are cloud computing activities occurring?
• Data governance is weak
• Encryption is not pervasive
• Data remanence receives inadequate attention
• CSPs absolve themselves of privacy concerns: ‘We don’t look at your data’

Page 14: Cloud Security And Privacy

Privacy – going forward

• Privacy laws are inconsistent across jurisdictions; need global standard
• Need specific requirements for auditing (e.g., AICPA/CICA Generally Accepted Privacy Principles – GAPP)

Page 15: Cloud Security And Privacy

Audit & Compliance – currently

• Effectiveness of current audit frameworks questionable (e.g., SAS 70 Type II)
• CSP users need to define:
  • their control requirements
  • understand their CSP’s internal control monitoring processes
  • analyze relevant external audit reports
• Issue is assurance of compliance

Page 16: Cloud Security And Privacy

Audit & Compliance – going forward

• Inter-cloud (i.e., cross-CSP) solutions will demand unified compliance framework
• Volume, multi-tenancy of cloud computing, demand that CSP compliance programs be more real-time and have greater coverage than most traditional compliance programs

Page 17: Cloud Security And Privacy

Security-as-a-Service – currently

• Some offerings mature
  • E-mail filtering, archiving
  • Web content filtering
• Some offerings still emerging
  • (E-mail) eDiscovery
  • Identity-as-a-Service (IDaaS)
  • Encryption, key management
• Today’s security-as-a-service providers sell to CSP customers, not CSPs
• None of today’s CSPs offer security-as-a-service as integrated offering

Page 18: Cloud Security And Privacy

Security-as-a-Service – going forward

• Horizontal integration
  • Pure play SaaS providers will broaden offerings beyond e-mail + Web content filtering
• Vertical integration
  • CSPs will offer SaaS as integrated offering
• IDaaS has to scale effectively for cloud computing to truly take off
• Complexity of key management screams for SaaS offering

Page 19: Cloud Security And Privacy

Impact on Role of Corporate IT – currently

• Governance issue as internal IT becomes “consultants” and business analysts to business units

• Delineation of responsibilities between providers and customers much more nebulous than between customers and outsourcers, collocation facilities, or ASPs

• Cloud computing likely to involve much more direct business unit interaction with CSPs than with other providers previously

Page 20: Cloud Security And Privacy

Impact on Role of Corporate IT – going forward

• Relationship between business units and corporate IT departments vis-à-vis CSPs will shift greater power to business units from IT

• Number of functions performed today by corporate IT departments will shift to CSPs, along with corresponding job positions

• Functions performed by corporate IT departments will shift from those who do (i.e., practitioners who build or operate) to those who define and manage

• IT itself will become more of a commodity as practices and skills are standardized and automated

Page 21: Cloud Security And Privacy

Conclusions

• Part of customers’ infrastructure security moves beyond their control
• Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than customers’ expectations
• Data security becomes significantly more important – yet provider capabilities are inadequate (except for simple storage which can be encrypted, and processing of non-sensitive (unregulated and unclassified) data)

Page 22: Cloud Security And Privacy

Conclusions (continued)

• IAM is less than adequate for enterprises – weak authentication unless delegated back to customers or federated, weak authorization, proprietary provisioning
• Because of above, expect significant business unit pressure to desensitize or anonymize data; expect this to become a chokepoint
  • No established standards for obfuscation, redaction, or truncation

Page 23: Cloud Security And Privacy

What’s Good about the Cloud?

• A lot! Both for enterprises and SMBs – for handling of non-sensitive (unregulated and unclassified) data
• Cost
• Flexibility
• Scalability
• Speed

Page 24: Cloud Security And Privacy

Developments to Watch

• VMware’s vCloud API − submitted to DMTF
• Amazon’s Virtual Private Cloud − hybrid cloud that extends private cloud through “cloud bursting”
• Security-as-a-Service offered by CSPs (e.g., Amazon’s Multi-Factor Authentication)
• Cloud Security Alliance v2 white paper
• Slow transparency and assurance from CSP (e.g., ISO 27002-based assurance)
• IT governance framework that blends ITIL, ISO 27002, CObIT

Page 25: Cloud Security And Privacy

Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance

Continue the discussion on-line at: cloudsecurityandprivacy.com