Upload File

cloud security camp 2016 final - boston university · [email protected] • educate and...

  • Home
  • Documents
  • Cloud Security Camp 2016 Final - Boston University · [email protected] • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you
22
Security Camp 2016 Cloud Security August 18, 2016

Upload: others

Post on 22-May-2020

3 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Security Camp 2016 Cloud Security

August 18, 2016

Page 2: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

What I’ll be discussing • Cloud Security Topics

• Cloud overview • The VPC and structures• Cloud Access Methods • Who owns your data?• Cover your Cloud trail? • Protection approaches• Encryption? • Breach?• EXIT stage left?• Not covering OS level stuff• No Containerization stuff

Information Services & Technology

2

August 18, 2016

Page 3: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud 101- The Cloud

Information Services & Technology

3

August 18, 2016

Page 4: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud 201 – The VPC

Information Services & Technology

4

August 18, 2016

Page 5: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

More complicated example

Information Services & Technology

5

August 18, 2016

Page 6: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Access Methods

Information Services & Technology

6

August 18, 2016

Page 7: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Who owns your data?

Information Services & Technology

7

August 18, 2016

Page 8: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security ModelsUnderstand the shared responsibility model

• Ensure cloud consumers and BU teams represent the shared security model for cloud in projects.

Information Services & Technology

8

August 18, 2016

Page 9: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud environment separation

Information Services & Technology

9

August 18, 2016

Page 10: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Computing Reference Architecture 2.0

Information Services & Technology

10

August 18, 2016

Page 11: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security Reference Architecture

Information Services & Technology

11

August 18, 2016

Page 12: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security Topics

• Require Encryption in transit and at rest from cloud providers• Bi directionally and from cloud to cloud (use

appropriate service s3,rds,etc.) • AWS AZ to AZ, Region to Region ARE NOT

ENCRYPTED• Use EBS Encryption for block encryption • Strong encryption options required• Some providers require extra tools (SaaS, IaaS) • Start with CSP Managed Keys (Simplified) but

study a CloudHSM• FIPS 140-2 Level 2 certified • Highly secure flash device (AWS Indicates it

is NOT a key management system)

Information Services & Technology

12

August 18, 2016

Page 13: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security Workloads

• Require cloud workloads to be vulnerability scanned• Superior providers

have toolsets for workload and instance level scanning. Require their use.

• Require all custom BU created templates to be security scanned prior to use and over a frequency

• Review vulnerability disclosures from CSP

• Review instance security

Information Services & Technology

13

August 18, 2016

Page 14: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security History Lesson

• Require activation of logs and send them to the security target• cloud trails, VPC

flowlogs for AWS –Require xx days in archsite and yy days at provider

• Only cost is S3 storage of the log files – Build into project budgets

Information Services & Technology

14

August 18, 2016

Page 15: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security IAM

• Require IAM for access to the provider and multi-factor authentication• Make person responsible for

the architecture document and implement IAM policy

• Extract and store ROOT Keys within Enterprise Architecture and Systems Cloud Team

• Federate IAM when possible• Use RBAC where possible • Ensure MFA is enabled and

audit on a regular frequency

Information Services & Technology

15

August 18, 2016

Page 16: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security ITIL• Require strong access for actions

requiring infrastructure changes • Changes to the infrastructure must

be documented and communicated via RFC to change manager and approved

• Changed to VPC IGW/Peering must be approved by your central security team

Information Services & Technology

16

August 18, 2016

Page 17: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security forensics • Require security groups and private subnets that

peer to send logs “home”

• Log (for example)• API Calls• CloudTrail• Console • S3, EC2, Other • Elastic Load Balancer Logs• Cloud Front Content client facing logs

• Monitoring and alerting (for example)• Advanced metering infrastructure changes• ACL security rule changes• EBS volumes made public• ANY monitoring disabled • CloudTrail logging disabled• Limits alert or too many instances created, started• ANY new users created and credentials assigned• IAM adds of users to groups , account policy changed• API access keys created/deleted/rotated• If not federated / user password changed• DB instance deleted • Cost optimization changes including, bill increases / resources• Password guessing attempts• Encryption Keys created/enabled/deleted• Implement autonomic thread based on velocity or known bad IP

• Implement an account de-provisioning policy for breach or staff separation

Information Services & Technology

17

August 18, 2016

Page 18: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security Tooling

• Require regular cloud scanning reports (SaaS, IaaS, etc.)• Contracts should include the language • Cloud providers will produce reports or EA&S

teams

• Evaluate the use of Cloud Access Security Brokers• Provide API level protection to cloud service

environments.• Apply pressure to current security vendors to

provide native support for CSPs.

• Ensure you have exit language in your contracts providing a grace period for post contract termination retrieval of data

Information Services & Technology

18

August 18, 2016

Page 19: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

v Network Integration Considerations:• Internet2 • VPN/IPSEC • NAT • Routing • Proxy• Public vs Private IP• Reporting • Security

Information Services & Technology August 18, 2016

Page 20: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security Strategy • Standardize platform creation using architecture

patterns and Change Detection

• Ensure cloud workloads are not exposed to patching delays• Adopt an ephemeral approach to instance

patching utilizing automation• Set a requirement in days (Max XX?) for patch

application.• Adopt managed services where possible and

contractually lock patch frequencies

• Create a breach workflow • Assume a compromise will occur and develop a

workflow with responsibilities and signoffs• Understand notification process for CSP e.g.

[email protected]

• Educate and ensure cloud consumers share the security model for cloud deployments

• Ensure you use tagging in CSP • Metadata on cloud assets allow searchable rapid

intelligence

Information Services & Technology

20

August 18, 2016

Page 21: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security Wrap upQuestions?

• Who owns your data?• Logging up and down the stack• End to End Encryption – Always• Ensure backups of configuration

data (CLI Exports and CloudFormation)

• Use Multiple Cloud Provider datacenters

• Your Cloud Security Policy enterprise wide

• Evaluate your position quarterly• Review security bulletins • What are your backup frequencies

and last restoration validation? • Do your homework

Information Services & Technology

21

May 10, 2016

Page 22: Cloud Security Camp 2016 Final - Boston University · aws-security@amazon.com • Educate and ensure cloud consumers share the security model for cloud deployments • Ensure you

Cloud Security Reference Notes

• AWS Service Organization Control

• Cloud Security Alliance• AWS Security Roadshow • AWS Security Bulletins• Microsoft Azure Publications• AWS PGP Public Key for

notifications• Gartner Technical Professional

Advice G00260748

Information Services & Technology

22

May 10, 2016


National Cyber Security Centre (NCSC) Cloud Security ... · Cloud Security Principle 4: Governance 23 Cloud Security Principle 5: Operational Security 25 Cloud Security Principle

CLOUD STORAGE SECURITY INTRODUCTION - SNIA Security Concerns with Cloud Understanding how Cloud services provide for the ... cloud computing environment, ... Cloud Storage Security

Scaling the Cloud - Cloud Security

Product Specifications: UC-B160-T...support. Advanced security features ensure privacy, reliability, and compliance with the organization’s IT policies. XiO Cloud Connected XiO Cloud

Imperva SecureSphere for AWS - Cyber Security Leader … · Protect Data and Ensure Compliance in the AWS Cloud ... Protect Web Apps in the Cloud with Best-of-Breed Security SecureSphere

Cloud Services - GÉANT · Security. 2.3.1 Cloud Service Security . The CSP will need to put appropriate measures in place to properly ensure the physical and logical security of

WHITEPAPER SECURITY + INFRASTRUCTUREimeetcentral.com/wp-content/uploads/2015/12/iMeet...data security to ensure privacy and availability. The AWS cloud infrastructure is the industry

Risk Assessment and Cloud Strategy Development · Risk Assessment and Cloud ... users of cloud computing to ensure the security of cloud resources they provide. ... governance and

Planning Guide: Cloud Security - Intel · 5 Intel IT Center Planning Guide | Cloud Security The Cloud Security Alliance, an industry group promoting cloud computing security …

Professional Cloud security Manager - wiselearner.com Cloud Security Manager.pdf · Understanding Cloud Computing Vulnerabilities Vulnerability Vulnerabilities and Cloud Risk Cloud

Cloud Security ("securing the cloud")

Cloud Security - Security Aspects of Cloud Computing

Security for Cloud Computing: 10 Steps to Ensure Success€¦ · 10 Steps to Ensure Success 10 Steps to Manage Cloud Security A reference to help enterprise IT & business decision

Federated Cloud Security Architecture for Secure and … · Federated Cloud Security Architecture 171 2 Cloud Security We briefly review cloud security [40] and related prior work

Security Framework for Cloud Data Sharingijsrcseit.com/paper/CSEIT1833237.pdfto ensure data confidentiality. The data confidentiality issue can be resolved by increasing the cloud

Data Security Methods in Cloud Computing - bruma.pdf · migration. This paper analyzes the security of cloud computer technology, as well as the issues to ensure the security of the

5G-ENSURE Security Architecture5gensure.eu/sites/default/files/5G-ENSURE-security-architecture... · 5G-ENSURE Security Architecture Alireza Ranjbar, Ericsson Ghada Arfaoui, Orange

Single Sign-On for Forcepoint Web Security Cloud Sign-On for Forcepoint Web Security Cloud 3 Configuration steps Before you begin, ensure that you have the following pre-requisites:

Cloud Security Certification - Certified Cloud Security

Data center security - Zonesmedia.zones.com/images/pdf/zones-data-center-security-article.pdf · Cloud infrastructure helps ensure the separation of administrators and physical server

CLOUD SECURITY OVERVIEW · Application Security To ensure application security, Dialpad has deployed several methodologies. CLOUD SECURITY OVERVIEW Contact Sales: (844) 979-4824 6

Security for Cloud Computing: 10 Steps to Ensure Success

Cloud Security - SAS€¦ · Cloud Security Principals 5. Operational security •The service provider should have processes and procedures in place to ensure the operational security

Nailing Cloud Security With Pre-Cloud Security Thinking?

Cloud Services and Security Spotlight - VITA · percent of respondents use their cloud provider’s security tools and 35 percent deploy third-party security software to ensure the

Cloud Security & Cloud Encryption Explained

Cloud security

Cloud Insights Security : Cloud Insights...Cloud Insights Security Product and customer data security is of utmost importance at NetApp. Cloud Insights follows security best practices

Webinar: Security for Cloud Computing: 10 Steps to Ensure Success · PDF file · 2018-01-1010 Steps to Ensure Success Version 3.0 . ... IBM Watson and Cloud Platform . ... Step 7:

A New Mode to Ensure Security in Cloud Computing Services

Cloud security: Accelerating cloud adoption

Security for Cloud Computing: Ten Steps to Ensure · PDF fileYou may download, store, ... Security for Cloud Computing: Ten Steps to ... routing and even reputation between tenants

How Best To Ensure Security In AWS Cloud?

Navigating the Changing Cloud Security Landscape · Navigating the Changing Cloud Security Landscape Dell cloud security white paper | September 2013 As cloud security threat levels

Securing a Large Project with Private Cloud Computing · Cloud Computing Security Challenges • Addressing Security via Private Cloud ... Cloud Computing Security Challenges •