clouds and security
TRANSCRIPT
Cloud Computing = .COM 2.0?
Predrag Mitrovic, CISSP, CISM, [email protected]
2 minute bio
www.cloudadvisor.se
1990 Botkyrka kommun
1995 IDG Nätverk & Kommunikation
1997 NetHouse Konsult & Media
1999 Novell EMEA
2000 Microsoft
2007 LabCenter
October 1st
MyNethouse
Security-as-a-Service
Storage-as-a-Service
Integration-as-a-Service
Database-as-a-Service
Information-as-a-Service
Process-as-a-Service
Application-as-a-Service
Platform-as-a-Service
Management/Governance-as-a-Service
Testing-as-a-Service
Trends behind the hype
• CPU speed doubled every 24 months
• Memory capacity doubles every 18 months
• Bandwidth explosion
• OSS
• The programmable web
• Virtualization
• Information explosion (+50% growth YoY)
• 70% of ICT budgets for maintenance
• Up to 85% of capacity idle
• Unclear value perception from business side
• Geekandpoke.com under a Creative Commons license
Definition
Clouds are hardware-based services offering compute, network and storage capacity where:
• Hardware management is highly abstracted from the buyer
• Buyers incur infrastructure costs as variable OPEX
• Infrastructure capacity is highly elastic (up or down)
McKinsey & Company
The idea
Shared infrastructure
[Figure: stacks for App 1, App 2 ... App 100, each labelled Server, OS, Database, App Server, Storage, Network]
[Figure: cloud stack. Layers: CPU, RAM, Networking; Storage; SW Kernel (OS & VM); Virtualized resources (Virtual Image 1 ... Virtual Image n); Cloud applications. Security: Risk, Governance, Lifecycle mgmt, AAA, Auditing, Security in-depth, Incident mgmt. Mgmt: Reporting, Use monitor, Capacity planning, Network management, Automatization, Billing.]
•IaaS
•PaaS
•SaaS
IaaS example
PaaS examples
SaaS examples
Security in the clouds
[Figure: cloud stack (CPU, RAM, Networking; Storage; SW Kernel (OS & VM); Virtualized resources with Virtual Image 1 ... Virtual Image n; Cloud applications) with the Security column: Risk, Governance, Lifecycle mgmt, AAA, Auditing, Security in-depth, Incident mgmt]
Security in depth - facility
• Physical perimeter protected
• Guards
• CCTV
• Fire safety
• Location against natural disasters
• Secure logistics
Security in depth - hardware (CPU, RAM, Networking)
• Environment & climate secured
• Physical access control
• Redundancy
• Automated supervision – CPU, RAM, fans, disc etc
• Enterprise FW
• NIDS/NIPS
Security in depth – SW Kernel (OS & VM)
• Patch management: Host OS & virtual hosts
• Host-based FW
• HIDS/HIPS
• Filesystem encryption
• OS & VM hardening
• Routines for provisioning/de-provisioning of VMs
Security in depth – virtualized resources (Storage, Virtualized resources, Virtual Image)
• DLP
• Integrity auditing
• Filesystem encryption
• Personal FW
• Activity monitor
• DB Hardening
• Authorization & Auditing
Security in depth – applications
• Authentication & Authorization
• Code quality
• Least privilege
• SDL
Soft side of security
• Security Practice Statement?
• Control of compliance?
• How do I map my demands?
• How about "damage control"?
• …
Security
Risk Governance
Lifecycle mgmt
AAA
Auditing
Security in-depth
Incident mgmt
Enter due diligence
• Insiders?
• High "administrator power"?
• Stress test of plans/abilities business continuity and disaster recovery
• My penetration testing?
Risk management
• Vendor's KRI/KPI + my KRI/KPI = ?
• Regular audits on vendor's security policy, processes and procedures.
• Ownership and partnering?
Governance
• Recurring auditing by trusted third party to validate SPS & SLA
• Declaration of partnerships with third party
• Who is financing the vendor?
Legal
• Plan for expected/unexpected exit: Assurance of secure delivery and destruction of data.
• Clause for information not traversing geographical boundaries.
• Rights to reuse my information?
Compliance & Audit
• Classification:
  • Which systems are handling regulated information?
  • What data is handled within the systems?
• SAS 70 type II audits?
• Demand ISO 27001 certification?
ILM
• Logical segregation of information – What control mechanisms do we implement for parts outside of our control?
• Verify backup & restore of segregated information & simulate how the information is assimilated "in-house" in case of termination.
Portability & Interoperability (P & I)
• SaaS: Process for continuous extraction in open formats
• IaaS: Develop "binaries" not tied to Virtual Machine Images specific to the vendor
• PaaS: Developer platform in the cloud allows portability with platform in-house
Identity
• Federation schema
  • SAML (version?)
  • WS-Federation
  • Liberty ID-FF
• Multiple authentication factors?
• Authorization and governing of rights on application/data?
Datacenter operations
• Maintenance schemas
• Process for misconfigurations (fallbacks)
• Versioning
• Helpdesk
Incident handling
• Common definition of an incident?
• Roles under an incident?
• When/how am I notified?
• Can I use my own CSIRT?
• Police? Dawn-raid on another tenant – consequence?
Conclusions
Cloud Computing is built on known technology – but the risks are definitively virgin territory!
There are loads of exciting opportunities – open to all!
Business demands results without "whining and buts" – handle it or be bypassed and marginalized!
Why not implement the philosophy of the cloud in your IT?
DISCUSSION
Nice links
• http://cloudforum.org
• http://cloudsecurityalliance.org
• http://cloudcamp.org
• http://opencloudmanifesto.org
• http://opencrowd.com
• http://eucalyptus.com
• http://aws.amazon.com/ec2
• http://www.ibm.com/ibm/cloud/labs/
• http://www.hpl.hp.com/research/cloud.html
Thank you!
Predrag Mitrovic, [email protected], +46 (0) 709 – 200 350, or on the net: http://mynethouse.se
Blogs (in Swedish only): http://blogg.idg.se/itperspektiv, http://cloudadvisor.se