isaca cloud security presentation 2013-09-24

Cloud SecurityMajor Hayden, Rackspace

Cloud Security // ISACA San Antonio 2013-09-24 2

Why are we here today?


Who am I?

Chief Security Architect at Rackspace

Red Hat Certified Architect and MySQL DBA

Five years of cloud operations experience Integrated Slicehost with Rackspace Launched Rackspace’s Cloud Servers product

based on Slicehost technology Launched Rackspace’s Open Cloud Servers

powered by OpenStack


Today’s big three

1. An understandable and repeatable definition of cloud really does exist (and I’ll help you learn it)

2. There are different cloud deployment strategies and you can secure each of them

3. Cloud hosting risks are very similar to the risks from other IT hosting methods


What is cloud hosting?


Cloud hosting is a shift from managing

computersto utilizing

computing resources


Colocation

Dedicated

Managed Cloud


Key points

Resources are always available

Pay for what you use

Fewer fixed costs, more variable costs

Maintain business focus


Cloud hostingbrings new challenges


Homes vs. Apartments

Flickr: atelier_tee Flickr: oldtasty


Key points

Can’t choose your neighbors

Fluctuating performance

Stay within the confines of the system

Service providers can touch your data*


Cattle vs. Pets(Credit goes to Gavin McCance at CERN for this analogy)


Key points

Rely on automation

Use configuration management

Build in redundancy based on business needs


Cloud types:Public, Private, and Hybrid


Benefits

Public: easily expandable and cheap

Private: host with provider or host internally, fewer noisy neighbor issues, compliance is easier

Hybrid: helpful for bridging into cloud, allows for the workloads to run where they run best


Let’s go throughyour questions


What due diligence should a company

perform when selecting cloud

services?


Due diligence

Easy answer: Assess a cloud provider just as you would any other provider of IT services

Look for business practice and security maturity

Test the provider thoroughly ahead of time

Monitor the provider’s actions closely around outages or when receiving support


What are somegood contractual

agreement clauses?


Contractual agreements

Confidentiality and security requirements

Encryption standards*

Service description and SLA’s

Indemnification


What are the risksif the company

owns the servers?


Company-owned server risks

Similar to self-hosted or vendor-hosted IT services on dedicated equipment

IT staff that maintain the servers will have some level of access to virtual machine data


Does the internet-facing nature of

public cloud create additional risks?


Public cloud networking risks

About the same as internet-facing dedicated hardware

Some public clouds may have hardware networking devices such as firewalls or load balancers

Other providers might provide a shared firewall or load balancer environment to use


How do I securely store data in cloud

services?


Storing data in cloud

Your data is never fully safe in any storage

Understand your most probable threats first

Make your data less useful to others Encryption with digital signatures Sharding Tokenization (can help with data transport

laws) Hardware Security Module (HSM)


Thanks for inviting me!

Q&A?

Have more questions [email protected]

mhttp://major.io/

Cloud SecurityMajor Hayden, Rackspace

isaca cloud security presentation 2013-09-24

Technology

cloud provider

cloud services

managed cloud

cloud types

cloud security major

cloud hosting risks

nature of public cloud

security maturity