Losing Control to the Cloud
How to Gain Comfort in Using the Cloud
by Jason Falciola, GCIH, GAWN, Technical Account Manager, Northeast. October 20th, 2010
Agenda
• What perspective does Qualys bring to this discussion?
  − Security & Compliance Software as a Service (SaaS) provider since 1999
  − Continuously expanding platform to address evolving challenges
• Rapid Market and Technology Changes
• The Security & Compliance Conundrum
• Cloud Definition
• Cloud Questions
• Reliance on Existing Frameworks
• Tackling the Cloud
• Moving Forward
• Q&A
COMPANY CONFIDENTIAL 1!
Technology and Market Trends
• Cloud Computing: a disruptive technology
• Accelerated industry consolidation
• Moving toward thin clients and a data center centric model
• Security moving into the infrastructure and toward cloud services
(Diagram: Private Clouds, SaaS, PaaS, IaaS, Internet, QualysGuard Service)
Survey Says… (Information Week)
“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”
-- Information Week
http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319
Survey Says… (Gartner)
Key Findings:
• Sixty percent (60%) more survey respondents are willing to use software as a service (SaaS) for sensitive data than are willing to use traditional outsourcing.
• The questionnaire is the most common form of external party risk assessment, with half of the questionnaires based on industry-standard frameworks and the other half being organizationally unique.
Recommendations:
• Develop internal expertise on external risk assessment, and on the contractual clauses that address security, privacy, regulatory compliance, continuity and disaster recovery.
• Take an organized approach to SaaS and public cloud purchases, and build a team and processes to work with the business to address all security, compliance, integration and contractual needs so that a decision can be made on whether a potential seller can meet those requirements.
-- Gartner, “Assessment Practices for Cloud, SaaS and Partner Risks”, April 2010
http://www.gartner.com/DisplayDocument?doc_cd=175916
Security & Compliance Conundrum: Having to Address the New and Old Challenges
• New and multiplying attack vectors
• Authentication still an unresolved issue
• Security & compliance silos, fragmented tools & data
• Lack of enterprise/agency wide visibility and policy enforcement
(Diagram: Private Clouds; SaaS; PaaS/IaaS; Regulations, Industry Standards, Internal Policies: PCI, HIPAA, SOX, FISMA, NERC, FFIEC)
What is the Cloud? Definition
Definition:
“The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
– NIST Information Technology Laboratory
What is the Cloud? Essentials
Five Essential Characteristics:
1. On-demand, self-service – Ability to unilaterally provision computing capabilities
2. Broad network access – Available over the network and accessed through standard mechanisms that promote heterogeneous thin or thick client platforms
3. Resource pooling – Resources are pooled to serve multiple consumers using a multi-tenant model (location independence)
4. Rapid elasticity – Capabilities can be rapidly and elastically provisioned
5. Measured service – Resource usage can be monitored, controlled and reported
What is the Cloud? Service Models
Three Service Models:
1. Software as a Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security provided by cloud vendor.
2. Platform as a Service (PaaS) – Developers build and manage their own custom applications on top of a platform provided by the cloud vendor. Application and data security managed by cloud customer.
3. Infrastructure as a Service (IaaS) – Cloud vendor provides storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. Cloud vendor protects the infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.
Key Takeaway – The lower down the stack the cloud service provider goes, the more security capabilities and management enterprises are responsible for.
What is the Cloud? Deployment Models
Four Deployment Models:
1. Public: Made available to the general public or a large industry group and owned by an organization selling cloud services.
2. Private: Operated solely for a single organization or a group of organizations isolated among peers. May be managed by the organization or a third party and may exist on-premise or off-premise.
3. Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.
4. Hybrid: Composed of two or more clouds (Private, Community, or Public) that remain unique, but are bound together by standardized or proprietary technology that enables data and application portability (cloud bursting for load balancing between clouds).
What is the Cloud? Visual Definition
Cloud Questions
• New technology combined with un-proven vendors / service providers
• Innovative technology in the hands of the users
• Data leaving the perimeter
• Growing number of third parties requiring connectivity
• Control validation changes to trust
• Transparency limited to what you know
• Challenging to report risk back to the business
Critical Challenges for Security Professionals
• Security Program
• Questionnaires, On-Site Review, Third Party
• Security Budgets
• Staffing/Resources
• Reduce Confusion
Audit Activities and Costs
• Up to 5 man days of work to complete
• Hotel
• Transportation
• Any corrective actions
• Hidden costs (e.g., require pen test, out of office work, regulatory)
• What would the average cost be?
Multiple Reviews
(Diagram: one Cloud User reviewing SaaS SP 1, SaaS SP 2, SaaS SP 3, SaaS SP 4, PaaS SP and IaaS SP separately)
• No standard
• Scalability
• After the fact
• Custom reviews
S-P-I Framework
(Diagram: the stack from IaaS – Infrastructure as a Service, through PaaS – Platform as a Service, to SaaS – Software as a Service; at the IaaS end “You build security in”, at the SaaS end “You ‘RFP’ security in”)
Source: http://www.cloudsecurityalliance.org
Existing Frameworks in Use
• Security Questionnaires
• OnSite Review
• ISO 27002
• SAS-70 Type II
• SysTrust
• PCI
• Third Party Penetration Test
Available Resources for Cloud Users – NIST & ENISA
NIST
− Cloud Definition
− SCAP – Security Content Automation Protocol: http://scap.nist.gov
− Continuous Monitoring
ENISA
− Report: “Cloud Computing: Benefits, Risks and Recommendations for Information Security”
− http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
Available Resources (cont’d) – Cloud Security Alliance (CSA)
Cloud Security Alliance
− CSA Guide
− Research Papers
Initiatives in Progress/Released
− CSA Guidance V2.1 – Released Dec 2009: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
− CSA Top Threats Research – Released March 2010
− CSA Cloud Controls Matrix – Released April 2010
− Trusted Cloud Initiative – Release Q4 2010
− CSA Cloud Metrics Working Group
− Consensus Assessment Initiative
Available Resources (cont’d) – CSA Guidance Research
Guidance > 100k downloads: cloudsecurityalliance.org/guidance
Cloud Architecture
Governing the Cloud:
− Governance and Enterprise Risk Management
− Legal and Electronic Discovery
− Compliance and Audit
− Information Lifecycle Management
− Portability and Interoperability
Operating in the Cloud:
− Security, Bus. Cont., and Disaster Recovery
− Data Center Operations
− Incident Response, Notification, Remediation
− Application Security
− Encryption and Key Management
− Identity and Access Management
− Virtualization
Available Resources (cont’d) – CSA Cloud Controls Matrix Tool
• Controls derived from guidance
• Rated as applicable to S-P-I
• Customer vs Provider role
• Mapped to ISO 27001, COBIT, PCI, HIPAA
• Help bridge the gap for IT & IT auditors between existing controls and cloud controls
www.cloudsecurityalliance.org/cm.html
Available Resources (cont’d) – CAMM, Shared Assessments
Common Assurance Maturity Model (CAMM)
Shared Assessments
− Target Data Tracker
− Self Information Gathering (SIG) – Level I, Level II
− AUP – Agreed Upon Procedures
− Business Continuity Questions, Privacy Questions, Other tools
− Mapped to ISO 27002:2005, COBIT 4.0 / 4.1, PCI 1.1 / 1.2, FFIEC
Available Resources (cont’d) – Jericho Forum Cloud Cube Model
Available Resources (cont’d) – Jericho Forum Self-Assessment
Proprietary, Blended Approach
(Diagram: PCI, CoBIT, ISO-27001, CAMM, ENISA, CSA)
Recommendation: Use a Proprietary, Blended Approach
• One size does not fit all
• Same if not stronger controls
• Reliance on periodic audits
Moving Forward
• Collaborative effort amongst associations required
• Joint paper with CSA, CloudAudit/A6, ISACA, and ISF
• Hope to include NIST, PCI and BITS
• Cloud users will continue to use available resources for assessments
Assessing Cloud Security: References
• CloudAudit / A6 (Automated Audit, Assertion, Assessment, and Assurance API) – Now a project of CSA
  − http://www.cloudaudit.org
• Cloud Security Alliance (CSA)
  − http://www.cloudsecurityalliance.org/
• Common Assurance Maturity Model
  − http://common-assurance.com/
• Jericho Forum
  − http://www.opengroup.org/jericho/
• Shared Assessments
  − http://www.sharedassessments.org/
• Qualys
  − http://www.qualys.com/efficient_ciso – Strategies for the Efficient CISO
  − http://www.qualys.com/products/qg_suite/malware_detection/ – Free Tool
  − http://www.qualys.com/aurora – Research by iSec Partners
QualysGuard Freemium Services: More than just “free” services – leverage the cloud
• www.qualys.com/stopmalware
• www.ssllabs.com
• https://browsercheck.qualys.com
Other Freemium services in the making:
• Malware Research Portal
• HoneyNet Research Portal
• Automated Generation of IDS Signatures
https://community.qualys.com/docs/DOC-1351
Thank You
Thanks! Q&A?
Jason Falciola, GCIH, GAWN jfalciola AT qualys.com
+1 973-464-5659
http://www.qualys.com