
SESSION ID: PGR-R02

#RSAC

Moshe Ferber

Balancing Innovation and Security—Cloud Adoption at Governments

Chairman, Cloud Security Alliance, Israel

@Ferbermoshe

Moshe Ferber

✓ Information security professional for over 20 years

✓ Founder, partner and investor at various initiatives and startups

✓ Popular industry speaker & lecturer (DEFCON, BlackHat, Infosec and more)

✓ Top contributor to the ISC2 CCSP and CSA CCSK certifications.

✓ CCSK Certification lecturer for the Cloud Security Alliance.

✓ Member of the board at Macshava Tova – Narrowing societal gaps

✓ Chairman of the Board, Cloud Security Alliance, Israeli Chapter

Our journey begins…

Government decision #2097 (2014)

“Promoting innovation at the public sector by appointing the ICT Authority to define the government cloud computing strategy”

http://www.pmo.gov.il/Secretary/GovDecisions/2014/Pages/dec2097.aspx

Government roles in cloud computing

Roles:

Regulator

Provider

Promoter

Consumer

Government as regulator

Critical Infrastructure

Financial Sector

Health Services

Military & HLS

Government as promoter

Should government promote cloud computing (in the private sector)?

Or let the forces of the free market decide…

Increase resilience

• Mostly important for small and medium businesses

Increase innovation

• Datacenters are like roads and public transportation.

Government as provider

Government cloud strategy (2015)

“Enhance information technology in the government by promoting central cloud infrastructure for government offices“

https://govshare.gov.il/he/node/1624

Private cloud

• Focused on IaaS/PaaS

• Operated by the ICT Authority

• Tender in progress

Public cloud

• SaaS but also IaaS/PaaS

• Supplementary to the private cloud

• Responsibility of the government offices

Government as consumer

Government public cloud policy (01.2016)

“Define which workloads could move to a public cloud environment and the process to ensure responsible adoption”

The topic for today's discussion

The challenges

Just like any other organization…

Loss of control

Loss of availability

Loss of visibility and flexibility

Unique challenges

No tier-1 providers with a local datacenter

Reputation considerations are significant

Ability to conduct low-level forensics on events is crucial

Tender laws limit the ability to control the identity of the provider

Needed to move fast before the horses were gone….

Step 1: set up a committee

Data protection authority (ILITA)

ICT Authority

Cyber Authority

Step 2: Learn from others

Interesting concepts out there:

Thank you ENISA for this: Security Framework for Governmental Clouds

https://www.enisa.europa.eu/publications/security-framework-for-govenmental-clouds

Estonia: using data embassies

UK: building a services catalog

USA: pre-authorizing providers

Important concepts

Chances for a hack are the same on or off the cloud

Risk management of cloud migration is the responsibility of the office

The cloud adoption committee will recommend, not decide

A white list of providers exists, but each ministry can evaluate new providers

Not going to reinvent the wheel – rely on others

Step 3: Workloads that can migrate to public cloud

Apps with data exposed to the public

Test/Dev environments (masked / anonymized data)

High performance / short life span applications

Tenders / calculators

Government symbols

Critical applications

Sensitive or classified information

Step 4: ICT guidelines

In order to help the different ministries evaluate the risk and create controls, the committee created:

Threat framework to address

• Our version of the CSA Notorious Nine

• Thank you CSA

Mitigating controls

• A checklist for evaluating the controls

• Our own mix & match

• Thank you NIST, ENISA, ISO & more

Provider requirements

• Minimal requirements (certification, location of data centers)

• Used to create a standard for authorized providers


Step 5: process for cloud migration

Examine

• App adheres to criteria for migration to cloud

Map

• Data types & classification

• Interfaces

• Users

• Laws, regulations

Evaluate

• Risks to the application

• Relevant providers

Create

• Cloud migration strategy

• List of controls based on the shared responsibility model

The ICT role in the process

Manage the pool of authorized vendors

Lead the public cloud committee

Provide continuous knowledge on threats and controls

Perform periodic audits on cloud deployments

Insights

We think it is like this:

SaaS / PaaS / IaaS as three distinct, neatly stacked layers

Insights

When actually it looks like this:

SaaS / PaaS / IaaS with the layers overlapping

Insights

And these are our challenges:

Gain the expertise for building secure applications

Evaluate our providers correctly

Very hard to provide best practices

Insights

We are great believers in the shared responsibility model:

Insights

But you cannot build cloud policy based on the SPI model (IaaS / PaaS / SaaS):

The borders are overlapping

Insights

Setting mandatory requirements is important!

(e.g. ISO 27001 mandatory for all providers)

But it does not always make sense!

Sometimes you want to maintain flexibility


Insights

Controlling your own encryption keys is important.

But, very challenging in most scenarios!

And hackers don’t really care who stores the keys

Insights

Compensating controls work best in cloud computing

Invest more in backups, audits and reviews!

Luckily, most providers are getting better at supporting that


Insights

And sometimes the best compensating control is:

To be able to pack your data and leave!

Take care of lock-in risks

Applying insights

Transparency is crucial

Look for advanced encryption options

Robust monitoring options are mandatory

Prefer clear contractual language

Shift to secure by default

Good operational security practices

In which jurisdictions is your data stored?

Be ready to take your data and leave

To wrap this up

Governments have various roles in cloud computing

Make sure to balance the need for innovation with the global risks


Thank you for your Time!

@Ferbermoshe - keep in touch!