Securing The Cloud - IIT ITM
itm.iit.edu/netsecure11/ScottClark_CloudSecurity.pdf

Page 1

Foundational Best Practices For Securing Cloud Computing

Scott Clark

Securing The Cloud

Page 2

Agenda

Introduction to Cloud Computing

What is Different in the Cloud?

CSA Guidance

Additional Resources

Page 3

What is Cloud Computing?

• Compute as a utility: third major era of computing

– Mainframe

– PC Client/Server

– Cloud computing: On demand model for allocation and consumption of computing

• Cloud enabled by:

– Moore’s Law: Costs of compute & storage approaching zero

– Hyperconnectivity: Robust bandwidth from dotcom investments

– Service Oriented Architecture (SOA)

– Scale: Major providers create massive IT capabilities

Page 4

How to think about Cloud

• “Perfect storm” convergence of existing technologies in a new business model

• The next platform for software applications – Disruption!

• Not one “cloud” – many types and deployments of cloud

• Aspects of our legacy we can learn from – but key differences

– Mainframes

– Virtualization

– Outsourcing

• Challenges many of our IT definitions, e.g. what is data?

Page 5

What is Different in the Cloud?

• Many concepts “in the cloud” are similar to concepts in standard outsourcing

• There are at least four themes which require a different mindset when working on security for cloud services:

– Role clarity for security controls

– Legal / jurisdictional / cross-border data movement

– Virtualization concentration risk

– Virtualization network security control parity

Page 6

What is Different in the Cloud?

Role Clarity

– IaaS – Infrastructure as a Service: Security ~ YOU

– PaaS – Platform as a Service

– SaaS – Software as a Service: Security ~ THEM

Page 7

What is Different in the Cloud?

Legal / Jurisdictional Issues Amplified

“Cloud” Provider Datacenter in San Francisco, USA

“Cloud” Provider Datacenter in Tokyo, Japan

“Cloud” Provider Datacenter in Geneva, Switzerland

“Cloud” Provider Datacenter in São Paulo, Brazil

“Cloud” Provider Datacenter in London, U.K.

Your Corporate Data?

Page 8

What is Different in the Cloud?

Virtualization Concentration Risks

“Old Way – Hack a System”

“New Way – Hack a Datacenter”

Hypervisor

Page 9

What is Different in the Cloud?

Virtualized N-Tier Control Equivalence

“Current Way”: Internet → Users → Presentation Layer → Data Layer, with FW, WAF and NIDS / IPS controls at each tier boundary

“New Way”: the same tiers (Internet → Users → Presentation Layer → Data Layer) hosted on a Hypervisor

How do we ensure control parity?

Page 10

Key Cloud Security Problems

From CSA Top Threats Research:

– Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance

– Data: Leakage, Loss or Storage in unfriendly geography

– Insecure Cloud software

– Malicious use of Cloud services

– Account/Service Hijacking

– Malicious Insiders

– Cloud-specific attacks

Page 11

Cloud Security Alliance Guidance

Page 12

Cloud Security Alliance Guidance

Available at http://www.cloudsecurityalliance.org/Research.html

Cloud Architecture

Governing the Cloud:

– Governance and Enterprise Risk Management

– Legal and Electronic Discovery

– Compliance and Audit

– Information Lifecycle Management

– Portability and Interoperability

Operating in the Cloud:

– Security, Bus. Cont., and Disaster Recovery

– Data Center Operations

– Incident Response, Notification, Remediation

– Application Security

– Encryption and Key Management

– Identity and Access Management

– Virtualization

Page 13

Defining Cloud

• On demand provisioning

• Elasticity

• Multi-tenancy

• Key types

– Infrastructure as a Service (IaaS): basic O/S & storage

– Platform as a Service (PaaS): IaaS + rapid dev

– Software as a Service (SaaS): complete application

– Public, Private, Community & Hybrid Cloud deployments

Page 14

Governance and Enterprise Risk Management

• Due diligence of the provider's governance structure and processes, in addition to its security controls and SLAs

• Risk assessment approaches of provider and user should be consistent: consistency in impact analysis and in the definition of likelihood

Page 15

Legal and Electronic Discovery

• Mutual understanding of roles related to litigation, discovery searches and expert testimony

• Data in the custody of the provider must receive guardianship equivalent to that of the original owner

• Unified process for responding to subpoenas, service of process, etc.

Page 16

Compliance and Audit

• Right to Audit Clause

• Analyze the impact of regulations on data security

• Prepare evidence of how each requirement is being met

• Auditor qualification and selection

Page 17

Information Lifecycle Management

• How is integrity maintained?

• If compromised, how is it detected and reported?

• Identify all controls used during the data lifecycle

• Know where your data is!

• Understand the provider’s data search capabilities and limitations

Page 18

Portability and Interoperability

• IaaS – Understand VM capture and porting to a new provider, especially if different technologies are used

• PaaS – Understand how logging, monitoring and audit transfer to another provider

• SaaS – Perform regular backups into a form usable without the SaaS

Page 19

Security, Business Continuity and Disaster Recovery

• Conduct an onsite inspection whenever possible

• Inspect the cloud provider's disaster recovery and business continuity plans

• Ask for documentation of external and internal security controls – is there adherence to industry standards?

Page 20

Data Center Operations

• Demonstration of compartmentalization of systems, networks, management, provisioning and personnel

• Understanding of the provider's patch management policies and procedures – these should be reflected in the contract!

Page 21

Incident Response, Notification and Remediation

• You may have limited involvement in incident response; understand the prearranged communication path to the provider's incident response team

• What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?

Page 22

Application Security

• S-P-I (SaaS, PaaS, IaaS) creates different trust boundaries in the SDLC – account for them in dev, test and production

• Obtain contractual permission before performing remote vulnerability and application assessments

– the provider cannot distinguish testing from an actual attack

Page 23

Encryption and Key Management

• Separate key management from the provider hosting the data, creating a chain of separation

• Understand the provider’s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted

• Ensure encryption adheres to industry and government standards where stipulated in the contract
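The two slides above (Information Lifecycle Management: how integrity is maintained, detected and reported; Encryption and Key Management: a chain of separation and the generate/use/store/back-up/rotate/delete lifecycle) can be shown together in one small model. The following is an added example written for this page, not code from the slides or from the CSA: a customer-held key ring computes HMAC integrity tags before objects go to a provider store, so the provider only ever holds data, a key id and a tag. The class names, the key-id scheme, the state names and the sample ledger object are all constructed for the example.

```python
"""Customer-side key ring + provider store: integrity tags under customer keys.
Added example (not from the slides). Names and sample data are constructed."""
import hashlib
import hmac
import secrets


class CustomerKeyRing:
    """Key material lives here, on the customer's side of the separation line."""

    def __init__(self):
        self._keys = {}        # key_id -> 32-byte HMAC key
        self._state = {}       # key_id -> "active" | "retired" | "deleted"
        self.active_id = None

    def generate(self):
        """Generate a fresh key and make it the only active one."""
        key_id = f"k{len(self._state) + 1}"          # ids never reused
        self._keys[key_id] = secrets.token_bytes(32)
        if self.active_id is not None:
            self._state[self.active_id] = "retired"  # still valid for verify
        self._state[key_id] = "active"
        self.active_id = key_id
        return key_id

    rotate = generate  # rotation == new active key, previous one retired

    def delete(self, key_id):
        """Destroy key material; the id stays so stale tags are reported, not lost."""
        self._keys.pop(key_id, None)
        self._state[key_id] = "deleted"

    def backup(self):
        """Copies for the customer's own escrow; never handed to the provider."""
        return {k: v.hex() for k, v in self._keys.items()}

    def tag(self, data):
        """Integrity tag under the active key; returns (key_id, hex tag)."""
        key_id = self.active_id
        return key_id, hmac.new(self._keys[key_id], data, hashlib.sha256).hexdigest()

    def verify(self, key_id, data, tag):
        """Report one of: ok, tampered, key-deleted, unknown-key."""
        state = self._state.get(key_id)
        if state is None:
            return "unknown-key"
        if state == "deleted":
            return "key-deleted"
        expected = hmac.new(self._keys[key_id], data, hashlib.sha256).hexdigest()
        return "ok" if hmac.compare_digest(expected, tag) else "tampered"


class ProviderStore:
    """What the provider sees: bytes, a key id and a tag. No key material."""

    def __init__(self):
        self.objects = {}

    def put(self, name, data, key_id, tag):
        self.objects[name] = {"data": data, "key_id": key_id, "tag": tag}

    def get(self, name):
        return self.objects[name]


def store(ring, provider, name, data):
    key_id, tag = ring.tag(data)
    provider.put(name, data, key_id, tag)


def check(ring, provider, name):
    """Retrieve and verify; the return value is the report the slide asks for."""
    obj = provider.get(name)
    return ring.verify(obj["key_id"], obj["data"], obj["tag"])


def retag(ring, provider, name):
    """After rotation, re-tag an object under the new active key."""
    store(ring, provider, name, provider.get(name)["data"])


def walkthrough():
    """Constructed scenario; returns the verification reports at each step."""
    ring, prov = CustomerKeyRing(), ProviderStore()
    k1 = ring.generate()
    original = b"acct,balance\n1001,250\n"            # constructed sample object
    store(ring, prov, "ledger.csv", original)
    reports = {"clean": check(ring, prov, "ledger.csv")}

    # Simulated modification at the provider: the customer-side check detects it.
    prov.objects["ledger.csv"]["data"] = b"acct,balance\n1001,999250\n"
    reports["tampered"] = check(ring, prov, "ledger.csv")
    prov.objects["ledger.csv"]["data"] = original

    ring.rotate()                                       # k1 retired, k2 active
    reports["after_rotate"] = check(ring, prov, "ledger.csv")  # retired key still verifies
    retag(ring, prov, "ledger.csv")
    reports["retag_key"] = prov.get("ledger.csv")["key_id"]

    ring.delete(k1)                                     # end of k1's lifecycle
    prov.put("orphan.txt", b"y", k1, "00" * 32)         # object still bound to k1
    reports["orphan"] = check(ring, prov, "orphan.txt")
    reports["backup_ids"] = sorted(ring.backup())       # only live keys are escrowed
    return reports
```

The point of the split into two classes is the chain of separation: `ProviderStore` can be handed to the hosting provider wholesale and still contains nothing that lets anyone forge a tag, while `CustomerKeyRing.verify` turns the lifecycle states into explicit reports (a retired key still verifies old objects until they are re-tagged; a deleted key makes the stale binding visible instead of silently passing).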

Page 24

Identity and Access Management

• IAM is a big challenge today in secure cloud computing

• Identity – avoid the provider's proprietary solutions that are unique to that cloud provider

• Any local authentication service offered by the provider should be OATH compliant

Page 25

Virtualization

• Understand the internal security controls applied to VMs beyond the built-in hypervisor isolation – IDS, AV, vulnerability scanning, etc.

• Understand the external security controls protecting exposed administrative interfaces (web-based, APIs)

• Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs

Page 26

Additional Cloud Security Alliance Resources

Page 27

Cloud Security Alliance Initiatives

1. GRC Stack

2. Security Guidance for Critical Areas of Focus in Cloud Computing

3. Cloud Controls Matrix (CCM)

4. Consensus Assessments Initiative

5. Cloud Metrics

6. Trusted Cloud Initiative

7. Top Threats to Cloud Computing

8. CloudAudit

9. Common Assurance Maturity Model

10. CloudSIRT

11. Security as a Service

Page 28

Cloud Controls Matrix Tool

• Controls derived from guidance

• Rated as applicable to S-P-I

• Customer vs Provider role

• Mapped to COBIT, HIPAA, ISO/IEC 27002:2005, NIST SP800-53 and PCI DSS

• Help bridge the gap for IT & IT auditors

www.cloudsecurityalliance.org/cm.html
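The Role Clarity slide (Security ~ YOU for IaaS shading to Security ~ THEM for SaaS) and the Cloud Controls Matrix slide (controls rated per S-P-I, customer vs provider role, mapped to frameworks) describe the same idea from two sides. The following is an added example for this page, not the CSA's matrix or its data: it encodes a stack of layers, an assumed boundary per service model, a handful of constructed controls, and a function that lists which customer-owned controls still lack evidence for a given model. The layer names, the boundary table, the control ids and the framework mappings are assumptions made up for the example.

```python
"""Toy shared-responsibility matrix in the spirit of the CSA Cloud Controls
Matrix. Added example (not the CCM); layers, boundaries and controls are assumed."""

# Stack layers, bottom to top (assumed).
LAYERS = ["facility", "network", "hypervisor", "os", "runtime", "application", "data"]

# Highest layer the provider operates under each service model (assumed):
# IaaS hands over a VM, PaaS a runtime, SaaS a finished application.
PROVIDER_TOP = {"IaaS": "hypervisor", "PaaS": "runtime", "SaaS": "application"}

# Constructed sample controls: id, the layer they live at, frameworks they map to.
CONTROLS = [
    {"id": "patch-mgmt", "layer": "os", "maps": ["NIST SP800-53", "PCI DSS"]},
    {"id": "hypervisor-isolation", "layer": "hypervisor", "maps": ["ISO/IEC 27002:2005"]},
    {"id": "app-vuln-testing", "layer": "application", "maps": ["PCI DSS"]},
    {"id": "data-encryption", "layer": "data", "maps": ["HIPAA", "PCI DSS"]},
    {"id": "physical-access", "layer": "facility", "maps": ["ISO/IEC 27002:2005"]},
]


def responsible_party(layer, model):
    """Customer or provider for a control at `layer` under service model `model`.
    Data stays the customer's under every model ("know where your data is")."""
    if layer == "data":
        return "customer"
    below_boundary = LAYERS.index(layer) <= LAYERS.index(PROVIDER_TOP[model])
    return "provider" if below_boundary else "customer"


def matrix(controls=CONTROLS):
    """control id -> {model: party}: the S-P-I / customer-vs-provider rating."""
    return {c["id"]: {m: responsible_party(c["layer"], m) for m in PROVIDER_TOP}
            for c in controls}


def customer_controls(model, controls=CONTROLS):
    """Controls the customer must operate (and evidence) under `model`."""
    return sorted(c["id"] for c in controls
                  if responsible_party(c["layer"], model) == "customer")


def framework_view(model, framework, controls=CONTROLS):
    """Customer-owned controls under `model` that map to `framework`."""
    return sorted(c["id"] for c in controls
                  if framework in c["maps"]
                  and responsible_party(c["layer"], model) == "customer")


def evidence_gaps(model, evidence, controls=CONTROLS):
    """Framework-mapped controls with no evidence on file, split by owner.
    `evidence` is {control_id: description of the artifact}. Provider-owned gaps
    are listed separately: their evidence arrives via the right-to-audit clause."""
    gaps = {"customer": [], "provider": []}
    for c in controls:
        if c["id"] in evidence or not c["maps"]:
            continue
        gaps[responsible_party(c["layer"], model)].append(c["id"])
    return {owner: sorted(ids) for owner, ids in gaps.items()}
```

Reading the matrix row for `patch-mgmt` shows the slide's YOU-to-THEM shading directly: the control is the customer's under IaaS and the provider's under PaaS and SaaS, while `data-encryption` never leaves the customer column. `evidence_gaps` is the "prepare evidence of how each requirement is being met" step turned into a checklist that separates what you must produce yourself from what you must obtain from the provider.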

Page 29

Contact

• Help us secure cloud computing

• www.cloudsecurityalliance.org

• Cloud Security Alliance, Chicago Chapter

[email protected]

• LinkedIn: http://www.linkedin.com/groups?gid=3755674

Page 30

Questions?