Securing the Cloud - IIT ITM (itm.iit.edu/netsecure11/scottclark_cloudsecurity.pdf)
TRANSCRIPT
Foundational Best Practices For Securing Cloud Computing
Scott Clark
Securing The Cloud
Agenda
Introduction to Cloud Computing
What is Different in the Cloud?
CSA Guidance
Additional Resources
What is Cloud Computing?
• Compute as a utility: third major era of computing
– Mainframe
– PC Client/Server
– Cloud computing: On demand model for allocation and consumption of computing
• Cloud enabled by:
– Moore’s Law: Costs of compute & storage approaching zero
– Hyperconnectivity: Robust bandwidth from dotcom investments
– Service Oriented Architecture (SOA)
– Scale: Major providers create massive IT capabilities
How to think about Cloud
• “Perfect storm” convergence of existing technologies in a new business model
• The next platform for software applications – Disruption!
• Not one “cloud” – many types and deployments of cloud
• Aspects of our legacy we can learn from – but key differences
– Mainframes
– Virtualization
– Outsourcing
• Challenges many of our IT definitions, e.g. what is data?
• Many concepts “in the cloud” are similar to concepts in standard outsourcing
• There are at least four themes which require a different mindset when working on security for cloud services:
– Role clarity for security controls
– Legal / jurisdictional / cross-border data movement
– Virtualization concentration risk
– Virtualization network security control parity.
What is Different in the Cloud?
What is Different in the Cloud?
Role Clarity
[Diagram: who owns the security controls shifts with the service model]
– IaaS (Infrastructure as a Service): Security ~ YOU (the customer owns most of the controls)
– PaaS (Platform as a Service): responsibility shared between customer and provider
– SaaS (Software as a Service): Security ~ THEM (the provider owns most of the controls)
What is Different in the Cloud?
Legal / Jurisdictional Issues Amplified
[Diagram: Your Corporate Data? – it may sit in any of the “Cloud” provider’s datacenters:]
– San Francisco, USA
– Tokyo, Japan
– Geneva, Switzerland
– Sao Paulo, Brazil
– London, U.K.
What is Different in the Cloud?
Virtualization Concentration Risks
[Diagram: “Old Way – Hack a System” vs. “New Way – Hack a Datacenter”: many tenants share one Hypervisor, so compromising it reaches every VM on the host]
What is Different in the Cloud?
Virtualized N-Tier Control Equivalence
[Diagram: “Current Way” – Internet Users → FW, WAF, NIDS/IPS → Presentation Layer → FW, WAF, NIDS/IPS → Data Layer, with a physical network control stack between each tier. “New Way” – the same tiers collapsed onto one Hypervisor, with the inter-tier traffic never leaving the host. How do we ensure control parity?]
Key Cloud Security Problems
From CSA Top Threats Research:
– Trust: lack of provider transparency, impacting Governance, Risk Management and Compliance
– Data: leakage, loss, or storage in an unfriendly geography
– Insecure cloud software
– Malicious use of cloud services
– Account/service hijacking
– Malicious insiders
– Cloud-specific attacks
Cloud Security Alliance Guidance
Cloud Security Alliance Guidance
Available at http://www.cloudsecurityalliance.org/Research.html
[Guidance domains]
– Cloud Architecture
Governing the Cloud:
– Governance and Enterprise Risk Management
– Legal and Electronic Discovery
– Compliance and Audit
– Information Lifecycle Management
– Portability and Interoperability
Operating in the Cloud:
– Security, Bus. Cont., and Disaster Recovery
– Data Center Operations
– Incident Response, Notification, Remediation
– Application Security
– Encryption and Key Management
– Identity and Access Management
– Virtualization
Defining Cloud
• On demand provisioning
• Elasticity
• Multi-tenancy
• Key types
– Infrastructure as a Service (IaaS): basic O/S & storage
– Platform as a Service (PaaS): IaaS + rapid dev
– Software as a Service (SaaS): complete application
– Public, Private, Community & Hybrid Cloud deployments
Governance and Enterprise Risk Management
• Due diligence on the provider’s governance structure and processes, not only its security controls; review the SLAs
• Risk assessment approaches of provider and user should be consistent: the same impact analysis and the same definition of likelihood
Legal and Electronic Discovery
• Mutual understanding of roles related to litigation, discovery searches and expert testimony
• Data in the custody of the provider must receive guardianship equivalent to the original owner’s
• Unified process for responding to subpoenas, service of process, etc.
Compliance and Audit
• Right to Audit Clause
• Analyze the impact of regulations on data security
• Prepare evidence of how each requirement is being met
• Auditor qualification and selection
Information Lifecycle Management
• How is integrity maintained?
• If data is compromised, how is it detected and reported?
• Identify all controls used during the data lifecycle
• Know where your data is!
• Understand the provider’s data search capabilities and limitations
Portability and Interoperability
• IaaS – Understand VM capture and porting to a new provider, especially if different virtualization technologies are used
• PaaS – Understand how logging, monitoring and audit transfer to another provider
• SaaS – Perform regular backups into a form usable without the SaaS
Security, Business Continuity and Disaster Recovery
• Conduct an onsite inspection whenever possible
• Inspect the cloud provider’s disaster recovery and business continuity plans
• Ask for documentation of external and internal security controls – is there adherence to industry standards?
Data Center Operations
• Demonstration of compartmentalization of systems, networks, management, provisioning and personnel
• Understanding of the provider’s patch management policies and procedures – these should be reflected in the contract!
Incident Response, Notification and Remediation
• You may have limited involvement in incident response; understand the prearranged communication path to the provider’s incident response team
• What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?
Application Security
• S-P-I (SaaS / PaaS / IaaS) creates different trust boundaries in the SDLC – account for them in dev, test and production
• Obtain contractual permission before performing remote vulnerability and application assessments
– the provider cannot distinguish your testing from an actual attack
Encryption and Key Management
• Separate key management from the provider hosting the data, creating a chain of separation
• Understand the provider’s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted
• Ensure encryption adheres to industry and government standards when stipulated in the contract
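The key-separation and lifecycle points above, together with the integrity question from the Information Lifecycle Management slide (how is integrity maintained, and how is a compromise detected?), worked through as an added Go example that is not part of the original deck. The customer keeps versioned key encryption keys (KEKs) and wraps a fresh data key (DEK) per object; the provider stores only ciphertext and the wrapped DEK, so it can neither read the data nor alter it undetected. AES-GCM as the mechanism, the type and function names (Customer, StoredObject, Encrypt, Rewrap, DestroyKEK), and the sample object ID and record are assumptions made for illustration, not anything the slides specify.

```go
// Added example, not from the original slides. A customer-held key encryption key (KEK) wraps a
// per-object data encryption key (DEK); the provider stores only ciphertext plus the wrapped DEK.
// AES-GCM authenticates before it decrypts, so tampering fails loudly instead of returning garbage.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceSize = 12 // standard GCM nonce length

// StoredObject is everything the provider holds; the KEK is never part of it.
type StoredObject struct {
	KEKVersion int    // customer KEK version that wrapped the DEK
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK), object ID as AAD
	Blob       []byte // nonce || AES-GCM(DEK, plaintext), object ID as AAD
}

// Customer keeps KEKs by version so rotation re-wraps DEKs without touching bulk data.
type Customer struct {
	keks map[int][]byte
	cur  int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable here
	}
	return b
}

// aead builds AES-256-GCM; keys are always 32 bytes from randomBytes, so neither constructor can fail.
func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce || ciphertext+tag; aad binds the result to its context.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randomBytes(nonceSize)
	return aead(key).Seal(nonce, nonce, plaintext, aad)
}

// open verifies the tag before releasing plaintext; a nil key means the KEK version was destroyed.
func open(key, blob, aad []byte) ([]byte, error) {
	if key == nil || len(blob) < nonceSize {
		return nil, errors.New("key destroyed or blob malformed: object is unrecoverable")
	}
	return aead(key).Open(nil, blob[:nonceSize], blob[nonceSize:], aad)
}

// RotateKEK adds a new KEK version; older versions stay usable until DestroyKEK.
func (c *Customer) RotateKEK() { c.cur++; c.keks[c.cur] = randomBytes(32) }

// DestroyKEK is the deletion step: every copy the provider keeps of objects wrapped under that version is now unreadable.
func (c *Customer) DestroyKEK(version int) { delete(c.keks, version) }

// Encrypt uses a fresh DEK per object and wraps it under the current KEK; the object ID as AAD
// stops a wrapped DEK or blob from being swapped onto a different object.
func (c *Customer) Encrypt(objectID string, plaintext []byte) *StoredObject {
	dek := randomBytes(32)
	return &StoredObject{
		KEKVersion: c.cur,
		WrappedDEK: seal(c.keks[c.cur], dek, []byte(objectID)),
		Blob:       seal(dek, plaintext, []byte(objectID)),
	}
}

// Decrypt unwraps the DEK with the recorded KEK version, then authenticates and decrypts the blob;
// any change made without the KEK surfaces here as an error, not as corrupt plaintext.
func (c *Customer) Decrypt(objectID string, o *StoredObject) ([]byte, error) {
	dek, err := open(c.keks[o.KEKVersion], o.WrappedDEK, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return open(dek, o.Blob, []byte(objectID))
}

// Rewrap moves an object to the current KEK: only the small wrapped DEK is re-encrypted,
// the bulk ciphertext sitting at the provider is untouched.
func (c *Customer) Rewrap(objectID string, o *StoredObject) error {
	dek, err := open(c.keks[o.KEKVersion], o.WrappedDEK, []byte(objectID))
	if err != nil {
		return err
	}
	o.KEKVersion, o.WrappedDEK = c.cur, seal(c.keks[c.cur], dek, []byte(objectID))
	return nil
}

func main() {
	c := &Customer{keks: map[int][]byte{}}
	c.RotateKEK()
	obj := c.Encrypt("hr/payroll-2011.csv", []byte("constructed sample record"))
	obj.Blob[len(obj.Blob)-1] ^= 0x01 // simulate the provider altering the object
	_, err := c.Decrypt("hr/payroll-2011.csv", obj)
	fmt.Println("tamper detected:", err != nil)
}
```

The design choice worth noting is that rotation and deletion act on the wrapped DEKs, which the customer controls, rather than on the bulk ciphertext the provider holds: rotating a KEK costs one small re-encryption per object, and destroying a KEK version makes every object still wrapped under it unreadable no matter how many backups the provider retains.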
Identity and Access Management
• IAM is a big challenge today in secure cloud computing
• Identity – avoid proprietary solutions unique to the cloud provider
• Local authentication service offered by the provider should be OATH compliant (OATH is the Initiative for Open Authentication, the body behind the HOTP/TOTP one-time-password standards, not OAuth)
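What “OATH compliant” means in practice, as an added Go example that is not from the slides: OATH publishes the HOTP (RFC 4226) and TOTP (RFC 6238) one-time-password algorithms, so a server that verifies codes this way accepts tokens from any conforming vendor and the shared secret is not locked to one provider’s scheme. The secret and expected codes are the RFCs’ published test vectors; the look-ahead window, the drift tolerance and the function names are assumptions chosen for illustration.

```go
// Added example, not from the original slides. "OATH" here is the Initiative for Open
// Authentication (not OAuth): its HOTP (RFC 4226) and TOTP (RFC 6238) algorithms are what
// a standards-based one-time-password service implements, so tokens and servers from
// different vendors interoperate and the shared secret is not tied to one cloud provider.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP computes the RFC 4226 code for a shared secret and an 8-byte moving counter.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
	// whose top bit is masked off to avoid signed/unsigned ambiguity across platforms.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// TOTP is HOTP whose counter is the number of time steps since the Unix epoch (RFC 6238).
func TOTP(secret []byte, t time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(t.Unix())/uint64(step/time.Second), digits)
}

// VerifyHOTP checks a submitted code against the stored counter plus a small look-ahead
// window (the token may have been pressed without a login). On success it returns the
// counter the server must persist, one past the matched value, so the same code cannot be
// replayed; on failure the counter is unchanged. Comparison is constant-time.
func VerifyHOTP(secret []byte, counter uint64, code string, window int) (uint64, bool) {
	for i := 0; i <= window; i++ {
		c := counter + uint64(i)
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, c, len(code))), []byte(code)) == 1 {
			return c + 1, true
		}
	}
	return counter, false
}

// VerifyTOTP accepts the current step and one step either side to absorb clock drift.
func VerifyTOTP(secret []byte, now time.Time, step time.Duration, code string) bool {
	for _, d := range []time.Duration{-step, 0, step} {
		if subtle.ConstantTimeCompare([]byte(TOTP(secret, now.Add(d), step, len(code))), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226 / RFC 6238 test secret
	fmt.Println("HOTP counter 0:", HOTP(secret, 0, 6))                                 // 755224 per RFC 4226
	fmt.Println("TOTP at T=59:  ", TOTP(secret, time.Unix(59, 0), 30*time.Second, 8)) // 94287082 per RFC 6238
	next, ok := VerifyHOTP(secret, 0, "359152", 5)                                    // counter-2 code inside the window
	fmt.Println("accepted:", ok, "next counter:", next)
	_, ok = VerifyHOTP(secret, next, "359152", 5) // replaying the same code
	fmt.Println("replay accepted:", ok)
}
```

The points that matter for the IAM slide are the ones a proprietary scheme tends to get wrong: the counter (or clock) is the replay defence and must only ever move forward, the comparison must be constant-time, and because both algorithms are fully specified by RFCs, the same seed can be moved to another verifier if you leave the provider.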
Virtualization
• Understand the internal security controls applied to VMs beyond the built-in hypervisor isolation – IDS, AV, vulnerability scanning, etc.
• Understand the external security controls that protect the exposed administrative interfaces (web-based, APIs)
• Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs
Additional Cloud Security Alliance Resources
Cloud Security Alliance Initiatives
1. GRC Stack
2. Security Guidance for Critical Areas of Focus in Cloud Computing
3. Cloud Controls Matrix (CCM)
4. Consensus Assessments Initiative
5. Cloud Metrics
6. Trusted Cloud Initiative
7. Top Threats to Cloud Computing
8. CloudAudit
9. Common Assurance Maturity Model
10. CloudSIRT
11. Security as a Service
Cloud Controls Matrix Tool
• Controls derived from guidance
• Rated as applicable to S-P-I
• Customer vs Provider role
• Mapped to COBIT, HIPAA, ISO/IEC 27002:2005, NIST SP 800-53 and PCI DSS
• Helps bridge the gap between IT and IT auditors
www.cloudsecurityalliance.org/cm.html
Contact
• Help us secure cloud computing
• www.cloudsecurityalliance.org
• Cloud Security Alliance, Chicago Chapter
• LinkedIn: http://www.linkedin.com/groups?gid=3755674
Questions?