1. Securing Cloud Computing Environments Protecting your Data in Private & Public CloudsHrusostomos Vicatos Cloud Summit 2012 - Johannesburg, South Africa

2. What is Cloud - refresher Cloud delivery through Automated Provisioning enabling On Demand Self Service Cloud is Elastic in Nature Resource Usage is measured to enable automatic control and optimization Cloud Capabilities delivered over the Network and accessed through heterogeneous client platforms Resources are pooled and shared Public or Shared Cloud is a vanilla offering with minimal or NO customization Cloud is generally delivered as a Hosted Service Offering Cloud is not a silver bullet solution to every problem Some Customers and Service Offerings cannot be fulfilled with a Cloud delivery model unless prepared to change the business requirements and/or application architecture 3. Generic Types of Cloud Offerings Main Variants (SPI framework) SAAS (Software as a Service) Applications in the cloud Very Vanilla Little Integration and Simple migration PAAS (Platform as a Service) Development Environment in the Cloud Building blocks and Tools that One can string together into something useful IAAS (Infrastructure as a Service) Typical IT building blocks that are Virtualised and Shared Compute, Storage, Backup in the Cloud Linthicum Model (xAAS) Storage, Database, Information, Process, Application, Platform, Integration, Security, Management, Governance & Testing as a Service DAAS Desktop as a Service 4. Ask Yourself? What is my Core Business? Critical Dependencies on which Processes, Tools, Human Resources, Information? What are the potential threats to these Critical dependencies and what impact could they have if realised? What am I doing to protect my Core Business? And how do I mitigate these threats in terms of a successful security attack? What are my organisation compliance requirements? Industry Specific? Financially and Legally? New Acts (CPA, PPI etc.) What Control and Process Management Frameworks have we adopted? Which of the Specific Controls are being implemented? How are we managing compliance and effectiveness of our deployed control measures? 5. Ask Yourself? What is my Core Business? Critical Dependencies on which Processes, Tools, Human Resources, Information? What are the potential threats to these Critical dependencies and what impact could they have if realised? What am I doing to protect my Core Business? And how do I mitigate these threats in terms of a successful security attack? What are my organisation compliance requirements? Industry Specific? Financially and Legally? New Acts (CPA, PPI etc.) What Control and Process Management Frameworks have we adopted? Which of the Specific Controls are being implemented? How are we managing compliance and effectiveness of our deployed control measures? 6. Cloud Tenancy Types 7. Q: How does my Security Posture Change? 8. Jericho Forum Cloud Cube Model Internal/External Defines the Physical Data Location Inside or Outside your Organisations Physical Boundaries Example Virtualised Disk in your Organisations Data Centre = Internal Amazon SC3 = External Relevance https://collaboration.opengroup.org/jericho/Physical Security Facility Management Environmental Controls Housekeeping 9. Jericho Forum Cloud Cube Model ProprietaryOpen Defines state of ownership or Cloud technology elements used Closed and Limited to Provider or Open and available to others Proprietary could be innovative and uniqueExample Ubuntu Cloud Infrastructure & Openstack as Open Proprietary: Various PAASPsRelevance Interoperability with Other Cloud Solutions Ease of EntryExit Proprietary Toolsets not necessarily a Service Provider Lock in (If widely available through other Providers) Risks re: Provider Viability and Sustainability Tools Development Standards and Security Controls - Provider vs. Community Driven Various Tools within Set (FAB)https://collaboration.opengroup.org/jericho/ 10. Jericho Forum Cloud Cube Model Perimeterized/De-Perimeterized Within or Outside Traditional Secure IT boundaries Within or Outside of your Organisations own security control perimeterExample Typically Organisations Network FireWalls indicate traditional IT Security Boundaries Extending your Organisations Network Addressing and Firewalling into a Service Providers Data Centre makes your hosted solution Virtually PerimeterizedRelevance Determination of Perimeter Security Controls Solution Location impacts Deployment Architectures https://collaboration.opengroup.org/jericho/ie. Encrypting Databases when in DePerimeterized Mode. Increased Abstraction between different solution layers Importance of certain Security Functions, like Identity & Access Management raised 11. Jericho Forum Cloud Cube Model Insourced/Outsourced Resources and Processes could be internal to and under control of your organisation, or serviced by a third PartyExample If you utilize Amazon EC2Amazon resources and operating processes like change or incident management are utilizedhttps://collaboration.opengroup.org/jericho/Relevance IT Service Management Processes Service Delivery Methodology HR Policies (Ethics, Interest, Behaviour) Contract Management (SLA) Data & Application Terms of Operation (ie. Customer Compliance obligations Enterprise Systems Management Tools Housekeeping & Continuous Improvement 12. Security Management Iterative Process Continuous Improvement Cyclic Top Down to Bottom Up and begin againClassification Key Processes Data SystemsApplications Customer Priorities !!! Operations Process focus DDD : Prevention RRR : Mitigation Stakeholder Requirements Tradeoff Customer Obligations EnterpriseBusiness Priorities Cloud Service Provider Commitments Industry Compliance 13. Security Management Iterative Process Continuous Improvement Cyclic Top Down to Bottom Up and begin againClassification Key Processes Data SystemsApplications Customer Priorities !!! Operations Process focus DDD : Prevention RRR : Mitigation Stakeholder Requirements Tradeoff Customer Obligations EnterpriseBusiness Priorities Cloud Service Provider Commitments Industry Compliance 14. The Landscape The Infra and App landscape coverage still the same 15. The Landscape The Infra and App landscape coverage still the sameBASIC DATA CENTRE OUTSOURCE 16. The Landscape The Infra and App landscape coverage still the sameINFRASTRUCTURE AS A SERVICE 17. The Landscape The Infra and App landscape coverage still the sameSOFTWARE AS A SERVICE Or PLATFORM AS A SERVICE 18. The Landscape The Infra and App landscape gets more complex VirtualisationAutomationDATABASE VIRTUALISATION LAYER O/S VIRTUALISATION LAYER SERVER VIRTUALISATION LAYER STORAGE VIRTUALISATION LAYER NETWORK VIRTUALISATION LAYERSECURITY ZONE CAPPLICATION VIRTUALISATION LAYERSECURITY ZONE BSECURITY ZONE ADESKTOP VIRTUALISATION LAYER 19. SABSA Method Business Requirements Driven Risk Assessed Enterprise Wide Architectural Governance Compliant Return of Value tied to Business Objectiveshttp://www.sabsa-institute.org/the-sabsa-method.aspxBased on Zachmann EA Model 20. Focus Issue 1: Identity Management Jericho Forum The Cloud won't take off fully without appropriate Identity Management and Access Management Collaborative Clouds will need a significant shift from Enterprise Centric security to User Centric SecurityIn the Cloud Services Environment Identity Management, Entitlement and Access management must extend beyond human user The use of APIs and automated system interactions require that All Entities have a unique identity Authentication Mechanisms extend to Entities Entities include any Person, Organisation, Computing Device, Code, Data or Physical PossessionSome Data from Identity Theft Resource Center (http://www.idtheftcenter.org) Breach : Event when individuals Name + Social Security Number, drivers licences, medical or financial record is put at risk In USA alone published breach incidents for 2012 (~9 Months) 324 Breaches Year to Date (as of 9 October 2012) 12 Banking/Financial Breaches including Union Bank, First Republic, Citibank and Wells Fargo 37 US government or military breaches 111 MedicalHealth Care9.4 Million Records exposed (known) Exposed Record Count Unknown for 156 Breaches (48% of Breaches)Passwords are Dead Linked In, Sony, Gawker, Zappos and others Human Habit = Password Re-Use Weak Password Selection Common Linked In Stolen Passwords include LinkedIn, Password1, hatemyjob, killmenow 21. Focus Issue 1: User Identity Management Unique Identification System Portable individualized Solution Biometric Authentication Encrypted One Time Password Delivery Configurable User Pin Integrates into Existing IAM Simple API Shared Authentication Model Benefits Enabled User Centric Authentication Shared Central Authentication Multi-Services Capable Application Authentication Banking Encrypted Message Delivery Cost Effective Context Aware Credentials authentication Multi-Finger Sequences Web Services Architecture Supported Rapid DeploymentFlicker CodeSecure Agses Server Agses Device 22. Focus Issue 2: Virtualised Network Security Key Attribute of Cloud Services- Broad Network Access Effective Network Security is Critical Network Security is not a single device or technology solution Ecosystem Contextualised WAN vs. LAN vs. DC Network vs Edge Access Cloud Model Types Service Awareness Different Service Types (Web, Voice, Real Time vs Asynchronous) Differentiated Security Priorities Different Security Elements form a coherent architecture Zones or Security Segmentation utilised within a single business domain to separate different security classes Incorporate Behaviour and Traffic Analysis Techniques Derive Baseline Behaviour for norms Outside Norm Behaviour as Trigger for targeted Security analysisinvestigation Improved Remediation Actions Spin Off Benefits such as Improved Performance and Availability Baseline data for Traffic Behaviour an input to Capacity Management 23. Focus Issue 2: Virtualised Network Security Multi-Tenancy Multiple Application Zones Different Network Security Elements 24. Focus Issue 2: Virtualised Network Security Multi-Tenancy Multiple Application Zones Different Network Security ElementsResilienceDifferentiationVirtualise and Consolidate Different Network Security Elements to Common Platform 25. Focus Issue 2: Virtualised Network Security 26. Focus Issue 2: Virtualised Network Security 27. Focus Issue 2: Virtualised Network Security 28. Focus Issue 2: Virtualised Network Security 29. Protecting Your Information Assets Profile and Classify Your Applications Correctly Deploy AppsServices into most correct Cloud type (ie. Public vs. Private) Ensure appropriate Security Controls & Measures (Right Securing) Evaluate Security levelsstandards of your Cloud Service Provider (CSP) Leverage Existing Standards ie. ISO 27000 Series Compliment the Vanilla Offerings security where necessary Enforce use of Third Party Audit Services by your CSP Regular Vulnerability Assessments and Penetration Testing Provide Security in Depth Multiple Layers Multi Factor, Context Aware authentication and access control is foundational Ensure all Entities have Unique Identity & are authenticated Incorporate Honey PotsTrip Wires where appropriate Utilise encryption techniques for data in transit and at rest 30. Protecting Your Information Assets Insist on Security Metrics and Compliance commitments in your CSP SLA Carefully Plan your security with your CSP Ensure that the offered solution satisfies your organisational security and usercustomer privacy requirements Ensure Security Event Monitoring, Logging and Assessment is undertaken for CSP managed services Ensure CSPs are transparent with you regarding their security processes, practices and effectiveness Build redundancy and resilience across multiple CSPs to mitigate Disaster and reliability issues Dont Assume it is catered for automatically by the CSP or built into each deployed service Leverage Knowledge Sources and Bodies collaboration.opengroup.org/jericho/ cloudsecurityalliance.org/ 31. Some Parting Thoughts Cloud can bring benefits to your Organisation Reduced Capital and Operating Costs Simplifying Core Operating Processes Ease of deployment Do not assume. Everything is taken care of Your business priorities, compliance and controls are automatically catered for All your current applications and be deployed into Vanilla Cloud offerings Cloud is not absolution of ITs responsibility to the Organisation but rather an effective toolset to optimise your capability Security is a concernBut so is Availability, Skills, CSP reputation and sustainability Mitigate this through Augmenting the Vanilla Offering Keep the Balance ie. Cost of Security vs. Liability Contract your Business (Security) requirements with firm, clear commitments from your CSP Ensure effective Service Level and Partner Management Processes are in effect in your IT shop (Manage your CSP) 32. Thank YouTo Contact Hrusostomos Hrus.Vicatos@Victree.biz at +27 (0) 81 270 9315General Enquiries : info@victree.biz or Fax us at +27 (0)86 269 9181 You can visit us at http://www.victree.biz