Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

Transcription

1 Cloud Security Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

2 Agenda Introduction Security Assessment for Cloud Secure Cloud Infrastructure Security by each Service Model Electronic Government Agency (Public Organization), Thailand (EGA) Cloud Security Alliance (CSA)

3 INTRODUCTION TO CLOUD

4 NIST Model of Cloud Computing

5 Cloud Service Model Based on Demand of Cloud consumer & Supply of Cloud provider XaaS : Everything as a Service

6 Multi-Tenancy Managed by Customer Managed by Vendor Traditional IaaS PaaS SaaS Application Application Application Application Data Data Data Data API/Runtime API/Runtime API/Runtime API/Runtime Middleware Middleware Middleware Middleware OS OS OS OS Virtualization Virtualization Virtualization Virtualization Server Server Server Server Storage Storage Storage Storage Network Network Network Network

7 Deployment Model Public/Private/Hybrid/Community Based on Trusted/Untrusted accessible and consume. Multi-Tenancy Concept Infrastructure Managed/Owned/Located

8 General Cloud Architecture Self Service Management Service Management Service Catalog CMDB API/Interoperability/Portability Mgt. Virtualization Orchestration/Configuration Provision Management Security/Risk Management Risk/Compliance Control Identity/Access Mgt. Configuration Mgt. SLA Mgt. Performance/Capacity/ Availability Monitoring/Incident Storage Virtualization Computing Network Encryption Mgt. Auditing and Assessment Intrusion Mgt. Hardening Physical/Data Center 8

9 SECURITY ASSESSMENT FOR CLOUD

10 - Data Lose/Confidential/Protection - Multi-tenancy problem - Vulnerability of Cloud Infra: Hypervisor, Cloud software, API - Availability - Access Control/Authorization - Location of Data/Physical Security - Legislation, Law, Compliance, Standard Risk of Cloud Computing

11 Know Categorize asset of Cloud service Before start ISMS (Information Security Management System) Recommend : based on process; write the flow. Base on data/information/transaction/processing/ Function/Application classification concept Define Asset : CPS asset, Your asset / Owner/Category/Dependency/Value

12 Sample of Asset Matrix 12

13 Define your ISMS to protect your asset on Cloud service Define Scope Define ISMS Policy/Procedure Risk Assessment and Risk Management Define Methodology Identify Risk Analyze and Evaluate Risk Address Risk/Risk Treatment Choose security control Management Approval and Resource Statement of Applicability Amazon Web Services: Overview of Security Processes per.pdf

14 Define your ISMS to protect your asset on Cloud service [Cont.] Threat : not only hacker Cloud provider, Muti-tenancy, supply chain, 3 party, outsourcing. External standard and compliance. Vulnerability : based on cloud technology and architecture Virtualization API/Cloud Solution Risk: Threat x Vulnerability x Exposure x Impact x Likelihood and more The Notorious Nine: Cloud Computing Top Threats in 2013 ; CSA / Cloud Computing Risk Assessment ; enisa

15 Overall Cloud Risk Management Sketch Data Flow (Withou t Cloud) Identify Asset Evaluate Asset Map to Deploym ent Model Map to Service Model Sketch Data Flow (With Cloud) Documen t Helps you make early risk decisions on cloud usage, and is not a replacement for a full risk management. 15

16 Questions for Asset Evaluating Step How would we be harmed if the asset became public and widely distributed? How would we be harmed if an employee of our cloud provider accessed the asset? How would we be harmed if the process or function was manipulated by an outsider? How would we be harmed if the process or function failed to provide expected results? How would we be harmed if the information/data was unexpectedly changed? How would we be harmed if the asset was unavailable for a period of time? 16

17 SECURE CLOUD INFRASTRUCTURE

18 Secure Cloud Infrastructure Network Security Infrastructur e Component /Architectur e Security Management Plane Security Hypervisor Security

19 1. General Cloud Architecture Self Service Management Service Management Service Catalog CMDB API/Interoperability/Portability Mgt. Virtualization Orchestration/Configuration Provision Management Security/Risk Management Risk/Compliance Control Identity/Access Mgt. Configuration Mgt. SLA Mgt. Performance/Capacity/ Availability Monitoring/Incident Storage Virtualization Computing Network Encryption Mgt. Auditing and Assessment Intrusion Mgt. Hardening Physical/Data Center 19

20 1. General Cloud Architecture Self Service Management Service Management Service Catalog CMDB Configuration Mgt. API/Interoperability/Portability Mgt. Security In-depth ; Provision Hardening; Management Patch ; Configuration Best Practice and Virtualization monitoring. Virtualization Orchestration/Configuration Security/Risk Management Risk/Compliance Control Identity/Access Mgt. Encryption Mgt. SLA Mgt. Performance/Capacity/ Availability Monitoring/Incident Storage Computing Network Auditing and Assessment Intrusion Mgt. Hardening Physical/Data Center 20

21 2. Network Security Use separate physical networks Isolate the cloud networks from the normal LAN Prevent MAC address spoofing (to prevent spoofing and man-in-the-middle attacks) Restrict network access to the Cloud Management Server Strictly control access to Management network to protect sensitive control data Use Firewall/IDS/IPS IDS = Intrusion Detection System, IPS = Intrusion Prevention System

22 Zoning your Network Use trust/availability zones to segregate networks Network Pool A Net Pool B Network Pool C Storage Pool A General Zone Storage Pool C Secure Zone

23 Sample : vcloud Physical Deployment Diagram

24 Sample : vcloud Logical Deployment Diagram

25 3. Management Plane Key Functions Provisioning VMs Starting/stopping VMs Configuring resource pools for VMs Compute Storage Network (VLANs) Authentication Access Control Logging/Monitoring

26 3. Management Plane Security Restrict network access to Management Plane Strictly control access to Management network to protect sensitive control data Use Firewall to protect Management network Limit authorized persons with privileges to access Management Plane Enable Management Plane s logging and perform regular review Use secure remote access to Management Plane, e.g. SSH

27 4. Hypervisor Security Hardening Hypervisor OS Patch and Update Service and Feature Restrict Restrict on Administrative Interface : SSH, Web, CLI Network Access Control User Access Control Monitoring Hypervisor Backup and Restore Guest OS isolation : Assign own resources for each Guest OS Based on security level

28 Security Baseline Every system, OS, Application should have security baseline. Best security baseline is Production s Security Guideline. Example: vsphere Security Guideline vsphere Security Hardening Guide

29 Security Baseline Tools Control Compliance Tools VMware Compliance Checker for vsphere mpliance-chk&lp=default

30

31 SECURITY BY EACH SERVICE MODEL

32 Security by Each Service Model The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.

33 IaaS Security: Where to Start Firewall with restrictive policy Communications Encryption Network Zoning Protect Access Keys Virtual Machine Host Security

34 PaaS Security: Where to Start App Logging Communications Encryption, e.g. SSL Good Security Test for App Good App Design Your Application Limited Network Access to App

35 SaaS Security: Where to Start Security Settings in Software Communications Encryption, e.g. SSL, if possible Software used Data Backup

36 About EGA Electronic Government Agency (Public Organization) Thailand, founded 2011 Under supervision of the Ministry of Information and Technology and Communication Technology of Thailand Responsibilities of promoting and supporting the development of e-government services Developing e-government system the best supports Thailand ICT development Center for driving the e-government service development Enabling Complete & Secure e-government

37 G-Cloud (Government Cloud Service) Manages Cloud Enterprise Architecture development for use as a development model for other government organizations Offers Infrastructure as a Service (IaaS) and Software as a Service (SaaS), Plans to provide Platform as a Service (PaaS) in 2015 Works with the private sectors to develop IT system for Government agencies on G-Cloud in order to promote local software industry and increase national competitiveness

38 G-Cloud Model Secure Internet

39 About the Cloud Security Alliance Global, not-for-profit organization, founded 2009 Over 58,000 individual members, 200 corporate members, 75 chapters world wide Geographically divided into Americas, EMEA and APAC regions to meet strategic objectives Established with the aim of bringing trust to the cloud Develop a global trusted cloud ecosystem Building best practices and standards for next-gen IT Grounded in an agile philosophy, rapid development of applied research that supports all activities To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

40 CCSK Certificate of Cloud Security Knowledge Benchmark of cloud security competency Measures mastery of CSA guidance and ENISA cloud risks whitepaper Understand cloud issues Look for the CCSKs at cloud providers, consulting partners Online web-based examination

41 CSA STAR Registry CSA STAR (Security, Trust and Assurance Registry) Public Registry of Cloud Provider self assessments Based on Consensus Assessments Initiative Questionnaire Provider may substitute documented Cloud Controls Matrix compliance Voluntary industry action promoting transparency Free market competition to provide quality assessments Provider may elect to provide assessments from third parties

42