Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Transcription

1 Securing The Cloud Foundational Best Practices For Securing Cloud Computing Scott Clark

2 Agenda Introduction to Cloud Computing What is Different in the Cloud? CSA Guidance Additional Resources 2

3 What is Cloud Computing? Compute as a utility: third major era of computing Mainframe PC Client/Server Cloud computing: On demand model for allocation and consumption of computing Cloud enabled by: Moore s Law: Costs of compute & storage approaching zero Hyperconnectivity: Robust bandwidth from dotcom investments Service Oriented Architecture (SOA) Scale: Major providers create massive IT capabilities

4 How to think about Cloud Perfect storm convergence of existing technologies in a new business model The next platform for software applications Disruption! Not one cloud many types and deployments of cloud Aspects of our legacy we can learn from but key differences Mainframes Virtualization Outsourcing Challenges many of our IT definitions, e.g. what is data?

5 What is Different in the Cloud? Many concepts in the cloud are similar to concepts in standard outsourcing There are at least four themes which require a different mindset when working on security for cloud services: Role clarity for security controls Legal / jurisdictional / cross-border data movement Virtualization concentration risk Virtualization network security control parity. 5

6 What is Different in the Cloud? Role Clarity Security ~ THEM Security ~ YOU SaaS Software as a Service IaaS Infrastructure as a Service PaaS Platform as a Service

7 What is Different in the Cloud? Legal / Jurisdictional Issues Amplified Cloud Provider Datacenter in London, U.K. Cloud Provider Datacenter in Sao Paolo, Brazil Cloud Provider Datacenter in Geneva, Switzerland Cloud Provider Datacenter in Tokyo, Japan Your Corporate Data? Cloud Provider Datacenter in San Francisco, USA

8 What is Different in the Cloud? Virtualization Concentration Risks Old Way Hack a System New Way Hack a Datacenter Hypervisor

9 What is Different in the Cloud? Virtualized N-Tier Control Equivalence Current Way New Way Users Internet How do we ensure control parity? Hypervisor FW WAF NIDS / IPS Presentation Layer Data Layer FW WAF NIDS / IPS Internet Users

10 Key Cloud Security Problems From CSA Top Threats Research: Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance Data: Leakage, Loss or Storage in unfriendly geography Insecure Cloud software Malicious use of Cloud services Account/Service Hijacking Malicious Insiders Cloud-specific attacks

11 Cloud Security Alliance Guidance 11

12 Cloud Security Alliance Guidance Operating in the Cloud Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Governing the Cloud Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Available at

13 Defining Cloud On demand provisioning Elasticity Multi-tenancy Key types Infrastructure as a Service (IaaS): basic O/S & storage Platform as a Service (PaaS): IaaS + rapid dev Software as a Service (SaaS): complete application Public, Private, Community & Hybrid Cloud deployments

14 Governance and Enterprise Risk Management Operating in the Cloud Due Diligence of providers governance structure and process in addition to security controls. SLA s Risk Assessment approaches between provider and user should be consistent. Consistency in Impact Analysis and definition of likelihood Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

15 Legal and Electronic Discovery Operating in the Cloud Mutual understanding of roles related to litigation, discovery searches and expert testimony Data in custody of provider must receive equivalent guardianship as original owner Unified process for responding to subpoenas and service of process, etc Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

16 Compliance and Audit Operating in the Cloud Right to Audit Clause Cloud Architecture Analyze Impact or Regulations on data security Prepare evidence of how each requirement is being met Auditor qualification and selection Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

17 Information Lifecycle Management Operating in the Cloud How is Integrity maintained? If compromised how its detected and reported? Identify all controls used during date lifecycle Know where you data is! Understand provider s data search capabilities and limitations Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

18 Portability and Interoperability Operating in the Cloud IaaS - Understand VM capture and porting to new provider especially if different technologies used. PaaS Understand how logging, monitoring and audit transfers to another provider SaaS perform regular backups into useable form without SaaS. Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

19 Security, Business Continuity and Disaster Recovery Operating in the Cloud Conduct an onsite inspection whenever possible Inspect cloud providers disaster recovery and business continuity plans Ask for documentation of external and internal security controls adherence to industry standards? Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

20 Data Center Operations Operating in the Cloud Demonstration of Compartmentalization of systems, networks, management, provisioning and personnel Understanding of providers patch management policies and procedures should be reflected in the contract! Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

21 Incident Response, Notification and Remediation Operating in the Cloud May have limited involvement in Incident Response, understand prearranged communicated path to providers incident response team What incident detection and analysis tools used? Will proprietary tools make joint investigations difficult? Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

22 Application Security Operating in the Cloud S-P-I creates different trust boundaries in SDLC account for in dev, test and production Obtain contractual permission before performing remote vulnerability and application assessments provider inability to distinguish testing from an actual attack Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

23 Encryption and Key Management Operating in the Cloud Separate key management from provider hosting the data creating a chain of separation Understand provider s key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted Ensure encryption adheres to industry and government standards when stipulated in the contract Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

24 Identity and Access Management Operating in the Cloud IAM is a big challenge today in secure cloud computing Identity avoid providers proprietary solutions unique to cloud provider Local authentication service offered by provider should be OATH compliant Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Governing the Cloud Encryption and Key Management Identity and Access Management Virtualization

25 Virtualization Operating in the Cloud Understand internal security controls to VM other than built in Hypervisor isolation IDS, AV, vulnerability scanning etc. Understand external security controls to protect administrative interfaces exposed (Web-based, API s) Reporting mechanisms that provides evidence of isolation and raises alerts if a breach of isolation occurs. Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud

26 Additional Cloud Security Alliance Resources 26

27 Cloud Security Alliance Initiatives 1. GRC Stack 2. Security Guidance for Critical Areas of Focus in Cloud Computing 3. Cloud Controls Matrix (CCM) 4. Consensus Assessments Initiative 5. Cloud Metrics 6. Trusted Cloud Initiative 7. Top Threats to Cloud Computing 8. CloudAudit 9. Common Assurance Maturity Model 10. CloudSIRT 11. Security as a Service 27

28 Cloud Controls Matrix Tool Controls derived from guidance Rated as applicable to S-P-I Customer vs Provider role Mapped to COBIT, HIPAA, ISO/IEC , NIST SP and PCI DSS Help bridge the gap for IT & IT auditors

29 Contact Help us secure cloud computing Cloud Security Alliance, Chicago Chapter LinkedIn:

30 Questions? 30