Secure your cloud applications by building solid foundations with enterprise (security ) architecture

Transcription

1 Supporting Business Agility Secure your cloud applications by building solid foundations with enterprise (security ) architecture Vladimir Jirasek, Managing director Jirasek Consulting Services & Research Director, Cloud Security Alliance, UK chapter Classification: Public 1

2 About me MBA (MSc) degree 20 years experience in IT 13 years experience in InfoSec Worked in various companies in diverse sectors Engaged in security organisations as projects such as CAMM, CSA Technical editor of a cloud security book Present at security and IT conferences Classification: Public 2

3 Agenda Enterprise architecture crash course Security architecture overview Cloud security models Governance in Cloud Data security in Cloud Identity and Access in Cloud Classification: Public 3

4 Supporting Business Agility ENTERPRISE ARCHITECTURE Classification: Public 4

5 What is Enterprise Architecture Enterprise architecture (EA) is the process of translating business vision and strategy into effective enterprise change by creating, communicating and improving the key requirements, principles and models that describe the enterprise's future state and enable its evolution. Wikipedia Enterprise architecture is about strategy, not about engineering. Gartner Common sense to ensure everyone in a company is pulling in one direction, maximising ROI, reducing waste, increasing efficiency, effectiveness, agility, maintaining strategic focus and delivering tactical solutions. Vladimir Jirasek Classification: Public 5

6 EA is a business support function Should be discussed here Is commonly discussed here Classification: Public 6

7 EA frameworks Source: Classification: Public 7

8 One of the most used architecture frameworks: TOGAF Classification: Public 8

9 Supporting Business Agility ENTERPRISE SECURITY ARCHITECTURE Classification: Public 9

10 People Services Technology Jirasek Consulting Services Security model business drives security Feedback: update business requirements International security standards Input Security management Correction of security processes Governance Line Management Laws & Regulations Defin e Compliance requirements Business objectives Input Policy framework Information Security policies Information Security standards Mandate Process framework Information Security Processes Measured by Metrics framework Information Security Metrics objectives IT GRC Inform Product Management Program Management Risk & Compliance Defin e Business impact Defin e Business & information risks Information Security guidelines Define security controls Security intelligence Execute security controls External security metrics Measure security maturity Assurance Auditors Security management Security Services Security threats Input Security Professionals Classification: Public 10

11 Security architecture domains Security architect work across all domains Stakeholder in EA Works with domain architects (depends on the size of an organisation) Classification: Public 11

12 Cloud model maps to Security model Cloud model Direct map Classification: Public 12

13 Responsibilities for areas in security model compared to delivery models Provider responsible Customer responsible GRC Business continuity SIEM Identity, Access Cryptography Data security Application sec. Host security Network security Physical security IaaS PaaS SaaS IaaS PaaS SaaS Classification: Public 13

14 Should data security be on CIOs agendas? Why only CIO? PaaS/SaaS Mandatory reading! SaaS SaaS Cloud provider reputation/costs Present time Your company reputation/costs Consolidation of Cloud providers Future Cost savings in Enterprises Not many security breaches so far. Why? Will become targeted as more enterprises rely on public Cloud computing Classification: Public 14

15 Supporting Business Agility CLOUD DEPLOYMENT GOVERNANCE Classification: Public 15

16 Governance related to Cloud Setting company policy for Cloud computing Risk based decision which Cloud provider, if any, to engage Assigning responsibilities for enforcing and monitoring of the policy compliance Set corrective actions for non-compliance Classification: Public 16

17 Cloud governance::policy Cloud adopted typically by a) IT directors managed relatively consistently and mostly [I P]aaS b) Business managers less governance; typically SaaS Policy should state: It is a policy of. to manage the usage of external Cloud computing services, taking into account risks to business processes, legal and regulatory compliance when using external services Cloud services. CIO is responsible for creating and communicating external Cloud computing strategy and standards. Classification: Public 17

18 Cloud standard structure General statements Governance requirements for Cloud Enterprise architecture to be ready for Cloud and Cloud services to plug-in (IAM, SIEM, Data architecture, Forensic) Discovery of Cloud service use Before Cloud project Cloud service to comply with data classification Encrypting all sensitive data in Cloud Identity and Access management (AAA) link to Cloud service During Cloud project Due diligence to be performed Do not forget right to audit Know locations of PII During Cloud project (cont) Assess availability (SLA and DR) of Cloud provider Assess Cloud provider security controls Assess potential for forensic investigation by company s team Running a Cloud service Limit use of live data for development and testing Monitor cloud provider s security controls Link Company s SIEM with Cloud provider and monitor for incidents Moving out of Cloud Data cleansing Data portability Classification: Public 18

19 Examples: I have 1TB of CSV files, now what? Customer uses well know CRM in Cloud SaaS designed to immerse clients into well defined, bespoke CRM No known data mode Export of data in CSV. Tip: Portability is the key in SaaS applications. Think about leaving the Cloud provider upfront. How will you take your data? Classification: Public 19

20 Example: Scaling up/down development Large manufacture and service company Requirement to support development needs with seasonal demands ideal case for [I P]aaS Security team approached up-front to perform review Live data not uploaded to the provider before on-site sanitising Classification: Public 20

21 Supporting Business Agility DATA SECURITY IN CLOUD Classification: Public 21

22 Cloud provider: AES-128 so it must be secure! Trust me! Cloud service user PDF Secret PDF Secret Cloud Service Provider Just because it is encrypted does not make it secure Look end to end. Classification: Public 22

23 However not all data in the cloud are secret! Classification: Public 23

24 Sometimes too much encryption is bad though. Who holds encryption keys? Are they available? Classification: Public 24

25 Network Hos t Application Data SIEM Jirasek Consulting Services Data protection options in cloud models Infrastructure as a Service Platform as a Service Software as a Service Extend company SIEM Plug-in to Provider s SIEM Extend DLP or edrm Extend company file or object encryption Provider operated data/database encryption Encrypting/tokenising reverse proxy engines (e.g. CipherCloud) Tokenisation and anonymisation Application encryption (customer retains keys) Encryption appliance (e.g. Safe-Net ProtectV) Provider dependent and operated host encryption Web TLS (for IaaS operated by customer) Network VPN (could extend to SaaS) Classification: Public 25

26 Example of SaaS Use of Gmail inside and outside an organisation Intra company Sender Recipient Proxy SaaS web based application. Other standard interfaces IMAP, POP3, SMTP, Web API Data in Gmail available to anyone with proper authentication TLS used on transport layer Consider using CipherCloud like product but be mindful of traffic flows with external customers Sender Recipient Classification: Public 26

27 Example of IaaS Cloud provider offers virtual computing resources for Internal apps deployment Intra company Internal user Administrator Key management HSM VPN Cloud provider can theoretically access all data, if decryption happens on the virtual machine! But would they? Use two possible models: Local crypto operations with remote key management. Consider SafeNet ProtectV Remote crypto operations over VPN speed penalty Travelling user Data encrypted Remote encryption operations Data encrypted Local encryption operations Virtual servers Classification: Public 27

28 Supporting Business Agility IDENTITY AND ACCESS MANAGEMENT IN CLOUD Classification: Public 28

29 IAM is a complex domain::closer to information management then security! Federation Entitlements Access management Identity management These capabilities can be and are mixed between on-site managed by organisations or provided as a service by Cloud providers. Classification: Public 29

30 Identity management::mostly information management Principal management Credential management Attribute management Group memberships Business and IT roles Directory Link to HR data Provision and de-provision users from cloud services automatically Classification: Public 30

31 Entitlements and Access management Entitlements Managing access policies XACML policies (Subject, Rule, Resource) Bespoke policies Based on attributes or groups Connects subjects and resources Access management Uses identity information, entitlement policies and context to make access decisions: Grant Deny Grant but limit Decision closer to resource Classification: Public 31

32 Identity Federation::Let s trust identity providers Not everyone wants to have thousands of username/passwords Cloud services are ideal for identity federation SAML 2.0 OAUTH 2.0 (do not confuse with OATH) Classification: Public 32

33 Summary Create Enterprise Architecture function with dotted line to CEO Appoint Security Architect as part of Enterprise architecture function Have a Cloud policy/standard and update risk management classification Always think of exit from Cloud first! Discover usage of Cloud services Prepare you enterprise architecture to plug Cloud services in IAM, SIEM, Key management Build IAM that supports changing business. Federate and Federate Do not fear Cloud sophisticated form of outsourcing: use supplier management techniques. Classification: Public 33

34 Links A Comparison of the Top Four Enterprise- Architecture Methodologies - TOGAF CipherCloud - Amazon AWS Security - Dropbox security incidents / Classification: Public 34

35 Contact Vladimir Jirasek About.me/Jirasek Classification: Public 35