Cloud Security. DLT Solutions LLC June #DLTCloud

Transcription

1 Cloud Security DLT Solutions LLC June 2011

2 Contact Information DLT Cloud Advisory Group CLOUD01 ( )

3 Your Hosts Van Ristau Chief Technology Officer, DLT Solutions David Blankenhorn Chief Cloud Technologist, DLT Solutions Leads DLT s Cloud Advisory Group 3

4 Introduction Cloud Webcast Series Five weekly webcasts (Thursdays May 12 June 9) Webcast #1 May 12 Introduction to Cloud Computing Webcast #2 May 19 Software as a Service (SaaS) Webcast #3 May 26 Infrastructure as a Service (IaaS) Webcast #4 June 2 Platform as a Service (PaaS) Webcast #5 June 9 Securing the Cloud Series Objectives Provide the audience with A baseline understanding of Cloud Computing service models. Suggested decision criteria for selecting appropriate Cloud services. An overview of vendor Cloud services available Vendor-neutral discussion with Brand vendor examples. 4

5 Agenda Cloud Security What s different? Key Security and Privacy Issues Security Upside Security Downside Threats & Risks Private & Virtual Private Clouds What To Look For What To Ask Considerations and Cautions Resources 5

6 Current Models It s All Inside Physical Datacenter Systems Servers (Hypervisors) Storage Network Appliances Application Platforms Operating Systems (VMs) Applications Account Management Identity Authentication Authorization Governance, Risk & Compliance (GRC) Audit Analysis Business Continuity Security Infrastructure Intrusion Prevention Intrusion Detection Continuous Monitoring Access Controls Client Interface Browsers Smartphones Desktops Laptops Tablets A very simplified view 6

7 Traditional Hosting Models IT Systems Application Platform GRC Account Management Security Infrastructure Client Interface Hosting Provider Physical Data Center Systems (limited) Application Platform (limited) GRC 7

8 Public Cloud - Realms of Responsibility SaaS PaaS IaaS Application Application Platform Security Infrastructure Physical Data Center Systems Hypervisor Subscriber Responsibilities GRC Account Management Client Interface GRC Account Management Client Interface Application GRC Account Management Client Interface Application Application Platform Security Infrastructure 8

9 Key Security & Privacy Issues Governance Data Protection Compliance Incident Response Trust Availability Architecture & Software Isolation Identity & Access As defined by NIST 9

10 Possible Security Upside Cloud Staff Specialization Platform Strength Resource Availability Backup & Recovery Data Concentration Source: NIST Internal Staff (Re)specialization Standards Focus Investigation & Forensics Logging Complimentary Cloud Services 10

11 Possible Security Downside Shared, Multi-tenant Services Complexity Loss of Control & Visibility Internet Facing Data Sovereignty And the bad guys can use it too 11

12 Top Threats & Risks Threats Abuse & Nefarious Use Insecure Interfaces & APIs Malicious Insiders Shared Technology Data Loss or Leakage Account or Service Hijacking Unknown Risk Profile Source: Cloud Security Alliances (CSA) Top Threats to Cloud Computing v1.0 Risks Privileged User Access Regulatory & Ethical Compliance Data Location Data Segregation Disaster Recovery Investigative Support Source: Gartner 12

13 What About Private? Needs Additional Security Virtualization Cloud Infrastructure Systems Servers (Hypervisors?) Storage VM Mobility Network Appliances Loses Scale Requires New Skills Pay Upfront Solves Data Sovereignty Maintains Control & Visibility Physical Datacenter Application Platforms Operating Systems (VMs?) Applications Account Management Identity Authentication Authorization Governance, Risk & Compliance (GRC) Audit Analysis Security Infrastructure Intrusion Prevention Intrusion Detection Continuous Monitoring Access Controls Client Interface Browsers Smartphones Laptops Tablets 13

14 Virtual Private Cloud? Resource Dedication Multi-Tenancy Risk Reduced Virtual Private Network (VPN) Additional Security Boundaries Visibility & Control Increased But still limited Agility Premium Pricing 14

15 What To Look For Service Level Agreements Certifications & Compliance FISMA SAS 70, Type II ISO PCI DSS, HIPAA, etc. Penetration Testing Incident Response Processes & Procedures Service & Data Recovery 15

16 What To Ask How to audit? Where s the data? Who can access? How are employees trained? What data classification is used? How viable? 16

17 Considerations & Cautions Data Sovereignty Key Management Identity Integration Network Latency Cloud Compatibility Auditors Trust, but Verify Risk Mitigation 17

18 Resources National Institute of Standards and Technology (NIST) : Guide to Security Certification and Accreditation of Federal Systems r3: Recommended Security Controls for Federal Information Systems and Organizations : DRAFT Cloud Computing Synopsis and Recommendations : Guidelines on Security and Privacy in Public Cloud Computing : Guide to Security for Full Virtualization Technologies Cloud Security Alliance (CSA) Cloud Controls Matrix European Network and Information Security Agency (ENISA) Cloud Computing: Benefits, risks and recommendations for information security Federal Risk and Authorization Management Program (FedRAMP) 18

19 Closing Thoughts Clouds are massive complex systems [that] can be reduced to simple primitives that are replicated thousands of times and common functional units. Peter Mell and Tim Grance, NIST. OR When eating an elephant, take one [bite] at a time. General Creighton Abrams Jr. 19

20 Contact Information DLT Cloud Advisory Group CLOUD01 ( ) 20