1 Cloud Security & Risk Management
Presentation at The Open Group Conference, March 2011
Varad G. Varadarajan, Enterprise Architecture CoE, Cognizant Technology Solutions
For details please
2 Agenda
- The advantages and disadvantages of cloud computing
- Choosing the right cloud model
- Migrating to the cloud: a security perspective
- Assessing the risks of service providers
- Top security domains
- Risk mitigation strategies
3 Cloud Security: The Pros and Cons
4 Ready to move to the cloud?
Increased risks, lowered costs?
- Moving to the cloud offers both benefits and risks!
- Conflict of interest between provider and consumer
5 Visual Model of Cloud Computing (Source: NIST)
- Characteristics: Broad Network Access, Rapid Elasticity, Measured Service, On Demand Self Service, Resource Pooling
- Service models: Software As A Service (SaaS), Platform As A Service (PaaS), Infrastructure As A Service (IaaS)
- Deployment models: Public, Private, Community, Hybrid
6 Security benefits in cloud computing
- Risk transfer through contractual obligation
- Market differentiation
- Lowers cost of security
- Improves availability
- Simplifies governance
- Managed security: client relies on established processes for BCP/DRP, incident response, patch management, anti-virus
7 But, are we really secure?
- Diminished control (standard APIs)
- Vendor lock-in
- Provider's architecture can be a black box
- Difficult to access log files
- Compliance violations and service outages
- Data crossing trust boundaries
- Data loss or leakage
- Increased attack surface
- Loss of reputation or erosion of trust
- What about rogue clouds?
8 Risks from Multi-tenancy & Virtualization
[Figure: two curves, Cost and Risk, plotted against the degree of multitenancy / virtualization from LOW to HIGH. The axis runs from Data Center through Physical Server, Virtual Server, Application, Database and Table up to Data Elements.]
- Hypervisor escape
- Malicious clients
- Opacity to traditional controls
9 Risk In Federated Clouds
[Figure: Service A, Service B and Service C exchange data in a supply chain, each fronted by Federated Identity Software (FIS) using SAML; a cloudburst pushes data across trust boundaries to accommodate a spike in demand.]
- Data exchanged between cloud applications in a supply chain
- Sensitive data crossing trust boundaries to accommodate spike in demand?
- Enterprise need: federated identity solution
- Data crossing trust boundaries: encrypt data in transit
10 Clients need to do an in-depth assessment of the providers with respect to security, governance, risk and compliance. Choosing the right model involves a trade-off between the perceived benefits and the perceived risks (risk appetite).
11 Choosing the right model
12 Which deployment model is right? (Source: ENISA 2009)
- Who owns the infrastructure? Public: third party. Private: organization. Partner (Community): organization. Hybrid: both organization and third party.
- Who manages the infrastructure? Public: third party. Private: organization or third party. Partner (Community): organization or third party. Hybrid: both organization and third party.
- Where is the infrastructure located? Public: off premise. Private: on premise or off premise. Partner (Community): on premise or off premise. Hybrid: both on premise and off premise.
- Who accesses and consumes the data/applications? Public: all (un-trusted). Private: organization (trusted). Partner (Community): organization and partners (trusted). Hybrid: trusted and un-trusted.
[Figure: the spectrum Non Cloud, Private, Partner, Public plotted against Liability, Cost and Assurance.]
13 Which service model is right for me? (Source: CSA Guide)
Stack layers, top to bottom: Presentation, APIs, Applications, Data / Metadata / Content, Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities
Who secures each layer group:
- Apps Security: IaaS client, PaaS client, SaaS provider
- Platform Security: IaaS client, PaaS provider, SaaS provider
- Infra Security: IaaS provider, PaaS provider, SaaS provider
Responsibility of securing the underlying infrastructure and abstraction layers rests with the provider. Securing the platform falls onto the provider, while securing the apps developed on the platform falls on the client. Security controls and scope are negotiated into the service contract: service levels, compliance, privacy etc.
14 The Cloud Cube (Source: Jericho Forum)
Three questions define the cube:
- Internal or external? (Where is it deployed?)
- Proprietary or open? (What is the tech stack?)
- Perimeterized or non-perimeterized?
Examples shown on the cube: an outsourced LAMP stack on Amazon EC2 with global access; an insourced custom apps stack for multiple B.Us, using Eucalyptus under corporation control and deployed within the company.
Each permutation / combination has a different security risk profile.
15 A wide spectrum of service providers
- Storage (IaaS): Amazon S3, Mosso Cloud Files, Nirvanix, Box.net, Eucalyptus (Storage)
- Compute (IaaS): Amazon EC2, Elastra, AppNexus, Eucalyptus (Compute), DAC
- Compute Software: Globus, Hadoop, Sun Grid Engine, GridGain
- Database: Apache CouchDB, Amazon SimpleDB / RDS, Microsoft SQL Azure, Google Big Query, Eucalyptus (MySQL), Oracle Coherence
- PaaS: Google App Engine, Microsoft Azure, Force.com, Eteios
- SaaS (CRM): SalesForce.com, MS Dynamics, Oracle On Demand, Zoho, RightNow, Responsys
16 Migrating to the cloud: A security perspective
17 Migrating to the cloud: a 5 step model to manage risks [AMPRC]
1. SELECT ASSETS: What are the assets that can be moved to the cloud? Select data, applications, processes, functions.
2. SELECT MODELS: What are the deployment / service models? IaaS, PaaS, SaaS; Private, Partner, Public; External/Internal; Proprietary/Open; Perimeterized/Non-perimeterized.
3. SELECT SERVICE PROVIDERS: Who are the service providers who will fit the requirements?
4. EVALUATE RISKS: What are the risks of each service provider? Create threat models; use checklists, questionnaires, heat maps.
5. SET UP CONTRACTS: Select the right model, service provider and SLAs. Negotiate / renegotiate contracts, ensure risk mitigation strategies are in place, evaluate residual risk.
18 Create scenarios and threat models (Area: C = Confidentiality, I = Integrity, A = Availability)
- What types of attacks can be launched by insiders (within provider)? Area: C/I
- What types of attacks can be launched by outsiders? Area: C/I
- How will the architecture scale to thousands of users and millions of transactions? Area: A
- Will information cross trust boundaries (private to public to partner etc.)? Area: C
- What events can cause service disruption from provider? Area: A
- In what ways can hackers gain control of data at rest or in transit? Area: I
- How do we test if the provider is compliant with all regulations? Area: CIA
19 Risk Assessment
20 How do we assess the risks?
- A client must assess the risks/benefits through questions and check-lists
- Risks must be rated using overall impact and likelihood of occurrence
- Heat maps will help identify the critical risks
- Once identified, risk mitigation strategies might be worked out with the vendor
21 How do we compare risks?
[Figure: probability (0 to 1.0, marked at 0.25 and 0.50) plotted against impact ($0, $100K, $500K, $1 MM). Two regions are labelled: low impact, high probability; and high impact, low probability, which forms the fat tail. Which is more serious?]
22 Probability Of Occurrence Scoring Table
- Almost Certain: definite, one or more impacts expected within one year
- Likely: likely, one or more impacts expected within one year
- Moderate: likely, one or more impacts expected within two to three years
- Unlikely: probable, impact expected within two to three years
- Rare: not probable, impact not expected to occur within three years
23 Impact Scoring Tables (Source: OWASP). Each factor is scored from a minimum of 0 to a maximum of 1; the normalized total score is also in the range 0 to 1.
Technical impact:
- Loss of confidentiality: How much data could be disclosed and how sensitive is it?
- Loss of integrity: How much data could be corrupted and how damaged is it?
- Loss of availability: How much service could be lost and how vital is it?
- Loss of accountability: Are the threat agents' actions traceable to an individual?
Business impact:
- Financial damage: How much financial damage will result from an exploit?
- Reputation damage: Would an exploit result in reputation damage that would harm the business?
- Non-compliance: How much exposure does non-compliance introduce?
- Privacy violation: How much personally identifiable information could be disclosed?
24 Sample Risk Heat Map
[Figure: a grid with Probability Of Occurrence Score (Almost Certain, Likely, Moderate, Unlikely, Rare) on one axis and Impact Score (Negligible, Low, Med, Very High, Extreme) on the other; each cell holds the number of risks with that rating.]
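The scoring tables on slides 22 to 24 describe a procedure without showing it run end to end. The following Python is an added example, not code from the presentation: it rates each risk with the eight OWASP-style impact factors, averages them into the normalized total score, buckets that score into the heat map's impact bands, and counts risks per cell so the critical corner (high probability, high impact) can be read off. The numeric cut-points for the impact bands and the sample risk register are assumptions constructed for this example; the slides name the bands and probability levels but give no thresholds.

```python
from collections import Counter
from dataclasses import dataclass

# Impact factors from the OWASP-style scoring tables, each rated 0..1.
TECHNICAL_FACTORS = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS_FACTORS = ("financial", "reputation", "non_compliance", "privacy")
ALL_FACTORS = TECHNICAL_FACTORS + BUSINESS_FACTORS

# Probability-of-occurrence levels, lowest first so the tuple index is a rank.
PROBABILITY_LEVELS = ("Rare", "Unlikely", "Moderate", "Likely", "Almost Certain")

# Impact bands from the heat map axis, lowest first. The numeric cut-points are
# an assumption made for this example; the slides name the bands only.
IMPACT_BANDS = ("Negligible", "Low", "Med", "Very High", "Extreme")
IMPACT_CUTPOINTS = (0.2, 0.4, 0.6, 0.8)   # upper bound of each band except the last


@dataclass
class Risk:
    name: str
    probability: str        # one of PROBABILITY_LEVELS
    impact: dict            # factor name -> score in [0, 1]

    def __post_init__(self):
        # Reject ratings that are outside the scoring tables instead of silently
        # producing a misleading heat map cell.
        if self.probability not in PROBABILITY_LEVELS:
            raise ValueError(f"unknown probability level: {self.probability!r}")
        missing = set(ALL_FACTORS) - set(self.impact)
        if missing:
            raise ValueError(f"missing impact factors: {sorted(missing)}")
        for factor, score in self.impact.items():
            if not 0.0 <= score <= 1.0:
                raise ValueError(f"factor {factor} out of range: {score}")


def impact_score(risk):
    """Normalized total impact in [0, 1]: the mean of the eight factor scores."""
    return sum(risk.impact[f] for f in ALL_FACTORS) / len(ALL_FACTORS)


def impact_band(score):
    """Map a normalized impact score onto a heat-map band."""
    for cutpoint, band in zip(IMPACT_CUTPOINTS, IMPACT_BANDS):
        if score <= cutpoint:
            return band
    return IMPACT_BANDS[-1]


def heat_map(risks):
    """Number of risks in each (probability level, impact band) cell."""
    return dict(Counter((r.probability, impact_band(impact_score(r))) for r in risks))


def heat_map_grid(risks):
    """The heat map as rows (Almost Certain at the top, Rare at the bottom) of
    counts per impact band from Negligible to Extreme."""
    cells = heat_map(risks)
    return [[cells.get((prob, band), 0) for band in IMPACT_BANDS]
            for prob in reversed(PROBABILITY_LEVELS)]


def critical_risks(risks, min_probability="Likely", min_band="Very High"):
    """Names of risks at or above both thresholds: the corner of the heat map
    that warrants mitigation strategies negotiated with the vendor."""
    p_min = PROBABILITY_LEVELS.index(min_probability)
    b_min = IMPACT_BANDS.index(min_band)
    return [r.name for r in risks
            if PROBABILITY_LEVELS.index(r.probability) >= p_min
            and IMPACT_BANDS.index(impact_band(impact_score(r))) >= b_min]


def _scores(c, i, a, acc, fin, rep, nc, priv):
    """Build the factor dict in the order of the two scoring tables."""
    return dict(zip(ALL_FACTORS, (c, i, a, acc, fin, rep, nc, priv)))


# Constructed sample risk register; the ratings are illustrative, not from the slides.
SAMPLE_RISKS = [
    Risk("Hypervisor escape in multi-tenant IaaS", "Unlikely",
         _scores(0.9, 0.8, 0.6, 0.5, 0.7, 0.8, 0.6, 0.9)),
    Risk("Provider service outage", "Likely",
         _scores(0.0, 0.1, 0.8, 0.0, 0.5, 0.4, 0.1, 0.0)),
    Risk("Data leakage through shared storage", "Moderate",
         _scores(0.8, 0.2, 0.1, 0.4, 0.6, 0.7, 0.8, 0.9)),
    Risk("Loss of encryption keys", "Rare",
         _scores(0.3, 0.3, 1.0, 0.2, 0.6, 0.5, 0.4, 0.3)),
    Risk("Personal data stored outside the EEA", "Almost Certain",
         _scores(0.8, 0.3, 0.2, 0.7, 0.9, 0.9, 1.0, 1.0)),
]

if __name__ == "__main__":
    # Print the grid with probability rows and impact columns, then the critical list.
    for label, row in zip(reversed(PROBABILITY_LEVELS), heat_map_grid(SAMPLE_RISKS)):
        print(f"{label:>14} | " + " ".join(f"{n:>10}" for n in row))
    print(f"{'':>14} | " + " ".join(f"{b:>10}" for b in IMPACT_BANDS))
    print("critical:", critical_risks(SAMPLE_RISKS))
```

Averaging the eight factors weights technical and business impact equally; an organisation with a different risk appetite would weight the business factors more heavily, which is a one-line change to `impact_score`. The fat-tail question from slide 21 shows up in the sample register: the "Rare" loss of keys and the "Almost Certain" compliance exposure both land in the same impact band, and only the probability axis separates them.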
25 Top Security Domains
26 Important Security Domains
- Multi factor, federated identity, provisioning, deprovisioning
- Multitenancy risk, hypervisor vulnerabilities
- Risk identification, analysis, evaluation, treatment, monitor and review
- Security breach disclosure laws, regulatory, privacy, international laws
- Algorithm, key length, key management
- Regulations (SOX, HIPAA), data privacy, electronic discovery, incident response
- SDLC, binary analysis, scanners, web app firewalls, transactional security
- Data storage, use, archival, destruction
- Incident response, notification and remediation
- Interoperability and movement of data between different service providers
- External perimeter, structural internal barriers, access control, surveillance, power backup, fire
- Business impact analysis, plan, redundancy, backup, archival
27 Cloud Controls Matrix for Compliance (Source: CSA)
List of controls:
- Compliance: Independent Audits
- Data Governance: Retention
- Data Governance: Secure Disposal
- Data Governance: Risk Assessments
- Facility Security
- Information Security: Policy
- Information Security: Baseline Requirements
- Information Security: Encryption
- Information Security: Incident Management
- Information Security: Incident Reporting
- Information Security: Reporting
- Security Architecture: Network Security
- Security Architecture: Segmentation
- Security Architecture: Audit Logging
Each control is tagged by delivery model (IaaS, PaaS, SaaS), scope (Service Provider, Tenant) and the compliance frameworks it maps to (COBIT, HIPAA, ISO/IEC, NIST, PCI DSS, GAPP).
28 Access Control
- Does the provider have standardized mechanisms for authentication, authorization and access control?
- Are there robust password policies?
- Is there support for two-factor authentication?
- Is there support for federated identity management?
- How are users provisioned and de-provisioned?
29 Application Security
- Is security part of the SDLC process? (Esp. for SaaS / PaaS providers)
- Are standard vulnerabilities being addressed? Buffer overflows, SQL injection, cross-site scripting
- Are cloud-specific security issues addressed? Multi-tenancy introduces new attack vectors such as cross-site scripting, cross-site request forgery and hypervisor escape. Developing an application for internal or stand-alone use is not the same as developing for the cloud.
- Are all network communications encrypted? Synchronous: SSL / IPSec. Asynchronous: encryption of messages with key management.
- Do applications log all intrusion attempts?
30 Encryption and Key Management
- Does the service provider encrypt all data, both at rest and in motion? A multi-tenanted architecture makes it easy for data to be leaked unless all data at rest is encrypted. Encrypting databases is of no use if SQL injection vulnerabilities exist.
- Does the customer have a say in the encryption algorithm, key length and key management process?
- Is the key management process simple to understand?
- If the customer encrypts the data, the data becomes opaque to the provider and no value-added service can be built on it.
31 Architecture
- Is data crossing trust boundaries? Is data being passed from private to public cloud regularly or through cloud bursts to accommodate spikes? Are there specific safeguards at such boundaries? Enforcement of intrusion detection / prevention, deep packet inspection, limiting DDOS attacks etc.
- Are the platforms hardened? Appropriate patches, up-to-date anti-virus software and locking down of unnecessary services?
- Virtualization has benefits and risks: cleaner isolation, reduced attack surface, automated deployment; but virtual interfaces are opaque to traditional network security controls, and patch management is more challenging in a virtual environment.
32 Compliance
- Is the service provider compliant with all the major regulations for my business? SOX, HIPAA, GLBA, Basel II
- Where will my data be stored? Are there legal restrictions on data going outside the country? Safe Harbor Principles: companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive equivalent levels of protection.
- Are there procedures to destroy the data when no longer needed? (Even if encrypted)
- Does the provider keep adequate records in the event of litigation? Is the data being backed up regularly and available / searchable?
- Does the provider operate a Security Operations Center (SOC) to provide incident management and response in the event of a breach?
- Private cloud: is there an authorization process to keep track of provisioning / deprovisioning new servers, users etc.?
33 Risk Mitigation Strategies
34 Risk Mitigation Strategies
- Deploy additional security wherever needed: encryption, firewalls, intrusion detection (IDS), data loss prevention (DLP)
- Supplementary backup
- Multi-sourcing
- Insurance, penalties and indemnities
- Provider negotiation
- Set extensive monitoring goals (KPIs)
- Has the provider been audited? SAS 70 Type II, ISO/IEC 27001:2005
- Are you managing residual risks?
35 Summary
- Moving to the cloud has both risks and benefits
- Conflict of interest between provider and consumer
- Do your homework thoroughly before moving your data or assets
- Use a standard process to evaluate risks across service providers
- Ensure maximum coverage through SLAs, indemnity clauses and other contracts
- Useful sources: ENISA, Cloud Security Alliance
36 Thank You. Cognizant Technology Solutions. Private & Confidential
37 Approaches to extending the perimeter
Extending the enterprise into the cloud
- Description: the enterprise will set up an IPSec VPN connection to a server located on the cloud
- Benefits: cloud servers are effectively inside the perimeter, so all the services within the enterprise will extend to the application in the cloud (e.g. Active Directory)
- Disadvantages: viruses can propagate from the cloud into your enterprise
Extending the cloud into the enterprise
- Description: a cloud service provider will set up and run the service inside the enterprise (e.g. a service run by a Service Provider within the enterprise)
- Benefits: a managed service set up inside your data center and run by the provider
- Disadvantages: the cloud provider will have access to the enterprise's data and applications, and must be trusted
38 Policy and Organizational Risks
- Lock-in
- Loss of governance
- Compliance challenges
- Loss of business reputation due to co-tenant activities
- Cloud service termination or failure
- Cloud provider acquisition
- Supply chain failure
39 Technical Risks
- Resource exhaustion (under or over provisioning)
- Isolation failure
- Malicious insider inside cloud provider
- Management interface compromise (manipulation, availability of infrastructure)
- Intercepting data in transit
- Data leakage on up/download, intra-cloud
- Insecure or ineffective deletion of data
- Distributed Denial of Service (DDOS)
- Economic Denial of Service (EDOS)
- Loss of encryption keys
- Undertaking malicious probes or scans
- Service engine compromise
- Conflicts between customer hardening procedures and cloud environment