What REALLY matters in Cloud Security? RE: Internet of things sensors, data, security and beyond!

Transcription

1 What REALLY matters in Cloud Security? RE: Internet of things sensors, data, security and beyond! HOW to best integrate security into the office AND the cloud? And what is a thing is that MORE we have to do??? Dec 9, 2013 Mike Davis mike@sciap.org ElectEngr/MSEE, CISSP, SysEngr ISSA / ISC2 / SOeC AFCEA / NDIA IEEE / INCOSE / et al easy button COMPLEXITY

2 Cyber Security Overall Status (Senior IA/Cyber VIP Mike Jacobs same issues as years ago, but better in last 10) Technology G trending We have what we NEED NOW Business Policy Procedures / standards Education Leadership Awareness Y Y G G R G Some LSIs resist change Legislation poor Can t be voluntary NIST done well Need uniform implementation 170+ CAEs (schools) 10,000+ / year Complexity vs CISO C suite complacency and inability to absorb Education starting earlier, STEM, NICE Must all provide an enterprise integrated, cyber package including cloud security!

3 What s new in cyber, and what matters? Sensor + WiFi = device Things > systems, machines, equipment, and devices connected to the Internet and each other RIFD, Apps, MEMS, WSN, SCADA, PLC, ASIC, API, ETC, etc Is all this stuff secure? How much is needed? COMPLEXITY Is everywhere! What is a due diligence level of security? The Internet of things (IoT) is not really new IoT requires ALL the cyber protections we already know and still need to do! Where sensors dominate

4 Complexity of Enterprise IT Systems is Increasing AND so is the associated Cyber Security from sensor to cloud! So what is good enough security? Follow the DATA, where is it, who has it how sure are you?

5 SO what does matter in Cyber? CYBER is fundamentally all about TRUST and DATA It s NOT about expensive new cyber capabilities / toys but more about the SoS / I&I glue (distributed trust, resiliency, automation, profiles, etc) 90+% of security incidents are from lack of doing the basics! Conduct Effective Security Continuous Monitoring (SCM / SIEM) a MUST DO! USE enforced: cyber hygiene, enterprise access control, & reduce complexity (APLs) Shift from only protecting the network, to the DATA security itself information centric view Embrace your Risk Management Plan LIVE IT! Have an enforceable security policy what is allowed / not train to it KNOW your baseline Protect the business from the unknown risks as well Employ a due diligence level of security then transfer residual risks! When in doubt, do the cyber BASICS well!!! An achievable 90 95% solution to MOST vulnerabilities stabilize the environment! 5

6 What s a simple IA/Cyber vision / end state look like? AND what are the requirements? Cyber is ALL about TRUST, Rules/MOAs & State KEY C I A entities / touch points things comms the cloud IoT = things + comms AND DATA Is yours assured / with a pedigree? 4Vs satisfied? A cyber end state stresses encapsulation using secure communications

7 Gartner's 2013 Hype Cycle for Emerging Technologies How do we prove end 2 end security? What is a due diligence level of cyber? Everything connected to everything? Comms Secure? Automation = machines in control? M2M Secure? IoT is all about SECURE sensors, DATA and communications! Pervasive new technologies? Built secure? ALL the technologies / connections need built in security

8 Cloud Security Factoids The cloud security challenges are principally based on: a. Trusting vendor's security model b. Customer inability to respond to audit findings c. Obtaining support for investigations d. Indirect administrator accountability e. Proprietary implementations can't be examined f. Loss of physical control Areas that will mature soon, enhancing enterprise risk management (re: Gartner): Consensus on what constitutes the most significant risks, Cloud services certification standards, Virtual machine governance and control (orchestration), Enterprise control over logging and investigation, Content based control within SaaS and PaaS, and Cloud security gateways, security "add ons" based in proxy services Cloud Security Alliance (CSA) nine critical threats: 1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service 6. Malicious Insiders 7. Abuse of Cloud Services 8. Insufficient Due Diligence 9. Shared Technology Issues Shift from only protecting the network, to the DATA itself! (e.g., data centric security) We recommend following both the NIST and CSA cloud guidance: AND an overall, enterprise, e2e, risk management approach (e.g., RMF & FedRAMP)

9 Notional Data Centric Architecture iso the typical information environment IA / Security / cyber (e.g., defense in depth (DiD)) Supports quality / assured data (with pedigree / provenance) Cyber must be preserved in the full data AND capabilities life cycle Must accommodate BOTH in house and cloud IA controls / inheritance What IA/security capabilities are needed for the DATA itself? OMG / DDS Reputation based Security How does the DATA move about? DATA Storage Services Apps Host / device Business logic Behavior monitoring Middleware Must account for the four Vs Volume, Variety, Velocity and Veracity transport FW/IDS/IPS Continuous monitoring Data is either at rest, being processed OR in transit DCA Security = DCPS, DDSI, DataReader, DataWriter, Pub / Sub. Java, mobile code, widgets, storage SW, middleware, services, ESB, etc

10 Cloud Security Overview Security in the cloud is likely better than you have in house * Security is the SAME everywhere WHO does which IA controls changes * Don t sell cloud offer security capabilities instead end2end services * Few are all in the 100% Hence TWO environments to manage * ALL must use the same cloud security standards (and QA in SLA / supports SoS too) content/uploads/cloud Security Standards SEP xlsx * Implement SCM / SIEM integrate cloud metrics / status (& QA the SLAs) * Service Level Agreements (SLA)not sufficient trust but verify (Orchestration SW?) * Encrypt everywhere Yes more key management, but risks greatly reduced * Data owners always accountable for PII / privacy / compliance (& location) * Update Risk management Plan (RMP) = Comms, COOP. with cloud R&R For more details see paper: Cloud Security What really matters? At (under Cyber Body of Knowledge ) mike@sciap.org