Cloud Risks and Opportunities

Transcription

1 Cloud Risks and Opportunities John Howie COO Cloud Security Alliance #SCCLondon

2 About the Cloud Security Alliance Global, not- for- profit organiza;on Building security best prac;ces for next genera;on IT Research and Educa;onal Programs Cloud Provider Cer;fica;on User Cer;fica;on Awareness and Marke;ng The globally authorita;ve source for Trust in the Cloud To promote the use of best prac1ces for providing security assurance within Cloud Compu1ng, and provide educa1on on the uses of Cloud Compu1ng to help secure all other forms of compu1ng.

3 CSA Fast Facts Founded in 2009 Membership stats 48,000 individual members, 66 chapters globally 170+ corporate members Major cloud providers, tech companies, infosec leaders, governments, financial ins;tu;ons, retail, healthcare and more Offices in SeaWle USA, Singapore, Greece Over 30 research projects in 25 working groups Strategic partnerships with governments, research ins;tu;ons, professional associa;ons and industry

4 Growing to serve the Industry 2009 CSA launch at RSA 2009 with Security Guidance for Cri;cal Areas of Focus in Cloud Compu;ng 6,000 members 2010 Launch Cer;ficate of Cloud Security Knowledge (CCSK) 15,000 members 2011 Launch CSA Security, Trust and Assurance Registry (STAR) 27,000 members 2012 Launch CSA Mobile and Big Data research to address emerging needs 42,000 members 50,000 40,000 30,000 20,000 10,000 0 Membership Growth Nort h Amer ica

5

6 Cloud Actors

7 CLOUD CONSUMER

8 About the Notorious Nine The Notorious Nine can be downloaded here Top Threats WG formed in 2009 to engage experts and the broader community to iden;fy top security threats for Cloud Compu;ng Purpose of the series of reports was to educate cloud providers/consumers on how to mi;gate risk when deploying/adop;ng cloud compu;ng Expanded the report from the Seven Deadly Sins to the Evil 8 to the Notorious 9 in 2013 New version mapped to Cloud Controls Matrix and Risk Matrix added (Actual vs. Perceived Risk)

9 Notorious Nine Methodology Surveyed over 300 Security Professionals from 50 countries globally Validated that the threat lis;ng reflects the most current concerns of the industry Reflected current consensus among experts about the most significant threats to cloud security Experts iden;fied nine cri;cal threats to cloud compu;ng in 2013

10 9 Threats Identified (1 4) #1 Threat: Data Breaches Ranking Comparison #2 Threat: Data Loss Ranking Comparison #3 Threat: Account or Service Traffic Hijacking Ranking Comparison #4 Threat: Insecure Interfaces and APIs Ranking Comparison

11 9 Threats Identified (5 9) #5 Threat: Denial of Service Ranking Comparison #6 Threat: Malicious Insiders Ranking Comparison #7 Threat: Abuse of Cloud Services Ranking Comparison #8 Threat: Insufficient Due Diligence Ranking Comparison #9 Threat: Shared Technology Vulnerabili;es Ranking Comparison

12 CLOUD CARRIER

13 Internet Threats AWacks against internet infrastructure con;nue to plague us Rou;ng hijacks (BGP) DNS compromise PKI Some solu;ons exist, but The current protocols are fundamentally broken We need to start over (IPv6 is not a solu;on)

14 CLOUD PROVIDER

15 Tradi;onal Approach Tradi;onally development, test and produc;on environments were strictly separated Developers worked in a dedicated environment and handed completed code over to testers Testers work in a separate environment and perform unit, func;onal and end- to- end tes;ng Tested and built code is handed over to Opera;ons staff who deploy in pre- produc;on environment to perform deployment and integra;on tes;ng before signing release off Released code is deployed into produc;on environment by Opera;ons staff Developers and testers do not have access to produc;on environment

16 Classic Solware Development Dev Test Pre- Prod Prod Development Staff Opera;ons Staff

17 Modern Approach: DevOps Olen leveraged in conjunc;on with Agile Development, Developer Opera;ons (DevOps) is just what it sounds like Developers are responsible for development and opera;ons management of their solware Separa;on between environments can be eroded: code is developed, tested and deployed in produc;on environment Ra;onale behind DevOps is that developers can quickly roll out new features and fix problems as they are discovered Cited as cri;cal market advantage in highly compe;;ve industries such as Search, Social Media, Collabora;on, etc. Gaining adop;on in tradi;onal business environments, too

18 DevOps Solware Development Deployment is accomplished by turning on new features to all users rather than deploying new solware Feedback can be structured, ad hoc, or even a percep;on Deployment User Feedback Test Development Tes;ng is usually done by deploying to a limited popula;on of users and watching their experiences Development might be done in situ, in the produc;on environment

19 DevOps Security Challenge PCI DSS v Separate development/test environments from produc;on environments, and enforce the separa;on with access controls Separa;on of du;es between development/test and produc;on environments ISO/IEC 27002: Separa;on of development, test, and opera;onal facili;es Control: Development, test, and opera;onal facili;es should be separated to reduce the risks of unauthorised access or changes to the opera;onal system.

20 Summary Cloud compu;ng is s;ll a developing field Significant pressure on costs and agility mean some security issues might be passed over New technology will bring new issues Cloud providers are probably bewer than you at protec;ng your data The problem is that they might be doing it in a way that violates your compliance obliga;ons

21 THANK YOU #SCCLondon