Bringing Cloud Security Down to Earth. Andreas M Antonopoulos Senior Vice President & Founding Partner

Transcription

1 Bringing Cloud Security Down to Earth Andreas M Antonopoulos Senior Vice President & Founding Partner

2 Agenda About Nemertes Cloud Dynamics and Adoption Assessing Risk of Cloud Services Controls to Address Risk Establishing Trust Identity Management Recommendations Summary and Conclusions

3 About Nemertes Analyze business value of emerging technologies Advise Fortune 100-2,000 businesses on critical IT strategies t Benchmark reality h 2,500+ IT executives share strategies, costs, vendor satisfaction. Analysts have years experience, including operational Founded d 2002

4 Cloud Dynamics and Adoption IaaS & PaaS adoption < 1% SaaS adoption = 60% Limitation of IaaS and PaaS adoption is concern over security and compliance Virtualization i provides agility, flexibility and scalability for cloud offerings Virtualization Security (VirtSec) is a fundamental aspect of cloud security for all cloud models *Based on Cloud Security Alliance CSA Guide service model (

5 Assessing Risk of Cloud Services Asset Assessment Define assets Assign values of asset loss or compromise Vulnerability Assessment Risk Assessment Define vulnerabilities Assess probability of exploit Define all risks Risk probability Risk impact Probabi ility Low Medium High Risk Mitigation Preventive and detective controls Compensating controls Residual risk Impact

6 Public Cloud Risks: Top 10 Loss of governance h CSP may prohibit vulnerability testing and visibility to internal procedures h Incompatibility with in-house provisioning and management tools Service provider lock-in h Minimal portability between providers h Custom APIs, runtime, databases, applications and storage semantics Compliance risks h CSP may not be compliant with specific requirements h Auditors have little visibility into CSP internal controls e-discovery and litigation support h CSP has limited responsibility h Shared tenancy complicates process

7 Public Cloud Risks: Top 10 Continued Management interface compromise hhijacking management interface for control of tenant resources hcompromise management interface for CSP Network management failure hmis-configuration leading to service outage (DNS, network, application) happlication performance issues Isolation Failure hmulti-tenancy increases risk of hopping resource pools hdenial of Service (DoS) attack against co-resident tenant

8 Public Cloud Risks: Top 10 Continued Data protection hlack of visibility into breaches of confidential/sensitive data hrisk of co-resident unlawful data Insecure/incomplete data deletion hdata deletion policies may not be compatible with CSP hno guarantee that true wiping of data occurs Malicious insider hcsp administrator has access to multiple tenant services hcsp security team has visibility to all event logs

9 Controls to Address Risk Model Preventive Controls Detective Controls SaaS Identity Management including multi- Access reports factor authentication Browser patching and hardening Endpoint security PaaS User authentication (multi-factor) User privilege management Browser patching and hardening Endpoint security Access reports Vulnerability scanning (application and user access) IaaS VPN for management access and Access reports movement of VMs Event logging and correlation Configuration and patch management Vulnerability scanning (application and Access controls and multi-factor user access) authentication Host IDS/IPS VirtSec appliance

10 Preventive Control: Identity Management The concept of trust changes with cloud model h Trust must extend into the cloud (SaaS, PaaS and IaaS) Three key identity management areas h User management, Authentication management, Authorization management Evolving standards SAML Secure Assertion Markup Language Single Sign-on (SSO) XACML extensible Access Control Markup Language least privilege OAuth Open Authentication share cloud data

11 User Access Management (SAML) Cloud Service Provider (CSP) User User attempts log-on CSP generates SAML request and redirects browser to IM 3 5 Identity Manager (IM) 4 Time IM parses SAML request and generates SAML response User sends SAML response to CSP Assertion Consumer Service (ACS) ACS verifies SAML response and redirects user to destination URL

12 Authorization Management (XACML) User 1 Policy Enforcement Point (PEP) Policy Decision Point (PDP) Policy Access Point (PAP) Policy Information Point (PIP) Access Request 2 PEP sends XACML request to PDP 3 4 PDP requests policy info from PAP PDP requests info on subject, resource & environment attributes from PIP PDP responds with authorization decision 5 6 Allow or deny access Time

13 Authentication Management (OAuth) Web App CSP User Time Request token for CSP service CSP verifies web app and responds User redirected to CSP authorization page User prompted to login to account and verify web app User redirected to web app auth. page along with authorized request token Web app sends request for access token to CSP auth. service Web app sends request including access token to CSP service 8 CSP provides requested data

14 Identity Management Recommendations IAM Area Challenge Recommendation User Management Secure and timely management of onboarding and offboarding cloud users Extending enterprise IAM systems into cloud Avoid building custom interfaces for user provisioning Push cloud provider to use open standards Authentication Management Credential management Strong authentication Delegated authentication ti ti Manage credentials in own identity solution and federate with cloud provider When users s self-provision s o services a decentralized standard like OpenID provides authentication to multiple services For IaaS establish a dedicated VPN or use standard assertion (SAML) with encryption (SSL) For IaaS, PaaS and SaaS push cloud provider to delegate authentication to the enterprise via SAML or WS-Federation Multi-factor authentication is essential

15 Identity Management Recommendations, Continued IAM Area Challenge Recommendation Authorization Management Establishing standard authorization model for multiple cloud providers Passing authorization information between cloud providers Enforcing and monitoring enforcement of authorization Identity authoritative sources of user and policy information Determine privacy policies for type of data Establish mechanism to transfer policy information from policy administration point (PAP) to policy decision point (PDP) Establish mechanism to transfer policy information from policy information point (PIP) to PDP Establish mechanism to request policy decision from PDP Establish policy enforcement point (PEP) to enforce policy Implement logging of all authorization management actions

16 Summary A risk-based approach is the only way to assess a cloud computing deployment decision h Most offerings are currently too risky for sensitive data Establish detective and preventive controls specific to each cloud deployment model: h SaaS - Browser patching, endpoint security, access reports h PaaS Browser patching, hardening, endpoint security, access reports and vulnerability scanning h IaaS VPN, configuration and patch management, host IDS/IPS, VirtSec appliance, access reports, vulnerability scanning, logging & event management Identity management is a key area of preventive control focus for all service models h This starts internally

17 Conclusion: What Should You Be Doing? Urgent: Act Now Inventory all CSP relationships. Assess CSP against top 10 risks. Meet with auditors to assess compliance issues. Short-Term Plans Implement VirtSec and identity management in-house (or via third-party service) before moving to IaaS and PaaS. Long-Term Plans Push for open standards for APIs, platforms, user provisioning, authentication ti ti and authorization ti Overall Focus Keep focus on cloud goals of increasing flexibility and agility and providing a strong ROI. 17 Nemertes Research DN0457

18 Thank You Andreas M Antonopoulos SVP & Founding Partner andreas@nemertes.com