Risks and Countermeasures in the Public Cloud

Transcription

1 Risks and Countermeasures in the Public Cloud Alessandro Vallega fond member of AIEA Security Business Development, Oracle Italy Oracle Community for Security Director Clusit Board of Directors Paragliding Pilot 1

2 There is Cloud and Cloud 2

3 1. Confidentiality (a problem of the company) 2. Governance (a problem of the company IT) 3

4 Risks overview Source: Enisa, Cloud Computing Security Risk Assessment Top security risks Loss of Governance Lock In Isolation Failure Compliance Risk Management Interface Compromise Data Protection Insecure / incomplete data deletion Malicious Insider 4

5 Risks overview CONFIDENTIALITY Source: Enisa, Cloud Computing Security Risk Assessment Top security risks Loss of Governance Lock In Isolation Failure Compliance Risk Management Interface Compromise Data Protection Insecure / incomplete data deletion Malicious Insider 5

6 Data breaches Largest Incidents Attacks Are increasing Every Year Incidents by Business Type Known attacks between Sept 1th to Sept 15th, % 15% 18% 52% Government Business Med Education Source: Rapporto Clusit 2013; Hackmageddon.com; DatalossDB.com 6

7 ... In the Cloud 7

8 Compliance is not enough Basel Committee, BdI and ECB Consob IVASS PCI Council Garante della Privacy Italian and EU government and parliament... Many other authorities 8

9 Compliance is not enough Basel Committee, BdI and ECB Consob IVASS PCI Council Garante della Privacy Italian and EU government and parliament... Many other authorities They require measures to guarantee: Confidentiality Integrity Availability To safeguard the rights of third parties 9

10 Compliance is not enough Basel Committee, BdI and ECB Consob IVASS PCI Council Garante della Privacy Italian and EU government and parliament... Many other authorities They require measures to guarantee: Confidentiality Integrity Availability To safeguard the rights of third parties Regulator authorities assume that each company independently protect their rights The company should assess the risk and protect its Intellectual Property 10

11 Espionage: old human habit but with new technologies ICT + Public Cloud + Mobile + Social + Big Data High Risk Exposure to Industrial Espionage Complexity + Vulnerability + Attackers SKRAM + IT Inadequacy Source: Washington Post e La Repubblica.it (link) 11

12 Multidisciplinary approach and Governance Data classification Risk analysis Define and execute controls And incident mngt procedures Understand Security Needs Exercise Control Comprehend Rules Know Technology Laws & Rules Contracts (CC/CP) Limitations Opportunities To successfully use Public Cloud you need to coordinate many different professionalities: Internal Customer Security Risk Compliance / Legal Procurement ICT Audit 12

13 Govern the changes TRADITIONAL IT GOVERN PROJECT INTEGRATION SOURCING MAKE / BUY BUDGET NEGOTIATE / ALLOCATE 13

14 Govern the changes GOVERN PROJECT INTEGRATION TRADITIONAL IT BUSINESS ALIGNMENT SOURCING MAKE / BUY BUDGET NEGOTIATE / ALLOCATE LINE 14

15 Govern the changes TRADITIONAL IT BUSINESS ALIGNMENT CLOUD ANARCHY GOVERN PROJECT INTEGRATION nobody SOURCING MAKE / BUY OBTAIN (CLOUD) LINE BUDGET NEGOTIATE / ALLOCATE LINE LINE 15

16 Govern the changes Opportunity to add value to the company TRADITIONAL IT BUSINESS ALIGNMENT CLOUD ANARCHY CLOUD MATURITY GOVERN PROJECT INTEGRATION MODERNIZE nobody + SOURCING MAKE / BUY OBTAIN (CLOUD) LINE + BUDGET NEGOTIATE / ALLOCATE LINE LINE LINE 16

17 HINTS RELATED TO TECHNOLOGICAL MEASURES 17

18 Use the best architectural security technologies Verify which security technologies are used by the provider and collaborate in administering them, according to the service model Deeply use international best practices (ISO27000, CobiT...) Authentication Strong Authentication Authorization Fine Grained Authorization Segregation Extended Segregation of Duties of Duties Source: Oracle Community for Security Privacy nel Cloud 18

19 Adopt a new set of misure minime 1. Use only secure networks and secure network protocols 2. Encrypt data at rest in the database and storage 3. Remove keys from the provider or at least require serious segregation of duties and access control 4. Adopt database and file system fine grained authorization even in case of System Administrators 5. Implement identity federation 6. Extend / complete your identity deprovisioning systems 7. Request fine grained log management, including read access, and proactively analyze results Source: Oracle Community for Security Privacy nel Cloud 19

20 Privacy nel Cloud: Le sfide della tecnologia e la tutela dei dati personali per un azienda italiana Rapporto Clusit sulla sicurezza ICT in Italia portoclusit/ 20

21 Thank you c4s.clusit.it 21