Compliance and Cloud Computing

Transcription

1 Compliance and Cloud Computing Balaji Palanisamy Director, Southwest- US Coalfire Systems, Inc. July 24, 2014

2 Agenda Introduction Cloud Computing Basics Cloud Computing Threats Security vs. Compliance Practical insights into the provider s world Working Models for Cloud Adoption Summary QA 2

3 Coalfire Systems Coalfire offers demonstrated leadership in the key areas of IT Governance, Risk & Compliance (GRC) auditing, assessment and validation for PCI, HIPAA, ISO, FFIEC, FedRAMP, and NERC with offices across the U.S. and U.K. - We re Hiring 3

4 Why is Cloud Computing relevant to you? 4

5 Why is Cloud Computing relevant to you? 5

6 Why is Cloud Computing relevant to you? The adoption of Cloud computing is definitely on the rise according to: Gartner - Forrester - doption/fulltext/-/e-res Research - es/cloud_wave_5_press_release_final.pdf 6

7 Why is Cloud Computing relevant to you? The Federal Government To harness the benefits of cloud computing, we have instituted a Cloud First policy. This policy is intended to accelerate the pace at which the government will realize the value of cloud computing by requiring agencies to evaluate safe, secure cloud computing options before making any new investments. Texas Government Gov. Rick Perry today gave the keynote address at the Richardson Chamber of Commerce's Annual Meeting, and announced the state is investing $2.45 million through the Texas Enterprise Fund (TEF) in the Virtual Computing Environment Company (VCE) for the creation of a corporate headquarters in Richardson. This investment is expected to create at least 434 local jobs and generate an estimated $35 million in capital investment. 7

8 Why is Cloud Computing relevant to you? The adoption of Cloud Computing is definitely on the rise and we (Information Security professionals) need to prepare ourselves to: gain competence and practical exposure to these environments; analyze risks that are unique to the world of Cloud Computing; and guide and influence Cloud adoption within your organizations. 8

9 Cloud Computing Basics 9

10 Cloud Computing Basics What is Cloud Computing? According to NIST : Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. 10

11 Cloud Computing Basics Image Courtesy : cloudsecurityalliance.org 11

12 Cloud Computing Basics Five (5) Essential Characteristics On-demand self-service Broad network access Resource pooling Rapid elasticity Measured service 12

13 Cloud Computing Basics Four (4) Deployment Models Private Public Community Hybrid 13

14 Cloud Computing Basics Three (3) Service Models Infrastructure as a Service Platform as a Service Software as a Service 14

15 Cloud Computing Models Service Models -Security Based on Span of Control 15 Image Courtesy : pcisecuritystandards.org

16 Cloud Computing Models Service Models -Security Based on Span of Control Image Courtesy : pcisecuritystandards.org 16

17 Cloud Computing Models Real World Scenarios Managed Services E.g. Physical Security, Patch management, Anti- Virus management, Firewall Management Extending in house infrastructure E.g. Database Management, Network Monitoring, Batch Scheduling (X)as a Service E.g. Identity, Storage, Encryption Chaining of providers E.g. AirBnB Travel, NetFlix Entertainment Operational Challenges Upgrades, Migrations, Disaster Recovery 17

18 Cloud Computing Threats 18

19 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches Image Courtesy : Verizon Breach Report 19

20 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches 2. Data Loss Intellectual Property Sales Information Mailing addresses Postings on Social media Health Information 20

21 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches 2. Data Loss 3. Account Hijacking User Names and Passwords Phone Numbers Personal Profiles Security Questions for remembering passwords 21

22 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs Image Courtesy : Verizon Breach Report 22

23 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service Image Courtesy : CloudSecurity alliance.org 23

24 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service 6. Malicious Insiders 24

25 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service 6. Malicious Insiders 7. Abuse of Cloud Services 25

26 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service 6. Malicious Insiders 7. Abuse of Cloud Services 8. Insufficient Due Diligence 26

27 Cloud Computing Threats The Cloud Security Alliance Notorious Nine 1. Data Breaches 2. Data Loss 3. Account Hijacking 4. Insecure APIs 5. Denial of Service 6. Malicious Insiders 7. Abuse of Cloud Services 8. Insufficient Due Diligence 9. Shared Technology Issues 27

28 Security versus Compliance 28

29 Security versus Compliance Compliance is often mistaken for this rigid set of rules, unbending and binary. A necessary evil to get around to do your job, like the barricade in the picture. When in reality it is only a baseline. Compliance raises the minimum bar across your environment to address a baseline amount of risk. You build and add to it as time goes on. If compliance is your goal, as one of my customer s put it it is a case of when we get breached not if we get breached. 29

30 Security versus Compliance Why is Compliance a baseline? Established for the small business owner As well as for the big banks and wall street firms 30

31 Practical insights into the provider s world 31

32 Practical insights into the provider s world Focus is on protecting all customers Two layers of security Security infrastructure built to protect the core and dedicated to the core Security infrastructure built to protect customers and shared between customers Customization may be difficult. E.g. Web Application Firewalls 32

33 Practical insights into the provider s world Upgrades and Migration plans are time consuming Customer education is important Stability is a core operating principle 33

34 Practical insights into the provider s world Not all providers invest in a Security Operations Center (SOC) The ones that do have a SOC, may not have organizational independence Customer s security posture depends on the mix of services consumed 34

35 Working Models for Cloud Adoption 35

36 Working Models Payment Island Identify and extract IT workflows and Data flows that handle sensitive data Move the underlying IT infrastructure to a cloud provider Apply enhanced security controls that could not be applied within the corporate network Allow only controlled interactions with other corporate applications 36

37 Working Models Security as a Service Identify core security functions that require investment Review cloud based offerings for ease of adoption and cost benefits Improve security posture by leveraging appropriate cloud services Services that could be delivered efficiently from the cloud include DDOS mitigation, SPAM filtering, Vulnerability Scanning 37

38 Working Models Extending Organizational controls Identify existing controls that apply to the CSP Identify points of interaction with the cloud service provider Ensure there is a RACI matrix between the two organizations for each control For controls that need to be managed in-house extend/integrate current toolsets and processes with the cloud service provider May not always be simple but has the advantage of providing an organizational view 38

39 In Summary Cloud adoption can be a business advantage Cloud adoption risks are unique to your organization and.. Due Diligence is of utmost importance Consider Cloud specific controls for comparing apples to oranges 39

40 Balaji Palanisamy Director Southwest Region (Dallas, TX) (972)