How to procure a secure cloud service

Transcription

1 How to procure a secure cloud service Dr Giles Hogben European Network and Information Security Agency

2 Security in the cloud contracting lifecycle Can cloud meet your security requirements Choose the provider that meets security requirements Set up the contract/sla Fulfilling your responsibilities for security Managing the contract

3 Traditional IT investment Resources used/purchased Investment in Infrastructure Wasted investment Demand for infrastructure

4 Cloud IT investment Resources used/purchased Investment in Infrastructure Demand for infrastructure

5 Cloud IT investment Resources used/purchased Investment in Infrastructure Demand for infrastructure

6 => Shared Resources Hardware, database, memory, etc... like buying a hotel room or booking an aircraft.

7 Implications for security

8 => Economies of scale and security All kinds of security measures, are cheaper when implemented on a larger scale. (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc) The same amount of investment in security buys better protection. Key Question: Is your current setup really better from a security standpoint?

9 But.

10 => Very high value assets Most risks are not new, but they are amplified by resource concentration the asset values are high. o Trustworthiness of insiders. o Hypervisors- hypervisor layer attacks on virtual machines are very attractive. o More Data in transit (Without encryption?) o Management interfaces big juicy targets

11 => Co tenancy and Isolation failure o Like a Hotel you may be able to hear your neighbours if the walls are not well insulated Storage (e.g. Side channel attacks) see Virtual machines Entropy pools ( Resource use (e.g. Bandwidth)

12 => Lock in Few tools, procedures or standard formats for data and service portability. Difficult to migrate from one provider to another (or take your data back home). You went into cloud to store massive amounts of data cheaply keeping a copy at home defeats the object?

13 => Loss of Governance The client cedes control to the provider Security measures (crocodiles vs electric fences) Limited information available about incidents Outsource or sub contract services to third parties (fourth parties?)

14 Just encrypt your data in the cloud and you don t have to worry about a thing? Unfortunately not... Practical processing operations on encrypted data are not possible

15 Legal and contractual risks Lack of compliance with EU Data Protection Directive Difficult for the customer (data controller) to check the security of data handling practices of the provider Subpoena and e discovery Risk allocation and limitation of liability Intellectual Property

16 Security in the cloud contracting lifecycle Can cloud meet your security requirements Choosing the provider that meets security requirements Setting up the contract/sla Fulfilling the customer s responsibilities for security Managing the contract

17

18 ENISA Cloud Assurance Framework A minimum baseline for: Comparing cloud offers Assessing the risk to go Cloud Includes legal and contractual considerations (also to reduce audit burden on cloud providers)

19 CSA Controls Matrix

20 Security in the cloud contracting lifecycle Can cloud meet your security requirements Choosing the provider that meets security requirements Setting up the contract/sla Fulfilling the customer s responsibilities for security Managing the contract

21 Contract hints Get a security expert to review the contract terms Check existing certifications (ISO, PCI, etc ) If you have enough bargaining muscle, get some security clauses in the contract/sla otherwise choose the contract which is most secure

22 Contract hints Availability Well defined (reachability, response time, functional) Defined over shorter period (per week) Scalability (e.g. max number of instances available per customer per day) Time to provision Authentication levels (e.g. NIST levels) CSA/ENISA controls

23 Security in the cloud contracting lifecycle Can cloud meet your security requirements Choosing the provider that meets security requirements Setting up the contract/sla Fulfilling the customer s responsibilities for security Managing the contract

24 Somebody else s problem (SEP) syndrome Appirio Cloud Storage fully encrypts each piece of data as it passes from your computer to the Amazon S3 store. Once there, it is protected by the same strong security mechanisms that protect thousands of customers using Amazon s services

25 Amazon AWS ToS o YOU ARE SOLELY RESPONSIBLE FOR APPLYING APPROPRIATE SECURITY MEASURES TO YOUR DATA, INCLUDING ENCRYPTING SENSITIVE DATA. o You are personally responsible for all Applications running on and traffic originating from the instances you initiate within Amazon EC2. As such, you should protect your authentication keys and security credentials. Actions taken using your credentials shall be deemed to be actions taken by you.

26 Customer side of the bargain IaaS Encrypt At rest and in motion Look after your keys and credentials Identity management Guest security platform Compliance with data protection law

27 Customer side of the bargain IaaS Design for failure Redundant implementation Geographical Performance and incident monitoring Decouple Parallelise Use distributed queues etc Use REST

28 How smugmug survived the Amazon outage Redundancy: Multiple availability zones Design for failure any instance can fail Design for the reliability of individual components e.g. don t use temporary storage methods for permanent storage Not completely cloud how smugmug survived theamazonpocalypse/

29

30 Customer side of the bargain PaaS Credential management Encryption System staging Compliance with data protection law SaaS Credential management Encryption and key management for selected data Compliance with data protection law

31 Security in the cloud contracting lifecycle Can cloud meet your security requirements Choosing the provider that meets security requirements Setting up the contract/sla Fulfilling the customer s responsibilities for security Managing the contract

32 Monitoring and Enforcement Penalties SLRs you need something to monitor => SP should ideally report Availability Incidents (reported within a defined time frame) Recovery time Security metrics (e.g. intrusions blocked)

33 Monitoring and Enforcement Testing Availability (using probes and samples for instance) Penetration tests Failover and backup tests Data portability Load testing Unit tests

34 ENISA Deliverables and Ongoing Activities Cloud Computing: Benefits, Risks and Recommendations for Information security Assurance framework Gov-Cloud security and resilience analysis (2010) 34

35 Questions? Giles Hogben (giles.hogbenqenisa.europa.eu) Secure applications and services, ENISA security 35