SECURITY MODELS FOR CLOUD 2012. Kurtis E. Minder, CISSP

Similar documents
Security Issues in Cloud Computing

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

John Essner, CISO Office of Information Technology State of New Jersey

Cloud Security Introduction and Overview

Cloud Security. DLT Solutions LLC June #DLTCloud

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Unified Threat Management, Managed Security, and the Cloud Services Model

Cloud Computing; What is it, How long has it been here, and Where is it going?

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Are You Prepared for the Cloud? Nick Kael Principal Security Strategist Symantec

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Virtualization Impact on Compliance and Audit

Assessing Risks in the Cloud

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Consumption IT. Michael Shepherd Business Development Manager. Cisco Public Sector May 1 st 2014

What Cloud computing means in real life

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

White Paper on CLOUD COMPUTING

Cloud Services Overview

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Shared Services Canada and Cloud Computing Architecture Framework Advisory Committee

Managing Cloud Computing Risk

CompTIA Cloud+ 9318; 5 Days, Instructor-led

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Topics. Images courtesy of Majd F. Sakr or from Wikipedia unless otherwise noted.

Lecture 02b Cloud Computing II

Cloud Courses Description

Trust but Verify. Vincent Campitelli. VP IT Risk Management

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

Emerging Approaches in a Cloud-Connected Enterprise: Containers and Microservices

Cloud Computing Governance & Security. Security Risks in the Cloud

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

Introduction to Engineering Using Robotics Experiments Lecture 18 Cloud Computing

Cloud Computing Security Issues

A Strawman Model. NIST Cloud Computing Reference Architecture and Taxonomy Working Group. January 3, 2011

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Leveraging the Cloud. September 22, Digital Government Institute Cloud-Enabled Government Conference Washington, DC

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET) Introduction to Cloud Security. Taniya

Lecture 02a Cloud Computing I

Cloud Computing. What is Cloud Computing?

Security & Trust in the Cloud

Managed Cloud Services

See Appendix A for the complete definition which includes the five essential characteristics, three service models, and four deployment models.

A Survey on Cloud Security Issues and Techniques

Dispelling the Myths about Cloud Computing Security

Securing the Physical, Virtual, Cloud Continuum

Mitigating Information Security Risks of Virtualization Technologies

VMware vcloud Powered Services

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS

Office of the Government Chief Information Officer The Government of the Hong Kong Special Administrative Region

Moving beyond Virtualization as you make your Cloud journey. David Angradi

BUSINESS MANAGEMENT SUPPORT

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

CLOUD SERVICES FOR EMS

CLOUD COMPUTING. A Primer

Cloud Courses Description

How To Protect Your Cloud From Attack

Cloud Computing Standards: Overview and ITU-T positioning

Perspectives on Moving to the Cloud Paradigm and the Need for Standards. Peter Mell, Tim Grance NIST, Information Technology Laboratory

Cloud Computing. Course: Designing and Implementing Service Oriented Business Processes

Visions of Clouds and Cloud Security. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

CLOUD COMPUTING DEMYSTIFIED

Secure Cloud Computing Concepts Supporting Big Data in Healthcare. Ryan D. Pehrson Director, Solutions & Architecture Integrated Data Storage, LLC

Research on Operation Management under the Environment of Cloud Computing Data Center

Where in the Cloud are You? Session Thursday, March 5, 2015: 1:45 PM-2:45 PM Virginia (Sheraton Seattle)

Marco Mantegazza WebSphere Client Technical Professional Team IBM Software Group. Virtualization and Cloud

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Seeing Though the Clouds

Information Technology: This Year s Hot Issue - Cloud Computing

DISTRIBUTED SYSTEMS [COMP9243] Lecture 9a: Cloud Computing WHAT IS CLOUD COMPUTING? 2

Building Storage Service in a Private Cloud

Expert Reference Series of White Papers. Understanding NIST s Cloud Computing Reference Architecture: Part II

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Transcription:

SECURITY MODELS FOR CLOUD 2012 Kurtis E. Minder, CISSP

INTRODUCTION Kurtis E. Minder, Technical Sales Professional Companies: Roles: Security Design Engineer Systems Engineer Sales Engineer Salesperson Business Development Global Account Manager Actual work: Installation / Configuration Design Support Product development / POC Audit Penetration testing Sales / BD

CISSP CERTIFICATION Access Control Application Security Business Continuity and Disaster Recovery Planning Cryptography Information Security and Risk Management Legal, Regulations, Compliance and Investigations Operations Security The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Standards Organization) Standard 17024:2003. CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement. Physical (Environmental) Security CISSP Security Architecture and Design Telecommunications and Network Security

AGENDA Cloud, Defined The Business Need Cloud Security Models Cloud Security Security for Cloud Apps Additional Security Concerns

CLOUD, DEFINED NIST Definition* Cloud computing is a model for enabling ubiquitous, convenient, ondemand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. *SP800-145

CLOUD Cloud Security, what does that mean? Clean Pipe or Security Services as a Utility Shared Services Model (Multi-tenancy) Integrating with the carrier backbone Cloud Computing SAAS, IAAS, PAAS need Security! How to provision? Is it VM? Is it appliance? Securing YOUR access to Cloud resources

SECURITY AS A SERVICE

SECURITY AS A SERVICE (CLOUD SECURITY) Alternative to purchasing premise equipment Often provided by an Managed Security Services Provider / Carrier No capital expenditure Outsource log / compliance responsibilities

CLOUD SECURITY / CLEAN PIPE MPLS NETWORK VPLS ID VLAN ID VDOM Private Network

CLOUD SECURITY EXAMPLE Customer C Office 1 Customer B MPLS Data Center Customer A Internet Customer C Office 2 VLAN VLAN VLAN VLAN VDOM VDOM VDOM VDOM

CLOUD COMPUTING / SECURITY

WHY MOVE TO CLOUD COMPUTING? Elastic Services Pay as you go Utility Computing No capital expenditure Offsite Storage Disaster Recovery App Replication Mobility applications BYOD Support

CLOUD COMPUTING OFFERINGS Infrastructure as a Service (Sometimes Hardware as a Service HAAS) Outsourcing of equipment to SP - Examples are Storage, Processing, Elastic Computing Platform as a Service Outsourcing of the computing platform to SP - Allows for custom development and flexibility (OS or web platform delivered as a service) Software as a Service Complete application outsourced (WP, SF.com, etc.)

SECURING CLOUD APPLICATIONS Most cloud applications are virtualized Hypervisor is a fundamental component Hypervisor is a program that allows multiple operating systems to share a single hardware host. Each operating system appears to have the host's processor, memory, and other resources all to itself. However, the hypervisor is actually controlling the host processor and resources, allocating what is needed to each operating system in turn and making sure that the guest operating systems (called virtual machines) cannot disrupt each other. * Three primary methods of securing cloud apps Extra-Hypervisor Intra-Hypervisor Host *thanks techtarget

EXTRA-HYPERVISOR SECURITY Outside the VM platform Typically an appliance Pros: Fast / Mature Security Appliance Security Appliance Cons: Lack of Visibility into VM space VM VM VM VSWITCH VM VM VM VSWITCH HYPERVISOR

INTRA-HYPERVISOR SECURITY VM based Typically leverages API for integration with the hypervisor Security VM VM VM VM VM VSWITCH Pros: Visibility to intra-vm communication Cons: Takes CPU from VM VM Security VM VM VM VM VSWITCH HYPERVISOR

THE VM SECURITY PROBLEM VSwitch is not a switch Hypervisor vendors have limited APIs High Availability is more complicated Takes Resources from VM application operations Easy to create new applications!

COMBINED ARCHITECTURE Security VM With Virtualization Web Servers DB Servers Mail Servers Collaboration Servers Internet Vswitch NIC Intranet Vswitch NIC Vswitch Vswitch Vswitch VM Kernel Hypervisor Security Appliance MGMT Security Appliance Network

ADDITIONAL SECURITY CONCERNS

DO YOU *TRUST* YOUR PROVIDER? Multi-tenant Data Stores...what does that mean? Cross contamination If another cloud customer is compromised, can it spread? Is the Hypervisor hardened? How is log data handled/stored? Forensics / Incident Response

DO YOU TRUST YOUR ANALYSTS? How do you control how many cloud apps are spun up and why? How do you keep employees from violating policy in the cloud?

THE LEGAL LAG If an incident occurs, what is the provider s responsibility? How can log data be extracted? How quickly? Can data evidence be extracted in a legally admissible format? Does the contract allow you to run Incident Response test plans? Will the provider participate?

CLOUD SECURITY ALLIANCE AND NIST

NIST REFERENCES NIST Definition of Cloud Computing: SP 800-145 Guidelines on Security and Privacy in Public Cloud Computing: SP 800-144 U.S. Government Cloud Computing Technology Roadmap, Release 1.0: SP 500-293 FedRAMP = Federal Risk and Authorization Management Program

CLOUD SECURITY ALLIANCE (CSA) Vendor and customer supported organization driving standards in cloud computing and cloud security. Sees itself as a standards incubator Works closely with the Federal Government and NIST

Cloud Architecture SECURITY GUIDANCE Security Guidance for Critical Areas of Focus in Cloud Computing.14 Domains - Version 3.0 - http:// www.cloudsecurityalliance.org Business Continuity and Disaster Recovery Governance and Enterprise Risk Management Data Center Operations Legal: Contracts and Electronic Discovery Incident Response Compliance and Audit Notification and Remediation Information Management and Data Security Application Security Portability and Interoperability Traditional Security Encryption and Key Management Identity and Access Management Virtualization and Security as a Service

CSA STAR STAR = CSA SECURITY, TRUST AND ASSURANCE REGISTRY Cloud providers self assess their security Launched in Q4 of 2011 https://cloudsecurityalliance.org/star/faq/

CONCLUDING Business finance objectives pushing enterprises to the cloud Managed Services / Utility and Cloud Security offers a viable alternative to self managed Evolution of physical to virtual driving security architecture in new directions Policy, Process must be automated to ensure proper compliance and protection for virtual assets The legal and audit standards have not caught up to cloud adoption

I WORK @ FTNT Founded in 2000 Nasdaq Listed FTNT ~2000 Employees Over 1M units shipped Over 100k customers

THANK YOU! Questions? Need to reach me? Kurtis Minder - kurtis@kurtisminder.com - 847-902-3325 (m) kurtisminder (Skype)

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information