Life in the Cloud A Service Provider s View. Michael Smith mismith@akamai.com Security Evangelist

Similar documents
Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Building a Resilient World Wide Web

Table of Contents. Introduction. Audience. At Course Completion

Security Controls for the Autodesk 360 Managed Services

White Paper How Noah Mobile uses Microsoft Azure Core Services

Security Issues in Cloud Computing

Security Controls What Works. Southside Virginia Community College: Security Awareness

Library Systems Security: On Premises & Off Premises

Auditing Cloud Computing and Outsourced Operations

PCI DSS. Payment Card Industry Data Security Standard.

Securing the Service Desk in the Cloud

Big Data, Big Risk, Big Rewards. Hussein Syed

Introduction to Cyber Security / Information Security

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Payment Card Industry Data Security Standard

Through the Security Looking Glass. Presented by Steve Meek, CISSP

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Cloud Security Framework (CSF): Gap Analysis & Roadmap

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Managing Cloud Computing Risk

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

BMC s Security Strategy for ITSM in the SaaS Environment

Cloud Computing: The atmospheric jeopardy. Unique Approach Unique Solutions. Salmon Ltd 2014 Commercial in Confidence Page 1 of 5

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Blackboard Collaborate Web Conferencing Hosted Environment Technical Infrastructure and Security

Appendix E to DIR Contract Number DIR-TSO-2736 CLOUD SERVICES CONTENT (ENTERPRISE CLOUD & PRIVATE CLOUD)

Akamai Security Products

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Payment Card Industry (PCI) Data Security Standard

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

Digi Device Cloud: Security You Can Trust

Building Energy Security Framework

SERENA SOFTWARE Serena Service Manager Security

Cloud Security Framework (CSF): Gap Analysis & Roadmap

University of Pittsburgh Security Assessment Questionnaire (v1.5)

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Security Considerations

Kim Decarolis Compliance and Security Specialist (248) Mark Wayne Vice President Compliance and Security Specialist

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Two Approaches to PCI-DSS Compliance

Feliciano Intini Responsabile dei programmi di Sicurezza e Privacy Microsoft Italia

Key Considerations of Regulatory Compliance in the Public Cloud

With Eversync s cloud data tiering, the customer can tier data protection as follows:

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

GFI White Paper PCI-DSS compliance and GFI Software products

Cloud Security. Are you on the train or the tracks? ISSA CISO Executive Forum April 18, Brian Grayek CISSP, CCSK, ITILv3

custom hosting for how you do business

A Survey on Cloud Security Issues and Techniques

Birst Security and Reliability

Injazat s Managed Services Portfolio

Cloud Computing Governance & Security. Security Risks in the Cloud

White Paper: Librestream Security Overview

Cloud Computing Thunder and Lightning on Your Horizon?

Business In the Cloud. Mitigating Risk. Fred Pinkett VP of Product Management Security Innovation

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

John Essner, CISO Office of Information Technology State of New Jersey

NERC Cyber Security. Compliance Consulting. Services. HCL Governance, Risk & Compliance Practice

Tenzing Security Services and Best Practices

Remote Voting Conference

PCI Compliance. Top 10 Questions & Answers

The Education Fellowship Finance Centralisation IT Security Strategy

How To Protect Your Cloud Computing Resources From Attack

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Security aspects of e-tailing. Chapter 7

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM

Need to be PCI DSS compliant and reduce the risk of fraud?

KeyLock Solutions Security and Privacy Protection Practices

Cloud Service Providers Overcoming security and compliance barriers

CSA Virtualisation Working Group Best Practices for Mitigating Risks in Virtualized Environments

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

March

How RSA has helped EMC to secure its Virtual Infrastructure

Cyber Security Symposium 2015 September 29,2015

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

Using Skybox Solutions to Achieve PCI Compliance

RE Cloud from Richardson Eyres

Introduction to QualysGuard IT Compliance SaaS Services. Marek Skalicky, CISM, CRISC Regional Account Manager for Central & Adriatic Eastern Europe

CONTENTS. PCI DSS Compliance Guide

Goals. Understanding security testing

Alliance Key Manager Cloud HSM Frequently Asked Questions

IBX Business Network Platform Information Security Controls Document Classification [Public]

ProjectManager.com Security White Paper

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

PCI Requirements Coverage Summary Table

Overcoming PCI Compliance Challenges

PCI Compliance Top 10 Questions and Answers

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

PCI Compliance 3.1. About Us

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

Three Critical Success Factors for PCI Assessment. Seth Peter NetSPI April 21, 2010

How To Achieve Pca Compliance With Redhat Enterprise Linux

74% 96 Action Items. Compliance

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Architecting and Building a Secure and Compliant Virtual Infrastructure and Private Cloud

Transcription:

Life in the Cloud A Service Provider s View Michael Smith mismith@akamai.com Security Evangelist 1

Agenda Cloud is Secure, Right? Building a Cloud Security Program Security Program Case Study Features, Products, and Configurations What I Want You to Know Summary 2

Because this is a Cloud Security Talk Cloud is: On-demand self-service Broad network access Resource pooling Rapid elasticity Measured service --CSA Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 3

What the Cloud Security Alliance Says Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties. --CSA Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 4

What the Cloud Security Alliance Says Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties. --CSA Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 But... CSA Guidance is customer-centric and cloud is, by nature, provider-centric. 4

What the Cloud Providers Say* We have a SAS-70 (but we won t let you see the results or the assertions) We have a ton of big customers, so you can trust us (and maybe you can talk to them) The cloud is more secure! *Self Excluded 5

What the Cloud Providers Say* We have a SAS-70 (but we won t let you see the results or the assertions) We have a ton of big customers, so you can trust us (and maybe you can talk to them) The cloud is more secure! Trust Me! Source:cornify.com *Self Excluded 5

So Really... What drives a cloud provider s security program? How does a good cloud security program look? What does a cloud tenant need security-wise to build inside of a particular cloud? How does the cloud provider protect themselves from customer security problems? 6

The Proper Landing Attitude Security of the cloud solution is a joint responsibility between the customer and the service provider. Please act accordingly. 7

Agenda Cloud is Secure, Right? Building a Cloud Security Program Security Program Case Study Features, Products, and Configurations What I Want You to Know Summary 8

Security Program Considerations Avoid DNS-- Does Not Scale Build secure infrastructure Automate, automate, automate Provide self-service capabilities wherever possible Meet 75% of customers requirements with organic platform features Meet 25% of customers requirements with addon modules 9

Security Program Considerations Avoid DNS-- Does Not Scale Build secure infrastructure Automate, automate, automate Provide self-service capabilities wherever possible Meet 75% of customers requirements with organic platform features Meet 25% of customers requirements with addon modules = Reduce the one-off costs per customer while building a security program that scales. 9

The Akamai Cloud: Largest Distributed Computing Platform in the World 73,000+ Servers 1,600+ Locations 70 Countries All branches of the US Military 85 of the top 100 online retailers 9 of the top 10 anti-virus companies 29 of the top 30 M&E companies 4.5+ Tbps, 15-25% of web traffic 10+ Million transactions per second 10

What Drives the Akamai Platform? 2018: 100 Tbps 2010: 3.5 Tbps 11

Agenda Cloud is Secure, Right? Building a Cloud Security Program Security Program Case Study Features, Products, and Configurations What I Want You to Know Summary 12

Security Governance Policy framework established around ISO 27002 framework Policies established by Sr. Director of InfoSec Evaluated annually by 3 rd party security consulting firm Executive report available upon request Quarterly reporting to CEO and staff on state of security 13

Compliance PCI DSS certified Level 1 merchant service provider Annual 3 rd party audit Annual penetration testing Quarterly vulnerability assessments Annual ISO27002 gap analysis (Foundstone) 2009 rating: 92% compliance against the standard US Government DHS Authorization to Operate (NIST SP 800-37) USAF Assessment 14

Risk Management Risk management activities conducted throughout the product lifecycle Vulnerabilities evaluated in two models Probability (Common Vulnerability Scoring System) Damage (Severity/Actor evaluation) Risks categorized by area of influence Security (Threats) Scaling (Growth) Bulletproofing (Human error) 15

Physical/Environmental Security SSL network: Safe combo locks on racks In-rack cameras reporting intrusion events directly to Akamai NOCC Network deployed in professional colocation facilities with industry standard environmental controls Software controls for key management to minimize physical attack surface 16

Secure Key Management: KMI Key Generation Audit Server Key Distribution Edge Server DSA authenticated 256-bit AES connections 256-bit AES encrypted messages End User End User 17

Operations Management Each application reports telemetry in real time into distributed reporting infrastructure Data aggregation feeds into autonomic management systems, alert infrastructure Autonomic systems act to mitigate faults Alerts trigger human actions to recover root causes (e.g., system failures trigger mapping rebalancing network-wide, while alerts trigger human recovery efforts to restore a machine to service) 18

Real Time Event Management: Query Aggregator Alert server NOCC Akamai 19

Access Control Management 20

Access Control Management Encrypted Authenticated Connection Encrypted Authenticated Connection Access Grant Capabilities: Location Time window Access Gateway Server Frequency Type of target system 2-factor authentication 21

Software Development All system components (OS, kernel, applications), as well as configuration are treated as software Software components developed with automated configuration utilities Vulnerabilities and patches deployed as new software images Change once, deploy often 22

Software Deployment: NetDeploy System Quality Akamai Network Akamai Assurance Operations Config Akamai 80.67.64.112 EdgeSuite Server 12.129.72.181 Top Level NS Developer while (1){ serve_bits(); log_hits();} Software repository 64.215.169.143 SSL Server 23

Zoning Phase 3: Release Type Phase 1->2 Phase 2->3 Entire Network Phase 2: Subset (< 1/8 th ) the network Phase 1: One Machine Customer Config System Config Standard Software Release 15 mins 20 mins 30 min 2 hours 24 hours 24 hours 24

Security and the Sales Lifecycle First Encounter: Information Security Management System Focus Sheet Security Capabilities Focus Sheet Customer-provided questionnaire Introductory security meeting Due Diligence Phase (requires NDA): BITS SIG http://www.sharedassessments.org/ Executive Summary of ISO 27002 Assessment More Detailed Meeting Audit/Assessment Phase: Audit support Compliance modules Akamai Confidential: Not for Release 25

Agenda Cloud is Secure, Right? Building a Cloud Security Program Security Program Case Study Features, Products, and Configurations What I Want You to Know Summary 26

Features, Products, and Configurations Controls provided to all customers Controls provided as an additional product Controls configured by customer Controls on roadmap Controls not provided 27

Agenda Cloud is Secure, Right? Building a Cloud Security Program Security Program Case Study Features, Products, and Configurations What I Want You to Know Summary 28

What I Want You to Know I can do some things (including security) that you can t do easily or at all. 29

What I Want You to Know I have tools to help you meet your security and compliance goals. 30

What I Want You to Know Right-to-Audit is DNS. 31

What I Want You to Know I need you to audit your portal users. 32

What I Want You to Know I provide traffic logs and need you to review them. 33

What I Want You to Know Your standard Terms and Conditions are DNS. 34

What I Want You to Know When you set up an insecure configuration, it impacts my security. 35

Agenda Cloud is Secure, Right? Building a Cloud Security Program Security Program Case Study Features, Products, and Configurations What I Want You to Know Summary 36

Cloud Customers Know Thyself and what you can put in a cloud Business processes Data types Understand the delineation of responsibilities By control By component Get a roadmap brief Changing support New features, products, and capabilities Make decisions based on cost, benefit, and risk 37

Cloud Providers Automate, automate, automate Focus on your unique security capabilities Availability through massive redundancy Security automation Security that scales with demand Build a standards-based security program (!=SAS-70 for most cases) Delineation of responsibility is how you protect yourself Build compliance products to meet the last 25% I showed you mine, you show me yours 38

Agenda Cloud is Secure, Right? Building a Cloud Security Program Security Program Case Study Features, Products, and Configurations What I Want You to Know Summary 39

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information