Dispelling the Myths about Cloud Computing Security



Similar documents
Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Cloud Security and Managing Use Risks

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

Key Considerations of Regulatory Compliance in the Public Cloud

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

Cloud Security. DLT Solutions LLC June #DLTCloud

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

Cloud Security & Risk. Adam Cravedi, CISA Senior IT Auditor acravedi@compassitc.com

Cloud Courses Description

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

Cisco Cloud Assessments. Justin Tang

Visions of Clouds and Cloud Security. Rob Randell, CISSP Senior Security and Compliance Specialist VMware, Inc.

Governance and Control in the Cloud. Infrastructure as a Service

Cloud Security Alliance and Standards. Jim Reavis Executive Director March 2012

A Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

Logically Securing a Public Cloud Service

THE BLUENOSE SECURITY FRAMEWORK

Security in the Cloud

Managing Cloud Computing Risk

Assessing Risks in the Cloud

Cloud Security Introduction and Overview

Cloud Security Who do you trust?

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Security Issues in Cloud Computing

Cloud Computing Security Issues

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Cloud Computing; What is it, How long has it been here, and Where is it going?

When Security, Privacy and Forensics Meet in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud

Orchestrating the New Paradigm Cloud Assurance

Cloud Courses Description

Security Controls What Works. Southside Virginia Community College: Security Awareness

Cloud Security for Federal Agencies

Time to Value: Successful Cloud Software Implementation

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Data Privacy, Security, and Risk Management in the Cloud

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

HIPAA in the Cloud. How to Effectively Collaborate with Cloud Providers

Security & Trust in the Cloud

Stock Broker System Audit Framework. Audit Process

Cloud Services Overview

Cloud Security & Risk Management PRESENTATION AT THE OPEN GROUP CONFERENCE

John Essner, CISO Office of Information Technology State of New Jersey

SECURING HEALTH INFORMATION IN THE CLOUD. Feisal Nanji, Executive Director, Techumen

How To Protect Your Cloud Computing Resources From Attack

Auditing Cloud Computing and Outsourced Operations

Cloud Computing: Risks and Auditing

Cybersecurity: What CFO s Need to Know

OWASP Chapter Meeting June Presented by: Brayton Rider, SecureState Chief Architect

HIPAA in the Cloud How to Effectively Collaborate with Cloud Providers

APAC OF POSSIBILITIES: TIPS FOR INCREASING CLOUD SECURITY AND ADOPTION

UTH~ihltli. December 11, Report on Institutional Use of Cloud Computing #14-204

A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Overview of Topics Covered

Digi Device Cloud: Security You Can Trust

Altius IT Policy Collection Compliance and Standards Matrix

Cloud and Regulations: A match made in heaven, or the worst blind date ever?

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

Cloud Computing Trends, Examples & What s Ahead

BMC s Security Strategy for ITSM in the SaaS Environment

Client Security Risk Assessment Questionnaire

Cloud Security. Are you on the train or the tracks? ISSA CISO Executive Forum April 18, Brian Grayek CISSP, CCSK, ITILv3

AHLA. JJ. Keeping Your Cloud Services Provider from Raining on Your Parade. Jean Hess Manager HORNE LLP Ridgeland, MS

Protec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli

NCTA Cloud Architecture

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

Securely Yours LLC IT Hot Topics. Sajay Rai, CPA, CISSP, CISM

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Compliance and the Cloud: What You Can and What You Can t Outsource

Third Party Security: Are your vendors compromising the security of your Agency?

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Securing the Cloud. Cloud Computer Security Techniques and Tactics. Vic (J.R.) Winkler. Technical Editor Bill Meine ELSEVIER

How To Understand Cloud Computing

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Adopting Cloud Computing with a RISK Mitigation Strategy

Cloud Data Security. Sol Cates

EAaaS Cloud Security Best Practices

Seeing Though the Clouds

The Second National HIPAA Summit

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Healthcare: La sicurezza nel Cloud October 18, IBM Corporation

The Magazine for IT Security. May issue 3. sör alex / photocase.com

Cloud Risk Management: How to Consolidate your CSP and Corporate Risk Profile

Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control

Securely Outsourcing to the Cloud: Five Key Questions to Ask

Study concluded that success rate for penetration from outside threats higher in corporate data centers

Case Studies: Protecting Sensitive Data in

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

5/29/2015. Auditing IT Contracts From Afar. Disclaimer. Agenda

Transcription:

Dispelling the Myths about Cloud Computing Security security is no longer an hinderance to the cloud! Leo F. Howell, CISSP CISA CCSK

Knowledge MYTH we are all talking about the same cloud Discussion cloud computing architectural framework

NIST Model for Cloud Computing www.nist.gov

CSA Cloud Reference Model (SPI) Presentation Modality Presentation Platform APIs Application Metadata Content APIs Core Connectivity & Delivery Abstraction Hardware Facilities Software as a Service (SaaS) Integration & Middleware Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Data Source: Cloud Security Alliance

Cloud Service Model Example IaaS PaaS SaaS

Jericho Cloud Cube Model management ownership resource location walling Backend Technology Source: www.jerichoforum.org

Knowledge MYTH the cloud is crystal clear to all of us! D E K N U B D E

Responsibility MYTH the CSP takes care of security Discussion security responsibilities in IaaS, PaaS, SaaS

IaaS Security Responsibilities Consumer... Management Plane Security build secure systems & segregate by classification OS Hardening Patching Host-based Firewall Antivirus Host IDS Network Firewall Crypto-key Management Infrastructure as a Service (IaaS) APIs CSP... API Security Hypervisor Virtual Firewalls Software Defined Networking Multi-Tenancy Security SAN Encryption Secure SAN Storage

PaaS Security Responsibilities SecDevelopment Application SecDeployment SecOperation Application Application Consumer... strong emphasis on application security Platform as a Service (PaaS) Integration & Middleware Secure Development SDLC security Sec requirements Threat modeling Masking, Tokenization Static & dynamic analysis Fuzzing ion t App-level encryption a r pe O t men ure cess y o c l ep Se L ac ess ed w r u SS Acc Sec revie & e Id cans ts Cod anning V-s n-tes ng V-sc test i Pe nitor Pen Mo CSP... Infrastructure Security

SaaS Security Responsibilities Presentation Modality Presentation Platform APIs Basic SecDep and some SecOps Identity & Access Management (perimeterized or deperimeterized) Grouping & Role-based Access CTRL Basic application logic & form-based CTRLs Special attention to BCP/DR due to lock-in risks Data Protection primarily handed off to CSP, so need strong RFP/Contract Metadata Content Software as a Service (SaaS) Application Data consumer... CSP... SecDev, SecDep, some SecOps infrastructure and Platform Security

Security Impact by Cloud Architecture Source: Cloud security Alliance

Responsibility MYTH consumers are mostly responsible for security in IaaS, then PaaS, then SaaS D E K N U B D E

Geo-Location MYTH you can t control where in the world your data is stored Discussion security considerations for international data storage and processing

Geo-Location Control over Cloud Data Offshore storage is a key consideration when selecting a CSP Laws and regulations (e.g., ITAR/export controls, DFARS, certain PII or PHI) may prevent offshore storage of data CSPs are beginning to address this - e.g., you can configure GoogleCloud to prevent offshore storage Don t just focus on storage. What about geo-location for processing? Some cloud vendors provide the option for domestic storage only just pick the right one!

Geo-Location MYTH you can determine where your data is stored, just pick the right CSP and contract it in D E K N U B D E

Confidentiality MYTH CSPs and their sub-contractors have unfettered access to your data Discussion encryption and key management in the cloud

Data Confidentiality in the Cloud Tokenization - replace sensitive data elements with tokens Masking - hide sensitive data with replacement characters before clouding Encryption without key management is useless Crypto-shredding - encrypt the data and throw away all copies of the key to securely delete

Confidentiality MYTH encrypt your data and control the key D E K N U B D E

Incidents Response MYTH IR can t be done in the cloud Discussion incidents response and forensics in the cloud

What can you do as a Consumer in IR? Prepare Detect & Analyze Least capabilities in SaaS Some capabilities in PaaS Most capabilities in IaaS Contain, Eradicate, Recover Contacts Roles and responsibilities Shut down access to SaaS, no logs Adjust app controls in PaaS, maybe application logs available Take snapshot in IaaS, shut down servers, firewall blocks, review non-network logs Post-incident Activities Similar to traditional Remember! Consumers have the highest level of controls in IaaS and the least control in SaaS - same is true for visibility in the incident management lifecycle.

Incidents Response MYTH IaaS provides the most capabilities for IR; SaaS provides the least D E K N U B D E

Assurance MYTH the is no way to measure security in the cloud and provide assurance Discussion auditing and measuring security in the cloud

Measuring Security in the Cloud Service Organization Controls SOC 2/SOC 3 - confidentiality, integrity, availability at the CSP Type 2 SOCs test effectiveness and shows the auditor s results PCI compliant clouds; HIPAA compliant clouds FedRamp compliant GovCloud Cloud Controls Matrix (CCMv 3.0) Create your own checklists

Assurance MYTH measuring standards are emerging, you just need to know what to ask for D E K N U B D E

DR/BCP MYTH you don t need a DR/BCP plan for cloud services Discussion DR/BCP for cloud services in the cloud

Disaster Recovery and BCP in the Cloud More resilience in the cloud Avoid over reliance on a single provider; avoid vendor lock-ins Have you planned for the disaster of the vendor suddenly going out of business? DR responsibilities shifts but DR planning is still necessary, especially in a SaaS cloud

DR/BCP MYTH the cloud may be resilient but you still need to plan, including for failed CSPs ed m r C o n i f

Conclusion Security can no longer be seen as an hinderance to moving to the cloud But, tread lightly and diligently!

Contact Leo F. Howell Assistant Director, IT Policy and Compliance NC State University lfhowell@ncsu.edu Resources: Cloud Security Alliance (CSA) www.cloudsecurityalliance.org Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing https://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf CCMv3.0 Download: https://cloudsecurityalliance.org/research/ccm/ The Jericho Forum: www.jerichoforum.org

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information