Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken )

Similar documents
Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

Study on Cloud security in Japan

Security of Cloud Computing

Cloud Security Introduction and Overview

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

CLOUD SECURITY THROUGH COBIT, ISO ISMS CONTROLS, ASSURANCE AND COMPLIANCE

Managing Cloud Computing Risk

Cloud Computing Governance & Security. Security Risks in the Cloud

Security Issues in Cloud Computing

How To Protect Your Cloud Computing Resources From Attack

Top 10 Cloud Risks That Will Keep You Awake at Night

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Cloud Security Fails & How the SDLC could (not?) have prevented them

SECURITY CONCERNS AND SOLUTIONS FOR CLOUD COMPUTING

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

How To Secure Cloud Computing

What Is The Cloud And How Can Your Agency Use It. Tom Konop Mark Piontek Cathleen Christensen

Cloud Security & Risk Management PRESENTATION AT THE OPEN GROUP CONFERENCE

The Cloud is Not Enough Why Hybrid Infrastructure is Shaping the Future of Cloud Computing

Cloud Security. DLT Solutions LLC June #DLTCloud

Cloud-Security: Show-Stopper or Enabling Technology?

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

IT Risk and Security Cloud Computing Mike Thomas Erie Insurance May 2011

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

What Cloud computing means in real life

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

How To Manage Cloud Data Safely

External Supplier Control Requirements

Cloud Security Who do you trust?

Cloud Security:Threats & Mitgations

Cloud Security and Managing Use Risks

Private vs. Public Cloud Solutions

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Cloud Computing; What is it, How long has it been here, and Where is it going?

Assessing Risks in the Cloud

Tips For Buying Cloud Infrastructure

NSTAC Report to the President on Cloud Computing: Cloud Computing Security Controls For NS/EP (Appendix E)

Cloud computing: benefits, risks and recommendations for information security

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao

How to ensure control and security when moving to SaaS/cloud applications

FACING SECURITY CHALLENGES

Clinical Trials in the Cloud: A New Paradigm?

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template

Securing SaaS Applications: A Cloud Security Perspective for Application Providers

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

Cloud Security Prof. Dr. Michael Waidner Fraunhofer SIT CASED. Fraunhofer SIT. Fraunhofer-Gesellschaft 2011

security in the cloud White Paper Series

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Cloud Computing Business, Technology & Security. Subra Kumaraswamy Director, Security Architecture, ebay

New Requirements for Security and Compliance Auditing in the Cloud

External Supplier Control Requirements

CAPABILITY STATEMENT

Computer Forensics and Incident Response in the Cloud. Stephen Coty AlertLogic, AlertLogic_ACID

Cyber Security and Cloud Computing. Dr Daniel Prince Course Director MSc in Cyber Security

Security and Compliance in Clouds: Challenges and Solutions

Cloud Infrastructure Security

Evolution of Cyber Security and Cyber Threats with focus on Cloud Computing

On Premise Vs Cloud: Selection Approach & Implementation Strategies

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

Cloud Computing Security Considerations

Bellevue University Cybersecurity Programs & Courses

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

Cloud Security Who do you trust?

Chapter 1: Introduction

NCTA Cloud Architecture

INFORMATION SYSTEMS. Revised: August 2013

Unmasking Virtualization Security. Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

Supplier Security Assessment Questionnaire

Cloud Computing. Making legal aspects less cloudy. Erik Luysterborg Partner Cyber Security & Privacy Belgium EMEA Data Protection & Privacy Leader

Securing the Cloud with IBM Security Systems. IBM Security Systems IBM Corporation IBM IBM Corporation Corporation

KeyLock Solutions Security and Privacy Protection Practices

Compliance in Clouds A cloud computing security perspective

Westcon Presentation on Security Innovation, Opportunity, and Compromise

Securing Smart City Platforms IoT, M2M, Cloud and Big Data

Threat Modeling Cloud Applications

Transcription:

23.11.2015 Jan Philipp Manager, Cyber Risk Services Enterprise Architect Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken )

Purpose today Introduction» Who I am (http://archimatrix.com/jphilipp) Gh0st, Sanity Gambit, Unit-Y,.» Why this topic: Security Challenges of Cloud Providers Background Info» What are Clouds and what can they do» What Cloud security information already exists 2

Purpose today Agenda» Cloud Challenges Targeted and opportunistic attacks against Cloud and EDCs» Security models, frameworks and white papers NIST, BSI, and ENISA putting it all together» Explanations of the risks categories What goes where & what is different in the cloud» Working best practices from the field What all the existing tools don t adequately address 3

4x4 of: What are Clouds» "All that matters is results; I don't care how it's done"» "I don't want to own assets I want to pay for elastic usage, like a utility"» "I want accessibility from anywhere, from any device"» "It's about economies of scale, with effective and dynamic sharing" Acquisition Model Service Business Model Pay for usage Access Model Internet Technical Model Scalable, elastic, shareable Cloud Computing: A style of computing where massively scalable IT-enabled capabilities are provided "as a service" to external customers using Internet technologies 4

Cloud vs. Traditional IT Platform Similarities» Sets of interfaces and infrastructure» Extensible, solutions built on platform, platform hides infrastructure» Multiple levels of platforms possible» Platform as "you are here Value determined by what is made accessible» Similar success factors (ecosystem) Differences» Not a stand-alone platform that is always purchased» Separated by a network (the Internet)» Not a client server platform, but a distributed platform - WOA» Access to data and capabilities as a result of community» Global-class and elastic Consumer-inspired 5

Cloud Challenges (Tech) Adapted from: Gartner Summit Event Service Management Technologies immature Costs Economies of scale limits, or customer trades data or advertising for services Culture Trust, chargeback, sharing EC2 & S3 Connection Only as good as the Internet, unless you pay to "harden" your connection High Availability Stateless, no problem; stateful, same issue as in enterprises Scalability Parallel processing, no problem; sequential processing, different story Customization Difficult. At least with monolithic applications 6

Cloud Challenges (Sec) Targeted and Opportunistic Attacks Source: AlertLogic 2013 State of Cloud Security Report 7

Sec Models, Framework, ENISA (European Network and Information Security Agency) Cloud Computing Benefits, risks and recommendations for information security Original Nov 2009, Updated Dec 2012 BSI (federal Office of Information Security) Security Recommendations for Cloud Computing Providers June 2011 NIST (National Institute of Standards and Technology) All compliant with the Nov 2013 NIST Cloud Computing 5 Security Reference Architecture 8

Service Consumer NIST / BSI / ENISA Technical Risks Classical Risks with Cloud Impact Policy & Organizational Risks Legal Risks Cloud Service Provider Security Management Data Protection Information Security SaaS PaaS Reporting IaaS Abstraction Layer SLA Invoicing Hardware Monitoring Infrastructure Provisioning

Typical Policy and Org. Risks General risks» Provider solution lock-in» Loss of governance» Compliance challenges Event driven risks» Cloud service termination or failure» Cloud provider acquisition» Loss of business reputation due to co-tenant activities» Supply chain failure (due to Cloud provider outsourcing specialized tasks to 3rd parties) 10

Typical Cloud Technical Risks Confidentiality» Isolation failure» Data leakage On up/download, intra-cloud, interception in transit» Insecure or ineffective deletion of data Integrity» Cloud provider malicious insider (abuse of high privilege roles)» Undertaking malicious probes or scans Availability» Loss of encryption keys» Resource exhaustion and denial of service DDoS/EDoS» Conflicts: Customer hardening vs. cloud environment 11» Compromise service engine

General legal risks» Subpoena and e-discovery» Risk from change of jurisdiction» Export controls» Data protection risks Additional legal considerations 12 Legal Risk Considerations» Bundesdatenschutz (BDSG)» Information Security (ISO27001)» Governance (ISO38500)» Risk Management (MaRisk, KontraG)» Internal control systems (JAP) (IDW PS261, 330, ERS FAIT 1)» Outsourcing (PS951/SAS70//SSAE16, ISAE3402)

Classical IT Risks: Cloud Impact Confidentiality» Privilege escalation» Social engineering attacks, like impersonation» Backups lost or stolen, or theft of computer equipment Integrity» Modifying of network traffic» Loss or compromise of logs (manipulation of forensic investigation) Availability» Network breaks» Poor network management (congestion, mis-connection, )» Natural disasters 13» Transitions

Security: Best practices Tips and Best Practices From the Field For Cloud Providers 14

Sec: Best practices» Provide the Security Architecture Drawing» Allow Access to the Environment Log and Systems Policy & Organizational Risks» Allow the Use of Correlation Tools and Log Retention» Have a Security Point Person to Serve the Contractor During the Contract Period» Manage Vulnerabilities, Threats and Risks by Aligning With the Contractor/Tenant» Have the SAS 70 Certification or Similar» Permit External Audits for Cloud Security Relevant Statements Share information between Cloud provider and tenant/contractor Be transparent as provider.

Sec: Best practices Legal Risks» Establish SLAs in the Contract, Including in the Cases of Security Incidents» Detail the End of Business Operations Process in the Contract» Detail the Process for Responding to Legal Requirements» Identify Where the Solution Data Center(s) Will Be to Meet Local Legal Particularities Relevant Statements You have to think of everything both as cloud consumer and provider at the beginning! You have to make provisions for all potential changes at the beginning.

Sec: Best practices» Have Specialized Protections for the Perimeter Technical Risks» Hold the Firewall Segregating All Networks, including Server Environment Operators and Users» Segregate Functions Inside the Provider» Detail How Much the Environment/Infrastructure Is Shared With Other Clients» Notify How Information Leakage Control is Managed» Detail Procedures in Case of DDoS Attacks» Demonstrate the Process of Cryptographic Keys Management Relevant Statements Treat the cloud as your company perimeter it s not just firewalls Understand the other types of tenants hosted and how they are separated.

Sec: Best practices Classic IT Risks with Cloud impact» Allow Vulnerability Analysis and Ethical Hacking» Share the Business Continuity Policy and Disaster Recovery Plan» Detail the Data Disposal Process in the Contract» Access Control with Strong (ideally multifactor) Authentication Relevant Statements Treat the security and access of Cloud applications like you would any other application. Plan for disaster and change in the Cloud and include it in your plans.

Thanks for coming out! Jan Philipp Manager, Cyber Risk Services Cloud klaut aber trotzdem jphilipp@deloitte.de 23.11.2015 19

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information