Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark.

Agenda
- Introduction to Cloud Computing
- What is Different in the Cloud?
- CSA Guidance
- Additional Resources

What is Cloud Computing?
- Compute as a utility: the third major era of computing, after the mainframe and the PC / client-server
- Cloud computing: an on-demand model for the allocation and consumption of computing
- Cloud is enabled by:
  - Moore's Law: the cost of compute and storage approaching zero
  - Hyperconnectivity: robust bandwidth from dotcom-era investments
  - Service Oriented Architecture (SOA)
  - Scale: major providers create massive IT capabilities

How to Think about Cloud
- A perfect storm: convergence of existing technologies in a new business model
- The next platform for software applications
- Disruption! Not one cloud, but many types and deployments of cloud
- Aspects of our legacy we can learn from, but with key differences: mainframes, virtualization, outsourcing
- Challenges many of our IT definitions, e.g. what is data?

What is Different in the Cloud?
Many concepts in the cloud are similar to concepts in standard outsourcing. There are at least four themes which require a different mindset when working on security for cloud services:
- Role clarity for security controls
- Legal / jurisdictional / cross-border data movement
- Virtualization concentration risk
- Virtualization network security control parity

What is Different in the Cloud? Role Clarity
[Diagram: the service models SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) placed on a spectrum between "Security ~ THEM" (the provider) and "Security ~ YOU" (the customer): the lower in the stack the service you buy, the more of the security controls are your responsibility.]

What is Different in the Cloud? Legal / Jurisdictional Issues Amplified
[Diagram: "Your Corporate Data?" surrounded by cloud provider datacenters in London (U.K.), São Paulo (Brazil), Geneva (Switzerland), Tokyo (Japan) and San Francisco (USA): the data may end up in any of several jurisdictions.]

What is Different in the Cloud? Virtualization Concentration Risks
- Old way: hack a system
- New way: hack a datacenter, via the hypervisor that all of its virtual machines share

What is Different in the Cloud? Virtualized N-Tier Control Equivalence
[Diagram. Current way: users on the Internet reach the presentation layer and the data layer through a chain of firewall, WAF and NIDS/IPS controls. New way: the same tiers run as virtual machines on a hypervisor. How do we ensure control parity, i.e. that equivalent FW, WAF and NIDS/IPS controls exist in the virtualized path?]

Key Cloud Security Problems
From CSA Top Threats research:
- Trust: lack of provider transparency, which impacts governance, risk management and compliance
- Data: leakage, loss, or storage in an unfriendly geography
- Insecure cloud software
- Malicious use of cloud services
- Account / service hijacking
- Malicious insiders
- Cloud-specific attacks

Cloud Security Alliance Guidance

Cloud Security Alliance Guidance
Cloud Architecture
Governing the Cloud:
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability
Operating in the Cloud:
- Security, Business Continuity, and Disaster Recovery
- Data Center Operations
- Incident Response, Notification, Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization
Available at http://www.cloudsecurityalliance.org/research.html

Defining Cloud
- On-demand provisioning
- Elasticity
- Multi-tenancy
- Key types:
  - Infrastructure as a Service (IaaS): basic O/S and storage
  - Platform as a Service (PaaS): IaaS + rapid development
  - Software as a Service (SaaS): complete application
- Public, Private, Community and Hybrid cloud deployments

Governance and Enterprise Risk Management
- Due diligence of the provider's governance structure and process, in addition to its security controls
- SLAs
- Risk assessment approaches between provider and user should be consistent: consistency in impact analysis and in the definition of likelihood

Legal and Electronic Discovery
- Mutual understanding of roles related to litigation, discovery searches and expert testimony
- Data in the custody of the provider must receive guardianship equivalent to that of the original owner
- Unified process for responding to subpoenas, service of process, etc.

Compliance and Audit
- Right-to-audit clause
- Analyze the impact of regulations on data security
- Prepare evidence of how each requirement is being met
- Auditor qualification and selection

Information Lifecycle Management
- How is integrity maintained? If it is compromised, how is that detected and reported?
- Identify all controls used during the data lifecycle
- Know where your data is!
- Understand the provider's data search capabilities and limitations

Portability and Interoperability
- IaaS: understand VM capture and porting to a new provider, especially if different technologies are used
- PaaS: understand how logging, monitoring and audit transfer to another provider
- SaaS: perform regular backups into a form that is usable without the SaaS

Security, Business Continuity and Disaster Recovery
- Conduct an onsite inspection whenever possible
- Inspect the cloud provider's disaster recovery and business continuity plans
- Ask for documentation of external and internal security controls: do they adhere to industry standards?

Data Center Operations
- Demonstration of compartmentalization of systems, networks, management, provisioning and personnel
- Understanding of the provider's patch management policies and procedures; this should be reflected in the contract!

Incident Response, Notification and Remediation
- You may have limited involvement in incident response; understand the prearranged communication path to the provider's incident response team
- What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?

Application Security
- S-P-I (SaaS, PaaS, IaaS) creates different trust boundaries in the SDLC; account for them in development, test and production
- Obtain contractual permission before performing remote vulnerability and application assessments: the provider cannot distinguish testing from an actual attack

Encryption and Key Management
- Separate key management from the provider hosting the data, creating a chain of separation
- Understand the provider's key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted
- Ensure encryption adheres to industry and government standards when stipulated in the contract
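The chain of separation on this slide and the integrity question on the Information Lifecycle Management slide (if data is compromised, how is that detected?) together, as an added example that is not from the deck or the CSA guidance: a customer-side key store whose HMAC keys never reach the provider, so a manifest kept by the customer detects any modification of objects the provider stores, and rotating and deleting keys shows how the key lifecycle affects what can still be verified. The CustomerKeyStore class, the tag/verify functions, the sample objects and the dict standing in for provider storage are all constructed for this example.

```python
import hashlib
import hmac
import os


class CustomerKeyStore:
    """Keys are generated, stored, rotated and deleted on the customer side only."""
    def __init__(self):
        self.keys = {}       # key_id -> 32-byte secret; never sent to the provider
        self.current = None  # key_id used for new tags

    def generate(self):
        key_id = "k%d" % (len(self.keys) + 1)
        self.keys[key_id] = os.urandom(32)
        self.current = key_id
        return key_id

    def rotate(self):
        return self.generate()  # old keys stay so earlier tags still verify

    def delete(self, key_id):
        del self.keys[key_id]   # objects tagged under this key can no longer be trusted


def tag(store, name, blob):
    """HMAC-SHA256 over name and content under the current key -> (key_id, mac)."""
    msg = name.encode() + b"\0" + blob
    return store.current, hmac.new(store.keys[store.current], msg, hashlib.sha256).hexdigest()


def verify(store, name, blob, key_id, mac):
    """Classify an object fetched back from the provider: ok, tampered or key-deleted."""
    key = store.keys.get(key_id)
    if key is None:
        return "key-deleted"
    expect = hmac.new(key, name.encode() + b"\0" + blob, hashlib.sha256).hexdigest()
    return "ok" if hmac.compare_digest(expect, mac) else "tampered"


def demo():
    """Constructed walk-through: tag, silent change at the provider, rotate, delete."""
    store, provider, manifest = CustomerKeyStore(), {}, {}  # provider = stand-in storage
    store.generate()
    for name, blob in [("ledger.csv", b"acct,balance\n1,100\n"), ("notes.txt", b"hello")]:
        provider[name] = blob
        manifest[name] = tag(store, name, blob)      # manifest stays with the customer
    provider["ledger.csv"] = b"acct,balance\n1,999\n"  # modified on the provider side
    store.rotate()                                     # k2 becomes the current key
    provider["report.txt"] = b"constructed report"
    manifest["report.txt"] = tag(store, "report.txt", provider["report.txt"])
    before = {n: verify(store, n, provider[n], *manifest[n]) for n in provider}
    store.delete("k1")                                 # retire the first key
    after = {n: verify(store, n, provider[n], *manifest[n]) for n in provider}
    return before, after
```

Real deployments would encrypt the objects as well and keep the keys in a customer-controlled KMS or HSM; the point here is only that the provider holds neither the key nor the manifest, so it cannot alter data without the customer noticing.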

Identity and Access Management
- IAM is a big challenge today in secure cloud computing
- Identity: avoid proprietary solutions unique to the cloud provider
- A local authentication service offered by the provider should be OATH compliant

Virtualization
- Understand the internal security controls for the VM beyond built-in hypervisor isolation: IDS, AV, vulnerability scanning etc.
- Understand the external security controls protecting exposed administrative interfaces (web-based, APIs)
- Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs

Additional Cloud Security Alliance Resources

Cloud Security Alliance Initiatives
1. GRC Stack
2. Security Guidance for Critical Areas of Focus in Cloud Computing
3. Cloud Controls Matrix (CCM)
4. Consensus Assessments Initiative
5. Cloud Metrics
6. Trusted Cloud Initiative
7. Top Threats to Cloud Computing
8. CloudAudit
9. Common Assurance Maturity Model
10. CloudSIRT
11. Security as a Service

Cloud Controls Matrix Tool
- Controls derived from the guidance
- Rated as applicable to S-P-I
- Customer vs provider role
- Mapped to COBIT, HIPAA, ISO/IEC 27002:2005, NIST SP 800-53 and PCI DSS
- Helps bridge the gap for IT and IT auditors
www.cloudsecurityalliance.org/cm.html

Contact
Help us secure cloud computing: www.cloudsecurityalliance.org
Cloud Security Alliance, Chicago Chapter
sclark@accuvant.com
LinkedIn: http://www.linkedin.com/groups?gid=3755674

Questions?