WP9 D9.5 Risk Analysis and Countermeasures

Similar documents
EuroCloud Deutschland_eco e.v. Cloud Computing is the future! For sure! But secure!

Security in the Cloud

Cloud Security and Managing Use Risks

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

How to ensure control and security when moving to SaaS/cloud applications

Protec'ng Data and Privacy in a World of Clouds and Third Par'es Vincent Campitelli

Business Continuity and the Cloud. Aaron Shaver US Signal, Solution Architect

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Validating Enterprise Systems: A Practical Guide

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

An SME perspective on Cloud Computing November 09. Survey

Open Certification Framework. Vision Statement

G-Cloud III Services Service Definition Accenture Cloud Security Services

A Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey

Cloud Terminology Handbook

Disaster recovery strategic planning: How achievable will it be?

Security Issues in Cloud Computing

The NREN s core activities are in providing network and associated services to its user community that usually comprises:

Cloud Security: Evaluating Risks within IAAS/PAAS/SAAS

Cloud Computing What Auditors need to know

Cloud Security Introduction and Overview

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

White Paper. Cloud Vademecum

Hedge Funds & the Cloud: The Pros, Cons and Considerations

East African Information Conference th August, 2013, Kampala, Uganda. Security and Privacy: Can we trust the cloud?

Whitepaper. Canopy Security. Simplicity, Agility, Transparency. An Atos company. Powered by EMC 2 and VMware

Strategic Compliance & Securing the Cloud. Annalea Sharack-Ilg, CISSP, AMBCI Technical Director of Information Security

Cisco Cloud Assessments. Justin Tang

Security, Compliance & Risk Management for Cloud Relationships. Adnan Dakhwe, MS, CISA, CRISC, CRMA Safeway Inc. In-Depth Seminars D32

Overview TECHIS Carry out security testing activities

EXIN Cloud Computing Foundation

Private & Hybrid Cloud: Risk, Security and Audit. Scott Lowry, Hassan Javed VMware, Inc. March 2012

Cloud Computing Governance & Security. Security Risks in the Cloud

How To Secure Cloud Computing

Orchestrating the New Paradigm Cloud Assurance

INFORMATION ASSURANCE

How To Be A Successful Compliance Officer

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Service Organization Control Reports

Understanding ISO and Preparing for the Modern Era of Cloud Security

How to procure a secure cloud service

Service availability (in the clouds)

Residual risk. 3 Compliance challenges (i.e. right to examine, exit clause, privacy acy etc.)

A. Reference information. A0. G-Cloud Programme unique ID number for the service and version number of this scoping template

INFRASTRUCTURE AS A SERVICE BUYER S CHECKLIST

Cloud Security. DLT Solutions LLC June #DLTCloud

Team A SaaS Strategy

Security Challenges of Cloud Providers ( Wie baue ich sichere Luftschlösser in den Wolken )

Information Security: Cloud Computing

How small and medium-sized enterprises can formulate an information security management system

White Paper: Cloud Security. Cloud Security

Cloud Security Certification

GRC Stack Research Sponsorship

Cloud Computing Paradigm Shift. Jan Šedivý

Chapter 2. Migrating into a Cloud

Infrastructure as a Service (IaaS) Dancik International and Peak 10

Cloud Infrastructure Security

Security and Privacy in Cloud Computing

Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI

On Premise Vs Cloud: Selection Approach & Implementation Strategies

Managing Cloud Computing Risk

IBM & Cloud Computing. Smarter Planet. John Easton UK & Ireland Cloud Computing Technical Leader

NNIT Cybersecurity. A new threat landscape requires a new approach

PCI Compliance and the Cloud: What You Can and What You Can t Outsource Presented By:

Cloud computing: benefits, risks and recommendations for information security

ENISA and Cloud Security

How To Protect Your Cloud Computing Resources From Attack

Need to reassure customers that your cloud services are secure? Inspire confidence with STAR Certification from BSI

Acquia Comments on EU Recommendations for Data Processing in the Cloud

FLEXIBLE COMPUTING LTD. Service Description & Pricing. Cloud RockStars. G-Cloud

Refresher on cloud computing

Federal Aviation Administration. efast. Cloud Computing Services. 25 October Federal Aviation Administration

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

FedRAMP Penetration Test Guidance. Version 1.0.1

Transcription:

WP9 D9.5 Risk Analysis and Countermeasures Risk Analysis approach for the Cloud for Europe PCP pilots Friday 20150911 Jan Colpaert Fedict, BE

Starting points - observations any Before using cloud technology, think about risk Cloud makes it easier to reduce risk Easier resilience Pre-certified components Cloud introduces new risks Lock-in Legal imbalance between provider and tenant s risk Insufficient distinction between tenant s duties and duties that can be outsourced to the CSP 2

Types of audience Corporate (Government) end user of cloud technology (typically SaaS) Owner of applications that use cloud technology IaaS PaaS SaaS sub-components Legal contractual exit strategy technical security resilience Owners of applications that provide cloud services Legal contractual certification of end-service 3

Think about risk! People make shortcuts like: This application only handles public data so we can host it in a low cost simple environment My IaaS cloud provider is certified, so we are safe Lets try to ask the right questions! 4

The risk landscapes (The Open Group, FAIR) Asset Landscape Loss Landscape Controls Landscape Threat Landscape Vulnerability Landscape 5

Asset Landscape Asset Analysis Application Context Compliance requirements Hosting type Application related assets 6

Threat landscape Likelihood: depends on Loss potential, Implemented protection measures Often tenant s responsibility Capabilities of the treat source / agent Depends highly on the loss potential In Internet facing applications and high profile applications we always have to assume very high capability The impact of most threats can be assessed by means of the impact of more generic risks: Confidentiality breach Integrity breach Availability breach (RTO) Transaction loss (RPO) 7

Loss (Impact) Landscape Government applications: Business Impact Society Impact How to assess impact level? Lack of internationally accepted scales UK s HMG IA nr 1 defines a scale 6 impact levels not really needed for mapping on measures Differentiation between Confidentiality, Integrity and Availabiltiy makes sense 8

Threat Community Risk analysis approach Asset Analysis Threat landscape analysis Generic Threats Confidentiality Breach Loss (impact) analysis Threat Own Business Society Integrity Breach Transaction loss Availability Breach threat s Specific Threats Vulnerability or likelihood consideration Risk aversion Required Controls 9

Cloud technology Introduces new risks such as: Lock-in Legislation related risks Contractual, financial Unbalanced: Impact for underlying IaaS/PaaS CSP may be smaller than impact of application Makes it easier to reduce risk: Easier to build resilient services Use multiple (IaaS) providers Easy scaling Disaster recovery datacenter without capex Certification of the underlying infrastructure layers 10

Classical Risk Assessment Classical risk assessment methods tend to be very detailed and time consuming: hundreds of threats for which: Impact Probability/Likelyhood Threat source capabilities need to be analyzed A risk appetite/aversion factor is applied 11

Simplified Risk Assessment (1) Impact is more dependent on the application than on the threat. Therefore we determine the impact of more generic threats Impact of confidentiality breach Impact of integrity breach Impact of availability breach Not all threats belong to these generic threats. There are some special cases: Legal Contractual Financial 12

Simplified Risk Assessment (2) Likelihood depends mainly on the threat, the planned protection methods, the attractiveness of the assets and the loss potential. There remains a dependence on the application that must be examined in some cases Document the assumptions under which the risk assessment was made! Tenant is responsible for the controls, not only cloud provider! 13

Simplified Risk Assessment (3) Threat source capabilities. Depends on the loss potential! Most cloud applications are open to the Internet, we must assume capabilities are very high for high-profile applications Classical threat agents (natural, unintentional human,.. ) can be covered at the underlying CSP level (assuming certified service). 14

Main goals: Make application owners think about Characteristics of the application Impact level, and availability requirements Required certification levels Measures to avoid lock-in Measures to enhance availability 15

Mapping risk level on measures/controls Special focus on: Controls that could be forgotten because tenant believes it is CSP s responsibility Areas that cannot be covered by certification or contract Cloud related controls 16

Risk assessment for PCP Pilots Is a risk impact level scale required? Too many controls Is there a way to find a drilldown approach (e.g. depending on impact level) CSA CCM and Enisa metaframework are helpful but do not really define a drill-down method Not enough distinction between tenants responsibilities and CSP s guarantees. Too often, certification of underlying platform is seen as sufficient, where highest risks resides on application side 17

Risk assessment questionnaire Currently using (or inspired by): Impact levels from UK s HMG IA 1 Appendix A Structure of controls from CSA Cloud Controls Matrix 18

HMG IA 1 Appendix A example 19

Questionnaire Quick Scan 20

Availability Impact mapping 21

Questions? public D9.5 Deliverable http://www.cloudforeurope.eu/documents/10179/51418/risk+analysis,+certification+and+other+measures/ 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information