Supporting Business Agility
Secure your cloud applications by building solid foundations with enterprise (security) architecture
Vladimir Jirasek, Managing Director, Jirasek Consulting Services & Research Director, Cloud Security Alliance, UK chapter
Classification: Public
About me
- MBA (MSc) degree
- 20 years experience in IT
- 13 years experience in InfoSec
- Worked in various companies in diverse sectors
- Engaged in security organisations and projects such as CAMM and CSA
- Technical editor of a cloud security book
- Presents at security and IT conferences
Agenda
- Enterprise architecture crash course
- Security architecture overview
- Cloud security models
- Governance in Cloud
- Data security in Cloud
- Identity and Access in Cloud
ENTERPRISE ARCHITECTURE
What is Enterprise Architecture
"Enterprise architecture (EA) is the process of translating business vision and strategy into effective enterprise change by creating, communicating and improving the key requirements, principles and models that describe the enterprise's future state and enable its evolution." (Wikipedia)
"Enterprise architecture is about strategy, not about engineering." (Gartner)
"Common sense to ensure everyone in a company is pulling in one direction, maximising ROI, reducing waste, increasing efficiency, effectiveness, agility, maintaining strategic focus and delivering tactical solutions." (Vladimir Jirasek)
EA is a business support function
(Diagram: organisation chart marking where EA should be discussed versus where it is commonly discussed.)
EA frameworks
Source: http://msdn.microsoft.com/en-us/library/bb466232.aspx
One of the most used architecture frameworks: TOGAF
ENTERPRISE SECURITY ARCHITECTURE
Security model: business drives security (Jirasek Consulting Services)
(Diagram, organised around People, Services and Technology. Elements recovered from the slide:)
- Inputs: laws & regulations, business objectives, international security standards, security threats
- Governance: line management, IT GRC, product management, program management, risk & compliance; defines compliance requirements, business impact, and business & information risks
- Policy framework: information security policies, standards and guidelines; mandates the process framework
- Process framework: information security processes, measured by the metrics framework
- Metrics framework: information security metrics objectives and external security metrics; measures security maturity
- Security management and security services: define and execute security controls, fed by security intelligence
- Assurance: auditors and security professionals
- Feedback loops: update business requirements; correction of security processes
Security architecture domains
- The security architect works across all domains
- Stakeholder in EA
- Works with domain architects (depends on the size of the organisation)
Cloud model maps to Security model
(Diagram: the cloud model maps directly onto the security model.)
Responsibilities for areas in the security model compared to delivery models
(Diagram: for each of IaaS, PaaS and SaaS, which areas are provider responsible and which are customer responsible.)
Areas: GRC, Business continuity, SIEM, Identity & Access, Cryptography, Data security, Application security, Host security, Network security, Physical security
Should data security be on CIOs' agendas? Why only the CIO? (PaaS/SaaS)
Mandatory reading!
- Present time: cloud provider reputation/costs; your company reputation/costs
- Future: consolidation of cloud providers; cost savings in enterprises
- Not many security breaches so far. Why? Cloud will become targeted as more enterprises rely on public cloud computing
CLOUD DEPLOYMENT GOVERNANCE
Governance related to Cloud
- Setting company policy for cloud computing
- Risk-based decision on which cloud provider, if any, to engage
- Assigning responsibilities for enforcing and monitoring policy compliance
- Setting corrective actions for non-compliance
Cloud governance::policy
Cloud is adopted typically by:
a) IT directors: managed relatively consistently, and mostly [I|P]aaS
b) Business managers: less governance; typically SaaS
Policy should state:
"It is a policy of [company] to manage the usage of external cloud computing services, taking into account risks to business processes and legal and regulatory compliance when using external cloud services. The CIO is responsible for creating and communicating the external cloud computing strategy and standards."
Cloud standard structure
General statements:
- Governance requirements for Cloud
- Enterprise architecture to be ready for Cloud and for cloud services to plug in (IAM, SIEM, data architecture, forensics)
- Discovery of cloud service use
Before a Cloud project:
- Cloud service to comply with data classification
- Encrypting all sensitive data in Cloud
- Identity and Access management (AAA) link to the cloud service
During a Cloud project:
- Due diligence to be performed; do not forget the right to audit
- Know locations of PII
- Assess availability (SLA and DR) of the cloud provider
- Assess the cloud provider's security controls
- Assess the potential for forensic investigation by the company's team
Running a Cloud service:
- Limit use of live data for development and testing
- Monitor the cloud provider's security controls
- Link the company's SIEM with the cloud provider and monitor for incidents
Moving out of Cloud:
- Data cleansing
- Data portability
Example: I have 1TB of CSV files, now what?
- Customer uses a well-known CRM in the Cloud
- SaaS designed to immerse clients into a well-defined, bespoke CRM
- No known data model
- Export of data in CSV
Tip: Portability is the key in SaaS applications. Think about leaving the cloud provider up front. How will you take your data?
Example: Scaling development up/down
- Large manufacturing and service company
- Requirement to support development needs with seasonal demands: ideal case for [I|P]aaS
- Security team approached up front to perform a review
- Live data not uploaded to the provider before on-site sanitising
DATA SECURITY IN CLOUD
Cloud provider: "AES-128, so it must be secure! Trust me!"
(Diagram: a cloud service user sends a secret PDF, encrypted in transit, to the cloud service provider, where it is a secret PDF again.)
Just because it is encrypted does not make it secure. Look end to end.
However, not all data in the cloud is secret!
Sometimes too much encryption is bad, though. Who holds the encryption keys? Are they available?
Data protection options in cloud models (Jirasek Consulting Services)
(Diagram: options by layer, across Infrastructure as a Service, Platform as a Service and Software as a Service.)
- SIEM: extend company SIEM; plug in to the provider's SIEM
- Data: extend DLP or eDRM; extend company file or object encryption; provider-operated data/database encryption; encrypting/tokenising reverse proxy engines (e.g. CipherCloud); tokenisation and anonymisation
- Application: application encryption (customer retains keys)
- Host: encryption appliance (e.g. SafeNet ProtectV); provider-dependent and provider-operated host encryption
- Network: web TLS (for IaaS operated by the customer); network VPN (could extend to SaaS)
Example of SaaS: use of Gmail inside and outside an organisation
(Diagram: intra-company sender and recipient, and external sender and recipient, connected through a proxy to the SaaS web application.)
- SaaS web-based application; other standard interfaces: IMAP, POP3, SMTP, Web API
- Data in Gmail is available to anyone with proper authentication
- TLS used on the transport layer
- Consider using a CipherCloud-like product, but be mindful of traffic flows with external customers
Example of IaaS: cloud provider offers virtual computing resources for internal apps deployment
(Diagram: intra-company internal user, administrator, key management with HSM, VPN to the provider's virtual servers; travelling user; data encrypted by either remote or local encryption operations.)
- The cloud provider can theoretically access all data if decryption happens on the virtual machine! But would they?
- Use one of two possible models:
  - Local crypto operations with remote key management. Consider SafeNet ProtectV
  - Remote crypto operations over VPN (speed penalty)
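The "local crypto operations with remote key management" model from this slide, as an added illustration that is not from the deck or from any product it names: data keys are used on the virtual server, but the key-encryption key (KEK) stays with a customer-side key service (the HSM in the diagram), so a copy of the server's disk taken at the provider holds only ciphertext plus a wrapped data key. The stream cipher is a stand-in (HMAC-SHA256 keystream in counter mode) so the example runs with the standard library alone; a real deployment would use AES; the class and function names are assumptions.

```python
import hashlib, hmac, os

def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 keystream in counter mode (not AES)."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

class CustomerKeyService:
    """Runs on the company side (HSM-backed in the slide): it only wraps and
    unwraps data keys, never sees the data, and logs every unwrap for the SIEM."""
    def __init__(self):
        self._kek = os.urandom(32)       # constructed: the customer-held KEK
        self.audit = []
    def wrap(self, dek: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + _ctr_xor(self._kek, nonce, dek)
    def unwrap(self, wrapped: bytes, caller: str) -> bytes:
        self.audit.append(("unwrap", caller))
        return _ctr_xor(self._kek, wrapped[:16], wrapped[16:])

def encrypt_on_vm(plaintext: bytes, kms: CustomerKeyService) -> dict:
    """Local crypto operation on the virtual server: a fresh data key per
    object, kept on the server only in wrapped form beside the ciphertext."""
    dek, nonce = os.urandom(32), os.urandom(16)
    ct = _ctr_xor(dek, nonce, plaintext)
    tag = hmac.new(dek, nonce + ct, hashlib.sha256).digest()   # integrity tag
    return {"wrapped_dek": kms.wrap(dek), "nonce": nonce, "ct": ct, "tag": tag}

def decrypt_on_vm(blob: dict, kms: CustomerKeyService, caller: str = "vm-1") -> bytes:
    dek = kms.unwrap(blob["wrapped_dek"], caller)   # the only remote call
    expect = hmac.new(dek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise ValueError("integrity check failed")
    return _ctr_xor(dek, blob["nonce"], blob["ct"])

def provider_snapshot_attempt(blob: dict) -> bytes:
    """What a disk copy taken at the provider yields without the KEK: the
    wrapped key is useless as a key, so the result is not the plaintext."""
    return _ctr_xor(blob["wrapped_dek"][16:], blob["nonce"], blob["ct"])
```

The audit list on the key service is what the "link company SIEM with cloud provider" requirement from the standard would consume: every unwrap names the caller.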
IDENTITY AND ACCESS MANAGEMENT IN CLOUD
IAM is a complex domain::closer to information management than security!
- Federation
- Entitlements
- Access management
- Identity management
These capabilities can be, and are, mixed between on-site management by organisations and provision as a service by cloud providers.
Identity management::mostly information management
- Principal management
- Credential management
- Attribute management: group memberships; business and IT roles
- Directory
- Link to HR data
- Provision and de-provision users from cloud services automatically
Entitlements and Access management
Entitlements:
- Managing access policies: XACML policies (Subject, Rule, Resource) or bespoke policies
- Based on attributes or groups
- Connect subjects and resources
Access management:
- Uses identity information, entitlement policies and context to make access decisions: Grant; Deny; Grant but limit
- Decision closer to the resource
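An added example, not from the deck: a minimal entitlement engine in the Subject / Rule / Resource shape described above. Rules connect subjects to resources through groups or attributes, and the access decision is Grant, Deny or Grant-but-limit, with context (network location) able to downgrade a grant. The sample policy at the end is constructed: finance staff read their own department's data, contractors read internal data with limits and are explicitly denied confidential data.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    user: str
    groups: set
    attrs: dict = field(default_factory=dict)       # e.g. {"dept": "finance"}

@dataclass
class Resource:
    name: str
    classification: str                              # "internal" or "confidential"
    owner_dept: str

@dataclass
class Rule:
    action: str
    groups: set = field(default_factory=set)         # any overlap with subject groups
    attr_match: dict = field(default_factory=dict)   # subject attr -> resource field
    classifications: set = field(default_factory=set)
    effect: str = "Grant"                            # "Grant" or "Deny"
    limit: str = None                                # turns Grant into Grant-but-limit

def _applies(rule, subj, res, action):
    """A rule applies only when every constraint it states is satisfied."""
    if action != rule.action or (rule.groups and not subj.groups & rule.groups):
        return False
    if rule.classifications and res.classification not in rule.classifications:
        return False
    return all(subj.attrs.get(s) == getattr(res, r, None)
               for s, r in rule.attr_match.items())

def decide(rules, subj, res, action, context):
    """Deny-overrides evaluation; context (network location) can downgrade a
    Grant to Grant-but-limit. Returns (decision, reason)."""
    hits = [r for r in rules if _applies(r, subj, res, action)]
    if not hits:
        return "Deny", "no matching rule"
    if any(r.effect == "Deny" for r in hits):
        return "Deny", "explicit deny"
    limits = [r.limit for r in hits if r.limit]
    if context.get("network") != "corporate" and res.classification == "confidential":
        limits.append("off-network: no download")
    return ("Grant but limit", "; ".join(limits)) if limits else ("Grant", "policy grants")

RULES = [   # constructed sample policy
    Rule("read", groups={"finance"}, attr_match={"dept": "owner_dept"},
         classifications={"internal", "confidential"}),
    Rule("read", groups={"contractor"}, classifications={"internal"}, limit="no export"),
    Rule("read", groups={"contractor"}, classifications={"confidential"}, effect="Deny"),
]
```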
Identity Federation::Let's trust identity providers
- Not everyone wants to have thousands of usernames/passwords
- Cloud services are ideal for identity federation
- SAML 2.0
- OAuth 2.0 (do not confuse with OATH)
Summary
- Create an Enterprise Architecture function with a dotted line to the CEO
- Appoint a Security Architect as part of the Enterprise Architecture function
- Have a Cloud policy/standard and update risk management classification
- Always think of the exit from Cloud first!
- Discover usage of cloud services
- Prepare your enterprise architecture to plug cloud services in: IAM, SIEM, key management
- Build IAM that supports a changing business. Federate and federate
- Do not fear Cloud; it is a sophisticated form of outsourcing: use supplier management techniques
Links
- A Comparison of the Top Four Enterprise-Architecture Methodologies: http://msdn.microsoft.com/en-us/library/bb466232.aspx
- TOGAF 9: http://www.opengroup.org/togaf/
- CipherCloud: http://www.ciphercloud.com/
- Amazon AWS Security: https://aws.amazon.com/security/
- Dropbox security incidents: http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/
Contact
Vladimir Jirasek
vladimir@jirasekconsulting.com
www.jirasekconsulting.com
@vjirasek
About.me/Jirasek