Security Considerations for Cloud Computing Steve Ouzman Security Engineer
AGENDA Introduction Brief Cloud Overview Security Considerations ServiceNow Security Overview Summary
Cloud Computing Overview The cloud model promotes availability and scalability and is composed of: - five essential characteristics - three service models - four deployment models.
Cloud Definition Deployment Models Private Cloud Hybrid Clouds Community Cloud Public Cloud Service Models Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Essential Characteristics On Demand Self-Service Broad Network Access Rapid Elasticity Resource Pooling Measured Service Common Characteristics Massive Scale Homogeneity Virtualization Low Cost Software Resilient Computing Geographic Distribution Service Orientation Advanced Security Based upon original chart created by Alex Dowbor - http://ornot.wordpress.com
Cloud Computing Security Considerations
Seven Security Considerations For Cloud Computing 1. Abuse of Cloud Computing Resources:- IaaS & PaaS platforms provide huge computing resources and can provide a very simple registration process to adopt. Eg. IaaS Offerings have hosted the Zeus Botnet, Infostealer trojan horses. 2. Insecure Interfaces and API s:- Cloud Providers expose a set of API for interacting customers to manage their data and interact with 3 rd party applications for integrations. These need strict controls. Eg. Anonymous access / re-usable passwords. Improper Authorizations.
Seven Security Considerations For Cloud Computing 3. Malicious Insiders:- Well known threat for most organizations. Threat amplified for consumers of cloud services by the convergence of IT Services under single management. 4. Shared Technology Issues:- IaaS and some SaaS vendors deliver their services in a scalable way by sharing resources. Multi-tenant environment share hardware resources through hypervisors / virtualization and can expose the underlying operating system.
Seven Security Considerations For Cloud Computing 5. Data Loss or Leakage:- Many ways to compromise data. Deletion / Alteration of records without backup. Loss of encryption key. Insufficient authorization controls. Eg. Insufficient AAA controls, Encryption of sensitive data in transit and at rest. 6. Account or Service Hijacking:- Not a new concept. Phishing, fraud and exploitation of software vulnerabilities still achieve results. Attackers could eavesdrop on your activities and transactions and manipulate data.
Seven Security Considerations For Cloud Computing 7. Unknown Risk Profile:- The benefits of using cloud computing resources should be measures against the security concerns. Versions of software, code updates, security practices, vulnerability profiles and security design of the cloud vendor must be understood. Furthermore legal jurisdiction and local legislation requirements need to be considered Eg. EU Privacy Laws, PCI Compliance, HIPAA etc.
Cloud Security Reference Sites ENISA:- http://www.enisa.europa.eu/act/rm/files/deliverables/ cloud-computing-risk-assessment Cloud Security Alliance:- https://cloudsecurityalliance.org/ Jericho Forum https://www.opengroup.org/jericho/
ServiceNow Security Overview
Security Program Security Program based on ISO 27001 Security Policies and Standards directly map to ISO 27002 controls We support customers regulatory requirements: PCI, SOX, FDA, HIPAA, NIST Risk based, data-centric approach
Data Location and Data Isolation Customer data ONLY exists in assigned Primary and Secondary secured datacenter No data processed/stored in business offices No data stored/processed on laptops/desktops Dedicated physical server option (additional cost) Hot DR site with asynchronous replication
Disaster Recovery Asynchronous data replication between primary and secondary datacenter Replicated backup files Coordinated DR testing (typically 4-7 minutes for failover and restored operations) Two Service-now.com DR drills per year Annual Business Impact Analysis
Datacenter Security Controls All internet connections terminate in DMZ Explicit network and host-based firewall rules RSA Two-Factor authentication for all administrator access QualysGuard for Vulnerability Management Centralized audit logging using Splunk TippingPoint IPS Sensors (blocking mode)
Penetration Testing Nightly QualysGuard Port Maps Bi-monthly Perimeter Scans using QualysGuard Integrated WhiteHat Security Application Penetration Testing Any given month: three customer initiated penetration tests in progress. Annual comprehensive Security Penetration Testing
Application Security Features LDAP/S and SAML Single Sign-On Integration Options Full encryption for data in motion (SSL, TLS, S/FTP) Column Level Encryption Full Support of Users/Groups/Roles Full Access Control List Support: Application, Module, Table, column, row Contextual Security Model
Demo Research Request Info demo.service-now.com www.service-now.com info@service-now.com