Cloud Security: Are you on the train or the tracks?
ISSA CISO Executive Forum, April 18, 2015
Brian Grayek, CISSP, CCSK, ITILv3

Agenda
- Facts
- Opinions (based on experience)
- A little humor
- Some gold nuggets
Great quotes from CISOs I know
- "No Cloud here."
- "We're more secure than any Cloud."
- "I'll NEVER allow Cloud here!"
- "We've never been hit with any intrusion."
- "I'll never trust my data in the Cloud."
Cloud Computing is the Train
- It's coming no matter what you think or do.

Cloud Computing = Utility
- Just like electricity in the 1920s-30s
- You plug in and use as much as you need
- Pay for what you use
- Use less or more, based on the day

- There are always some people who think it's a fad and it won't last.

My Analogy (the way business sees it)
- The Cloud, the Users, and the CISO
- Either get on the train or off the tracks.

The Cloud is nothing new
- We've had the cloud since the mainframe, and we can handle it the same way.
The Root of Cloud Velocity
- Priority Now: A recent survey of CIOs identified cloud computing as their #2 priority for 2015 [*1]
- Security still a concern: 35% of the CIOs surveyed cited security as their primary reason for keeping data on premise [*1]. Interestingly, this is driving more CIOs to PRIVATE and Hybrid Clouds.
- Efficiency Isn't Optional: 46% of IT leaders believe improving IT efficiency is the #1 priority in 2015 [*2]
- Faster Delivery of New Apps: 26% of all new apps are being built on Public Cloud [*2]
- A Procurement Revolution: 55% of all cloud transactions are shadow IT spending (off the books and completed using a credit card) [*3]

*1 - http://www.securityweek.com/sometimes-it-takes-crisis-security-budgets-rise
*2 - http://www.appdynamics.com/press-release/it-leaders-identify-efficiency-cloud-and-analytics-as-top-2015-priorities/
*3 - https://www.cisco.com/web/about/ac79/docs/re/impact-of-cloud-it_consumption-models_study-report.pdf
What is the fundamental difference that makes the Cloud different?
- Scalability??
- Elasticity??
- On-demand self-service??
- Reliability??
- Multi-tenancy??

What is the fundamental difference that makes the Cloud different?
- My choice
Everything is NOT ready for the Cloud
Quick Winners for Cloud:
- Applications that are public, web-enabled / IP-aware
- Workloads for Dev/Test/QA environments
- Workloads that are audit-prone or highly regulated
- Applications that require scaling or elasticity
- Applications where service level is key
Require Deeper Consideration:
- Home-grown, legacy applications
- Static / non-IP-aware applications

...and Not All Cloud vendors are alike
- Lots of different Cloud vendors
- Different technologies
- Different niches
- Different levels of security
Top Security Concerns with the Cloud
- Physical security: guns, guards, and dogs
- Multi-tenancy
- Inability to audit
- Lack of visibility into physical infrastructure
- Security of the data:
  - preventing data loss
  - who has access to my data
  - encryption to meet GRC & standards
  - what happens to the data when I leave
- Vulnerability review of systems, applications, etc.
Critical Security Areas
- Architecture: some clouds are based on VMware, others on Citrix Xen, others on ???? The hypervisor platform is a key criterion for security and for how the environment can be secured.
- Security: you can't add on security afterwards.
- Location: where is my data?
11 Key Characteristics of a Secure Cloud Architecture
1. Isolation: RAM, processor, and storage are logically separated
2. Dedicated Resources: the resources provided to the client are dedicated, and no one may interfere with or affect another's performance
3. VLAN and Segmentation: private VLANs segregate customer networks, DMZ, and INT
4. IP Addresses: dedicated IP addresses for both public and private
5. NAT: support of NAT to RFC1918 non-routable IP address space
6. Secure VPN Connection: access to the VMs through VPN
7. Administrative Access: access to OS instances maintained by the client
8. Authentication: two-factor authentication, with even more robust options available
9. Role-Based Access: RBAC and granular control of logging, turn-up/down of OSs, and auditor read-only access
10. Secure Web Console: access console portal encrypted in transit via SSL or greater
11. VM Administration: virtual machines are managed by the client
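To make the checklist above concrete, here is an added example (not from the presentation) that evaluates a tenant's network and access plan against characteristics 3, 4, 5, 6, 8 and 10. The tenant record layout and the sample tenants are constructed for this example.

```python
# Added example, not part of the original slides: score a cloud tenant's plan
# against several of the 11 characteristics (3 VLAN segmentation, 4 dedicated
# IPs, 5 RFC1918 NAT space, 6 VPN-only VM access, 8 two-factor auth,
# 10 encrypted web console). The tenant record format is assumed.
import ipaddress
from typing import Dict, List

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_tenant(tenant: dict, all_tenants: List[dict]) -> List[str]:
    """Return findings for one tenant; an empty list means it passes."""
    findings = []
    others = [t for t in all_tenants if t["name"] != tenant["name"]]
    # 3. Private VLANs: a VLAN id must not be shared with another customer.
    for vlan in tenant["vlans"]:
        if any(vlan in t["vlans"] for t in others):
            findings.append(f"VLAN {vlan} shared with another tenant")
    # 4. Dedicated addresses: no public or private IP reused by another tenant.
    for ip in tenant["public_ips"] + tenant["private_ips"]:
        if any(ip in t["public_ips"] + t["private_ips"] for t in others):
            findings.append(f"address {ip} also assigned to another tenant")
    # 5. NAT to RFC1918: every private address must be in non-routable space
    #    (catches e.g. 100.64.0.0/10 CGNAT space, which is not RFC1918).
    for ip in tenant["private_ips"]:
        if not any(ipaddress.ip_address(ip) in net for net in RFC1918):
            findings.append(f"private address {ip} is not RFC1918 space")
    # 6. VMs reachable only through the VPN.
    if tenant["vm_access"] != "vpn":
        findings.append(f"VM access via '{tenant['vm_access']}' rather than VPN")
    # 8. Two-factor authentication enabled for the tenant.
    if not tenant["mfa"]:
        findings.append("two-factor authentication not enabled")
    # 10. Web console encrypted in transit.
    if not tenant["console_url"].lower().startswith("https://"):
        findings.append("web console not served over TLS")
    return findings


TENANTS = [  # constructed sample data: the two tenants collide on VLAN 101 and one IP
    {"name": "acme", "vlans": [101], "public_ips": ["203.0.113.10"],
     "private_ips": ["10.1.0.5"], "vm_access": "vpn", "mfa": True,
     "console_url": "https://console.example/acme"},
    {"name": "globex", "vlans": [101, 102], "public_ips": ["203.0.113.10"],
     "private_ips": ["100.64.0.9"], "vm_access": "ssh-public", "mfa": False,
     "console_url": "http://console.example/globex"},
]


def report() -> Dict[str, List[str]]:
    """Findings per tenant across the whole environment."""
    return {t["name"]: check_tenant(t, TENANTS) for t in TENANTS}
```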
Governance & Compliance
Governance:
- Are changes logged?
- Reporting on roles and separation of duties?
- Security monitoring of the cloud environment and incidents?
- Patch management?
Compliance:
- PCI DSS Level I
- SAS-70 Type II (SSAE-16)
- FIPS
- FISMA
- Safe Harbor
- ISO 27001

Look at Additional / Available Security Services
- Integrated Multi-Factor Authentication
- Log Aggregation
- Security Information and Event Monitoring (SIEM)
- Intrusion Detection (IDS)
- Secure OS Builds
- Database Access Monitoring
- Application Log Monitoring and Management
- VPN Solutions
- Professional Security Services: GRC audit and assessment, SOC / NOC, vulnerabilities, forensics
Cloud...MORE secure than a private datacenter?

Private DC                     | Cloud
-------------------------------|-------------------------------
1 customer                     | 1,000 customers
1, maybe 2, carriers           | 10-200 carriers
pays all the overhead          | divide cost / 1,000
pays 100% of security          | 1,000 x Security
Intrusion = a disruption       | Intrusion = end of business
Security Support
- Ask if support is available, and at what cost.
- Is 24x7 phone support available?
- Support can run 10-20% of usage, and much of the time it is geared toward technically knowledgeable, expert users.

My Recommendations to You
- Cloud is here and it won't go away
- Determine how you want to use Cloud
- Establish clear security policies for the use of Cloud, and enforce them
- Establish strong SLAs
- Don't be afraid of working with more than one Cloud company
- Start out slow; move ahead based on success
Brian Grayek
Brian.Grayek@Verizon.com
https://www.linkedin.com/in/briangrayek