How to procure a secure cloud service. Dr Giles Hogben, European Network and Information Security Agency
Security in the cloud contracting lifecycle: Can cloud meet your security requirements?; Choose the provider that meets security requirements; Set up the contract/SLA; Fulfilling your responsibilities for security; Managing the contract
[Figure: Traditional IT investment. Series: resources used/purchased, investment in infrastructure, wasted investment, demand for infrastructure. X-axis: years 2010 to 2019.]
[Figure: Cloud IT investment. Series: resources used/purchased, investment in infrastructure, demand for infrastructure. X-axis: years 2010 to 2019.]
=> Shared resources: hardware, database, memory, etc. Like buying a hotel room or booking an aircraft.
Implications for security
=> Economies of scale and security: All kinds of security measures are cheaper when implemented on a larger scale (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc.). The same amount of investment in security buys better protection. Key question: Is your current setup really better from a security standpoint?
But.
=> Very high value assets: Most risks are not new, but they are amplified by resource concentration: the asset values are high. o Trustworthiness of insiders. o Hypervisors: hypervisor-layer attacks on virtual machines are very attractive. o More data in transit (without encryption?) o Management interfaces: big juicy targets
=> Co-tenancy and isolation failure o Like a hotel, you may be able to hear your neighbours if the walls are not well insulated: Storage (e.g. side-channel attacks), see http://bit.ly/12h5yh; Virtual machines; Entropy pools (http://bit.ly/41siin); Resource use (e.g. bandwidth)
=> Lock-in: Few tools, procedures or standard formats for data and service portability. Difficult to migrate from one provider to another (or take your data back home). You went into cloud to store massive amounts of data cheaply: keeping a copy at home defeats the object?
=> Loss of governance: The client cedes control to the provider; Security measures (crocodiles vs electric fences); Limited information available about incidents; Outsource or subcontract services to third parties (fourth parties?)
"Just encrypt your data in the cloud and you don't have to worry about a thing"? Unfortunately not... Practical processing operations on encrypted data are not possible.
Legal and contractual risks: Lack of compliance with EU Data Protection Directive; Difficult for the customer (data controller) to check the security of data handling practices of the provider; Subpoena and e-discovery; Risk allocation and limitation of liability; Intellectual property
ENISA Cloud Assurance Framework: A minimum baseline for: comparing cloud offers; assessing the risk to go cloud. Includes legal and contractual considerations (also to reduce audit burden on cloud providers). http://is.gd/ptiyit
CSA Controls Matrix: http://is.gd/8cgwwn
Contract hints: Get a security expert to review the contract terms; Check existing certifications (ISO, PCI, etc.); If you have enough bargaining muscle, get some security clauses in the contract/SLA, otherwise choose the contract which is most secure
Contract hints: Availability: well defined (reachability, response time, functional), defined over a shorter period (per week); Scalability (e.g. max number of instances available per customer per day); Time to provision; Authentication levels (e.g. NIST levels); CSA/ENISA controls
Somebody else's problem (SEP) syndrome: "Appirio Cloud Storage fully encrypts each piece of data as it passes from your computer to the Amazon S3 store. Once there, it is protected by the same strong security mechanisms that protect thousands of customers using Amazon's services"
Amazon AWS ToS o YOU ARE SOLELY RESPONSIBLE FOR APPLYING APPROPRIATE SECURITY MEASURES TO YOUR DATA, INCLUDING ENCRYPTING SENSITIVE DATA. o You are personally responsible for all Applications running on and traffic originating from the instances you initiate within Amazon EC2. As such, you should protect your authentication keys and security credentials. Actions taken using your credentials shall be deemed to be actions taken by you.
Customer side of the bargain (IaaS): Encrypt at rest and in motion; Look after your keys and credentials; Identity management; Guest security platform; Compliance with data protection law
Customer side of the bargain (IaaS): Design for failure; Redundant implementation; Geographical; Performance and incident monitoring; Decouple; Parallelise; Use distributed queues etc.; Use REST
How SmugMug survived the Amazon outage: Redundancy: multiple availability zones; Design for failure: any instance can fail; Design for the reliability of individual components, e.g. don't use temporary storage methods for permanent storage; Not completely cloud. http://don.blogs.smugmug.com/2011/04/24/how-smugmug-survived-the-amazonpocalypse/
Customer side of the bargain: PaaS: Credential management; Encryption; System staging; Compliance with data protection law. SaaS: Credential management; Encryption and key management for selected data; Compliance with data protection law
Monitoring and Enforcement: Penalties; SLRs: you need something to monitor => SP should ideally report: Availability; Incidents (reported within a defined time frame); Recovery time; Security metrics (e.g. intrusions blocked)
Monitoring and Enforcement: Testing: Availability (using probes and samples for instance); Penetration tests; Failover and backup tests; Data portability; Load testing; Unit tests
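An added example (not from the original slides) of customer-side availability testing with probes, using the contract hints above: availability defined by reachability, response time and function, and measured per week. The 99.9% target, the 2000 ms limit and the probe records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SLA_TARGET = 0.999        # assumed contractual target, not from the slides
MAX_RESPONSE_MS = 2000    # assumed response-time limit, not from the slides

def probe_ok(p):
    """Available only if reachable, fast enough and functionally correct."""
    return p["reachable"] and p["functional"] and p["response_ms"] <= MAX_RESPONSE_MS

def availability(probes, ok=probe_ok):
    """Fraction of probes that satisfy the given availability definition."""
    return sum(1 for p in probes if ok(p)) / len(probes)

def weekly_availability(probes):
    """Availability per ISO (year, week), the shorter measurement window."""
    weeks = defaultdict(list)
    for p in probes:
        year, week, _ = p["ts"].isocalendar()
        weeks[(year, week)].append(p)
    return {w: availability(ps) for w, ps in sorted(weeks.items())}

def breached_weeks(probes, target=SLA_TARGET):
    return [w for w, a in weekly_availability(probes).items() if a < target]

def constructed_probes():
    """Constructed sample: a probe every 5 minutes for 52 weeks, one 6-hour incident."""
    start = datetime(2018, 1, 1)                 # a Monday, ISO week 1
    incident = datetime(2018, 3, 6, 9, 0)        # falls in ISO week 10
    probes = []
    for i in range(52 * 7 * 288):                # 288 probes per day
        ts = start + timedelta(minutes=5 * i)
        p = {"ts": ts, "reachable": True, "functional": True, "response_ms": 180}
        if incident <= ts < incident + timedelta(hours=3):
            p["functional"] = False              # answers, but returns errors
        elif incident + timedelta(hours=3) <= ts < incident + timedelta(hours=6):
            p["response_ms"] = 9000              # answers, but far too slowly
        probes.append(p)
    return probes

if __name__ == "__main__":
    probes = constructed_probes()
    print("reachability only:", availability(probes, ok=lambda p: p["reachable"]))
    print("whole period     :", round(availability(probes), 6))
    print("breached weeks   :", breached_weeks(probes))
```

In this constructed data a reachability-only definition reports no outage and the 52-week figure still meets the target, while the per-week figure for the incident week does not.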
ENISA Deliverables and Ongoing Activities: Cloud Computing: Benefits, Risks and Recommendations for Information Security (2009) http://is.gd/cem9h; Assurance framework (2009) http://is.gd/cnp9v0; Gov-Cloud security and resilience analysis (2010) http://is.gd/0m4pfi
Questions? Giles Hogben (giles.hogben@enisa.europa.eu), Secure applications and services, ENISA https:///act/application security