Cloud Security & Risk Management PRESENTATION AT THE OPEN GROUP CONFERENCE




Cloud Security & Risk Management
Presentation at The Open Group Conference, March 2011
Varad G. Varadarajan, Enterprise Architecture CoE, Cognizant Technology Solutions
For details please email: varadg.varadarajan@cognizant.com

Agenda
- The advantages and disadvantages of cloud computing
- Choosing the right cloud model
- Migrating to the cloud: a security perspective
- Assessing the risks of service providers
- Top security domains
- Risk mitigation strategies

Cloud Security: The Pros and Cons

Ready to move to the cloud?
- Increased risks? Lowered costs?
- Moving to the cloud offers both benefits and risks!
- Conflict of interest between provider and consumer

Visual Model of Cloud Computing (Source: NIST)
- Characteristics: Broad Network Access, Rapid Elasticity, Measured Service, On Demand Self Service, Resource Pooling
- Service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
- Deployment models: Public, Private, Community, Hybrid

Security benefits in cloud computing
- Risk transfer through contractual obligation
- Market differentiation
- Lowers cost of security
- Improves availability
- Simplifies governance
- Managed security: client relies on established processes for BCP/DRP, incident response, patch management, anti-virus

But, are we really secure?
- Diminished control (standard APIs)
- Vendor lock-in
- Provider's architecture can be a black box
- Difficult to access log files
- Compliance violations and service outages
- Data crossing trust boundaries
- Data loss or leakage
- Increased attack surface
- Loss of reputation or erosion of trust
- What about rogue clouds?

Risks from Multi-tenancy & Virtualization
- Cost
- Hypervisor escape
- Malicious clients
- Opacity to traditional controls
Chart: risk against degree of multitenancy / virtualization (low to high) for Data Elements, Table, Database, Application, Virtual Server, Physical Server and Data Center.

Risk in Federated Clouds
- Data exchanged between cloud applications in a supply chain (Service A, Service B, Service C, each running Federated Identity Software (FIS))
- Sensitive data crossing trust boundaries to accommodate a spike in demand? (Cloudburst)
- Enterprise need: federated identity solution (SAML)
- Data crossing trust boundaries: encrypt data in transit

- Clients need to do an in-depth assessment of the providers with respect to security, governance, risk and compliance
- Choosing the right model involves a trade-off between the perceived benefits vs. perceived risks (risk appetite)

Choosing the right model

Which deployment model is right? (Source: ENISA 2009)
Public:
- Who owns the infrastructure? Third party
- Who manages the infrastructure? Third party
- Where is the infrastructure located? Off premise
- Who accesses and consumes the data/applications? All (un-trusted)
Private:
- Who owns the infrastructure? Organization
- Who manages the infrastructure? Organization or third party
- Where is the infrastructure located? On premise or off premise
- Who accesses and consumes the data/applications? Organization (trusted)
Partner (Community):
- Who owns the infrastructure? Organization
- Who manages the infrastructure? Organization or third party
- Where is the infrastructure located? On premise or off premise
- Who accesses and consumes the data/applications? Organization and partners (trusted)
Hybrid:
- Who owns the infrastructure? Both organization and third party
- Who manages the infrastructure? Both organization and third party
- Where is the infrastructure located? Both on premise and off premise
- Who accesses and consumes the data/applications? Trusted and un-trusted
Chart: liability, cost and assurance (scale 100 / 50 / 0) across Public, Partner, Private and Non-Cloud.

Which service model is right for me? (Source: CSA Guide)
Stack layers, top to bottom: Presentation, APIs, Applications, Data, Metadata, Content, Integration & Middleware, APIs, Core Connectivity & Delivery, Abstraction, Hardware, Facilities
Who secures each layer group:
- IaaS: apps security - client; platform security - client; infra security - provider
- PaaS: apps security - client; platform security - provider; infra security - provider
- SaaS: apps security - provider; platform security - provider; infra security - provider
Notes:
- Responsibility of securing the underlying infrastructure and abstraction layers rests with the provider
- Securing the platform falls onto the provider, while securing the apps developed on the platform falls on the client
- Security controls and scope are negotiated into the service contract: service levels, compliance, privacy etc.

The Cloud Cube (Source: Jericho Forum)
- Internal or external? (Where is it deployed?)
- Proprietary or open? (What is the tech stack?)
- Perimeterized or non-perimeterized?
- Each permutation / combination has a different security risk profile
Examples:
- Outsourced: LAMP stack, Amazon EC2, global access
- Insourced: custom apps stack for multiple B.Us, using Eucalyptus under corporation control, deployed within the company

A wide spectrum of service providers
Categories: Storage (IaaS), Compute (IaaS), Compute Software, Database, PaaS, SaaS (CRM)
Providers listed: Amazon S3, Amazon EC2, Globus, Apache CouchDB, Google App Engine, SalesForce.com, Mosso Cloud Files, Elastra, Hadoop, Amazon SimpleDB / RDS, Microsoft Azure, MS Dynamics, Nirvanix, AppNexus, Sun Grid Engine, Microsoft Sql Azure, Force.com, Oracle On Demand, Box.net, Eucalyptus (Compute), GridGain, Google Big Query, Eteios, Zoho, Eucalyptus (Storage), DAC, Eucalyptus (MySQL), RightNow, Oracle Coherence, Responsys

Migrating to the cloud: A security perspective

Migrating to the cloud: a 5 step model to manage risks [AMPRC]
1. SELECT ASSETS: What are the assets that can be moved to the cloud? Select data, applications, processes, functions
2. SELECT MODELS: What are the deployment / service models? IaaS, PaaS, SaaS; Private, Partner, Public; External/Internal; Proprietary/Open; Perimeterized/Non-perimeterized
3. SELECT SERVICE PROVIDERS: Who are the service providers who will fit the requirements? Select the right model, service provider and SLAs
4. EVALUATE RISKS: What are the risks of each service provider? Create threat models; use checklists, questionnaires, heat maps
5. SET UP CONTRACTS: Negotiate / renegotiate contracts, ensure risk mitigation strategies are in place, evaluate residual risk

Create scenarios and threat models (area affected: C = Confidentiality, I = Integrity, A = Availability)
- What types of attacks can be launched by insiders (within provider)? C/I
- What types of attacks can be launched by outsiders? C/I
- How will the architecture scale to thousands of users and millions of transactions? A
- Will information cross trust boundaries (private to public to partner etc.)? C
- What events can cause service disruption from the provider? A
- In what ways can hackers gain control of data at rest or in transit? I
- How do we test if the provider is compliant with all regulations? CIA

Risk Assessment

How do we assess the risks?
- A client must assess the risks/benefits through questions and check-lists
- Risks must be rated using overall impact and likelihood of occurrence
- Heat maps will help identify the critical risks
- Once identified, risk mitigation strategies might be worked out with the vendor

How do we compare risks?
Chart: probability (0 to 1.0) against impact ($0 to $1 MM). A low impact, high probability risk sits near probability 1.0; a high impact, low probability risk sits in the fat tail near probability 0.25. Which is more serious?

Probability of Occurrence Scoring Table
- Almost Certain (0.8 to 1.0): Definite, one or more impacts expected within one year
- Likely (0.6 to 0.8): Likely, one or more impacts expected within one year
- Moderate (0.4 to 0.6): Likely, one or more impacts expected within two to three years
- Unlikely (0.2 to 0.4): Probable, impact expected within two to three years
- Rare (0.0 to 0.2): Not probable, impact not expected to occur within three years

Impact Scoring Tables (Source: OWASP)
Technical impact (min score 0, max score 1):
- Loss of confidentiality: How much data could be disclosed and how sensitive is it?
- Loss of integrity: How much data could be corrupted and how damaged is it?
- Loss of availability: How much service could be lost and how vital is it?
- Loss of accountability: Are the threat agents' actions traceable to an individual?
Business impact (min score 0, max score 1):
- Financial damage: How much financial damage will result from an exploit?
- Reputation damage: Would an exploit result in reputation damage that would harm the business?
- Non-compliance: How much exposure does non-compliance introduce?
- Privacy violation: How much personally identifiable information could be disclosed?
Normalized total score: 0 to 1

Sample Risk Heat Map
Chart: probability of occurrence score (0.0 to 1.0; Rare, Unlikely, Moderate, Likely, Almost Certain) against impact score (0.0 to 1.0; Negligible, Low, Med, Very High, Extreme); each cell shows the number of risks with that rating.
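The rating procedure of the last three slides (probability band, OWASP impact factors, heat-map cell) carried through in code, as an added example that is not part of the original presentation. The band boundaries and factor names come from the slides; the three sample risks and their scores are constructed for illustration.

```python
from dataclasses import dataclass

# Probability of occurrence bands from the deck's scoring table: (lower bound, label).
PROBABILITY_BANDS = [(0.8, "Almost Certain"), (0.6, "Likely"), (0.4, "Moderate"),
                     (0.2, "Unlikely"), (0.0, "Rare")]
# Impact axis labels of the sample heat map: (lower bound, label).
IMPACT_BANDS = [(0.8, "Extreme"), (0.6, "Very High"), (0.4, "Med"),
                (0.2, "Low"), (0.0, "Negligible")]
# The eight OWASP impact factors of the impact scoring tables, each scored 0..1.
TECHNICAL_FACTORS = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS_FACTORS = ("financial", "reputation", "non_compliance", "privacy")

@dataclass
class Risk:
    name: str
    probability: float  # 0..1, placed with the probability scoring table
    technical: dict     # technical factor -> 0..1
    business: dict      # business factor -> 0..1

def band(score, bands):
    """Map a 0..1 score to the first band whose lower bound it reaches."""
    if not 0.0 <= score <= 1.0:
        raise ValueError(f"score {score} outside 0..1")
    for lower, label in bands:
        if score >= lower:
            return label
    return bands[-1][1]

def impact_score(risk):
    """Normalised total impact (0..1): mean of the eight factors, unscored = 0."""
    scores = [risk.technical.get(f, 0.0) for f in TECHNICAL_FACTORS]
    scores += [risk.business.get(f, 0.0) for f in BUSINESS_FACTORS]
    return sum(scores) / len(scores)

def rate(risk):
    """Return (probability band, impact band, probability x impact). The product
    is the expected-loss measure behind the deck's 'which is more serious'
    question: a fat-tail risk with high impact and low probability against a
    risk with low impact and high probability."""
    imp = impact_score(risk)
    return (band(risk.probability, PROBABILITY_BANDS), band(imp, IMPACT_BANDS),
            risk.probability * imp)

def heat_map(risks):
    """Count risks per (probability band, impact band) cell, like the sample heat map."""
    cells = {}
    for r in risks:
        p, i, _ = rate(r)
        cells[(p, i)] = cells.get((p, i), 0) + 1
    return cells

# Constructed sample risks named after the deck's risk lists; scores are illustrative.
SAMPLE_RISKS = [
    Risk("Isolation failure / hypervisor escape", 0.1,
         {"confidentiality": 0.9, "integrity": 0.9, "availability": 0.7, "accountability": 0.6},
         {"financial": 0.8, "reputation": 0.9, "non_compliance": 0.7, "privacy": 1.0}),
    Risk("Intercepting data in transit on upload", 0.5,
         {"confidentiality": 0.6, "integrity": 0.2, "availability": 0.0, "accountability": 0.3},
         {"financial": 0.3, "reputation": 0.5, "non_compliance": 0.6, "privacy": 0.8}),
    Risk("Resource exhaustion from under-provisioning", 0.9,
         {"confidentiality": 0.0, "integrity": 0.0, "availability": 0.5, "accountability": 0.0},
         {"financial": 0.2, "reputation": 0.2, "non_compliance": 0.0, "privacy": 0.0}),
]
```

Running `rate()` over `SAMPLE_RISKS` shows why the slide asks which risk is more serious: the rare hypervisor escape lands in the Extreme impact column, yet by probability times impact the almost-certain resource exhaustion scores higher.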

Top Security Domains

Important Security Domains
- Multi-factor, federated identity, provisioning, deprovisioning
- Multitenancy risk, hypervisor vulnerabilities
- Risk identification, analysis, evaluation, treatment, monitor and review
- Security breach disclosure laws, regulatory, privacy, international laws
- Algorithm, key length, key management
- Regulations (SOX, HIPAA), data privacy, electronic discovery, incident response
- SDLC, binary analysis, scanners, web app firewalls, transactional security
- Data storage, use, archival, destruction
- Incident response, notification and remediation
- Interoperability and movement of data between different service providers
- External perimeter, structural internal barriers, access control, surveillance, power backup, fire
- Business impact analysis, plan, redundancy, backup, archival

Cloud Controls Matrix for Compliance (Source: CSA)
List of controls:
- Compliance - Independent Audits
- Data Governance - Retention
- Data Governance - Secure Disposal
- Data Governance - Risk Assessments
- Facility Security
- Information Security - Policy
- Information Security - Baseline Requirements
- Information Security - Encryption
- Information Security - Incident Management
- Information Security - Incident Reporting
- Information Security - Reporting
- Security Architecture - Network Security
- Security Architecture - Segmentation
- Security Architecture - Audit Logging
Each control is mapped against: delivery model (IaaS, PaaS, SaaS); scope (service provider, tenant); compliance framework (COBIT, HIPAA, ISO/IEC 27001:2005, NIST, PCI DSS, GAPP)

Access Control
- Does the provider have standardized mechanisms for authentication, authorization and access control?
- Are there robust password policies?
- Is there support for two-factor authentication?
- Is there support for federated identity management?
- How are users provisioned and de-provisioned?

Application Security
- Is security part of the SDLC process? (Esp. for SaaS / PaaS providers)
- Are standard vulnerabilities being addressed? Buffer overflows, SQL injection, cross-site scripting
- Are cloud-specific security issues addressed? Multi-tenancy introduces new attack vectors such as cross-site scripting, cross-site request forgery and hypervisor escape
- Developing an application for internal or stand-alone use is not the same as developing for the cloud
- Are all network communications encrypted? Synchronous: SSL / IPSec; asynchronous: encryption of messages with key management
- Do applications log all intrusion attempts?

Encryption and Key Management
- Does the service provider encrypt all data, whether at rest or in motion?
- Multi-tenanted architecture makes it easy for data to be leaked unless all data at rest is encrypted
- Encrypting databases is of no use if SQL injection attacks exist
- Does the customer have a say in the encryption algorithm, key length and key management process?
- Is the key management process simple to understand?
- If the customer encrypts data, then the data will become opaque to the provider and no value-added service can be built on it

Architecture
- Is data crossing trust boundaries? Is data being passed from private to public cloud regularly or through cloud bursts to accommodate spikes?
- Are there specific safeguards at such boundaries? Enforcement of intrusion detection / prevention, deep packet inspection, limiting DDoS attacks etc.
- Are the platforms hardened? Appropriate patches, up-to-date anti-virus software and locking down of unnecessary services?
- Virtualization has benefits and risks: cleaner isolation, reduced attack surface, automated deployment; virtual interfaces opaque to traditional network security controls; patch management is more challenging in a virtual environment

Compliance
- Is the service provider compliant with all the major regulations for my business? SOX, HIPAA, GLBA, Basel II
- Where will my data be stored? Are there legal restrictions on data going outside the country?
- Safe Harbor Principles: companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive equivalent levels of protection.
- Are there procedures to destroy the data when no longer needed? (Even if encrypted)
- Does the provider keep adequate records in the event of litigation?
- Is the data being backed up regularly and available / searchable?
- Does the provider operate a Security Operations Center (SOC) to provide incident management and response in the event of a breach?
- Private cloud: is there an authorization process to keep track of provisioning / deprovisioning new servers, users etc.?

Risk Mitigation Strategies

Risk Mitigation Strategies
- Deploy additional security wherever needed: encryption, firewalls, Intrusion Detection (IDS), Data Loss Prevention (DLP)
- Supplementary backup
- Multi-sourcing
- Insurance, penalties and indemnities
- Provider negotiation
- Set extensive monitoring goals (KPIs)
- Has the provider been audited? SAS 70 Type II, ISO/IEC 27001:2005
- Are you managing residual risks?

Summary
- Moving to the cloud has both risks and benefits
- Conflict of interest between provider and consumer
- Do your homework thoroughly before moving your data or assets
- Use a standard process to evaluate risks across service providers
- Ensure maximum coverage through SLAs, indemnity clauses and other contracts
- Useful sources: ENISA, Cloud Security Alliance

Thank You
2010, Cognizant Technology Solutions. Private & Confidential

Approaches to extending the perimeter
1. Extending the enterprise into the cloud
- Description: the enterprise will set up an IPSec VPN connection to a server located on the cloud
- Benefits: cloud servers are effectively inside the perimeter, so all the services within the enterprise will extend to the application in the cloud (e.g. Active Directory)
- Disadvantages: viruses can propagate from the cloud into your enterprise
2. Extending the cloud into the enterprise
- Description: a cloud service provider will set up and run the service inside the enterprise (e.g. an email service run by a service provider within the enterprise)
- Benefits: a managed service set up inside your data center and run by the provider
- Disadvantages: the cloud provider will have access to the enterprise's data and applications, and must be trusted

Policy and Organizational Risks
- Lock-in
- Loss of governance
- Compliance challenges
- Loss of business reputation due to co-tenant activities
- Cloud service termination or failure
- Cloud provider acquisition
- Supply chain failure

Technical Risks
- Resource exhaustion (under or over provisioning)
- Isolation failure
- Malicious insider inside the cloud provider
- Management interface compromise (manipulation, availability of infrastructure)
- Intercepting data in transit
- Data leakage on upload/download, intra-cloud
- Insecure or ineffective deletion of data
- Distributed Denial of Service (DDoS)
- Economic Denial of Service (EDoS)
- Loss of encryption keys
- Undertaking malicious probes or scans
- Service engine compromise
- Conflicts between customer hardening procedures and the cloud environment

Legal Risks