Assessing Risks in the Cloud

Similar documents
Cloud Security Alliance: Industry Efforts to Secure Cloud Computing

Securing The Cloud. Foundational Best Practices For Securing Cloud Computing. Scott Clark. Insert presenter logo here on slide master

Cloud Security considerations for business adoption. Ricci IEONG CSA-HK&M Chapter

Global Efforts to Secure Cloud Computing. Jason Witty President, Cloud Security Alliance Chicago

Security Issues in Cloud Computing

Securing The Cloud With Confidence. Opinion Piece

TOOLS and BEST PRACTICES

Cloud Computing Governance & Security. Security Risks in the Cloud

Building an Effec.ve Cloud Security Program

Cloud Computing Security Issues

The Magical Cloud. Lennart Franked. Department for Information and Communicationsystems (ICS), Mid Sweden University, Sundsvall.

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

CLOUD STORAGE SECURITY INTRODUCTION. Gordon Arnold, IBM

Cloud Computing Business, Technology & Security. Subra Kumaraswamy Director, Security Architecture, ebay

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Cloud Security. DLT Solutions LLC June #DLTCloud

GRC Stack Research Sponsorship

Orchestrating the New Paradigm Cloud Assurance

How To Secure Cloud Computing

Cloud Services Overview

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

What Cloud computing means in real life

Cloud Security. Nantawan Wongkachonkitti Electronic Government Agency, Thailand Cloud Security Alliance, Thailand Chapter October 2014

Cloud Courses Description

How To Protect Your Cloud From Attack

Purpose. Service Model SaaS (Applications) PaaS (APIs) IaaS (Virtualization) Use Case 1: Public Use Case 2: Use Case 3: Public.

Top 10 Cloud Risks That Will Keep You Awake at Night

Addressing Cloud Computing Security Considerations

Cloud Channel Summit #RCCS15

Building an Effective

Cloud Computing: Risks and Auditing

RMS. Privacy Policy for RMS Hosting Plus and RMS(one) Guiding Principles

Cloud Security and Managing Use Risks

Security & Trust in the Cloud

Cloud Courses Description

Cloud Computing: Legal Risks and Best Practices

Cloud Essentials for Architects using OpenStack

Managing Cloud Computing Risk

Cloud computing: benefits, risks and recommendations for information security

STORAGE SECURITY TUTORIAL With a focus on Cloud Storage. Gordon Arnold, IBM

Key Considerations of Regulatory Compliance in the Public Cloud

John Essner, CISO Office of Information Technology State of New Jersey

A view from the Cloud Security Alliance peephole

Concurrent Technologies Corporation (CTC) is an independent, nonprofit, applied scientific research and development professional services

Capturing the New Frontier:

Cloud Computing: What needs to Be Validated and Qualified. Ivan Soto

A HYPE-FREE STROLL THROUGH CLOUD STORAGE SECURITY

Open Certification Framework. Vision Statement

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

A Comparison of IT Governance & Control Frameworks in Cloud Computing. Jack D. Becker ITDS Department, UNT & Elana Bailey

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Securing and Auditing Cloud Computing. Jason Alexander Chief Information Security Officer

RE Think. IT & Business. Invent. IBM SmartCloud Security. Dr. Khaled Negm, SMIEEE, ACM Fellow IBM SW Global Competency Center Leader GCC

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Are You Prepared for the Cloud? Nick Kael Principal Security Strategist Symantec

Cloud Security Implications for Financial Institutions By Scott Galyk Director of Software Development FIMAC Solutions, LLC

Adopting Cloud Computing with a RISK Mitigation Strategy

How To Protect Your Cloud Computing Resources From Attack

Cloud Computing Standards: Overview and ITU-T positioning

Clouds on the Horizon Cloud Security in Today s DoD Environment. Bill Musson Security Analyst

Cloud-Security: Show-Stopper or Enabling Technology?

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

SECURE CLOUD COMPUTING

Cloud Computing: Background, Risks and Audit Recommendations

D. L. Corbet & Assoc., LLC

Wrapping Audit Arms around the Cloud Georgia 2013 Conference for College and University Auditors

How to ensure control and security when moving to SaaS/cloud applications

Future of Cloud Computing. Irena Bojanova, Ph.D. UMUC, NIST

Security Issues in Cloud Computing

CLOUD COMPUTING SECURITY ISSUES

Public Cloud Security: Surviving in a Hostile Multitenant Environment

IBM Cloud Security Draft for Discussion September 12, IBM Corporation

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Security Controls What Works. Southside Virginia Community College: Security Awareness

Emerging Approaches in a Cloud-Connected Enterprise: Containers and Microservices

INTRODUCTION TO CLOUD COMPUTING CEN483 PARALLEL AND DISTRIBUTED SYSTEMS

Transcription:

Assessing Risks in the Cloud Jim Reavis Executive Director Cloud Security Alliance

Agenda Definitions of Cloud & Cloud Usage Key Cloud Risks About CSA CSA Guidance approach to Addressing Risks Research Priorities

Cloud: Dawn of a New Age Art Coviello the most overhyped, underestimated phenomenon since the Internet Compute as a utility Changes everything: Business models, venture capital, R&D,

What is Cloud Computing? Compute as a utility: Third major era of computing Cloud enabled by Moore s Law Hyperconnectivity SOA Provider scale Key characteristics Elastic & on-demand Multi-tenancy Metered service Disrupts Everything!

2011-2014: the Hybrid Enterprise public clouds private clouds Extended Virtual Data Center Dispersal of applications Dispersal of data Dispersal of users Dispersal of endpoint devices cloud of users Notional organizational boundary

Key Cloud Security Problems of Today From CSA Top Threats Research: Trust: Lack of Provider transparency, impacts Governance, Risk Management, Compliance Data: Leakage, Loss or Storage in unfriendly geography Insecure Cloud software Malicious use of Cloud services Account/Service Hijacking Malicious Insiders Cloud-specific Attacks

Key Problems of Tomorrow Globally compatible legislation and policy Compatible private & public clouds Real-time risk management & compliance Identity management Responding to security incidents

Cloud: Reset Security Industry Critical mass of separation between data owners and data processors Cloud customers retain governance responsibility Physical controls must be replaced by virtual controls Opportunity to make security better Requires broad stakeholder perspective Must build the cloud security ecosystem

About the CSA Global, not-for-profit organization 15,000 individual members, 80 corporate members Building best practices and a trusted cloud ecosystem Agile philosophy, rapid development of applied research GRC: Balance compliance with risk management Reference models: Build using existing standards Identity: A key foundation of a functioning cloud economy Champion interoperability Advocacy of prudent public policy To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

Operating in the Cloud CSA Guidance Research Cloud Architecture Governance and Enterprise Risk Management Legal and Electronic Discovery Popular best practices for securing cloud computing 13 Domains of concern governing & operating groupings Key to assessing and mitigating risks Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization Governing the Cloud Guidance > 200k downloads: cloudsecurityalliance.org/guidance

Governance and ERM A portion of cloud cost savings must be invested into provider scrutiny Third party transparency of cloud provider Supply chain view of cloud provider s services Financial viability of cloud provider Understand provider s key risk & performance indicators and how to monitor More holistic view of provider s business compared to software companies

Legal & ediscovery 3 Interdependent Dimensions: Functional, Jurisdictional, Contractual Distinction from outsourcing: Transient service, anonymity of provider and geography Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer Secondary uses of data Gain a clear expectation of the cloud provider s role and response to legal requests for information Understand logging capabilities and metadata

Compliance & Audit Classify data and systems to understand compliance requirements Cross border data transfers Maintain a right to audit on demand Auditor qualifications Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X Continuous monitoring

Information Lifecycle Management Data security lifecycle Create Store Use Share Archive Destroy Data remanence or persistence Commingling data with other customers Backup and recovery schemes Data discovery Data aggregation and inference

Portability and Interoperability Understand and implement layers of abstraction For PaaS, data should be portable. Careful architecture should be followed to minimize potential lock-in for the customer s application. Loose coupling using SOA principles For IaaS, data and applications should be portable For SaaS, focus is data portability and maintaining application feature requirements Advocate open standards Third-party cloud intermediaries and brokering

Traditional, BCM/DR Greatest concern is insider threat Cloud providers should adopt as a security baseline the most stringent requirements of any customer Compartmentalization of job duties and limit knowledge of customers Inspect cloud provider disaster recovery and business continuity plans

Data Center Operations Know cloud provider s other clients to assess their impact on you Understand how resource sharing occurs within your cloud provider to understand impact during your business fluctuations For IaaS and PaaS, the cloud provider s patch management policies and procedures have significant impact Cloud provider s technology architecture may use new and unproven methods for failover

Incident Response Any data classified as private for the purpose of data breach regulations should always be encrypted to reduce the consequences of a breach incident. Logging: Cloud providers need application layer logging frameworks to provide granular narrowing of incidents to a specific customer. Standard and comprehensive logs Cloud providers and customers need defined collaboration for incident response. Snapshots of entire virtual environment Go back to known good state

Application Security For IaaS, need trusted virtual machine images. Apply best practices available to harden DMZ host systems to virtual machines. Securing inter-host communications must be the rule, there can be no assumption of a secure channel between hosts Understand how malicious actors are likely to adapt their attack techniques to cloud platforms, e.g. increased black box testing Updated threat models New trust domains for SDLC

Encryption and Key Management From a risk management perspective, unencrypted data existent in the cloud may be considered lost by the customer. Use encryption to separate data holding from data usage. Segregate the key management from the cloud provider hosting the data, creating a chain of separation. Stipulate standard encryption in contract language Understand areas of exposure, such as VM swap space

Identity and Access Management Must have a robust federated identity management architecture and strategy internal to the organization Insist upon standards enabling federation: Primarily SAML, WS-Federation and Liberty ID-FF federation Cloud providers should by default be relying parties to trusted identity providers Using cloud-based Identity as a Service providers may be a useful tool for abstracting and managing complexities such as differing versions of SAML, etc.

Virtualization Understand VM attack vectors: Hypervisor, backplane, hardware, provisioning, other management tools Secure by default configuration needs to be assured by following or exceeding available industry baselines Need granular monitoring of traffic crossing VM backplanes Provisioning, administrative access and control of virtualized operating systems is crucial

CSA Research CSA Guidance Version 3 (Security as a Service) GRC Stack CloudAudit Cloud Controls Matrix Consensus Assessments Initiative CloudCERT Trusted Cloud Initiative CCSK Certificate of Cloud Security Knowledge Industry-specific working groups

Public Policy Harmonize global privacy directives Safe Harbor exemptions updated for cloud National strategies aligned with international strategies G20-type Summit to pursue global cloud policy issues Pursuit of criminal organizations

Thank you Help us secure cloud computing www.cloudsecurityalliance.org info@cloudsecurityalliance.org LinkedIn: www.linkedin.com/groups?gid=1864210 Twitter: @cloudsa

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information