• No results found

CONTROLLING CLOUDS: BEYOND SAFETY

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "CONTROLLING CLOUDS: BEYOND SAFETY"

Copied!
30
0
0

Loading.... (view fulltext now)

Download now ( 30 Page )

Full text

(1)

CONTROLLING CLOUDS:

BEYOND SAFETY

GORDON HAFF (@ghaff)

(2)

ABOUT ME

Red Hat Cloud Evangelist Twitter: @ghaff

Google+: Gordon Haff Email: [email protected]

Blog: http://bitmason.blogspot.com

Flickr: http://www.flickr.com/photos/bitmason/

(3)
(4)
(5)
(6)
(7)

WHAT I’LL COVER

What’s new

What isn’t new Certifications

(8)

WHAT’S NEW-ISH

Shared responsibility model

(9)

SHARED RESPONSIBILITY:

CLOUD PROVIDER VIEW

(10)

ABSTRACTIONS HIDE (BY DESIGN)

STORAGE (RHS) HARDWARE (x86) VIRTUALIZATION (RHEV) OPERATING SYSTEM (RHEL) APPLICATION PLATFORM

(JBOSS, PHP, RUBY, ETC)

APPLICATION

Automated and

Managed by the Public or Private Cloud

Offering

Managed and

Controlled by Customer (IT, Dev, or User)

IaaS

PaaS

SaaS

Increased Control

(11)

PERVASIVE

SELF-SERVICE

CONSUMERIZED

EXPECTATIONS

SCALE

CreditJulie Blaustein, cc/flickr

(12)
(13)

BUT MUCH DOESN’T CHANGE

If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to cloud.

Chris Hoff

Credit: Michael Rosenstein, cc/flickr

(14)

ITIL BEST PRACTICES HIGHLY

RELEVANT TO SERVICE

DELIVERY THROUGH CLOUD

ITIL Service Strategy provides guidance on

generating a strategy for a major shift in service delivery such as moving to the cloud

ITIL practices can help design cloud computing as appropriate end-to-end services

ITIL service models and examples (managing

(15)

COST/BENEFIT STILL APPLIES

RISK = LIKELIHOOD * IMPACT

(16)
(17)

THE NICE THING ABOUT CERTIFICATIONS

IS THAT THERE ARE SO MANY OF THEM

SAS 70

Specifically created for financial auditors of service organizations

ISO/IEC 27001

Information security management system standard published in 2005

PCI DSS

For organizations processing credit card transactions

FedRAMP Security Controls

Framework for US Federal agencies

HIPAA

(18)

SOC 2 AND 3

Report can be issued on one or more Trust Services Principles Security Availability Processing integrity Confidentiality Privacy

Type 1: Suitability of design

Type 2: Suitability of design and effectiveness SOC 3 is a condensed public version of SOC 2 Mostly in the US today

(19)

EXAMPLE: CSA CLOUD CONTROLS MATRIX

98 “control areas” in 11 categories

Example: Security Architecture - Production / Non-Production Environments

Each mapped to areas of relevance

Examples: IaaS, PaaS, SaaS, corporate governance, and supplier relationships

(20)

A DETAILED EXAMPLE: SECURITY ARCHITECTURE -

PRODUCTION / NON-PRODUCTION ENVIRONMENTS

Definition: “Production and non-production environments shall be separated to prevent

unauthorized access or changes to information assets.”

Applies across all areas of architecture and all cloud service models

Applies to the service provider (internal or external)

but not the customer/tenant

(21)
(22)

11 DOMAINS

Compliance (CO)

Data Governance (DG) Facility Security (FS)

Human Resources (HR) Information Security (IS) Legal (LG)

Operations Management (OM) Risk Management (RI)

Release Management (RM) Resiliency (RS)

(23)

COMPLIANCE

Audit controls

Independent audits of organizational compliance and audits of third-party providers

Limitations of third-party auditability can be a concern for public cloud users

Regulatory mapping

(24)

DATA GOVERNANCE

What is it and who owns it?

Classification is key to establishing data placement policies

Retention and secure disposal policies

“Ensuring data is not recoverable by any computer forensic means”

Do you have controls in place to prevent data leakage or intentional/accidental compromise between tenants in a multi-tenant environment?

(25)

INFORMATION SECURITY

IS-01 includes a requirement for a management program that includes

Administrative, technical, and physical safeguards to protect assets and data from loss, misuse,

unauthorized access, disclosure, alteration, and destruction

Identity and Access Control

Store and manage timely identity information about every person who accesses the cloud resources and determine their level of access

(26)

INFORMATION SECURITY (CONTINUED)

Establishment and implementation of encryption policies

Includes key management, etc.

Preparing for and responding to incidents (including legal response as needed)

(27)

SECURITY ARCHITECTURE

Minimum standards for implementing and enforcing (through automation) user credential and password controls

Multi-factor authentication for all remote access

Segmentation and restricted connections in network environments especially between trusted and

untrusted networks

“Networks shared with external entities shall have a documented plan detailing the compensating

controls used to separate network traffic between organizations”

(28)

SOURCES FOR A BROADER CLOUD

GOVERNANCE VIEW

Deloitte Cloud Computing Risk Intelligence Map Cloud Computing Security Risk Assessment

CSIS 20 Critical Security Controls

(29)
(30)

QUESTIONS?

THANK YOU.

Gordon Haff

[email protected] Twitter: @ghaff

Google+: Gordon Haff

References

Download now ( PDF - 30 Page - 2.49 MB )

Related documents

Impacts of Internal and External Changing Conditions On French and British Labour Market Segmentation

From these surveys we extracted individual and employment variables as monthly wage, length of service, type of initial education, type of job, sex, age, level of education 1 ,

Conflicting logics of online higher education

Senior Manager 1 of University X stated: ‘Through online education [we] offer access on the continent where higher education par- ticipation is even lower than in South Africa,

Cloud Security Certification

areas based on the Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing V3, English language version, and the ENISA report "Cloud.

UNITED STATES COURT OF APPEALS FOR THE NINTH CIRCUIT

Marshak quibbles with the district court’s reliance on the res judicata effect of the Nevada actions—the 2011 default judgment against FPI and the 2012 preliminary

Cloud Enterprise Architecture

Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter

Inviting Tenders for Providing Security Services at Temperature Controlled Warehouse at Medchal, Ranga Reddy District, Telangana

https://balmerlawrie.eproc.in and submit their bids online. The bidders shall submit their eligibility and qualification documents, technical bids, financial bid, etc., in

UDM Calendar Authoring Instructions Version 1.1. UDM Calendar

If you need more than three paragraphs to describe your event, you should probably create a full Web page on your site, and link to it from your shorter event calendar

CHC Helicopter Investor Presentation March 2014

¹ Calculated as implied daily cost of helicopter/divided by typical day rate for offshore rig; implied daily cost of helicopter calculated by dividing FY2013 HE rate of $8.73M by