Foundational Best Practices For Securing Cloud Computing
Scott Clark
Agenda
Introduction to Cloud Computing
What is Different in the Cloud?
CSA Guidance
What is Cloud Computing?
• Compute as a utility: the third major era of computing
  – Mainframe
  – PC client/server
  – Cloud computing: an on-demand model for allocating and consuming computing
• Cloud is enabled by:
  – Moore's Law: the cost of compute and storage approaching zero
  – Hyperconnectivity: robust bandwidth left by dot-com-era investment
  – Service Oriented Architecture (SOA)
How to think about Cloud
• A "perfect storm" convergence of existing technologies in a new business model
• The next platform for software applications: disruption!
• Not one "cloud" but many types and deployments of cloud
• Aspects of our legacy we can learn from, with key differences:
  – Mainframes
  – Virtualization
  – Outsourcing
• Many concepts "in the cloud" are similar to concepts in standard outsourcing
• At least four themes require a different mindset when working on security for cloud services:
  – Role clarity for security controls
  – Legal / jurisdictional / cross-border data movement
  – Virtualization concentration risk
  – Virtualization network security control parity
What is Different in the Cloud?
Legal / Jurisdictional Issues Amplified
One provider, five jurisdictions: "Cloud" provider datacenters in
• San Francisco, USA
• Tokyo, Japan
• Geneva, Switzerland
• São Paulo, Brazil
• London, U.K.
What is Different in the Cloud?
Virtualization Concentration Risks
• "Old way": hack a system
• "New way": hack a datacenter (a compromise of the shared hypervisor or its management plane reaches every tenant hosted on it)
What is Different in the Cloud?
Virtualized N-Tier Control Equivalence
• "Current way" vs. "New way": when the tiers of an N-tier application move from physically separated segments to VMs on shared virtual infrastructure, the network security controls between the tiers must keep parity with the physical design
Key Cloud Security Problems
From CSA Top Threats research:
– Trust: lack of provider transparency, which impacts governance, risk management and compliance
– Data: leakage, loss, or storage in an unfriendly geography
– Insecure cloud software
– Malicious use of cloud services
– Account/service hijacking
– Malicious insiders
Cloud Security Alliance Guidance
Available at http://www.cloudsecurityalliance.org/Research.html
The guidance is organized into domains:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Security, Business Continuity, and Disaster Recovery
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
Defining Cloud
• On-demand provisioning
• Elasticity
• Multi-tenancy
• Key types
  – Infrastructure as a Service (IaaS): basic O/S & storage
  – Platform as a Service (PaaS): IaaS + rapid development
  – Software as a Service (SaaS): complete application
  – Public, Private, Community &
Governance and Enterprise Risk Management
• Due diligence of the provider's governance structure and processes, in addition to its security controls and SLAs
• Risk assessment approaches between provider and user should be consistent: consistency in impact analysis and in the definition of likelihood
Legal and Electronic Discovery
• Mutual understanding of roles related to litigation, discovery searches and expert testimony
• Data in the custody of the provider must receive guardianship equivalent to the original owner's
• Unified process for responding to subpoenas, service of process, etc.
Compliance and Audit
• Right-to-audit clause
• Analyze the impact of regulations on data security
• Prepare evidence of how each requirement is being met
• Auditor qualification and selection
Information Lifecycle Management
• How is integrity maintained?
• If data is compromised, how is that detected and reported?
• Identify all controls used during the data lifecycle
• Know where your data is!
• Understand the provider's data search capabilities and limitations
Portability and Interoperability
• IaaS: understand VM capture and porting to a new provider, especially if different technologies are used
• PaaS: understand how logging, monitoring and audit transfer to another provider
• SaaS: perform regular backups into a form that is usable without the SaaS
Security, Business Continuity and Disaster Recovery
• Conduct an onsite inspection whenever possible
• Inspect the cloud provider's disaster recovery and business continuity plans
• Ask for documentation of external and internal security controls: adherence to industry standards?
Data Center Operations
• Demonstration of compartmentalization of systems, networks, management, provisioning and personnel
• Understanding of the provider's patch management policies and procedures; these should be reflected in the contract!
Incident Response, Notification and Remediation
• You may have limited involvement in incident response; understand the prearranged communication path to the provider's incident response team
• What incident detection and analysis tools are used? Will proprietary tools make joint investigations difficult?
Application Security
• S-P-I (SaaS, PaaS, IaaS) creates different trust boundaries in the SDLC; account for them in dev, test and production
• Obtain contractual permission before performing remote vulnerability and application assessments
  – the provider cannot distinguish testing from an actual attack
Encryption and Key Management
• Separate key management from the provider hosting the data, creating a chain of separation
• Understand the provider's key management lifecycle: how keys are generated, used, stored, backed up, rotated and deleted
• Ensure encryption adheres to industry and government standards when stipulated in the contract
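The first two bullets above (key management separated from the hosting provider, and a key lifecycle that includes rotation), together with the Information Lifecycle Management questions earlier on this page (how integrity is maintained, and how a compromise is detected), can be shown in one piece of code. The following is an added example written for this page, not code from the talk or from any CSA deliverable: envelope encryption using only Go's standard library, in which the customer holds the key-encryption keys (KEKs) in a key ring the provider never sees, every object gets its own data-encryption key (DEK), AES-256-GCM authenticates every byte so that a provider-side modification or a swap of one object's blob for another's fails decryption instead of returning silently corrupted data, and rotating the KEK re-wraps the DEK without touching the stored ciphertext. The KeyRing type, the object IDs and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyRing stands in for the customer-controlled key store (an HSM or KMS the
// provider cannot reach): KEK version -> 256-bit KEK. Assumed for this example.
type KeyRing map[int][]byte

// Envelope is all the provider stores: ciphertext plus the DEK wrapped under a customer KEK.
type Envelope struct {
	KEKVersion int    // which customer KEK wraps the DEK; changes on rotation
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad="kek-v<version>")
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext, aad=objectID)
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random nonce; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open fails, rather than returning garbage, if any bit of the blob or aad changed.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("bad key or sealed blob")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

func kekAAD(version int) []byte { return []byte(fmt.Sprintf("kek-v%d", version)) }

// Encrypt: fresh DEK per object; the object ID as aad stops the provider swapping blobs.
func Encrypt(ring KeyRing, kekVersion int, objectID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(ring[kekVersion], dek, kekAAD(kekVersion))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKVersion: kekVersion, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// unwrapDEK: a missing KEK version yields a nil key, which AES rejects.
func unwrapDEK(ring KeyRing, env *Envelope) ([]byte, error) {
	return open(ring[env.KEKVersion], env.WrappedDEK, kekAAD(env.KEKVersion))
}

// Decrypt needs the customer key ring; the provider, holding only the envelope, cannot succeed.
func Decrypt(ring KeyRing, objectID string, env *Envelope) ([]byte, error) {
	dek, err := unwrapDEK(ring, env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(objectID))
}

// RotateKEK re-wraps the DEK under a new KEK version; the ciphertext is untouched.
func RotateKEK(ring KeyRing, env *Envelope, newVersion int) error {
	dek, err := unwrapDEK(ring, env)
	if err != nil {
		return err
	}
	wrapped, err := seal(ring[newVersion], dek, kekAAD(newVersion))
	if err != nil {
		return err
	}
	env.WrappedDEK, env.KEKVersion = wrapped, newVersion
	return nil
}

func main() {
	ring := KeyRing{1: make([]byte, 32)} // demo only; real KEKs live in the HSM/KMS
	rand.Read(ring[1])
	env, _ := Encrypt(ring, 1, "bucket/a.json", []byte("name=alice")) // constructed sample
	fmt.Println(Decrypt(ring, "bucket/a.json", env))
}
```

Two design points map back to the checklist. Because only wrapped DEKs ever reach the provider, the "chain of separation" holds even if the provider's storage is copied wholesale, and retiring an old KEK after rotation affects nothing stored. Because GCM authenticates the ciphertext and the object ID, the ILM question "if compromised, how is it detected?" is answered at read time by a hard failure rather than by a downstream data-quality surprise; in production the key ring would be an HSM or KMS call, and the per-object DEK keeps any single key well under GCM's nonce-reuse limits.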
Identity and Access Management
• IAM is a big challenge today in secure cloud computing
• Identity: avoid proprietary solutions unique to the cloud provider
• Any local authentication service offered by the provider should be OATH compliant
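"OATH compliant" refers to the Initiative for Open Authentication, whose HOTP (RFC 4226) and TOTP (RFC 6238) algorithms are what an OATH-compliant one-time-password service implements; a provider that speaks them can be fed from any standard OATH token or authenticator app rather than a provider-specific one, which is the portability point of the previous bullet. The block below is an added example for this page, not code from the talk or from a CSA deliverable: HOTP and TOTP in Go's standard library, checked against the RFC test vectors (shared secret "12345678901234567890"), plus a verifier that tolerates one time step of clock skew, compares codes in constant time and refuses to accept an already-used step again. The Verifier type and its one-step window are choices made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation on the low nibble of the last byte, then mod 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, bin%uint32(math.Pow10(digits)))
}

// TOTP implements RFC 6238: the counter is the number of `step`-second
// intervals since the Unix epoch.
func TOTP(secret []byte, unix, step int64, digits int) string {
	return HOTP(secret, uint64(unix/step), digits)
}

// Verifier is the server side of an OATH login (an assumption for this example).
type Verifier struct {
	secret   []byte
	step     int64
	digits   int
	lastStep int64 // highest time step already consumed; blocks replay
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, step: 30, digits: 8, lastStep: -1}
}

// Accept checks the code against the current step and its two neighbours
// (clock skew), in constant time, and burns the step that matched.
func (v *Verifier) Accept(code string, unix int64) bool {
	now := unix / v.step
	for d := int64(-1); d <= 1; d++ {
		n := now + d
		if n < 0 || n <= v.lastStep {
			continue // already used (or earlier than a used step): replay
		}
		expected := HOTP(v.secret, uint64(n), v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep = n
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret; real seeds are random per token
	fmt.Println("current 6-digit TOTP:", TOTP(secret, time.Now().Unix(), 30, 6))
}
```

Two things to notice when evaluating a provider's implementation against this: a service that accepts the same code twice inside the skew window, or that compares codes with an ordinary string equality, is "OATH compliant" in algorithm only; and because the seed is the whole secret, how the provider generates, stores and rotates it is exactly the key-lifecycle question from the Encryption and Key Management checklist.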
Virtualization
• Understand the security controls inside the VM beyond the hypervisor's built-in isolation: IDS, AV, vulnerability scanning, etc.
• Understand the external security controls protecting the exposed administrative interfaces (web-based, APIs)
• Reporting mechanisms that provide evidence of isolation and raise alerts if a breach of isolation occurs
Cloud Security Alliance Initiatives
1. GRC Stack
2. Security Guidance for Critical Areas of Focus in Cloud Computing
3. Cloud Controls Matrix (CCM)
4. Consensus Assessments Initiative
5. Cloud Metrics
6. Trusted Cloud Initiative
7. Top Threats to Cloud Computing
8. CloudAudit
9. Common Assurance Maturity Model
10. CloudSIRT
11. Security as a Service
Cloud Controls Matrix Tool
• Controls derived from the guidance
• Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
• Customer vs. provider role
• Mapped to COBIT, HIPAA, ISO/IEC 27002:2005, NIST SP 800-53 and PCI DSS
• Helps bridge the gap between IT and IT auditors