Supporting Business Agility
Secure your cloud applications by building solid foundations with enterprise (security) architecture
Vladimir Jirasek, Managing director
Jirasek Consulting Services
About me
• MBA (MSc) degree
• 20 years experience in IT
• 13 years experience in InfoSec
• Worked in various companies in diverse
sectors
• Engaged in security organisations and projects such as CAMM and CSA
• Technical editor of a cloud security book
• Presents at security and IT conferences
Agenda
• Enterprise architecture crash course
• Security architecture overview
• Cloud security models
• Governance in Cloud
• Data security in Cloud
What is Enterprise Architecture
Enterprise architecture (EA) is the
process of translating business vision
and strategy into effective enterprise
change by creating, communicating
and improving the key requirements,
principles and models that describe
the enterprise's future state and
enable its evolution.
Wikipedia
Common sense: ensure everyone in a company is pulling in one direction, maximising ROI and reducing waste.
EA is a business support function.
One of the most used architecture frameworks: TOGAF
ENTERPRISE SECURITY
ARCHITECTURE
Security model – business drives security
Diagram (security model): inputs (business objectives, compliance requirements, laws and regulations, business impact, business and information risks, security threats, international security standards, security intelligence) define the Information Security policies, standards and guidelines. These mandate security management (people: line management, auditors, security management, risk and compliance, governance, product management, program management, assurance, security services, security professionals; processes; technology: IT GRC, policy framework), which defines and executes the security controls. Controls are measured against Information Security metrics objectives, a metrics framework, security maturity and external security metrics; the feedback corrects the security processes and updates the business requirements.
Security architecture domains
• Security architect works across all domains
• Stakeholder in EA
• Works with domain architects (depends on the size of an
Cloud model maps to Security model
Diagram: responsibilities for the areas of the security model compared across the cloud delivery models, at the present time and in the future. Areas: Physical security, Network security, Host security, Application security, Data security, SIEM, Identity and Access, Cryptography, Business continuity, GRC.
Should data security be on CIOs' agendas? Why only the CIO?
Not many security breaches so far. Why?
Cloud will become targeted as more enterprises rely on public Cloud computing.
Mandatory reading!
Diagram: Cloud provider reputation/costs against your company's reputation/costs; consolidation of Cloud providers; cost savings in enterprises; PaaS/SaaS, SaaS.
CLOUD DEPLOYMENT
GOVERNANCE
Governance related to Cloud
• Setting company policy for Cloud computing
• Risk-based decision on which Cloud provider, if any, to engage
• Assigning responsibilities for enforcing and monitoring policy compliance
• Set corrective actions for
Cloud governance::Policy
• Cloud adopted typically by
  a) IT directors – managed relatively consistently and mostly [I|P]aaS
  b) Business managers – less governance; typically SaaS
• Policy should state: It is a policy of …. to manage the usage of external Cloud computing services, taking into account risks to business processes and legal and regulatory compliance when using external Cloud services. The CIO is responsible for creating and communicating the external Cloud computing strategy and
Cloud standard structure
• General statements
  – Governance requirements for Cloud
  – Enterprise architecture to be ready for Cloud and for Cloud services to plug in (IAM, SIEM, data architecture, forensics)
  – Discovery of Cloud service use
• Before a Cloud project
  – Cloud service to comply with data classification
  – Encrypt all sensitive data in the Cloud
  – Identity and Access management (AAA) linked to the Cloud service
• During a Cloud project
  – Due diligence to be performed
  – Do not forget the “right to audit”
  – Know the locations of PII
  – Assess availability (SLA and DR) of the Cloud provider
  – Assess the Cloud provider's security controls
  – Assess the potential for forensic investigation by the company's own team
• Running a Cloud service
  – Limit use of live data for development and testing
  – Monitor the cloud provider's security controls
  – Link the company's SIEM with the Cloud provider and monitor for incidents
• Moving out of the Cloud
  – Data cleansing
  – Data portability
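Discovery of Cloud service use, as required in the standard above, usually starts from the web proxy logs: business managers adopting SaaS without IT show up there as uploads to destinations nobody approved. The Go program below is an added example, not code from the presentation; it classifies proxy log destinations against a hypothetical inventory of sanctioned and known-but-unsanctioned cloud services and flags large uploads to anything that is not sanctioned. The log lines, the inventory and the 10 MiB threshold are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Constructed proxy log lines (made up for this example): time, client, method, URL, status, bytes sent.
var sampleLog = []string{
	"2012-06-01T09:12:03Z 10.1.2.15 POST https://api.salesforce.com/services/data/v24.0/sobjects 200 1048576",
	"2012-06-01T09:13:41Z 10.1.2.22 GET https://www.bbc.co.uk/news 200 53020",
	"2012-06-01T09:14:09Z 10.1.2.15 POST https://www.dropbox.com/upload 200 734003200",
	"2012-06-01T09:15:55Z 10.1.2.31 GET https://mail.google.com/mail/u/0/ 200 12033",
	"2012-06-01T09:16:10Z 10.1.2.31 POST https://filehost.example.net/put 201 52428800",
}

// Hypothetical inventory of cloud services keyed by registered domain;
// Sanctioned marks those approved under the company's Cloud policy.
var inventory = map[string]struct {
	Name       string
	Sanctioned bool
}{
	"salesforce.com": {"Salesforce CRM", true},
	"google.com":     {"Google Apps / Gmail", true},
	"dropbox.com":    {"Dropbox", false},
}

// Assumed threshold: uploads of 10 MiB or more to non-sanctioned hosts are flagged.
const bulkUploadBytes = 10 << 20

type LogEntry struct {
	Client, Method, Host string
	Bytes                int64
}

type Finding struct {
	Client, Host string
	Service      string // inventory name, "" when unknown
	Status       string // "sanctioned", "unsanctioned" or "unknown"
	BulkUpload   bool   // POST/PUT at or above the threshold to a non-sanctioned host
}

// parseLine parses one "time client method url status bytes" record.
func parseLine(line string) (LogEntry, error) {
	f := strings.Fields(line)
	if len(f) != 6 {
		return LogEntry{}, fmt.Errorf("want 6 fields, got %d: %q", len(f), line)
	}
	u, err := url.Parse(f[3])
	if err != nil || u.Hostname() == "" {
		return LogEntry{}, fmt.Errorf("bad url %q", f[3])
	}
	n, err := strconv.ParseInt(f[5], 10, 64)
	if err != nil {
		return LogEntry{}, fmt.Errorf("bad byte count %q", f[5])
	}
	return LogEntry{Client: f[1], Method: f[2], Host: strings.ToLower(u.Hostname()), Bytes: n}, nil
}

// registeredDomain keeps the last two labels (api.salesforce.com -> salesforce.com).
// Adequate for the sample; production code should use the Public Suffix List (co.uk etc.).
func registeredDomain(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) <= 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// classify looks a host up in the inventory.
func classify(host string) (name, status string) {
	svc, ok := inventory[registeredDomain(host)]
	switch {
	case !ok:
		return "", "unknown"
	case svc.Sanctioned:
		return svc.Name, "sanctioned"
	default:
		return svc.Name, "unsanctioned"
	}
}

// discover classifies every well-formed line; malformed lines are skipped, not fatal.
func discover(lines []string) []Finding {
	var out []Finding
	for _, ln := range lines {
		e, err := parseLine(ln)
		if err != nil {
			continue
		}
		name, status := classify(e.Host)
		upload := e.Method == "POST" || e.Method == "PUT"
		out = append(out, Finding{Client: e.Client, Host: e.Host, Service: name, Status: status,
			BulkUpload: upload && status != "sanctioned" && e.Bytes >= bulkUploadBytes})
	}
	return out
}

func main() {
	for _, f := range discover(sampleLog) {
		fmt.Printf("%-10s %-26s %-12s %-20q bulk-upload=%v\n", f.Client, f.Host, f.Status, f.Service, f.BulkUpload)
	}
}
```

The "unknown" hits with a bulk upload are the shadow-IT candidates for the governance process to triage; "unsanctioned" hits against a known service are a policy decision rather than a detection problem. The registered-domain helper is deliberately naive (it reduces www.bbc.co.uk to co.uk), which is why the lead-in calls the inventory hypothetical: a real tool needs the Public Suffix List and a maintained service catalogue.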
Example: I have 1TB of CSV files, now what?
• Customer uses a well-known CRM in the Cloud
• SaaS designed to immerse clients into a well-defined, bespoke CRM
• No known data model
• Export of data in CSV.
Tip: Portability is the key in SaaS applications. Think about leaving the Cloud provider upfront.
Example: Scaling up/down development
• Large manufacturing and service company
• Requirement to support development needs with seasonal demands – ideal case for [I|P]aaS
• Security team approached up-front to perform a review
• “Live” data not uploaded to the provider before on-site sanitising
Cloud provider: “AES-128 so it must be secure! Trust me!”
Diagram: the Cloud service user's secret travels as an encrypted bit stream to the Cloud Service Provider, where it is a secret again.
Just because it is encrypted does not make it secure… Look end to end.
However, not all data in the cloud are secret!
Sometimes too much encryption is bad though.
Data protection options in cloud models
(rows: layer; columns: Infrastructure as a Service, Platform as a Service, Software as a Service)
Host: IaaS – encryption appliance (e.g. SafeNet ProtectV); PaaS/SaaS – provider-dependent and provider-operated host encryption
Application: IaaS/PaaS – application encryption (customer retains keys); SaaS – tokenisation and anonymisation
Data: IaaS – extend company file or object encryption; SaaS – encrypting/tokenising reverse proxy engines (e.g. CipherCloud)
SIEM: IaaS – extend company SIEM; PaaS/SaaS – plug in to the provider's SIEM
Example of SaaS – Use of Gmail
inside and outside an organisation
• SaaS web based
application. Other standard
interfaces – IMAP, POP3,
SMTP, Web API
• Data in Gmail available to
anyone with proper
authentication
• TLS used on transport layer
• Consider using a CipherCloud-like product, but be mindful of traffic flows with external customers
Diagram: intra-company flow Sender → Recipient; external flow Sender → Proxy → Recipient.
Example of IaaS – Cloud provider offers virtual computing resources for internal apps deployment
• Cloud provider can theoretically access all data if decryption happens on the virtual machine! But would they?
• Use one of two possible models:
  – Local crypto operations with remote key management. Consider SafeNet ProtectV
  – Remote crypto operations over VPN – speed penalty
Diagram: internal user and administrator inside the company; VPN to the Cloud provider; key management with an HSM.
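The point of "customer retains keys" in the data protection table, and of the IaaS model of local crypto operations with remote key management, is that nothing the provider stores is enough to read the data. The Go program below is an added example, not code from the presentation or from SafeNet ProtectV: a key server that only wraps and unwraps per-object data keys with a key-encryption key it never releases stands in for the company's HSM, the virtual machine encrypts locally with AES-GCM, and the provider receives only ciphertext plus a wrapped key. The object name and the sample plaintext are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for the company's key management (HSM). It is remote from the
// VM and only wraps and unwraps data keys; the key-encryption key never leaves it.
type KeyServer struct{ kek []byte }

func NewKeyServer() (*KeyServer, error) {
	kek := make([]byte, 32) // AES-256 KEK, assumed to be generated inside the HSM
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyServer{kek: kek}, nil
}

// gcmSeal encrypts and authenticates with AES-GCM; the random nonce is prepended.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal and fails on any modification of ciphertext or AAD.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Wrap and Unwrap are the only operations the key server exposes to the VM.
func (k *KeyServer) Wrap(dek []byte) ([]byte, error) { return gcmSeal(k.kek, dek, []byte("dek")) }
func (k *KeyServer) Unwrap(w []byte) ([]byte, error) { return gcmOpen(k.kek, w, []byte("dek")) }

// StoredObject is everything the cloud provider gets to keep.
type StoredObject struct {
	Name       string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt runs on the VM: a fresh AES-128 data key per object, encryption done locally,
// the data key wrapped by the remote key server. The object name is bound as AAD.
func Encrypt(ks *KeyServer, name string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 16)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := gcmSeal(dek, plaintext, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Name: name, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt needs the key server: without it the stored object is just noise.
func Decrypt(ks *KeyServer, obj StoredObject) ([]byte, error) {
	dek, err := ks.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, obj.Ciphertext, []byte(obj.Name))
}

func main() {
	ks, _ := NewKeyServer()
	obj, _ := Encrypt(ks, "crm/export.csv", []byte("customer list: alice, bob")) // constructed sample
	fmt.Printf("provider holds %d ciphertext bytes and a %d-byte wrapped key, no plaintext, no KEK\n",
		len(obj.Ciphertext), len(obj.WrappedDEK))
	obj.Ciphertext[len(obj.Ciphertext)-1] ^= 1 // anyone in the path flips a bit
	if _, err := Decrypt(ks, obj); err != nil {
		fmt.Println("tampering detected:", err)
	}
}
```

Binding the object name as GCM additional data means a stored object cannot silently be substituted for another, and a flipped bit in the ciphertext fails decryption instead of yielding garbage. The data key here is AES-128, exactly the cipher in the provider's quote above, which shows that the cipher name alone says nothing: what matters end to end is who can reach the key and whether integrity is checked.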
IDENTITY AND ACCESS
IAM is a complex domain::closer to information management than security!
Identity management
Access management
Identity management::mostly
information management
• Principal management
• Credential management
• Attribute management
• Group memberships
• Business and IT roles
• Directory
• Link to HR data
Provision and de-provision
users from cloud services
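The "link to HR data" and "provision and de-provision users from cloud services" points above come down to a reconciliation between the HR feed (the source of truth for who is active and in which business role) and the accounts a SaaS actually reports. The Go program below is an added example, not code from the presentation; the HR roles, the mapping to CRM roles and the sample people are all constructed. Leavers who still hold an account and accounts with no HR owner at all fall out of the same diff.

```go
package main

import (
	"fmt"
	"sort"
)

// Employee is a record from the HR feed; Roles are business roles, the source of truth
// for what a person is entitled to.
type Employee struct {
	Email  string
	Active bool
	Roles  []string
}

// Account is what the cloud service reports (e.g. via its user-admin API or a CSV export).
type Account struct {
	Email string
	Role  string
}

// Action is one provisioning change the connector should push to the service.
type Action struct {
	Op    string // "provision", "fix-role" or "deprovision"
	Email string
	Role  string
}

// Hypothetical mapping from HR business roles to roles in a CRM SaaS.
// HR roles with no entry carry no entitlement to the service at all.
var crmEntitlement = map[string]string{
	"sales":         "crm-user",
	"sales-manager": "crm-admin",
}

// desiredRole derives the service role an active employee should hold; admin wins over user.
func desiredRole(e Employee) (string, bool) {
	if !e.Active {
		return "", false
	}
	role := ""
	for _, r := range e.Roles {
		if svc, ok := crmEntitlement[r]; ok && (role == "" || svc == "crm-admin") {
			role = svc
		}
	}
	return role, role != ""
}

// Reconcile diffs the desired state (HR) against the actual state (service accounts).
// Any account without an active, entitled HR owner is deprovisioned: leavers and orphans alike.
func Reconcile(hr []Employee, accounts []Account) []Action {
	desired := map[string]string{}
	for _, e := range hr {
		if role, ok := desiredRole(e); ok {
			desired[e.Email] = role
		}
	}
	have := map[string]string{}
	for _, a := range accounts {
		have[a.Email] = a.Role
	}
	var actions []Action
	for email, role := range desired {
		switch cur, exists := have[email]; {
		case !exists:
			actions = append(actions, Action{"provision", email, role})
		case cur != role:
			actions = append(actions, Action{"fix-role", email, role})
		}
	}
	for email, role := range have {
		if _, ok := desired[email]; !ok {
			actions = append(actions, Action{"deprovision", email, role})
		}
	}
	sort.Slice(actions, func(i, j int) bool { // deterministic output for audit trails
		if actions[i].Op != actions[j].Op {
			return actions[i].Op < actions[j].Op
		}
		return actions[i].Email < actions[j].Email
	})
	return actions
}

// Constructed sample data (not real people).
var sampleHR = []Employee{
	{"alice@example.com", true, []string{"sales"}},
	{"bob@example.com", true, []string{"sales", "sales-manager"}},
	{"carol@example.com", true, []string{"sales"}},
	{"dave@example.com", false, []string{"sales"}},  // leaver
	{"erin@example.com", true, []string{"finance"}}, // no CRM entitlement
}

var sampleAccounts = []Account{
	{"alice@example.com", "crm-user"},
	{"bob@example.com", "crm-user"},         // under-privileged against HR role
	{"dave@example.com", "crm-user"},        // leaver still has access
	{"contractor@example.com", "crm-admin"}, // no HR record at all
}

func main() {
	for _, a := range Reconcile(sampleHR, sampleAccounts) {
		fmt.Printf("%-12s %-24s %s\n", a.Op, a.Email, a.Role)
	}
}
```

Run this on a schedule (or from HR events) and push the actions through the service's provisioning interface; the deprovision list is the one to alarm on, since a leaver with a live SaaS account is access the company no longer controls.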
Entitlements and Access
management
Entitlements
• Managing access policies
• XACML policies (Subject, Rule, Resource)
• Bespoke policies
• Based on attributes or
groups
Connects subjects and
resources
Access management
• Uses identity information,
entitlement policies and
context to make access
decisions:
– Grant
– Deny
– Grant but limit
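An access decision that combines identity information, entitlement policy and context and returns grant, deny or grant-but-limit, as described above, written as an added Go example (not code from the presentation). It is a simplified stand-in for XACML rules with effects and obligations, not a XACML implementation, and the CRM policy, attribute names and resource names are assumptions made for the example.

```go
package main

import "fmt"

// Decision is the outcome of an access request: grant, deny or grant-but-limit.
type Decision string

const (
	Permit        Decision = "permit"
	Deny          Decision = "deny"
	PermitLimited Decision = "permit-limited"
)

// Request carries the three inputs named on the slide: identity information
// (subject attributes), the entitlement target (resource and action) and context.
type Request struct {
	Subject  map[string]string // e.g. "group": "sales", "status": "active"
	Resource string            // e.g. "crm/customers"
	Action   string            // e.g. "read", "export"
	Context  map[string]string // e.g. "network": "corp", "mfa": "true"
}

// Rule is a simplified stand-in for an XACML rule: target, condition, effect and obligation.
type Rule struct {
	Name       string
	Resource   string // exact match or "*"
	Action     string // exact match or "*"
	Condition  func(Request) bool
	Effect     Decision
	Obligation string // the limit imposed when Effect is PermitLimited
}

type Result struct {
	Decision   Decision
	Rule       string
	Obligation string
}

func (r Rule) matches(q Request) bool {
	return (r.Resource == "*" || r.Resource == q.Resource) &&
		(r.Action == "*" || r.Action == q.Action) &&
		(r.Condition == nil || r.Condition(q))
}

// Evaluate is first-applicable: rules are tried in order and the first match decides;
// no match means deny, so a forgotten rule fails closed.
func Evaluate(rules []Rule, q Request) Result {
	for _, r := range rules {
		if r.matches(q) {
			return Result{r.Effect, r.Name, r.Obligation}
		}
	}
	return Result{Deny, "default-deny", ""}
}

func inGroup(q Request, g string) bool { return q.Subject["group"] == g }
func strongAuth(q Request) bool       { return q.Context["mfa"] == "true" }

// Hypothetical policy for a CRM SaaS that holds customer PII. Order matters.
var crmPolicy = []Rule{
	{Name: "leavers-denied", Resource: "*", Action: "*",
		Condition: func(q Request) bool { return q.Subject["status"] != "active" }, Effect: Deny},
	{Name: "sales-export-corp", Resource: "crm/customers", Action: "export",
		Condition: func(q Request) bool { return inGroup(q, "sales") && strongAuth(q) && q.Context["network"] == "corp" },
		Effect: Permit},
	{Name: "sales-export-remote-limited", Resource: "crm/customers", Action: "export",
		Condition: func(q Request) bool { return inGroup(q, "sales") && strongAuth(q) },
		Effect: PermitLimited, Obligation: "max 100 records, no bulk download"},
	{Name: "sales-read", Resource: "crm/customers", Action: "read",
		Condition: func(q Request) bool { return inGroup(q, "sales") }, Effect: Permit},
}

func main() {
	q := Request{Subject: map[string]string{"group": "sales", "status": "active"},
		Resource: "crm/customers", Action: "export",
		Context: map[string]string{"network": "internet", "mfa": "true"}}
	res := Evaluate(crmPolicy, q)
	fmt.Printf("%s via %s (%s)\n", res.Decision, res.Rule, res.Obligation)
}
```

The same subject gets a full grant from the corporate network, a limited grant with an obligation from the Internet, and a deny without strong authentication; the leaver rule sits first so an HR status change overrides every entitlement without touching the other rules.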
Identity Federation::Let’s trust identity
providers
• Not everyone wants
to have thousands of
username/passwords
• Cloud services are
ideal for identity
federation
• SAML 2.0
• OAuth 2.0 (do not confuse with OATH)
Summary
• Create Enterprise Architecture function with dotted line to
CEO
• Appoint Security Architect as part of Enterprise architecture
function
• Have a Cloud policy/standard and update risk management
classification
• Always think of exit from Cloud first!
• Discover usage of Cloud services
• Prepare your enterprise architecture to plug Cloud services into IAM, SIEM and key management
• Build IAM that supports changing business. Federate and
Federate…
Classification: Public