©2010, Cognizant
PRESENTATION AT THE OPEN GROUP CONFERENCE MARCH 2011
VARAD G. VARADARAJAN ENTERPRISE ARCHITECTURE COE COGNIZANT TECHNOLOGY SOLUTIONS
Cloud Security & Risk
Management
For details please email:
Agenda
The advantages and disadvantages of cloud computing
Choosing the right cloud model
Migrating to the cloud – A security perspective
Assessing the risks of service providers
Top security domains
Cloud Security
Ready to move to the cloud?
Moving to the cloud offers both benefits and risks!
Conflict of interest between provider and consumer
[Figure: "Increased Risks"]
Visual Model of Cloud Computing
Deployment models: Public, Private, Community, Hybrid
Service models: Software As A Service (SaaS), Platform As A Service (PaaS), Infrastructure As A Service (IaaS)
Characteristics shown: Broad Network Access, Rapid Elasticity
Security benefits in cloud computing
Risk transfer through contractual obligation
Market differentiation
Lowers cost of security
Improves availability
Simplifies governance
Managed Security - Client relies on
But, are we really secure?
Diminished control (standard APIs)
Vendor lock-in
Provider’s architecture can be a black box
Difficult to access log files
Compliance violations and service outages
Data crossing trust boundaries
Data loss or leakage
Increased attack surface
Loss of reputation or erosion of trust
What about rogue clouds?
Risks from Multi-tenancy & Virtualization
[Figure: cost and risk plotted against the degree of multi-tenancy / virtualization (LOW to HIGH). Levels shown: Data Elements, Table, Database, Application, Virtual Server, Physical Server, Data Center]
• Hypervisor escape
• Malicious clients
Risk In Federated Clouds
[Figure: the Enterprise and cloud Services A, B and C exchanging data in a supply chain, with a cloudburst from the enterprise into the cloud. Callouts: "Data exchanged between cloud applications in a supply chain"; "Sensitive data crossing trust boundaries to accommodate spike in demand?"; "SAML / Federated Identity Software (FIS)"]
• Need Federated Identity Solution
• Data crossing trust boundaries
• Encrypt data in transit
Clients need to do an in-depth assessment of the providers with respect to security, governance, risk and compliance
Choosing the right model involves a trade-off between the perceived benefits vs. perceived
[Chart: Liability, Cost and Assurance (scale 0 to 100) for Public, Partner, Private and Non-Cloud deployments. Source: ENISA 2009]

| Question | Public | Private | Partner (Community) | Hybrid |
| Who owns infrastructure? | Third party | Organization | Organization | Both organization and third party |
| Who manages the infrastructure? | Third party | Organization or third party | Organization or third party | Both organization and third party |
| Where is the infrastructure located? | Off premise | On premise or off premise | On premise or off premise | Both on premise and off premise |
| Who accesses and consumes the data/applications? | All (Un-trusted) | Organization (Trusted) | Organization and partners (Trusted) | Trusted and un-trusted |
Which service model is right for me?
Source: CSA Guide
[Figure: the CSA cloud reference stack, top to bottom: Presentation, APIs, Applications, Data, Metadata, Content, Integration & Middleware, APIs, Abstraction, Hardware, Facilities, Core Connectivity & Delivery. IaaS spans the lower (facilities to abstraction/API) layers, PaaS adds the integration and middleware layers, SaaS spans the whole stack]

Who secures what, by service model:

| Layer | IaaS | PaaS | SaaS |
| Apps Security | Client | Client | Provider |
| Platform Security | Client | Provider | Provider |
| Infra Security | Provider | Provider | Provider |

Responsibility for securing the underlying infrastructure and abstraction layers rests with the provider. Securing the platform falls on the provider, while securing the apps developed on the platform falls on the client.
The Cloud Cube
Source: Jericho Forum
Internal or External?
Proprietary or Open?
Perimeterized or non-Perimeterized?
[Figure: cube axes "Where is it deployed?" (Internal / External) and "What is the tech stack?" (Proprietary / Open). Examples: Outsourced: LAMP Stack, Amazon EC2, Global access. Insourced: Custom Apps Stack for multiple B.Us, using Eucalyptus under corporation control, deployed within company]
A wide spectrum of service providers
© Enterprise Architecture COE, Global Technology Office
Migrating to the cloud
A 5 step model to manage risks [AMPRC]
1. What are the assets that can be moved to the cloud? Select Data, Applications, Processes, Functions
2. What are the deployment / service models? IaaS, PaaS, SaaS; Private, Partner, Public; External/Internal; Proprietary/Open; Perimeterized/Non
3. Who are the service providers who will fit the requirements?
4. What are the risks of each service provider? Create threat models; use checklists, questionnaires, heat maps
5. Select the right model, service provider and SLAs. Negotiate / renegotiate contracts, ensure risk mitigation strategies are in place, evaluate residual risk
Create scenarios and threat models
Area key: C = Confidentiality, I = Integrity, A = Availability

| Scenario | Area |
| What types of attacks can be launched by insiders (within provider)? | C/I |
| What types of attacks can be launched by outsiders? | C/I |
| How will the architecture scale to thousands of users and millions of transactions? | A |
| Will information cross trust boundaries – private to public to partner etc? | C |
| What events can cause service disruption from provider? | A |
How do we assess the risks?
A client must assess the risks/benefits through questions and checklists
Risks must be rated using overall impact and likelihood of occurrence
Heat maps will help identify the critical risks
How do we compare risks?
[Figure: scatter of Impact ($0, $100K, $500K, $1 MM) against Probability (0, 0.25, 0.50, 1.0). Regions labelled "Low impact, High Probability", "High impact, Low Probability" and "Fat Tail"]
Probability Of Occurrence Scoring Table

| Rating | Score | Description |
| Almost Certain | 0.8 – 1.0 | Definite, one or more impacts expected within one year |
| Likely | 0.6 – 0.8 | Likely, one or more impacts expected within one year |
| Moderate | 0.4 – 0.6 | Likely, one or more impacts expected within two to three years |
| Unlikely | 0.2 – 0.4 | Probable, impact expected within two to three years |
| Rare | 0.0 – 0.2 | Not probable, impact not expected to occur |
Impact Scoring Tables
Source: OWASP

Technical Impact
| Technical Impact | Description | Min Score | Max Score |
| Loss of confidentiality | How much data could be disclosed and how sensitive is it? | 0 | 1 |
| Loss of integrity | How much data could be corrupted and how damaged is it? | 0 | 1 |
| Loss of availability | How much service could be lost and how vital is it? | 0 | 1 |
| Loss of accountability | Are the threat agents' actions traceable to an individual? | 0 | 1 |

Business Impact
| Business Impact | Description | Min Score | Max Score |
| Financial damage | How much financial damage will result from an exploit? | 0 | 1 |
| Reputation damage | Would an exploit result in reputation damage that would harm the business? | 0 | 1 |
| Non-compliance | How much exposure does non-compliance introduce? | 0 | 1 |
| Privacy violation | How much personally identifiable information could be disclosed? | 0 | 1 |
Sample Risk Heat Map
[Figure: heat map of Probability Of Occurrence Score (vertical axis, 0.0 to 1.0, bands Rare, Unlikely, Moderate, Likely, Almost Certain) against Impact Score (horizontal axis, 0.0 to 1.0, bands Negligible, Low, Med, Very High, Extreme). Each cell holds the number of risks falling in that band pair; the individual cell values did not survive extraction]
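The assessment described on the preceding slides (probability-of-occurrence bands, OWASP technical and business impact factors scored 0 to 1, ranking by impact and probability, placement on a heat map) carried through in code. This is an added example and not code from the Cognizant deck: the aggregation rules (impact taken as the worse of the mean technical and mean business factor scores, risk as probability times impact, the severity cut-offs on that product) and the three sample scenarios are assumptions constructed for the example; only the band names, factor names and score ranges come from the slides.

```python
"""Scoring cloud-provider risk scenarios (added worked example, not from the deck).

Combines the deck's probability-of-occurrence bands with the OWASP-derived
impact factors (each rated 0..1) to rank threat scenarios and place them on
a heat map.  Assumed for this example: impact = worse of mean technical and
mean business scores; risk = probability * impact; severity cut-offs below.
"""
from dataclasses import dataclass
from statistics import mean

# Probability-of-occurrence bands from the deck's scoring table:
# (inclusive lower bound, label), checked from the top down.
PROBABILITY_BANDS = [
    (0.8, "Almost Certain"),
    (0.6, "Likely"),
    (0.4, "Moderate"),
    (0.2, "Unlikely"),
    (0.0, "Rare"),
]

# OWASP impact factors as named in the deck, each scored 0..1.
TECHNICAL_FACTORS = ("confidentiality", "integrity", "availability", "accountability")
BUSINESS_FACTORS = ("financial", "reputation", "non_compliance", "privacy")

# Heat-map severity labels applied to probability * impact (cut-offs assumed).
SEVERITY_CUTOFFS = [
    (0.6, "Extreme"),
    (0.4, "Very High"),
    (0.2, "Moderate"),
    (0.1, "Low"),
    (0.0, "Negligible"),
]


@dataclass
class Scenario:
    name: str
    probability: float      # probability of occurrence, 0..1
    technical: dict         # technical factor name -> score 0..1
    business: dict          # business factor name -> score 0..1
    loss_usd: float = 0.0   # estimated single-event loss, for expected-loss ranking


def _label(value, table):
    """Map a 0..1 value to the first band whose lower bound it meets."""
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"score out of range: {value}")
    for lower, label in table:
        if value >= lower:
            return label


def probability_band(p):
    return _label(p, PROBABILITY_BANDS)


def _factor_mean(scores, names):
    """Mean of the named factors; rejects missing or out-of-range entries."""
    missing = set(names) - set(scores)
    if missing:
        raise ValueError(f"missing impact factors: {sorted(missing)}")
    for n in names:
        if not 0.0 <= scores[n] <= 1.0:
            raise ValueError(f"factor {n} out of range: {scores[n]}")
    return mean(scores[n] for n in names)


def impact_score(s):
    """Worse of the technical and business views (assumption for this example)."""
    return max(_factor_mean(s.technical, TECHNICAL_FACTORS),
               _factor_mean(s.business, BUSINESS_FACTORS))


def risk_score(s):
    return s.probability * impact_score(s)


def severity(s):
    return _label(risk_score(s), SEVERITY_CUTOFFS)


def expected_loss(s):
    """Probability-weighted dollar loss, for the impact-vs-probability comparison."""
    return s.probability * s.loss_usd


def rank(scenarios):
    """Scenarios ordered from highest to lowest risk score."""
    return sorted(scenarios, key=risk_score, reverse=True)


def heat_map(scenarios):
    """Group scenario names by (probability band, severity) heat-map cell."""
    cells = {}
    for s in scenarios:
        cells.setdefault((probability_band(s.probability), severity(s)), []).append(s.name)
    return cells


# Constructed sample scenarios, loosely following the deck's scenario table.
SAMPLE = [
    Scenario("Insider attack within provider", 0.3,
             {"confidentiality": 0.9, "integrity": 0.7, "availability": 0.2, "accountability": 0.6},
             {"financial": 0.7, "reputation": 0.9, "non_compliance": 0.8, "privacy": 0.8},
             loss_usd=500_000),
    Scenario("Provider service disruption", 0.7,
             {"confidentiality": 0.0, "integrity": 0.1, "availability": 0.9, "accountability": 0.2},
             {"financial": 0.6, "reputation": 0.4, "non_compliance": 0.2, "privacy": 0.0},
             loss_usd=100_000),
    Scenario("Data crossing trust boundary during cloudburst", 0.9,
             {"confidentiality": 1.0, "integrity": 0.3, "availability": 0.1, "accountability": 0.6},
             {"financial": 0.5, "reputation": 0.8, "non_compliance": 1.0, "privacy": 0.9},
             loss_usd=1_000_000),
]

if __name__ == "__main__":
    for s in rank(SAMPLE):
        print(f"{s.name:48} p={s.probability:.2f} {probability_band(s.probability):14} "
              f"impact={impact_score(s):.2f} risk={risk_score(s):.2f} {severity(s):10} "
              f"E[loss]=${expected_loss(s):,.0f}")
    for cell, names in sorted(heat_map(SAMPLE).items()):
        print(cell, names)
```

The two rankings are deliberately kept apart: `rank` orders by the dimensionless probability-times-impact score that drives the heat map, while `expected_loss` gives the dollar view from the comparison slide, where a low-probability, high-loss "fat tail" scenario can outrank a frequent nuisance even though both land in similar heat-map cells.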
Important Security Domains
• Business impact analysis, plan, redundancy, backup, archival
• Multi factor, federated identity, provisioning, deprovisioning
• Algorithm, key length, key management
• External perimeter, structural internal barriers, access control, surveillance, power backup, fire
• Risk identification, analysis, evaluation, treatment, monitor and review
• Data storage, use, archival, destruction
• Multitenancy risk, hypervisor vulnerabilities
• Incident response, notification and remediation
• Security breach disclosure laws, regulatory, privacy, international laws
• Interoperability and movement of data between different service providers
• Regulations (SOX, HIPAA), data privacy, electronic discovery, incident response
• SDLC, binary analysis, scanners, web app firewalls
Cloud Controls Matrix for Compliance
Source: CSA
Scope? Service Provider / Tenant
Delivery Model?
Compliance? COBIT, HIPAA, ISO/IEC 27001:2005, NIST, PCI DSS, GAPP
List Of Controls:
• Compliance – Independent Audits
• Data Governance – Retention
• Data Governance – Secure Disposal
• Data Governance – Risk Assessments
• Facility Security
• Information Security – Policy
• Information Security – Baseline Requirements
• Information Security – Encryption
• Information Security – Incident Management
• Information Security – Incident Reporting
• Information Security – Reporting
• Security Architecture – Network Security
• Security Architecture – Segmentation
• Security Architecture – Audit Logging
Access Control
Does the provider have standardized mechanisms for Authentication,
Authorization and Access Control?
Are there robust password policies?
Is there support for two-factor authentication?
Application Security
Is security part of the SDLC process? (Esp. for SaaS / PaaS Providers)
Are standard vulnerabilities being addressed?
Buffer overflows, SQL injection, cross-site scripting
Are cloud-specific security issues addressed?
Multi-tenancy introduces new attack vectors such as cross-site scripting, cross-site
request forgery and hypervisor escape
Developing an application for internal or stand-alone use is not the same as developing
for the cloud
Are all network communications encrypted?
Synchronous: SSL / IPSec
Encryption and Key Management
Does service provider encrypt all data, while at rest or in motion?
Multi-tenanted architecture makes it easy for data to be leaked unless all data at rest is encrypted
Encrypting databases is of no use if SQL injection attacks exist
Does customer have a say in the encryption algorithm, key length and key management process?
Architecture
Is data crossing trust boundaries?
Is data being passed from private to public cloud regularly or through cloud bursts to accommodate spikes?
Are there specific safeguards at such boundaries?
Enforcement of intrusion detection / prevention, deep packet inspection, limiting DDOS attacks etc
Are the platforms hardened?
Appropriate patches, up-to-date anti-virus software and locking down of unnecessary services?
Virtualization has benefits and risks
Compliance
Is the service provider compliant with all the major regulations for my business?
SOX, HIPAA, GLBA, Basel II…
Where will my data be stored? Are there legal restrictions in data going outside the country?
Safe Harbor Principles: Companies operating in the European Union are not allowed to send personal data to countries outside the European Economic Area unless there is a guarantee that it will receive equivalent levels of protection.
Are there procedures to destroy the data when no longer needed? (Even if encrypted)
Does the provider keep adequate records in the event of litigation?
Is the data being backed up regularly and available / searchable?
Does the provider operate a Security Operations Center (SOC) to provide incident
management and response in the event of a breach?
Risk Mitigation Strategies
Deploy additional security wherever needed
Encryption, firewalls, Intrusion Detection (IDS), Data Loss prevention (DLP)
Supplementary backup
Multi-sourcing
Insurance, penalties and indemnities
Provider negotiation
Set extensive monitoring goals (KPIs)
Has the provider been audited?
Summary
Moving to the cloud has both risks and benefits
Conflict of interest between provider and consumer
Do your homework thoroughly before moving your data or assets
Use a standard process to evaluate risks across service providers
Ensure maximum coverage through SLAs, indemnity clauses and other contracts
Thank You
Approaches to extending the perimeter

| Approach | Description | Benefits | Disadvantages |
| Extending the enterprise into the cloud | Enterprise will set up an IPSec VPN connection to a server located on the cloud | Cloud servers are effectively ‘inside the perimeter’, so all the services within the enterprise will extend to the application in the cloud (e.g. Active Directory) | Viruses can propagate from the cloud into your enterprise |
| Extending the cloud into the enterprise | A cloud service provider will set up and run the service inside the enterprise (e.g. an email service run by a Service Provider within the enterprise) | A managed service set up ‘inside your data center’ and run by the provider | |
Policy and Organizational Risks
Lock-in
Loss of governance
Compliance challenges
Loss of business reputation due to co-tenant activities
Cloud service termination or failure
Technical Risks
Resource exhaustion (under or over provisioning)
Isolation failure
Malicious insider inside cloud provider
Management interface compromise (manipulation, availability of infrastructure)
Intercepting data in transit
Data leakage on up/download, intra-cloud
Insecure or ineffective deletion of data
Distributed Denial of Service (DDOS)
Economic Denial of Service (EDOS)
Loss of encryption keys
Undertaking malicious probes or scans
Service Engine compromise