Cloud Risks and Opportunities

Cloud Risks and Opportunities

John Howie

COO

Cloud Security Alliance

About  the  Cloud  Security  Alliance  

• 

Global,  not-­‐for-­‐profit  organiza;on  

• 

Building  security  best  prac;ces  for  next  genera;on  IT  

• 

Research  and  Educa;onal  Programs  

• 

Cloud  Provider  Cer;fica;on  

• 

User  Cer;fica;on  

• 

Awareness  and  Marke;ng  

• 

The  globally  authorita;ve  source  for  Trust  in  the  Cloud  

“To  promote  the  use  of  best  prac1ces  for  providing  security  assurance   within  Cloud  Compu1ng,  and  provide  educa1on  on  the  uses  of  Cloud  

CSA  Fast  Facts  

• 

Founded  in  2009  

• 

Membership  stats  

– 

48,000  individual  members,  66  chapters  globally  

– 

170+  corporate  members  

– 

Major  cloud  providers,  tech  companies,  infosec  leaders,  

governments,  financial  ins;tu;ons,  retail,  healthcare  and  more  

• 

Offices  in  SeaWle  USA,  Singapore,  Greece  

• 

Over  30  research  projects  in  25  working  groups  

• 

Strategic  partnerships  with  governments,  research  

Growing  to  serve  the  Industry    

• 

2009  

–  CSA  launch  at  RSA  2009  with  Security  Guidance  for   Cri;cal  Areas  of  Focus  in  Cloud  Compu;ng  

–  6,000  members  

• 

2010  

–  Launch  Cer;ficate  of  Cloud  Security  Knowledge   (CCSK)  

–  15,000  members  

• 

2011  

–  Launch  CSA  Security,  Trust  and  Assurance  Registry   (STAR)  

–  27,000  members  

• 

2012  

–  Launch  CSA  Mobile  and  Big  Data  research  to   address  emerging  needs  

–  42,000  members   Nort h   Amer ica   0   10,000   20,000   30,000   40,000   50,000   Membership  Growth  

•  Top  Threats  WG  formed  in  2009  to  engage   experts  and  the  broader  community  to   iden;fy  top  security  threats  for  Cloud   Compu;ng  

•  Purpose  of  the  series  of  reports  was  to  

educate  cloud  providers/consumers  on  how   to  mi;gate  risk  when  deploying/adop;ng   cloud  compu;ng  

•  Expanded  the  report  from  the  “Seven   Deadly  Sins”  to  the  “Evil  8”  to  the  

“Notorious  9”  in  2013  

•  New  version  mapped  to  Cloud  Controls   Matrix  and  Risk  Matrix  added  (Actual  vs.   Perceived  Risk)  

The  Notorious  Nine  can  be  downloaded  here  

• 

Surveyed  over  300  Security  

Professionals  from  50  countries  

globally  

• 

Validated  that  the  threat  lis;ng  

reflects  the  most  current  

concerns  of  the  industry  

• 

Reflected  current  consensus  

among  experts  about  the  most  

significant  threats  to  cloud  

security  

• 

Experts  iden;fied  nine  cri;cal  

threats  to  cloud  compu;ng  in  

2013  

9 Threats Identified (1 – 4)

• 

#1  Threat:  Data  Breaches  

– 

Ranking  Comparison  

• 

_{#2  Threat:  Data  Loss}  

– 

Ranking  Comparison    

• 

#3  Threat:  Account  or  

Service  Traffic  Hijacking  

– 

Ranking  Comparison    

• 

_{#4  Threat:  Insecure}  

Interfaces  and  APIs  

9 Threats Identified (5 – 9)

•  #

5  Threat:  Denial  of  Service  

–  Ranking  Comparison  

• 

#6  Threat:  Malicious  Insiders  

–  Ranking  Comparison    

• 

#7  Threat:  Abuse  of  Cloud  Services  

–  Ranking  Comparison    

• 

#8  Threat:  Insufficient  Due  

Diligence  

–  Ranking  Comparison  

• 

#9  Threat:  Shared  Technology  

Vulnerabili;es  

Internet  Threats  

• 

_{AWacks  against  internet  infrastructure}  

con;nue  to  plague  us  

– 

Rou;ng  hijacks  (BGP)  

– 

DNS  compromise  

– 

PKI  

• 

_{Some  solu;ons  exist,  but…}  

– 

The  current  protocols  are  fundamentally  broken  

– 

We  need  to  start  over  (IPv6  is  not  a  solu;on)  

Tradi;onal  Approach  

• 

Tradi;onally  development,  test  and  produc;on  

environments  were  strictly  separated  

–  Developers  worked  in  a  dedicated  environment  and  handed   completed  code  over  to  testers  

–  Testers  work  in  a  separate  environment  and  perform  unit,  func;onal   and  end-­‐to-­‐end  tes;ng  

–  Tested  and  built  code  is  handed  over  to  Opera;ons  staff  who  deploy  in   pre-­‐produc;on  environment  to  perform  deployment  and  integra;on   tes;ng  before  signing  release  off  

–  Released  code  is  deployed  into  produc;on  environment  by  Opera;ons   staff  

• 

Developers  and  testers  do  not  have  access  to  

produc;on  environment  

Classic  Solware  Development  

Dev  

Test  

Pre-­‐Prod  

Prod  

Modern  Approach:  DevOps  

• 

Olen  leveraged  in  conjunc;on  with  Agile  Development,  Developer  

Opera;ons  (DevOps)  is  just  what  it  sounds  like  

–  Developers  are  responsible  for  development  and  opera;ons  management  of  their   solware  

–  Separa;on  between  environments  can  be  eroded:  code  is  developed,  tested  and   deployed  in  produc;on  environment  

• 

Ra;onale  behind  DevOps  is  that  developers  can  quickly  roll  out  new  

features  and  fix  problems  as  they  are  discovered  

–  Cited  as  cri;cal  market  advantage  in  highly  compe;;ve  industries  such  as  Search,   Social  Media,  Collabora;on,  etc.  

DevOps  Solware  Development  

• Development  might  be   done  in  situ,  in  the   produc;on  

environment   • Tes;ng  is  usually  done  

by  deploying  to  a   limited  popula;on  of   users  and  watching   their  experiences  

• Feedback  can  be   structured,  ad  hoc,  or   even  a  percep;on   • Deployment  is  

accomplished  by   turning  on  new   features  to  all  users   rather  than  deploying   new  solware  

Deployment   _Feedback  User  

Development   Test  

DevOps  Security  Challenge  

• 

PCI  DSS  v3  

–  6.4.1  Separate  development/test  environments  from  produc;on  

environments,  and  enforce  the  separa;on  with  access  controls.  

–  6.4.2  Separa;on  of  du;es  between  development/test  and  produc;on  

environments  

• 

ISO/IEC  27002:2005  

–  10.1.4  Separa;on  of  development,  test,  and  opera;onal  facili;es   •  Control:  Development,  test,  and  opera;onal  facili;es  should  be  

separated  to  reduce  the  risks  of  unauthorised  access  or  changes  to   the  opera;onal  system.  

Summary  

• 

_{Cloud  compu;ng  is  s;ll  a  developing  field}  

– 

Significant  pressure  on  costs  and  agility  mean  

some  security  issues  might  be  passed  over  

– 

New  technology  will  bring  new  issues  

• 

_{Cloud  providers  are  probably  beWer  than  you}  

at  protec;ng  your  data  

– 

The  problem  is  that  they  might  be  doing  it  in  a  

way  that  violates  your  compliance  obliga;ons  

THANK YOU

[email protected]

[email protected]

[email protected]