Cloud Computing

Cloud Computing: Critical Areas of Focus To Manage Risk. Tom Witwicki CIPP, INFOSEC, Jan 13, 2010. Needing careful consideration of the risks to be managed (acknowledgement: Cloud Security Alliance): Cloud Architecture and Delivery Models; Risk Management; Legal; Compliance and Audit


Presentation Transcript


  1. Cloud Computing: Critical Areas of Focus To Manage Risk
     Tom Witwicki CIPP, INFOSEC, Jan 13, 2010

  2. Needing careful consideration of the risks to be managed (acknowledgement: Cloud Security Alliance):
     • Cloud Architecture and Delivery Models
     • Risk Management
     • Legal
     • Compliance and Audit
     • Information Lifecycle Management
     • Portability and Interoperability
     • Incident Response
     • Business Continuity
     • Data Center Operations
     • Encryption and Key Management
     • Identity and Access Management
     • Storage
     • Virtualization

  3. Control Disconnect
     • The rules for managing risk still apply, but the game has changed
     [Diagram labels: Enterprise Security Policy; Enterprise Control Requirements; Controls; Compliance/Auditing; Cloud Vendor: Control Design & Implementation; Control Monitoring]

  4. Characteristics of Cloud Computing
     • Abstraction of Infrastructure
       • Opaque from the application’s perspective
       • High levels of virtualization (OS, file systems)
     • Democratization of Resources
       • Pooled resources (shared, dedicated)
     • Services Oriented Architecture
       • Focus on delivery of services, not management
     • Elasticity/Dynamism
       • Rapidly expand or contract resource utilization
     • Utility Consumption Model
       • “All-you-can-eat” but “pay-by-the-bite”

  5. Service Delivery Models
     • SaaS (Software as a Service)
       • Least extensibility and greatest amount of security responsibility taken on by the cloud provider
     • PaaS (Platform as a Service)
       • Lies somewhere in the middle, with extensibility and security features which must be leveraged by the customer
     • IaaS (Infrastructure as a Service)
       • Greatest extensibility and least amount of security responsibility taken on by the cloud provider
     • “Classify” the service to determine the security responsibilities of the customer

  6. Deployment Modalities
     • Private
       • Single-tenant operating environment
       • On or off premises
       • “Trusted” consumers
     • Public
       • Single- or multi-tenant environment
       • Infrastructure owned and managed by the service provider
       • Consumers considered “untrusted”
     • Managed
       • Single- or multi-tenant
       • Infrastructure on premises, managed and controlled by the service provider
       • Consumers trusted or untrusted
     • Hybrid
       • Combination of public and private offerings
       • Application portability
       • Information exchange across disparate cloud offerings

  7. Cloud Reference Model
     [Diagram labels: SaaS, PaaS, IaaS]

  8. Mapping the Cloud to the Security Model
     • SaaS: SDLC, App Firewalls; Data Classification, DLP, Audit Logging, Encryption
     • PaaS: Config and Patch Mgt, Pen Testing
     • IaaS: Firewall rules, QoS, Anti-DDoS; Multi-level Security, Certificates and Key Mgt; HIDS/HIPS, Log Mgt, Encryption; Data Center Security, Redundancy, DR

  9. [Image-only slide; no text captured in the transcript]

  10. Risk Management
     • Issues
       • Ability of the user organization to assess risk
       • Limited usefulness of certifications (e.g. SAS 70, ISO 27001)
       • Many cloud service providers accept no responsibility for data stored (no risk transference)
       • User has no view of provider procedures governed by regulation or statute
         • Access and identity mgt, segregation of duties
       • Lack of clarity on data controls
         • Data backup and recovery, offsite storage, virtual provisioning (where is the data?), data removal

  11. Risk Management
     • Guidance
       • In-depth due diligence prior to executing contractual terms, SLA
       • Examine creating a Private or Hybrid Cloud that provides the appropriate level of controls
       • Comprehensive due diligence before using a Public Cloud for mission-critical components of the business
       • Request documentation on how the service is assessed for risk and audited for control weaknesses, and whether results are available to customers
       • Listing of all 3rd-party providers
       • What regulations and statutes govern the site, and how compliance is achieved

  12. Legal
     • Compliance Liabilities
       • Organizations are custodians of the personal data entrusted to them (in-cloud or off-cloud)
       • State (data breach), Federal (FTC Act), international (EU Data Protection) scope
       • Mandates that the organization impose appropriate security measures on its service providers (HIPAA, GLBA, MA 201 CMR 17.00, PCI)
       • Company relinquishes most controls over data in the cloud
       • Contract may be in the form of a “click-wrap” agreement which is not negotiated
       • Data encryption requirements!!!

  13. Legal
     • Location diligence
       • Understand in which country its data will be hosted (local laws have jurisdiction) – EU data transfer provisions
       • Contractually limit the service provider’s ability to subcontract
       • May want to ensure against data commingling
       • Technical/logistical limits to all of the above
     • Ensuring Privacy Protection
       • Align with Privacy Notices
       • Data not used for secondary purposes
       • Not disclosed to 3rd parties
       • Comply with individual opt-in/opt-out choices
       • Disclosure of security breach
       • May not be mature enough for regulated information!

  14. Legal
     • Responding to litigation requests
       • Identify compliance with e-discovery provisions – routinely not included in cloud service contracts
       • 3rd-party subpoena request notification
     • Monitoring
       • Ability to conduct compliance monitoring and testing for vulnerabilities
     • Termination
       • Must retrieve the data or ensure its destruction

  15. EPIC – Electronic Privacy Information Center
     • March 09 – filed a complaint with the FTC
       • Urged investigation into cloud computing services such as Google Docs
       • Determine adequacy of privacy and security safeguards
     • Computer researchers sent a letter to the Google CEO
       • Uphold privacy promises
       • HTTPS not the default security setting
       • Forces users to “opt in” for security

  16. Audit
     • Data Classification a must
       • Identify and segregate the data which needs the most stringent controls (based on impact assessment)
       • Match controls to data classification (not all data is created equal)
         • Protected (regulated)
         • Confidential (need to know)
         • Public (approval to make public)
     • Recommended control: encrypt all regulated data
       • In transit and at rest
       • Network segregation seldom feasible

  17. Portability and Interoperability
     • What happens when the cloud provider isn’t good enough?
       • Unacceptable cost increase
       • Provider goes out of business
       • One or more cloud services discontinued
       • Service quality degraded
     • Onus on the customer to have portability as a design goal

  18. Portability and Interoperability
     • SaaS
       • Ensure easy access to data in a format that is documented
       • Keep regular backups outside the cloud
       • Consider best-of-breed providers whose competitors have capabilities to migrate data
     • IaaS
       • Application deployment on top of the virtual machine image
       • Backups kept in a cloud-independent format (e.g. independent of the machine image)
       • Copies of backups moved out of the cloud regularly
     • PaaS
       • Application development architecture employed to create an abstraction layer
       • Also data backups off-cloud

  19. Business Continuity
     • Obtain specific written commitments from the provider on recovery objectives
     • Understand your data and its recovery objectives (RTO, RPO)
     • Identify interdependencies in the provider’s infrastructure
       • Site risk (earthquake, flood, airport)
       • Infrastructure risk (redundancy of utilities, communication lines)
       • Onsite inspections
     • Integrate provider DR plans into your organization’s BCP

  20. Data Center Operations
     • You have neighbors! Who are they?
       • Potential to consume an inordinate amount of resources, which impacts your performance?
       • Providers seek to maximize resource utilization
     • For IaaS and PaaS
       • Understand the provider’s patch mgt policies (notification, rollbacks, testing)
       • Compartmentalization of resources (data mixing) and segregation of duties
       • Logging practices (what, how long?)
     • Test the customer service function regularly
     • Indicator for operational quality – presence of staging facilities for both provider and customer

  21. Incident Response
     • Cloud Computing Community incident database:
       • Malware infection
       • Data breach
       • Man-in-the-middle discovery
       • User impersonation
     • Detection
       • Application firewalls, proxies and logging tools are key
       • No standard application-level logging framework
     • Notification
       • Requires a registry of application owners by interface
       • Application shutdown is normally the first act taken – appropriate remediation?
       • Provider and customers need a defined process to collaborate on decisions
       • Criminal investigation – evidence capture?
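The detection bullet says that application firewalls, proxies and logging tools are key, and the slide lists user impersonation among the incident types the community database tracks. As an added example that is not part of the deck, the Go program below runs a small detector over a constructed log excerpt: it parses space-separated key=value records and flags any session token that is presented from more than one client address, or for more than one account, which are two indicators a customer would want routed into the notification process on this slide. The log format, the field names (`session`, `user`, `ip`, `action`) and every sample line are assumptions made for this example; real applications rarely share a format, which is exactly the gap the slide points at.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is one parsed application log record.
type Event struct{ Session, User, IP, Action string }

// parseLine reads space-separated key=value pairs, the constructed format of
// SampleLog below (an assumption for this example). A record must carry
// session, user and ip to count; anything else is reported as unparseable.
func parseLine(line string) (Event, bool) {
	var e Event
	for _, field := range strings.Fields(line) {
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch k {
		case "session":
			e.Session = v
		case "user":
			e.User = v
		case "ip":
			e.IP = v
		case "action":
			e.Action = v
		}
	}
	return e, e.Session != "" && e.User != "" && e.IP != ""
}

// Finding is a session token whose usage pattern suggests it was stolen or forged.
type Finding struct {
	Session string
	Users   []string // distinct accounts the token was presented for
	IPs     []string // distinct client addresses that presented it
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Detect flags every session seen from more than one client IP, or bound to
// more than one account, within the lines it is given.
func Detect(lines []string) []Finding {
	type usage struct{ users, ips map[string]bool }
	bySession := map[string]*usage{}
	for _, line := range lines {
		e, ok := parseLine(line)
		if !ok {
			continue // unparseable line; in production count these, they hide coverage gaps
		}
		u := bySession[e.Session]
		if u == nil {
			u = &usage{map[string]bool{}, map[string]bool{}}
			bySession[e.Session] = u
		}
		u.users[e.User] = true
		u.ips[e.IP] = true
	}
	var findings []Finding
	for id, u := range bySession {
		if len(u.users) > 1 || len(u.ips) > 1 {
			findings = append(findings, Finding{id, sortedKeys(u.users), sortedKeys(u.ips)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Session < findings[j].Session })
	return findings
}

// SampleLog is a constructed excerpt, not captured traffic: s1 changes client
// address mid-session, s2 is presented for two different accounts, s3 is normal.
var SampleLog = []string{
	"ts=2010-01-13T09:00:01Z session=s1 user=alice ip=10.0.0.5 action=login",
	"ts=2010-01-13T09:00:09Z session=s1 user=alice ip=10.0.0.5 action=view_report",
	"ts=2010-01-13T09:02:44Z session=s1 user=alice ip=198.51.100.7 action=export_report",
	"ts=2010-01-13T09:03:10Z session=s2 user=bob ip=10.0.0.9 action=login",
	"ts=2010-01-13T09:03:30Z session=s2 user=carol ip=10.0.0.9 action=change_password",
	"ts=2010-01-13T09:04:00Z session=s3 user=dave ip=10.0.0.12 action=login",
	"malformed line without the expected fields",
}

func main() {
	for _, f := range Detect(SampleLog) {
		fmt.Printf("session %s: users=%v ips=%v\n", f.Session, f.Users, f.IPs)
	}
}
```

Both indicators are heuristics, not proof: a client changing address can be a laptop moving between networks, so the finding should open a triage step under the slide's defined provider/customer process rather than trigger the reflexive application shutdown the slide questions.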

  22. Application Security
     • What security controls must the application provide over and above inherent cloud controls?
     • How must an enterprise SDLC change to accommodate cloud computing?
     • Issues:
       • Multi-tenant environment
       • Lack of direct control over the environment
       • Access to data by the cloud vendor
       • Managing application “secret keys” which identify valid accounts

  23. Application Security – IaaS model
     • Virtual image
       • Should undergo security verification and hardening
       • Conform to enterprise trusted host baselines
       • Alternative: use a trusted 3rd party for the virtual image
     • Inter-host communication
       • Assume an untrusted network
       • Authentication and encryption
     • Codify trust with SLA
       • Security measures
       • Security testing

  24. Application Security – PaaS model
     • Enterprise Service Bus (ESB)
       • Asynchronous messaging
       • Message routing
     • Where multi-tenanted, the ESB will be shared
       • Segmenting based on classifications not available
       • Securing messages is the responsibility of the application

  25. Application Security – SaaS model
     • SDLC
       • Verify/audit the maturity of the vendor’s SDLC
     • Custom code extensions
     • Data exchange via APIs

  26. Encryption and Key Management
     • Encryption for confidentiality and integrity
       • Data at rest (IaaS, PaaS, SaaS)
       • Data in transit (within the provider’s network)
       • On backup media
     • Key Management
       • Secure key stores
       • Access to key stores
       • Key backup and recoverability
       • OASIS Key Management Interoperability Protocol (KMIP) – emerging standard

  27. Encryption and Key Management – Recommendations
     • Assure regulated and/or sensitive customer data is encrypted in transit over the cloud provider’s internal network, in addition to being encrypted at rest
     • Segregate key management from the cloud provider hosting the data, creating a chain of separation
       • Protects both when compelled by legal mandate
     • Contractual assurance that encryption adheres to industry or government standards
     • Understand how cloud providers provide role management and separation of duties (key mgt)
     • In IaaS environments, understand how sensitive information and key material otherwise protected by traditional encryption may be exposed during usage
       • E.g. virtual machine swap files and other temporary data storage locations may also need to be encrypted

  28. Encryption and Key Management – Recommendations continued
     • If the cloud provider must perform key management
       • The provider has defined processes for a key management lifecycle: how keys are generated, used, stored, backed up, recovered, rotated, and deleted
       • Key sets should be unique per customer
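Slides 16, 26, 27 and 28 together ask for regulated data to be encrypted at rest, for key management to be segregated from the provider hosting the data, for key sets unique per customer, and for a lifecycle covering generation, use, storage, rotation and deletion. The Go program below is an added illustration of one way to meet all four, written for this page and not taken from the deck or from the Cloud Security Alliance guidance. It assumes a hypothetical customer-side `KeyStore` standing in for a real KMS or HSM, and uses envelope encryption with AES-256-GCM from Go's standard library: each object gets its own data key (DEK), which is wrapped under the tenant's current key-encryption key (KEK); the provider only ever stores the envelope and never sees a KEK. Rotation appends a new KEK version, `Rewrap` moves an existing envelope onto it without re-encrypting the bulk data, and deleting a tenant's KEK versions makes everything wrapped under them unrecoverable, which is the lifecycle's final step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the provider stores: bulk ciphertext plus the data key
// wrapped under a customer-side KEK that the provider never holds.
type Envelope struct {
	Customer   string // tenant the object belongs to
	KEKVersion int    // KEK version that wrapped the data key
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, plaintext)
}

// KeyStore models a customer-operated key service (hypothetical, not a real
// KMS API): one KEK set per tenant, a new version appended on every rotation.
type KeyStore struct{ keks map[string][][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keks: map[string][][]byte{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must stop the program, never fall back
	}
	return b
}

// Provision creates a fresh AES-256 KEK; on an existing tenant it is a rotation,
// because Encrypt always wraps under the newest version.
func (ks *KeyStore) Provision(customer string) {
	ks.keks[customer] = append(ks.keks[customer], randomBytes(32))
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this cannot happen
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal returns nonce||ciphertext; aad binds the blob to the tenant it belongs to.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt makes a per-object data key, encrypts the plaintext with it, and wraps
// the data key under the tenant's newest KEK.
func (ks *KeyStore) Encrypt(customer string, plaintext []byte) (*Envelope, error) {
	versions := ks.keks[customer]
	if len(versions) == 0 {
		return nil, errors.New("no KEK provisioned for " + customer)
	}
	v, dek := len(versions)-1, randomBytes(32)
	return &Envelope{
		Customer:   customer,
		KEKVersion: v,
		WrappedDEK: seal(versions[v], dek, []byte(customer)),
		Ciphertext: seal(dek, plaintext, []byte(customer)),
	}, nil
}

func (ks *KeyStore) unwrap(env *Envelope) ([]byte, error) {
	versions := ks.keks[env.Customer]
	if env.KEKVersion < 0 || env.KEKVersion >= len(versions) {
		return nil, errors.New("KEK version not available")
	}
	return open(versions[env.KEKVersion], env.WrappedDEK, []byte(env.Customer))
}

// Decrypt unwraps the data key with the recorded KEK version, then the data.
func (ks *KeyStore) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := ks.unwrap(env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(env.Customer))
}

// Rewrap moves an envelope onto the newest KEK after a rotation; only the small
// wrapped key changes, the bulk ciphertext is left untouched.
func (ks *KeyStore) Rewrap(env *Envelope) error {
	dek, err := ks.unwrap(env)
	if err != nil {
		return err
	}
	newest := len(ks.keks[env.Customer]) - 1
	env.KEKVersion, env.WrappedDEK = newest, seal(ks.keks[env.Customer][newest], dek, []byte(env.Customer))
	return nil
}
```

Two design points carry the slides' recommendations: the tenant name is authenticated data on both GCM layers, so an envelope relabelled to another customer fails authentication even before the wrong KEK is consulted, and old KEK versions are retained only until every envelope has been re-wrapped, after which deleting them from the customer-side store (here, removing the tenant's entry from `keks`) ends the lifecycle without the provider's cooperation.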

  29. Identity Management
     • Federated Identity Management
       • Needed to leverage the enterprise IM and SSO
       • SAML the leading standard
       • Many cloud vendors are immature in adoption of federation standards
       • With IaaS and PaaS, integration will have to be built

  30. Identity Management
     • User Management
       • Understand the cloud provider’s capabilities
       • Provisioning
       • De-provisioning
     • Authentication
       • Password controls
       • Password strength
     • Authorization
       • Usually proprietary
       • Urge XACML-compliant entitlement
     • Consider “Identity as a Service”
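The authorization bullet urges XACML-compliant entitlement, that is, decisions derived from subject, resource and action attributes under a policy with an explicit rule-combining algorithm, rather than permissions hard-wired into each vendor's proprietary scheme. The Go code below is an added illustration of that model; it is not an XACML engine and not code from the deck. It evaluates a hypothetical policy over the three classifications from slide 16 (Protected, Confidential, Public) with deny-overrides combining, and a default of NotApplicable that the enforcement point treats as deny. The policy rules, attribute names and tenant names are all assumptions made for this example.

```go
package main

import "fmt"

// Attributes carry the facts a decision is made from (hypothetical names).
type Attributes map[string]string

// Request is the question put to the policy decision point.
type Request struct {
	Subject  Attributes
	Resource Attributes
	Action   string
}

// Effect mirrors the XACML decision vocabulary.
type Effect int

const (
	NotApplicable Effect = iota
	Permit
	Deny
)

func (e Effect) String() string { return [...]string{"NotApplicable", "Permit", "Deny"}[e] }

// Rule is one policy rule; Match is its target/condition predicate.
type Rule struct {
	Name   string
	Effect Effect
	Match  func(Request) bool
}

// Evaluate combines rules with deny-overrides: any matching Deny wins;
// otherwise Permit if some rule permitted; otherwise NotApplicable.
// The second return value names the rule that decided, for audit logging.
func Evaluate(rules []Rule, r Request) (Effect, string) {
	decision, reason := NotApplicable, "no rule matched"
	for _, rule := range rules {
		if !rule.Match(r) {
			continue
		}
		if rule.Effect == Deny {
			return Deny, rule.Name
		}
		decision, reason = Permit, rule.Name
	}
	return decision, reason
}

// Authorized is the enforcement point's view: only an explicit Permit opens the door.
func Authorized(rules []Rule, r Request) bool {
	e, _ := Evaluate(rules, r)
	return e == Permit
}

// Policy is a constructed entitlement policy over the deck's three
// classifications; it is an assumption for this example, not a standard.
var Policy = []Rule{
	{"deny-cross-tenant", Deny, func(r Request) bool {
		return r.Resource["classification"] != "Public" && r.Subject["tenant"] != r.Resource["tenant"]
	}},
	{"deny-protected-write-unless-owner", Deny, func(r Request) bool {
		return r.Resource["classification"] == "Protected" && r.Action == "write" && r.Subject["role"] != "data-owner"
	}},
	{"permit-public-read", Permit, func(r Request) bool {
		return r.Resource["classification"] == "Public" && r.Action == "read"
	}},
	{"permit-confidential-need-to-know", Permit, func(r Request) bool {
		return r.Resource["classification"] == "Confidential" &&
			r.Subject["project"] != "" && r.Subject["project"] == r.Resource["project"]
	}},
	{"permit-protected-cleared", Permit, func(r Request) bool {
		return r.Resource["classification"] == "Protected" && r.Subject["clearance"] == "regulated"
	}},
}

func main() {
	req := Request{
		Subject:  Attributes{"tenant": "acme", "role": "analyst", "clearance": "regulated"},
		Resource: Attributes{"tenant": "acme", "classification": "Protected"},
		Action:   "write",
	}
	e, why := Evaluate(Policy, req)
	fmt.Println(e, why) // Deny deny-protected-write-unless-owner
}
```

Keeping the rules as data separate from the application is what makes the entitlement portable between providers: the same policy can be evaluated on-premises, in a PaaS, or by an "Identity as a Service" broker, and the returned rule name gives the audit trail the Audit slide asks for.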

  31. Some Parting Thoughts
     • New technology: old vulnerabilities remain and new ones arise
     • Loss of security by “default” – trust boundaries
     • Commingling challenges integrity and confidentiality
     • Jurisdiction control and regulatory issues
     • Virtualization
       • Security through isolation, but...
       • Virtual infrastructure increases the risk
     • Assess risk, mitigate, formally accept
     • http://csrc.nist.gov/groups/SNS/cloud-computing/
