Security and compliance in the cloud: A practical case study on risk management
Ajay Rathi
IDC Prediction for 2012
• 80% of new commercial enterprise apps will be deployed on cloud platforms
• AWS will exceed $1 billion in cloud services business in 2012, with Google's Enterprise business to follow within 18 months
• Expects a merger and acquisition (M&A) "feeding frenzy"
Gartner Prediction for 2012
• By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service
• At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud
• By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client
Forrester Prediction 2012
• Multi-cloud becomes the norm
• Cloud commoditization is creeping up the stack
• The Wild West of cloud procurement is over
• The first cloud brokers will emerge
• The lines between cloud and on-premises licensing models are blurring
Inhibition to Cloud Acceptance
• Awareness
• Security
• Compliance
• Inertia
Security: Responsible for Slowing Cloud Deployment
• Abuse and nefarious use of cloud computing
• Insecure interfaces and APIs
• Malicious insiders
• Shared technology
• Data loss or leakage
• Unknown risk profile
• Consolidation, M&A, closures
• Cloud regulations and SLA
Security: Responsible for Slowing Cloud Deployment
• Abuse & Nefarious Use of Cloud Computing
  – Weak registration process
  – Anonymity
  – Limited fraud detection capabilities
  – Data sits on common storage hardware
  – No knowledge of a neighbor's identity, security profile or intentions
  – Zeus Botnet command and control infrastructure run from a cloud environment
Security: Responsible for Slowing Cloud Deployment
• Insecure Interfaces and APIs
  – Provisioning, management, orchestration and monitoring all use these interfaces
  – From authentication and access control to encryption and activity monitoring, the interfaces must resist both accidental and malicious attempts to circumvent policy
  – Anonymous access and/or reusable tokens or passwords
  – Clear-text authentication or transmission of content
  – Inflexible access controls or improper authorizations
Security: Responsible for Slowing Cloud Deployment
• Malicious Insiders
  – Lack of transparency in provider processes and procedures
  – How employee access to physical and virtual assets is granted and monitored
  – No visibility into hiring standards
  – An attractive opportunity for an adversary
  – The level of access granted
Security: Responsible for Slowing Cloud Deployment
• Shared Technology Issues
  – Hypervisor flaws
  – Inadequate controls on administrative access to the hypervisor/VMM layer
  – No standard for resource recycling; information creep
  – Workloads of different trust levels consolidated without sufficient separation
  – Disk partitions and CPU caches not designed for strong compartmentalization
Security: Responsible for Slowing Cloud Deployment
• Data Loss or Leakage
  – Insufficient authentication, authorization and audit (AAA) controls
  – Inconsistent use of encryption and software keys
  – Persistence and remanence challenges
  – Disposal challenges
  – Data center reliability and DR
Security: Responsible for Slowing Cloud Deployment
• Unknown Risk Profile
  – Compliance with internal security procedures
  – Configuration hardening
  – Patching, auditing, logging
  – Storage of and access to logs
  – Security incident handling
Security: Responsible for Slowing Cloud Deployment
• Consolidation is concentration of risk
  – A Lehman/Titanic of the cloud
  – Link failures/sabotage against a country
• Closing down of a cloud provider
  – ZumoDrive: closing 01.06.2012
  – Megaupload: closed by the FBI
• Mergers and acquisitions
  – CenturyLink acquired Savvis for $2.5 billion
  – Verizon acquired Terremark for $1.4 billion
  – HP acquired Autonomy for $10.4 billion
  – SAP-Ariba, Oracle-Vitrue
Security: Responsible for Slowing Cloud Deployment
• Regulations and SLA
  – SLAs not robust enough for an enterprise move
  – No international regulations
  – EU privacy law
  – US Patriot Act
How to build cloud services
• Strategy
• Education
• Security framework
• Assessment
• Managing SLA
security and compliance in the cloud
Deciding What, When and How to Move to the Cloud
• Identify the asset for cloud deployment
  – Data
  – Applications/functions/processes
• Evaluate the asset
  – Sensitivity and importance of the asset
• Map the asset to potential cloud deployment models (CDM)
  – Public, private internal/external, community, hybrid
• Evaluate potential cloud service models (CSM) and providers
  – Degree of control at each SPI (SaaS/PaaS/IaaS) layer
  – Risk management vis-à-vis regulatory controls
• Sketch the potential data flow
  – Data flow between the organization, the cloud service and any other customer nodes
  – Identify risk exposure points
• Conclusion
  – Low-value assets: skip heavy controls
  – High-value assets: look at on-site inspection, discoverability and complex encryption schemes
  – High-value assets not subject to regulatory restriction: focus on technical controls
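The asset-evaluation steps above, worked as a small decision helper. This is an added example, not code from the deck: it rates an asset by the six "how would we be harmed if ..." questions from the editor's notes, maps the rating to the deployment models and controls the slides list, and flags exposure points in a sketched data flow. The impact scale, thresholds, model names and control wording are assumptions chosen for illustration.

```python
"""Added example (not from the original deck): a decision helper for the
'Deciding What, When and How to Move to the Cloud' procedure."""
from dataclasses import dataclass

# The six "how would we be harmed if ..." questions from the editor's notes.
SCENARIOS = ("public", "provider_insider", "outsider_manipulation",
             "failed_results", "unexpected_change", "unavailable")

# Deployment models listed on the slide (private covers internal/external).
DEPLOYMENT_MODELS = ("public", "community", "hybrid", "private")


@dataclass
class Asset:
    name: str
    harm: dict               # scenario -> impact 0 (none) .. 3 (severe), assumed scale
    regulated: bool = False  # subject to regulatory restriction?


def asset_value(asset):
    """Rate the asset by its worst harm scenario: 'low', 'medium' or 'high'."""
    worst = max(asset.harm.get(s, 0) for s in SCENARIOS)
    return "high" if worst >= 3 else "medium" if worst == 2 else "low"


def recommend(asset):
    """Map asset value to candidate deployment models and required controls."""
    value = asset_value(asset)
    if value == "low":
        # Deck: low-value assets skip heavy controls.
        return {"value": value, "models": list(DEPLOYMENT_MODELS),
                "controls": ["baseline AAA logging"]}
    if value == "medium":
        return {"value": value, "models": ["community", "hybrid", "private"],
                "controls": ["encryption at rest", "AAA controls and audit"]}
    # Deck: high-value assets need on-site inspection, discoverability and
    # strong encryption; regulated ones must also pin down the data location.
    controls = ["on-site inspection of provider", "discoverability",
                "encryption with customer-held keys"]
    models = ["hybrid", "private"]
    if asset.regulated:
        controls.append("identify and contractually fix data location")
        models = ["private"]
    return {"value": value, "models": models, "controls": controls}


def exposure_points(flow):
    """Risk exposure points in a sketched data flow: hops that cross a trust
    boundary (the org / cloud / customer prefix changes) without encryption."""
    return [(src, dst) for src, dst, encrypted in flow
            if src.split(":")[0] != dst.split(":")[0] and not encrypted]


if __name__ == "__main__":
    # Constructed sample: a customer PII store being considered for a SaaS CRM.
    pii = Asset("customer PII", {"public": 3, "provider_insider": 3,
                                 "unavailable": 1}, regulated=True)
    print(recommend(pii))
    flow = [("org:crm-users", "cloud:saas-crm", True),
            ("cloud:saas-crm", "cloud:backup", True),
            ("cloud:saas-crm", "customer:partner-portal", False)]
    print(exposure_points(flow))  # [('cloud:saas-crm', 'customer:partner-portal')]
```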
CSA Guidelines
Cloud Architecture
Governing the Cloud:
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Security, Business Continuity and Disaster Recovery
Operating in the Cloud:
• Data Center Operations
• Incident Response, Notification, Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
Governing the Cloud
• Governance: Secure the cloud before procurement
  – contracts, SLAs, architecture
• Governance: Know the provider's third parties, financial viability, employee vetting
• Legal: Plan for provider termination & return of assets
• Compliance: Identify data location when possible
• ILM: Persistence, protection
• Portability & Interoperability: SOA "loose coupling" principles
Operating the Cloud
• BCM/DR: Provider redundancy vs your own
• DC Ops: Provisioning, patching, logging
• Encryption: Encrypt data when possible; segregate key management from the cloud provider
• AppSec: Adapt the secure software development lifecycle
• Virtualization: Harden, roll back, port VM images
• IdM: Federation & standards, e.g. SAML, OpenID
Cloud reference model
• Software as a service (SaaS)
• Platform as a service (PaaS)
• Infrastructure as a service (IaaS)
The diagram's annotations: "Security control on infrastructure, application and data" beside the upper layers, and "Physical, environmental and virtualization security" beside the IaaS layer.
Consensus Assessment Initiative
• Research tools and processes to perform shared assessments of cloud providers
• Integrated with the Controls Matrix
• CAI questionnaire: approx. 140 provider questions to identify the presence of security controls or practices
• Use to assess cloud providers today, in procurement negotiation, for contract inclusion and to quantify SLAs
www.cloudsecurityalliance.org/cai.html
Managing SLA
• Most SLAs are written to protect the vendor
• Augment CSP SLAs with your OWN SLA
• Questions on data protection
• Questions on cost
• Track cloud service usage
Questions on DATA
• How is the data encrypted?
• Level of account access control
• Data storage location
• Use of subcontractors
• Data backup and restore
• Security of the data center
• Copies of data (termination/failure of vendor)
• Archival copies of the data to the customer?
• Legal enquiry on the customer data
• What types of auditing tools are available?
• How are compliance needs addressed?
Questions on COST
• What is the fee structure?
• Are there hidden costs?
• Are there add-on costs or fees for support?
• Are charges based upon traffic, usage or storage limits?
• Are there taxes or other external fees?
• Is there any type of price protection?
• Are there licensing fees above and beyond the service fees?
Ajay Rathi
Q&A: ajay.rathi@gmail.com


Editor's Notes

1. (1) A consumer is completely unaware of a neighbor's identity, security profile or intentions. The virtual machine running next to the consumer's environment could be malicious, looking to attack the other hypervisor tenants or sniff communications moving throughout the system. (2) Data sits on common storage hardware; it could become compromised through lax access management or malicious attack. (3) A security bulletin from Amazon Web Services reported that the Zeus Botnet was able to install and successfully run a command and control infrastructure in the cloud environment. Data is very mobile in VMs compared to traditional servers: storage administrators can easily reassign or replicate users' information across data centers to facilitate server maintenance, HA/DR or capacity planning. The EU Privacy Act forbids data processing or storage of residents' data within foreign data centers. The US Patriot Act allows federal agencies to present vendors with subpoenas and seize data.
2. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.
3. A provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary, ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
4. Workloads of different trust levels are consolidated onto a single physical server without sufficient separation. Adequate controls on administrative access to the hypervisor/VMM layer and to administrative tools are lacking.
5. Elastra's management servers handle provisioning and operation of the application, adding and removing servers as needed.
6. How would we be harmed if the asset became public and widely distributed? If an employee of our cloud provider accessed the asset? If the process or function were manipulated by an outsider? If the process or function failed to provide expected results? If the information/data were unexpectedly changed? If the asset were unavailable for a period of time?