The document discusses security and compliance challenges related to cloud adoption, including concerns around data security, regulatory compliance, and lack of visibility and control over cloud infrastructure. It analyzes predictions that cloud adoption will continue growing rapidly but security concerns will remain a hindrance. Recommendations are provided around conducting risk assessments, deciding what assets to move to the cloud based on sensitivity, and strategies for managing security, compliance, and service level agreements with cloud providers.
2. IDC Prediction for 2012
• 80% of new commercial enterprise apps will be deployed on cloud platforms
• AWS [will] exceed $1 billion in cloud services business in 2012, with Google's Enterprise business to follow within 18 months
• Expects a merger and acquisition (M&A) "feeding frenzy"
3. Gartner Prediction for 2012
• By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service
• At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer-sensitive data in the public cloud
• By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client
4. Forrester Prediction 2012
• Multi-cloud becomes the norm
• Cloud commoditization is creeping up the stack
• The Wild West of cloud procurement is over
• The first cloud brokers will emerge
• The lines between cloud and on-premises licensing models are blurring
6. Security: Responsible for Slowing Cloud Deployment
Abuse and Nefarious Use of Cloud Computing
Insecure Interfaces and APIs
Malicious Insiders
Shared Technology
Data Loss or Leakage
Unknown risk profile
Consolidation, M&A, closures
Cloud regulations and SLA
7. Security: Responsible for Slowing Cloud Deployment
• Abuse & Nefarious Use of Cloud Computing
– Weak registration process
– Anonymity
– Fraud detection capabilities
– Common storage data
– Neighbor's identity, security profile or intentions
– Zeus Botnet command and control infrastructure
8. Security: Responsible for Slowing Cloud Deployment
• Insecure Interfaces and APIs
– Provisioning, management, orchestration and monitoring are all performed through these interfaces
– They must cover everything from authentication and access control to encryption and activity monitoring
– Anonymous access and/or reusable tokens or passwords
– Clear-text authentication or transmission of content
– Inflexible access controls or improper authorizations
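The "reusable tokens or passwords" and "clear-text authentication" items above describe one failure: a credential that is sent as-is and can simply be resent. A common defence for management APIs is to sign each request with a per-client secret over the method, path, body hash, a timestamp and a one-time nonce, so a captured request is useless after its freshness window and cannot be replayed inside it. The following is an added example written for this page, not code from the deck or any provider's API; the client id, the shared secret and the 300-second window are constructed values.

```python
import hashlib
import hmac
import time

# Constructed demo secret for one API client. A real deployment keeps this in a
# secrets store and issues one secret per client; it is never sent on the wire.
CLIENT_SECRETS = {"client-A": b"constructed-shared-secret-for-demo-only"}

MAX_SKEW_SECONDS = 300  # requests whose timestamp is further off than this are rejected


def canonical_string(method, path, body, timestamp, nonce):
    """Deterministic representation of everything the server must be able to trust."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(client_id, method, path, body, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical string with the client's secret."""
    secret = CLIENT_SECRETS[client_id]
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RequestVerifier:
    """Server side: accept a call only if the signature is valid, the timestamp is
    fresh and the nonce has not already been used inside the freshness window."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so the check is testable
        self._seen_nonces = {}       # nonce -> time after which it may be forgotten

    def _forget_expired_nonces(self):
        now = self._now()
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t > now}

    def verify(self, client_id, method, path, body, timestamp, nonce, signature):
        secret = CLIENT_SECRETS.get(client_id)
        if secret is None:
            return False, "unknown client"
        now = self._now()
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        self._forget_expired_nonces()
        if nonce in self._seen_nonces:
            return False, "replayed nonce"
        msg = canonical_string(method, path, body, timestamp, nonce).encode()
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # constant-time comparison: a plain == would leak how many bytes matched
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        # only a correctly signed request consumes a nonce, so unsigned junk
        # cannot pre-burn nonces that a legitimate client is about to use
        self._seen_nonces[nonce] = now + MAX_SKEW_SECONDS
        return True, "ok"


if __name__ == "__main__":
    ts = int(time.time())
    body = b'{"size": "m1.small"}'   # constructed request body
    sig = sign_request("client-A", "POST", "/v1/instances", body, ts, "nonce-0001")
    verifier = RequestVerifier()
    print(verifier.verify("client-A", "POST", "/v1/instances", body, ts, "nonce-0001", sig))
    # the identical request sent again is a replay and is refused
    print(verifier.verify("client-A", "POST", "/v1/instances", body, ts, "nonce-0001", sig))
```

The nonce cache only needs to remember values for the freshness window, which is why the timestamp check comes first: anything outside the window is dropped before it touches the cache. The body hash in the canonical string is what makes a tampered payload fail verification even when the attacker keeps the original headers.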
9. Security: Responsible for Slowing Cloud Deployment
• Malicious Insiders
– Transparency in provider process and procedure
– Access to physical and virtual assets
– No visibility into the hiring standards
– Attractive opportunity for an adversary
– The level of access granted
10. Security: Responsible for Slowing Cloud Deployment
• Shared Technology Issues
– Hypervisor flaws
– Control of administrative access
– Standards for resource recycling and information creep
– Workloads of different trust levels
– Disk partitions and CPU caches not designed for strong compartmentalization
11. Security: Responsible for Slowing Cloud Deployment
• Data Loss or Leakage
– Insufficient authentication, authorization, and audit (AAA) controls
– Inconsistent use of encryption and software keys
– Persistence and remanence challenges
– Disposal challenges
– Data center reliability and DR
12. Security: Responsible for Slowing Cloud Deployment
• Unknown Risk Profile
– Compliance of the internal security procedures
– Configuration hardening
– Patching, auditing, logging
– Storage of and access to logs
– Security incident handling
13. Security: Responsible for Slowing Cloud Deployment
• Consolidation is concentration of risk
– Lehman/Titanic of cloud
– Link failures/sabotage against a country
• Closing down of cloud provider
– ZumoDrive: closing 01.06.2012
– Megaupload: closed by FBI
• Mergers and Acquisitions
– CenturyLink acquired Savvis for $2.5 billion
– Verizon acquired Terremark for $1.4 billion
– HP acquired Autonomy for $10.4 billion
– SAP: Ariba; Oracle: Vitrue
14. Security: Responsible for Slowing Cloud Deployment
• Regulations and SLA
– SLAs not robust enough for an enterprise move
– No international regulations
– EU privacy law
– US Patriot Act
15. How to build cloud services
Strategy
Education
Security Framework
Assessment
Managing SLA
17. Deciding What, When and How to Move to the Cloud
• Identify the asset for the cloud deployment
– Data
– Applications/Functions/Processes
• Evaluate the asset
– Sensitivity and importance of the asset
• Map the asset to potential cloud deployment models (CDM)
– Public, private internal/external, community, hybrid
• Evaluate potential cloud service models (CSM) and providers
– Degree of control at each SPI layer
– Risk management vis-à-vis regulatory controls
18. Deciding What, When and How to Move to the Cloud
• Sketch the potential data flow
– Data flow between the organization, the cloud service and any other customer nodes
– Identify risk exposure points
• Conclusion
– Low-value assets: skip heavy controls
– High-value assets: look at on-site inspection, discoverability and complex encryption schemes
– High-value assets not subject to regulatory restriction: focus on technical controls
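Slides 17 and 18 describe one procedure: score each asset against the six harm questions, derive its sensitivity, map it to the deployment models that remain acceptable, pick controls according to the conclusion rules, and walk the data flow for exposure points. The script below carries that procedure through on a constructed asset inventory. It is an added example for this page, not a CSA tool or code from the deck; the 0-3 scoring, the tier thresholds and the model/control tables are this example's own assumptions, chosen to match the slide's conclusions.

```python
from dataclasses import dataclass

# The six harm questions asked of each asset (from the slides' speaker notes);
# answers are scored 0 (no harm) to 3 (severe harm). Scoring scale is assumed.
HARM_QUESTIONS = (
    "made_public",                # asset becomes public and widely distributed
    "provider_employee_access",   # a cloud-provider employee accesses it
    "manipulated_by_outsider",    # process/function manipulated by an outsider
    "wrong_results",              # process/function fails to give expected results
    "unexpected_change",          # information/data unexpectedly changed
    "unavailable",                # asset unavailable for a period of time
)

DEPLOYMENT_MODELS = ("public", "community", "private external", "private internal", "hybrid")


@dataclass
class Asset:
    name: str
    kind: str                 # "data" or "application/function/process"
    harm: dict                # question -> 0..3
    regulated: bool = False   # subject to regulatory restriction on location/handling


def sensitivity(asset):
    """Tier by the single worst answer: an asset is as sensitive as its costliest loss."""
    worst = max(asset.harm.get(q, 0) for q in HARM_QUESTIONS)
    if worst >= 3:
        return "high"
    if worst == 2:
        return "medium"
    return "low"


def candidate_models(asset):
    """Map the asset to the deployment models still acceptable at its tier.
    The mapping is this example's assumption, not a published standard."""
    tier = sensitivity(asset)
    if tier == "low":
        return list(DEPLOYMENT_MODELS)
    if tier == "medium":
        return [m for m in DEPLOYMENT_MODELS if m != "public"]
    if asset.regulated:               # data location must stay controllable
        return ["private internal"]
    return ["private external", "private internal", "hybrid"]


def recommended_controls(asset):
    """Slide 18's conclusion: light controls for low value; on-site inspection,
    discoverability and strong encryption for high value; technical focus when unregulated."""
    tier = sensitivity(asset)
    if tier == "low":
        return ["baseline provider controls; skip heavy controls"]
    if tier == "medium":
        return ["contractual controls in the SLA", "encryption at rest", "access logging"]
    if asset.regulated:
        return ["on-site inspection / audit rights", "discoverability for legal requests",
                "encryption with customer-managed keys", "data location guarantees"]
    return ["encryption with customer-managed keys", "strong authentication and access control",
            "activity monitoring and logging"]


def exposure_points(data_flow):
    """Data-flow sketch: each hop is (source zone, destination zone, encrypted?).
    A hop is an exposure point when it crosses a trust boundary without encryption."""
    return [f"{src}->{dst}" for src, dst, encrypted in data_flow if src != dst and not encrypted]


def assess(asset, data_flow):
    return {
        "asset": asset.name,
        "sensitivity": sensitivity(asset),
        "deployment_models": candidate_models(asset),
        "controls": recommended_controls(asset),
        "exposure_points": exposure_points(data_flow),
    }


# Constructed inventory and data flow for illustration only.
SAMPLE_ASSETS = [
    Asset("public marketing site", "application/function/process",
          {"made_public": 0, "unavailable": 1}),
    Asset("customer PII database", "data",
          {"made_public": 3, "provider_employee_access": 3, "unexpected_change": 2},
          regulated=True),
    Asset("pricing engine", "application/function/process",
          {"manipulated_by_outsider": 3, "wrong_results": 3}),
]
SAMPLE_FLOW = [("org", "cloud", True), ("cloud", "cloud", False), ("cloud", "partner", False)]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(assess(asset, SAMPLE_FLOW))
```

Taking the worst single answer rather than a sum is deliberate: an asset that scores 0 on five questions and 3 on "made public" is still a high-sensitivity asset, and averaging would hide that. The regulated flag is what separates the two high-value branches of the slide's conclusion.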
20. CSA Guidelines
Cloud Architecture
Governing the Cloud
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Business Continuity, and Disaster Recovery
Operating in the Cloud
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
21. Governing the Cloud
• Governance: Secure the cloud before procurement (contracts, SLAs, architecture)
• Governance: Know the provider's third parties, financial viability, employee vetting
• Legal: Plan for provider termination & return of assets
• Compliance: Identify data location when possible
• ILM: Persistence, Protection
• Portability & Interoperability: SOA "loose coupling" principles
22. Operating the Cloud
• BCM/DR: Provider redundancy vs. your own
• DC Ops: Provisioning, patching, logging
• Encryption: Encrypt data when possible, segregate key management from the cloud provider
• AppSec: Adapt the secure software development lifecycle
• Virtualization: Harden, rollback, port VM images
• IdM: Federation & standards, e.g. SAML, OpenID
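The Encryption bullet above ("segregate key management from the cloud provider") is usually implemented as envelope encryption: each object is encrypted with its own data key, the data key is wrapped by a key-encryption key (KEK) that only the customer holds, and the provider stores ciphertext plus the wrapped key but never the KEK. The example below is added for this page and is not the deck's or any provider's code. It uses an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag as a standard-library stand-in for AES-GCM, so it runs with no third-party packages; a production system would use AES-GCM from a vetted library and keep the KEK in a customer-controlled HSM or KMS. All keys and the sample record are generated or constructed here.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, length):
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key):
    """Derive separate encryption and MAC keys so neither role shares key material."""
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def _aead_encrypt(key, plaintext):
    """Stand-in for AES-GCM: random nonce, XOR with keystream, MAC over nonce || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _aead_decrypt(key, blob):
    """Verify the tag first (constant time); only then decrypt. Raises ValueError on failure."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CustomerKeyService:
    """Customer side (on-prem HSM/KMS in reality). The KEK never leaves this object
    and is never handed to the provider; only wrap/unwrap operations are offered."""

    def __init__(self):
        self._kek = os.urandom(32)

    def wrap(self, data_key):
        return _aead_encrypt(self._kek, data_key)

    def unwrap(self, wrapped_key):
        return _aead_decrypt(self._kek, wrapped_key)


class CloudObjectStore:
    """Provider side: stores ciphertext and the wrapped data key, nothing else."""

    def __init__(self):
        self._objects = {}

    def put(self, name, ciphertext, wrapped_key):
        self._objects[name] = (ciphertext, wrapped_key)

    def get(self, name):
        return self._objects[name]


def store_object(kms, store, name, plaintext):
    data_key = os.urandom(32)          # fresh data key per object
    store.put(name, _aead_encrypt(data_key, plaintext), kms.wrap(data_key))
    del data_key                       # the unwrapped key is not kept around


def fetch_object(kms, store, name):
    ciphertext, wrapped_key = store.get(name)
    return _aead_decrypt(kms.unwrap(wrapped_key), ciphertext)


def provider_view_is_opaque(store, name, plaintext):
    """What the provider holds reveals neither the record nor a usable key."""
    ciphertext, wrapped_key = store.get(name)
    return plaintext not in ciphertext and plaintext not in wrapped_key


if __name__ == "__main__":
    kms, store = CustomerKeyService(), CloudObjectStore()
    record = b"customer-id=42;national-id=CONSTRUCTED"   # constructed sample record
    store_object(kms, store, "records/42", record)
    print(fetch_object(kms, store, "records/42") == record)
    print(provider_view_is_opaque(store, "records/42", record))
```

Two properties matter for the slide's point and are worth checking explicitly: a second key service (standing in for the provider, or for anyone who copies the bucket) cannot unwrap the data key, and any modification of the stored ciphertext is detected before decryption rather than yielding silently corrupted plaintext.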
24. Cloud reference model
(figure: the three service layers stacked, with the security scope annotated)
• Software as a service: security control on infrastructure, application and data
• Platform as a service
• Infrastructure as a service: physical, environmental and virtualization security
27. Consensus Assessment Initiative
• Research tools and processes to perform shared assessments of cloud providers
• Integrated with the Controls Matrix
• CAI Questionnaire: approx. 140 provider questions to identify the presence of security controls or practices
• Use to assess cloud providers today, in procurement negotiation, for contract inclusion and to quantify SLAs
www.cloudsecurityalliance.org/cai.html
28. Managing SLA
• Most SLAs are written to protect the vendor
• Augment CSP SLAs with your OWN SLA
• Questions on data protection
• Questions on cost
• Track cloud service usage
29. Questions on DATA
• How is the data encrypted?
• Level of account access control
• Data storage location
• Use of subcontractors
• Data backup and restore
• Security of the data center
• Copies of data (termination/failure of vendor)
• Archival copies of the data to the customer?
• Legal enquiry on the customer data
• What types of auditing tools are available?
• How are compliance needs addressed?
30. Questions on COST
• What is the fee structure?
• Are there hidden costs?
• Are there add-on costs or fees for support?
• Are charges based upon traffic, usage or storage limits?
• Are there taxes or other external fees?
• Is there any type of price protection?
• Are there licensing fees above and beyond the service fees?
1. Completely unaware of a neighbor's identity, security profile or intentions. The virtual machine running next to the consumer's environment could be malicious, looking to attack the other hypervisor tenants or sniff communications moving throughout the system.
2. Data sits on common storage hardware; it could become compromised through lax access management or malicious attack.
3. A security bulletin from Amazon Web Services reported that the Zeus Botnet was able to install and successfully run a command and control infrastructure in the cloud environment.
Data is very mobile in VMs compared to traditional servers. Storage administrators can easily reassign or replicate users' information across data centers to facilitate server maintenance, HA/DR or capacity planning.
EU Privacy Act forbids data processing or storage of residents' data within foreign data centers.
US Patriot Act allows federal agencies to present vendors with subpoenas and seize data.
From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.
provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary, ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
Workloads of different trust levels are consolidated onto a single physical server without sufficient separation. Adequate controls on administrative access to the hypervisor/VMM layer and to administrative tools are lacking.
Elastra’s management servers handle provisioning and operation of the application, adding and removing servers as needed
How would we be harmed:
– if the asset became public and widely distributed?
– if an employee of our cloud provider accessed the asset?
– if the process or function were manipulated by an outsider?
– if the process or function failed to provide expected results?
– if the information/data were unexpectedly changed?
– if the asset were unavailable for a period of time?