01 13 10 cloud computing
TRANSCRIPT
-
8/2/2019 01 13 10 Cloud Computing
1/31
Tom Witwicki CIPP 1/13/2010
Cloud Computing
Critical Areas of Focus
To Manage Risk
Tom Witwicki CIPP
INFOSEC Jan 13, 2010
-
Needing careful consideration of the risks to be managed:
Acknowledgement: Cloud Security Alliance
  Cloud Architecture and Delivery Models
  Risk Management
  Legal
  Compliance and Audit
  Information Lifecycle Management
  Portability and Interoperability
  Incident Response
  Business Continuity
  Data Center Operations
  Encryption and Key Management
  Identity and Access Management
  Storage
  Virtualization
-
Control Disconnect
The rules for managing risk still apply, but the game has changed
  Enterprise: Security Policy; Enterprise Control Requirements; Controls Compliance/Auditing
  Cloud Vendor: Control Design & Implementation; Control Monitoring
The enterprise still owns the policy, the control requirements and the compliance/audit obligation, but the design, implementation and monitoring of the controls now sit with the vendor
-
Characteristics of Cloud Computing
  Abstraction of Infrastructure: opaque from the application's perspective; high levels of virtualization (OS, file systems)
  Democratization of Resources: pooled resources (shared, dedicated)
  Services Oriented Architecture: focus on delivery of services, not management
  Elasticity/Dynamism: rapidly expand or contract resource utilization
  Utility Consumption Model: all-you-can-eat but pay-by-the-bite
-
Service Delivery Models
  SaaS (Software as a Service): least extensibility and greatest amount of security responsibility taken on by the cloud provider
  PaaS (Platform as a Service): lies somewhere in the middle, with extensibility and security features which must be leveraged by the customer
  IaaS (Infrastructure as a Service): greatest extensibility and least amount of security responsibility taken on by the cloud provider
Classify the service to determine the security responsibilities of the customer
-
Deployment Modalities
  Private: single-tenant operating environment; on or off premises; trusted consumers
  Public: single- or multi-tenant environment; infrastructure owned and managed by the service provider; consumers considered untrusted
  Managed: single- or multi-tenant; infrastructure on premises, managed and controlled by the service provider; consumers trusted or untrusted
  Hybrid: combination of public and private offerings; application portability; information exchange across disparate cloud offerings
-
8/2/2019 01 13 10 Cloud Computing
7/31
3/11/20123/11/2012 Tom Witwicki CIPPTom Witwicki CIPP 77
Cloud Reference ModelCloud Reference Model
Iaas
P
aas
Saas
-
Mapping the Cloud to the Security Model
(figure: the IaaS/PaaS/SaaS stack annotated with the security controls that apply at each layer)
  SDLC, application firewalls
  Data classification, DLP, audit logging, encryption
  Configuration and patch management, penetration testing
  Firewall rules, QoS, anti-DDoS
  Multi-level security, certificates and key management
  HIDS/HIPS, log management, encryption
  Data center security, redundancy, DR
-
Risk Management
Issues
  Ability of the user organization to assess risk
  Limited usefulness of certifications (e.g. SAS 70, ISO 27001)
  Many cloud service providers accept no responsibility for data stored (no risk transference)
  User has no view of provider procedures governed by regulation or statute
  Access and identity management, segregation of duties
  Lack of clarity on data controls
  Data backup and recovery, offsite storage, virtual provisioning (where is the data?), data removal
-
Risk Management
Guidance
  In-depth due diligence prior to executing contractual terms, SLA
  Examine creating a Private or Hybrid Cloud that provides the appropriate level of controls
  Comprehensive due diligence before using a Public Cloud for mission-critical components of the business
  Request documentation on how the service is assessed for risk and audited for control weaknesses, and whether results are available to customers
  Listing of all 3rd-party providers
  What regulations and statutes govern the site and how compliance is achieved
-
Legal
Compliance Liabilities
  Organizations are custodians of the personal data entrusted to them (in-cloud or off-cloud)
  State (data breach), Federal (FTC Act), international (EU Data Protection) scope
  Mandates that an organization impose appropriate security measures on its service providers (HIPAA, GLBA, MA 201 CMR 17.00, PCI)
  Company relinquishes most controls over data in the cloud
  Contract may be in the form of a click-wrap agreement which is not negotiated
  Data encryption requirements!
-
Legal
Location Diligence
  Understand in which country the data will be hosted (local laws have jurisdiction)
  EU data transfer provisions
  Contractually limit the service provider's ability to subcontract
  May want to ensure against data commingling
  Technical/logistical limits to all of the above
Ensuring Privacy Protection
  Align with privacy notices
  Data not used for secondary purposes
  Not disclosed to 3rd parties
  Comply with individual opt-in/opt-out choices
  Disclosure of security breach
  May not be mature enough for regulated information!
-
Legal
Responding to Litigation Requests
  Identify compliance with e-discovery provisions; routinely not included in cloud service contracts
  3rd-party subpoena request notification
Monitoring
  Ability to conduct compliance monitoring and testing for vulnerabilities
Termination
  Must retrieve the data or ensure its destruction
-
EPIC (Electronic Privacy Information Center)
  March 09: filed a complaint with the FTC
  Urged investigation into cloud computing services such as Google Docs
  Determine adequacy of privacy and security safeguards
Computer researchers sent a letter to Google's CEO
  Uphold privacy promises
  HTTPS not the default security setting; forces users to opt in for security
-
Audit
Data Classification a must
  Identify and segregate the data which needs the most stringent controls (based on impact assessment)
  Match controls to data classification (not all data is created equal)
    Protected (regulated)
    Confidential (need to know)
    Public (approval to make public)
  Recommended control: encrypt all regulated data, in transit and at rest
  Network segregation seldom feasible
-
Portability and Interoperability
What happens when the cloud provider isn't good enough?
  Unacceptable cost increase
  Provider goes out of business
  One or more cloud services discontinued
  Service quality degraded
Onus on the customer to have portability as a design goal
-
Portability and Interoperability
  SaaS
    Ensure easy access to data in a format that is documented
    Keep regular backups outside the cloud
    Consider best-of-breed providers whose competitors have capabilities to migrate data
  IaaS
    Application deployment on top of the virtual machine image
    Backups kept in a cloud-independent format (e.g. independent of the machine image)
    Copies of backups moved out of the cloud regularly
  PaaS
    Application development architecture employed to create an abstraction layer
    Also data backups off-cloud
-
Business Continuity
  Obtain specific written commitments from the provider on recovery objectives
    Understand your data and its recovery objectives (RTO, RPO)
  Identify interdependencies in the provider's infrastructure
    Site risk (earthquake, flood, airport)
    Infrastructure risk (redundancy of utilities, communication lines)
  Onsite inspections
  Integrate provider DR plans into your organization's BCP
-
Data Center Operations
  You have neighbors! Who are they?
    Potential to consume an inordinate amount of resources which impacts your performance?
    Providers seek to maximize resource utilization
  For IaaS and PaaS
    Understand the provider's patch management policies (notification, rollbacks, testing)
    Compartmentalization of resources (data mixing) and segregation of duties
    Logging practices (what, how long?)
    Test the customer service function regularly
  Indicator of operational quality: presence of staging facilities for both provider and customer
-
Incident Response
  Cloud Computing Community incident database: malware infection, data breach, man-in-the-middle discovery, user impersonation
  Detection
    Application firewalls, proxies and logging tools are key
    No standard application-level logging framework
  Notification
    Requires a registry of application owners by interface
  Application shutdown is normally the first act taken: appropriate remediation?
    Provider and customers need a defined process to collaborate on decisions
  Criminal investigation: evidence capture?
-
Application Security
  What security controls must the application provide over and above inherent cloud controls?
  How must an enterprise SDLC change to accommodate cloud computing?
  Issues:
    Multi-tenant environment
    Lack of direct control over the environment
    Access to data by the cloud vendor
    Managing application secret keys which identify valid accounts
-
Application Security
IaaS model
  Virtual image
    Should undergo security verification and hardening
    Conform to enterprise trusted host baselines
    Alternative: use a trusted 3rd party for the virtual image
  Inter-host communication
    Assume an untrusted network
    Authentication and encryption
  Codify trust with the SLA
    Security measures
    Security testing
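Worked example for the inter-host communication bullets above (assume an untrusted network; authenticate and encrypt). This is an added example, not code from the original deck: a loopback echo server in Go that requires mutual TLS, exercised by a peer certified by the enterprise CA, a peer presenting no certificate, and a peer certified by a neighbor tenant's CA. The CA and host names and the throwaway in-memory PKI are assumptions for the demo; real hosts would receive their certificates from the enterprise PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue mints a short-lived P-256 certificate for cn, signed by parent (a self-signed
// root when parent is nil). Demo-only PKI: real hosts get theirs from the enterprise CA.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // every demo host lives on loopback
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signerCert, signerKey := tmpl, any(key)
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// exchange runs one round trip against a loopback echo server that insists on a client
// certificate chaining to pool. client == nil presents no certificate at all. A nil return
// means both hosts authenticated each other and the message came back intact.
func exchange(pool *x509.CertPool, server tls.Certificate, client *tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the weak setting would be tls.NoClientCert
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // echo server: its first Read completes the handshake and enforces ClientAuth
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		buf := make([]byte, 64)
		if n, err := conn.Read(buf); err == nil {
			conn.Write(buf[:n])
		}
	}()
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12} // the client verifies the server too
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte("ping")); err != nil {
		return err
	}
	echo := make([]byte, 4)
	if _, err := io.ReadFull(conn, echo); err != nil {
		return fmt.Errorf("rejected by server: %w", err) // TLS 1.3 surfaces the server's alert here
	}
	return nil
}

// RunScenarios builds the throwaway PKI and returns the outcome for three peers of the
// same server: one from the enterprise CA, one presenting no certificate, and one certified
// by a neighbor tenant's CA. Only the first should be nil.
func RunScenarios() (trusted, anonymous, neighbor error) {
	ca := issue("enterprise-ca", true, nil)
	server := issue("app-host-1", false, &ca)
	peer := issue("app-host-2", false, &ca)
	neighborCA := issue("neighbor-ca", true, nil)
	stranger := issue("neighbor-host", false, &neighborCA)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	return exchange(pool, server, &peer), exchange(pool, server, nil), exchange(pool, server, &stranger)
}

func main() {
	trusted, anonymous, neighbor := RunScenarios()
	fmt.Printf("enterprise peer: %v\nno certificate:  %v\nneighbor's CA:   %v\n", trusted, anonymous, neighbor)
}
```

The neighbor case is the one that matters in a multi-tenant data center: the stranger's certificate is perfectly valid, just not issued by a CA the enterprise chose to trust, so the server refuses it exactly as it refuses the anonymous peer. The same config with ClientAuth left at its default (tls.NoClientCert) would encrypt the link but let any host on the shared network talk to the service, which is the "encryption without authentication" gap the slide warns about.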
-
Application Security
PaaS model
  Enterprise Service Bus (ESB)
    Asynchronous messaging
    Message routing
  Where multi-tenanted, the ESB will be shared
    Segmenting based on classifications not available
    Securing messages is the responsibility of the application
-
Application Security
SaaS model
  SDLC
    Verify/audit the maturity of the vendor's SDLC
  Custom code extensions
  Data exchange via APIs
-
Encryption and Key Management
  Encryption for confidentiality and integrity (integrity needs an authenticated mode such as AES-GCM or a separate MAC; plain encryption alone does not provide it)
    Data at rest (IaaS, PaaS, SaaS)
    Data in transit (within the provider's network)
    On backup media
  Key Management
    Secure key stores
    Access to key stores
    Key backup and recoverability
    OASIS Key Management Interoperability Protocol (KMIP): emerging standard
-
Encryption and Key Management
Recommendations
  Assure regulated and/or sensitive customer data is encrypted in transit over the cloud provider's internal network, in addition to being encrypted at rest
  Segregate key management from the cloud provider hosting the data, creating a chain of separation; protects both parties when compelled by legal mandate
  Contractual assurance that encryption adheres to industry or government standards
  Understand how cloud providers provide role management and separation of duties (key management)
  In IaaS environments, understand how sensitive information and key material otherwise protected by traditional encryption may be exposed during usage; e.g. virtual machine swap files and other temporary data storage locations may also need to be encrypted
-
Encryption and Key Management
Recommendations continued
  If the cloud provider must perform key management, the provider has defined processes for a key management lifecycle: how keys are generated, used, stored, backed up, recovered, rotated, and deleted
  Key sets should be unique per customer
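Worked example for the encryption and key management recommendations on the last three slides (encrypt at rest, keep key management separate from the hosting provider, unique key sets per customer, a lifecycle that covers generation, rotation and deletion). This is an added example, not code from the original deck: envelope encryption in Go, where each object is encrypted under its own data-encryption key (DEK) and that DEK is wrapped under a per-tenant key-encryption key (KEK) the provider never holds. The tenant names, the in-memory key store and the sample record are assumptions for the demo; in practice the KEK sits in the customer's HSM or a separate key manager (KMIP, noted on the slide before, is the interoperability protocol for talking to one). The same seal/open primitive is what an application would apply to messages crossing a shared PaaS ESB, where the slide above says securing messages is the application's responsibility.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// gcm returns AES-256-GCM for a 32-byte key: confidentiality and integrity in one mode.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates pt under key and prepends a fresh random nonce.
// aad is authenticated but not encrypted: it binds the blob to a context.
func seal(key, pt, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil
}

// open reverses seal; a wrong key, a tampered blob or a different aad fails authentication.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("truncated blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

func randomKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err) // without a CSPRNG nothing below is safe to continue with
	}
	return k
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Tenant holds one customer's KEK. It lives in the customer's own key store or a key
// manager separate from the hosting provider; the provider never sees it.
type Tenant struct {
	ID  string
	kek []byte // nil after Destroy
}

// Envelope is everything the provider stores: the data encrypted under a per-object DEK,
// plus that DEK wrapped under the tenant's KEK.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

func NewTenant(id string) *Tenant { return &Tenant{ID: id, kek: randomKey()} }

func (t *Tenant) Encrypt(pt []byte) (*Envelope, error) {
	dek := randomKey()
	defer zero(dek) // the plaintext DEK exists only for the duration of this call
	ct, err := seal(dek, pt, []byte(t.ID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(t.kek, dek, []byte("kek:"+t.ID)) // aad ties the wrapped DEK to this tenant
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func (t *Tenant) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := open(t.kek, env.WrappedDEK, []byte("kek:"+t.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err) // another tenant's KEK, a retired KEK, or destroyed keys
	}
	defer zero(dek)
	return open(dek, env.Ciphertext, []byte(t.ID))
}

// RotateKEK swaps in a fresh KEK and re-wraps each DEK under it. The bulk ciphertext at
// the provider is untouched, so rotation costs one small AEAD per object, not a re-encryption.
func (t *Tenant) RotateKEK(envs []*Envelope) error {
	next := randomKey()
	for _, env := range envs {
		dek, err := open(t.kek, env.WrappedDEK, []byte("kek:"+t.ID))
		if err != nil {
			return err
		}
		env.WrappedDEK, err = seal(next, dek, []byte("kek:"+t.ID))
		zero(dek)
		if err != nil {
			return err
		}
	}
	zero(t.kek)
	t.kek = next
	return nil
}

// Destroy zeroizes the KEK. Every envelope wrapped under it is now unrecoverable, which is
// the enforceable form of "data removal" at termination when the provider may retain copies.
func (t *Tenant) Destroy() { zero(t.kek); t.kek = nil }

func main() {
	acme := NewTenant("acme")
	env, err := acme.Encrypt([]byte("regulated record")) // constructed sample input
	if err != nil {
		panic(err)
	}
	pt, err := acme.Decrypt(env)
	fmt.Printf("%q %v\n", pt, err)
}
```

Rotation re-wraps only the small DEK blobs, so the ciphertext the provider stores is byte-for-byte unchanged afterwards; a neighbor tenant holding the same envelope cannot open it because the unwrap fails authentication under its own KEK. The swap-file caveat from the previous slide still applies: the plaintext DEK lives in process memory for the duration of a call, and Go gives no way to pin it out of swap, so the host running this code needs encrypted swap and temporary storage as the slide recommends.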
-
Identity Management
  Federated Identity Management needed to leverage the enterprise IM and SSO
    SAML the leading standard
  Many cloud vendors are immature in adoption of federation standards
  With IaaS and PaaS, integration will have to be built
-
Identity Management
  User Management: understand the cloud provider's capabilities
    Provisioning
    De-provisioning
  Authentication
    Password controls
    Password strength
  Authorization
    Usually proprietary
    Urge XACML-compliant entitlement
  Consider Identity as a Service
-
Some Parting Thoughts
  New technology: old vulnerabilities remain and new ones arise
  Loss of security by default: trust boundaries
  Commingling challenges integrity and confidentiality
  Jurisdiction control and regulatory issues
  Virtualization: security through isolation, but virtual infrastructure increases the risk
  Assess risk, mitigate, formally accept
  http://csrc.nist.gov/groups/SNS/cloud-computing/