01 13 10 cloud computing

Upload: xtrem-fellow

Post on 06-Apr-2018


TRANSCRIPT

  • 8/2/2019 01 13 10 Cloud Computing

1/31

Tom Witwicki CIPP 1/13/2010

Cloud Computing: Critical Areas of Focus To Manage Risk

Tom Witwicki CIPP

INFOSEC Jan 13, 2010

2/31

3/11/2012 Tom Witwicki CIPP

Areas needing careful consideration of the risks to be managed:

Acknowledgement: Cloud Security Alliance

• Cloud Architecture and Delivery Models
• Risk Management
• Legal
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Incident Response
• Business Continuity
• Data Center Operations
• Encryption and Key Management
• Identity and Access Management
• Storage
• Virtualization

3/31

Control Disconnect

The rules for managing risk still apply, but the game has changed.

Enterprise:
• Security Policy
• Enterprise Control Requirements
• Controls Compliance/Auditing

Cloud Vendor:
• Control Design & Implementation
• Control Monitoring

4/31

Characteristics of Cloud Computing

• Abstraction of Infrastructure: opaque from the application's perspective
• High levels of Virtualization (OS, File Systems)
• Democratization of Resources: pooled resources (shared, dedicated)
• Services Oriented Architecture: focus on delivery of services, not management
• Elasticity/Dynamism: rapidly expand or contract resource utilization
• Utility Consumption Model: all-you-can-eat but pay-by-the-bite

5/31

Service Delivery Models

• SaaS (Software as a Service): least extensibility and greatest amount of security responsibility taken on by the cloud provider
• PaaS (Platform as a Service): lies somewhere in the middle, with extensibility and security features which must be leveraged by the customer
• IaaS (Infrastructure as a Service): greatest extensibility and least amount of security responsibility taken on by the cloud provider

Classify the service to determine the security responsibilities of the customer.

6/31

Deployment Modalities

• Private: single tenant operating environment; on or off premises; trusted consumers
• Public: single or multi-tenant environment; infrastructure owned and managed by service provider; consumers considered untrusted
• Managed: single or multi-tenant; infrastructure on premises, managed and controlled by service provider; consumers trusted or untrusted
• Hybrid: combination of public and private offerings; application portability; information exchange across disparate cloud offerings

7/31

Cloud Reference Model

[Figure: layered cloud reference model showing IaaS, PaaS and SaaS]

8/31

Mapping the Cloud to the Security Model

[Figure: security controls mapped onto the IaaS, PaaS and SaaS layers]

• SDLC, App Firewalls
• Data Classification, DLP, Audit Logging, Encryption
• Config and Patch Mgt, Pen Testing
• Firewall rules, QoS, Anti-DDoS
• Multi-level Security, Certificates and Key Mgt
• HIDS/HIPS, Log Mgt, Encryption
• Data Center Security, Redundancy, DR


10/31

Risk Management

Issues:
• Ability of the user organization to assess risk
• Limited usefulness of certifications (e.g. SAS 70, ISO 27001)
• Many cloud services providers accept no responsibility for data stored (no risk transference)
• User has no view of provider procedures governed by regulation or statute
• Access and identity mgt, segregation of duties
• Lack of clarity on data controls
• Data backup and recovery, offsite storage, virtual provisioning (where is the data?), data removal

11/31

Risk Management

Guidance:
• In-depth due diligence prior to executing contractual terms, SLA
• Examine creating a Private or Hybrid Cloud that provides the appropriate level of controls
• Comprehensive due diligence before using Public Cloud for mission critical components of business
• Request documentation on how the service is assessed for risk and audited for control weaknesses, and whether results are available to customers
• Listing of all 3rd party providers
• What regulations and statutes govern the site and how compliance is achieved

12/31

Legal

Compliance Liabilities:
• Organizations are custodians of the personal data entrusted to them (in-cloud or off-cloud)
• State (data breach), Federal (FTC act), international (EU Data Protection) scope
• Mandates that the organization impose appropriate security measures on its service providers (HIPAA, GLBA, MA 201 CMR 17.00, PCI)
• Company relinquishes most controls over data in the cloud
• Contract may be in the form of a click-wrap agreement which is not negotiated
• Data encryption requirements!!!

13/31

Legal

Location diligence:
• Understand in which country the data will be hosted (local laws have jurisdiction)
• EU data transfer provisions
• Contractually limit the service provider's ability to subcontract
• May want to ensure against data commingling
• Technical/logistical limits to all of the above

Ensuring Privacy Protection:
• Align with Privacy Notices
• Data not used for secondary purposes
• Not disclosed to 3rd parties
• Comply with individual opt-in/opt-out choices
• Disclosure of security breach
• May not be mature enough for regulated information!

14/31

Legal

Responding to litigation requests:
• Identify compliance with E-discovery provisions (routinely not included in cloud service contracts)
• 3rd party subpoena request notification

Monitoring:
• Ability to conduct compliance monitoring and testing for vulnerabilities

Termination:
• Must retrieve the data or ensure its destruction

15/31

EPIC (Electronic Privacy Information Center)

• March 09: filed a complaint with the FTC
• Urged investigation into Cloud Computing Services such as Google Docs
• Determine adequacy of Privacy and Security Safeguards

Computer researchers sent a letter to the Google CEO:
• Uphold privacy promises
• HTTPS not the default security setting; forces users to opt-in for security

16/31

Audit

Data Classification a must:
• Identify and segregate that data which needs the most stringent controls (based on impact assessment)
• Match controls to data classification (not all data is created equal): Protected (regulated), Confidential (need to know), Public (approval to make public)
• Recommended control: encrypt all regulated data, in transit and at rest
• Network segregation seldom feasible

17/31

Portability and Interoperability

What happens when the cloud provider isn't good enough?
• Unacceptable cost increase
• Provider goes out of business
• One or more cloud services discontinued
• Service quality degraded

Onus on the customer to have portability as a design goal.

18/31

Portability and Interoperability

SaaS:
• Ensure easy access to data in a format that is documented
• Keep regular backups outside the cloud
• Consider best-of-breed providers whose competitors have capabilities to migrate data

IaaS:
• Application deployment on top of the virtual machine image
• Backups kept in a cloud-independent format (e.g. independent of the machine image)
• Copies of backups moved out of the cloud regularly

PaaS:
• Application development architecture employed to create an abstraction layer
• Also data backups off-cloud

19/31

Business Continuity

• Obtain specific written commitments from the provider on recovery objectives
• Understand your data and its recovery objectives (RTO, RPO)
• Identify interdependencies in the provider's infrastructure
  • Site risk (earthquake, flood, airport)
  • Infrastructure risk (redundancy of utilities, communication lines)
• Onsite inspections
• Integrate provider DR plans into your organization's BCP

20/31

Data Center Operations

You have neighbors! Who are they?
• Potential to consume an inordinate amount of resources which impacts your performance?
• Providers seek to maximize resource utilization

For IaaS and PaaS:
• Understand the provider's patch mgt policies (notification, rollbacks, testing)
• Compartmentalization of resources (data mixing) and segregation of duties
• Logging practices (what, how long?)
• Test the customer service function regularly
• Indicator for operational quality: presence of staging facilities for both provider and customer

21/31

Incident Response

Cloud Computing Community incident database:
• Malware infection
• Data breach
• Man-in-the-middle discovery
• User impersonation

Detection:
• Application firewalls, proxies and logging tools are key; no standard application level logging framework

Notification:
• Requires a registry of application owners by interface
• Application shutdown is normally the first act taken; appropriate remediation?
• Provider and customers need a defined process to collaborate on decisions
• Criminal investigation: evidence capture?

22/31

Application Security

• What security controls must the application provide over and above inherent cloud controls?
• How must an enterprise SDLC change to accommodate cloud computing?

Issues:
• Multi-tenant environment
• Lack of direct control over the environment
• Access to data by the cloud vendor
• Managing application secret keys which identify valid accounts

23/31

Application Security

IaaS model:
• Virtual image should undergo security verification and hardening; conform to enterprise trusted host baselines
• Alternative: use a trusted 3rd party for the virtual image
• Inter-host communication: assume an untrusted network; authentication and encryption
• Codify trust with the SLA: security measures, security testing

24/31

Application Security

PaaS model: Enterprise Service Bus (ESB)
• Asynchronous messaging
• Message routing
• Where multi-tenanted, the ESB will be shared
• Segmenting based on classifications not available
• Securing messages is the responsibility of the application

25/31

Application Security

SaaS model:
• SDLC: verify/audit the maturity of the vendor's SDLC
• Custom code extensions
• Data exchange via APIs

26/31

Encryption and Key Management

Encryption for Confidentiality and Integrity:
• Data at rest (IaaS, PaaS, SaaS)
• Data in transit (within the provider's network)
• On backup media

Key Management:
• Secure key stores
• Access to key stores
• Key backup and recoverability
• OASIS Key Management Interoperability Protocol (KMIP): emerging standard

27/31

Encryption and Key Management

Recommendations:
• Assure regulated and/or sensitive customer data is encrypted in transit over the cloud provider's internal network, in addition to being encrypted at rest
• Segregate the key management from the cloud provider hosting the data, creating a chain of separation; protects both parties when compelled by legal mandate
• Contractual assurance that encryption adheres to industry or government standards
• Understand how cloud providers provide role management and separation of duties (key mgt)
• In IaaS environments, understand how sensitive information and key material otherwise protected by traditional encryption may be exposed during usage; e.g. virtual machine swap files and other temporary data storage locations may also need to be encrypted

28/31

Encryption and Key Management

Recommendations continued:
• If the cloud provider must perform key management, the provider has defined processes for a key management lifecycle: how keys are generated, used, stored, backed up, recovered, rotated, and deleted
• Key sets should be unique per customer
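An added example, not part of the slides, of the chain-of-separation and key-lifecycle recommendations above (and the termination point on slide 14): the customer holds versioned key-encryption keys per tenant, the provider stores only wrapped data keys plus ciphertext, rotation re-wraps keys without touching the data, and destroying a tenant's keys makes the provider's copies unrecoverable. All names are hypothetical, and an HMAC-SHA256 encrypt-then-MAC construction stands in for AES-GCM so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-CTR)
    blocks = [_prf(key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    # Encrypt-then-MAC with separately derived keys; assumption: production
    # code would use AES-GCM from a vetted library instead of this construction
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, aad + nonce + ct)

def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(mac_key, aad + nonce + ct)):
        raise ValueError("authentication failed: ciphertext or AAD was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class CustomerKeyStore:
    """Key-encryption keys (KEKs) held by the customer, one versioned set per
    tenant. The provider never sees a KEK, only DEKs wrapped under one."""
    def __init__(self):
        self._keks = {}     # (tenant, version) -> KEK bytes
        self._current = {}  # tenant -> current KEK version
    def rotate(self, tenant: str) -> int:
        # New KEK version; older versions remain (until destroy) so existing
        # wrapped DEKs can still be unwrapped and re-wrapped under the new one
        version = self._current.get(tenant, 0) + 1
        self._keks[(tenant, version)] = secrets.token_bytes(32)
        self._current[tenant] = version
        return version
    def wrap(self, tenant: str, dek: bytes):
        version = self._current[tenant]  # tenant name as AAD binds the DEK to one customer
        return version, seal(self._keks[(tenant, version)], dek, aad=tenant.encode())
    def unwrap(self, tenant: str, version: int, wrapped: bytes) -> bytes:
        kek = self._keks.get((tenant, version))
        if kek is None:
            raise KeyError(f"no KEK for {tenant} v{version}: data is unrecoverable")
        return unseal(kek, wrapped, aad=tenant.encode())
    def destroy(self, tenant: str) -> None:
        # Crypto-shredding at termination: with every KEK version gone, the
        # provider's wrapped DEKs and ciphertext are useless
        for key in [k for k in self._keks if k[0] == tenant]:
            del self._keks[key]
        self._current.pop(tenant, None)

@dataclass
class StoredObject:  # what the provider holds: no plaintext, no bare key
    tenant: str
    kek_version: int
    wrapped_dek: bytes
    ciphertext: bytes

def store_object(kms: CustomerKeyStore, tenant: str, plaintext: bytes) -> StoredObject:
    dek = secrets.token_bytes(32)  # fresh data-encryption key per object
    version, wrapped = kms.wrap(tenant, dek)
    return StoredObject(tenant, version, wrapped, seal(dek, plaintext))

def read_object(kms: CustomerKeyStore, obj: StoredObject) -> bytes:
    dek = kms.unwrap(obj.tenant, obj.kek_version, obj.wrapped_dek)
    return unseal(dek, obj.ciphertext)

def rewrap_after_rotation(kms: CustomerKeyStore, obj: StoredObject) -> None:
    # Rotation re-wraps only the 32-byte DEK; the bulk ciphertext is untouched
    dek = kms.unwrap(obj.tenant, obj.kek_version, obj.wrapped_dek)
    obj.kek_version, obj.wrapped_dek = kms.wrap(obj.tenant, dek)
```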

29/31

Identity Management

Federated Identity Management:
• Needed to leverage the Enterprise IM and SSO
• SAML the leading standard
• Many cloud vendors are immature in adoption of federation standards
• With IaaS and PaaS, integration will have to be built

30/31

Identity Management

User Management: understand the cloud provider's capabilities
• Provisioning
• De-provisioning

Authentication:
• Password controls
• Password strength

Authorization:
• Usually proprietary
• Urge XACML compliant entitlement
• Consider Identity as a Service

31/31

Some Parting Thoughts

• New technology: old vulnerabilities remain and new ones arise
• Loss of security by default: trust boundaries
• Commingling challenges integrity and confidentiality
• Jurisdiction control and regulatory issues
• Virtualization: security through isolation, but virtual infrastructure increases the risk
• Assess risk, mitigate, formally accept

http://csrc.nist.gov/groups/SNS/cloud-computing/