extending security in the cloud network box - v4
Post on 16-Jan-2015
Extending Security in the Cloud
Steven Wolford, Director, Information Security, 6fusion
Chad Walter, Director, Channel Development, Network Box USA
Today’s Agenda
• Introduction
• IT Infrastructure Models
• Common Cloud Security Myths
• Cloud Security Basics
• Cloud Security Challenges
- Access
- Protection
- Segregation
- Recovery
• Cloud Security Best Practices
Who We Are
This is the first in a series of webinars on cloud security. We will let you shape the content of the next webinar at the end of this webinar.
6fusion
6fusion provides a utility-metered cloud platform that enables global workload distribution by turning public, private and hybrid clouds into pay-per-use billable utilities. Its unique metering algorithm, the Workload Allocation Cube (WAC), creates a commercial standard for quantifying supply and demand for compute resources.
Network Box USA
Network Box USA provides comprehensive, fully managed perimeter internet security solutions. The Network Box Unified Threat Management (UTM) solution combines numerous applications such as firewall, intrusion prevention and detection, anti-virus, content filtering, anti-spam, anti-phishing, anti-spyware and VPN into one single, sophisticated mix of hardware and software. Network Box USA enables businesses of all sizes to secure their networks easily and cost effectively.
IT Infrastructure Models
Cloud Security Myths
• Cloud cannot be secure
- All Cloud models are not created equal: Private, Hybrid, Public; IaaS, PaaS, SaaS
- All Cloud providers are not created equal: look for independent audit reports
• Cloud security is new
- The security concepts remain unchanged
- Unfortunately, many used network defenses to compensate for weak application security
• Cloud requires more effort or tools to be as secure
- NIST used the existing SP 800-53 and SP 800-37 to develop FedRAMP
- Oh, by the way: the Department of Homeland Security recently announced it is moving services to a cloud provider that has been reviewed under FedRAMP
• The only reason enterprises move to the cloud is cost reduction, reallocation, etc.
- Security can also be enhanced if you incorporate the following in your migration: Security by Design, Active Monitoring, Incident Response Plan
A Quick Cloud Analogy
[Diagram] Your data happily in the cloud: PII, Procurement, Financial, Email, HR, Payroll
[Diagram] An incident beyond your control occurs: your data is no longer just in the cloud (PII, Procurement, Financial, Email, HR, Payroll)
Data Loss in Summary
Data
• Trade Secrets
• Account Numbers
• Social Security Numbers
• Intellectual Property
• Health Records
• Other Personal Information
Can Leak
• Stored on the network or shared drives
• Copied on removable media
• Transferred electronically
To an Outsider
• Thieves, mobsters, other nefarious characters
• Competitors
• Regulators
• Unauthorized Internal Users
• Press/Media
Resulting in Breach
• Company defamation
• Monetary expense per record lost
• Loss of assets
• Breach of customer trust
Top Reasons for Data Loss
• Hardware Failure: 35%
• Human Error: 28%
• Theft/Malicious Employee Action: 17%
• Software Failure: 14%
• Virus: 6%
Cloud Security Challenges
There are a number of security issues associated with cloud computing, but data security is arguably the biggest issue.
Main areas of concern specific to data security include:
• Access
• Protection
• Segregation
• Recovery
Access
Data placed in the cloud is accessed and managed by persons other than privileged users within the customer’s organization.
• What type and level of security checks are enforced on those individuals?
• How are those checks enforced?
• What policies are in place to ensure roles and privileges are enforced?
Protection
The nature of cloud computing means data can be stored at any geographical location at any given time.
• Apart from some cloud service providers such as Amazon, which offers its customers the option of choosing between different zones in which to store their data, it is uncommon to see a cloud computing service contract where the customer is guaranteed that their data will not be transferred outside a specified region.
• Customers need to be aware that local laws may apply to data held on servers within the cloud, and that it is their responsibility to comply with data protection laws in the various jurisdictions worldwide where their data is held.
Segregation
Data in the cloud is typically stored in a shared environment whereby one customer’s data is stored alongside another customer’s data.
• While it is difficult to assure data segregation, customers should review the cloud vendor’s architecture to ensure proper data segregation is available and that data leak prevention (DLP) measures are in place.
Recovery
As with traditional IT systems, unexpected problems can and will occur with cloud computing.
• What plan is in place to recover the customer’s data in the event of a disaster, how long will data restoration take, and what is the impact on business continuity?
Cloud Security Best Practices
• Ask where data will be kept and enquire about the details of data protection laws in the relevant jurisdictions.
• Include clauses in the cloud service contract stating that your data always belongs to you, that you can reclaim your data at any time, and that your data shall not be disclosed to any third party.
• Make it as hard as possible to gain access to your systems and then to your data by implementing two-factor user authentication.
• Ensure that data is encrypted both ways across the Internet by using, for example, mutual SSL. Ensure that data is encrypted when at rest, as well as when in motion from one location to another. You, the customer, should have control of key materials used for encrypting and decrypting data.
• Develop good password policies – how they’re created, changed and protected.
• Seek an independent security audit of the cloud vendor.
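The two encryption points above (data encrypted at rest, with the customer holding the key material) can be made concrete with envelope encryption. The following Go program is an added example, not code from the webinar or either company: each object is encrypted under a fresh data-encryption key (DEK), and the DEK is wrapped with a key-encryption key (KEK) that stays with the customer, so the provider stores only blobs it cannot read. Function names, the 32-byte keys and the sample record are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// mustRandom draws n bytes from the OS CSPRNG; a failing CSPRNG is not recoverable.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// gcm builds an AES-GCM AEAD; callers only pass 32-byte keys, so a failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}
func seal(key, plaintext []byte) []byte { // AES-256-GCM, random nonce prepended
	g := gcm(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) { // fails on wrong key or tampering
	g := gcm(key)
	if n := g.NonceSize(); len(sealed) >= n {
		return g.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// EncryptForCloud (assumed name): a fresh DEK encrypts the object and is itself wrapped with
// the customer-held KEK; the provider stores only these two blobs and can read neither.
func EncryptForCloud(kek, plaintext []byte) (ciphertext, wrappedDEK []byte) {
	dek := mustRandom(32)
	return seal(dek, plaintext), seal(kek, dek)
}
// DecryptFromCloud unwraps the DEK with the KEK, then decrypts the object with the DEK.
func DecryptFromCloud(kek, ciphertext, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Because the KEK never leaves the customer, a copy of the stored blobs (the "incident beyond your control" in the analogy above) yields nothing without it, and a tampered blob fails authentication instead of decrypting silently.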
Where do you go from here?
Risk-based Framework
Identify → Assess → Establish → Govern
Loosely based on NIST RMF
Security by DESIGN
• Understand your security philosophy
• Know all of the components for each information system
• Implement the controls that bring risk down to the level acceptable to your organization
Implement Active MONITORING
• Customers would rather hear bad news from you than from the media
• Mitigation cannot happen if you do not know adverse events are occurring
• What, How, Who
Develop a RESPONSE Team and Plan
• Security is not a guarantee
• Most events can be categorized, with operational, technical, and legal responses planned
• Training and awareness are key
Questions?
Thank You!
What’s next?
2nd Webinar in the Series
• Timing: Early March
• Topic: How to advance your organizational security
• Details: You tell us…
What do you want to hear about in the next webinar?
Email us at marketing@6fusion.com with your ideas!
Resources
FedRAMP: http://www.gsa.gov/portal/category/102371
Cloud Security Alliance: https://cloudsecurityalliance.org/
FFIEC (not really cloud, but outsourced providers): http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/appendix-d-managed-security-service-providers.aspx
NIST (SP 800-144): http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494