Cloud Security
http://clean-clouds.com

Upload: mitesh-soni

Post on 20-Aug-2015


Page 1: Cloud Security


Page 2: Cloud Security


Objectives

Security Objectives
Cloud Characteristics & Security Implications
Cloud Security Challenges
Control & Cloud Service Model
Roles & Responsibilities
Security Guidelines
Documents & Checklists

Page 3: Cloud Security

Security Objectives

Cloud security is about 3 objectives:
◦ Confidentiality (C): keeping data private
◦ Integrity (I): data in the cloud is what it is supposed to be
◦ Availability (A): availability of information

Page 4: Cloud Security


Cloud Computing ~ Economy of Scale & Security

All kinds of security measures are cheaper when implemented on a larger scale.
◦ e.g. filtering, backup, patch management, hardening of virtual machine instances and hypervisors, etc.

The same amount of investment in security buys better protection.

Page 5: Cloud Security

Cloud Security - Overview

Cloud computing presents an added level of risk:
◦ Services are outsourced to a third party.
◦ Off-Premise
◦ Multi-tenant architecture
◦ Loss of Governance - less control over data and operations
◦ Legal and Contractual Risks

Page 6: Cloud Security


Cloud Characteristics -> Outsourced


Page 7: Cloud Security


Cloud Characteristics -> Off-Premise


Page 8: Cloud Security


Multi-Tenant Architecture ~ Shared Resources

Page 9: Cloud Security

Loss of Governance

The client cedes control to the Provider on a number of issues affecting security:
◦ External pen testing not permitted.
◦ Very limited logs available.
◦ Usually no forensics service offered.
◦ Not possible to inspect hardware.
◦ No information on location/jurisdiction of data.
◦ Outsourcing or sub-contracting of services to third parties (fourth parties?).

Page 10: Cloud Security

Legal and Contractual Risks

Data in multiple jurisdictions, some of which may be risky.
◦ Multiple transfers of data exacerbate the problem.
Subpoena and e-discovery
Intellectual Property
Risk Allocation and limitation of liability
Compliance challenges – how to provide evidence of compliance.

Page 11: Cloud Security


Cloud Security Challenges - Part 1

Data dispersal and international privacy laws
◦ Exposure of data to foreign governments and data subpoenas
◦ Data retention issues
Need for isolation management
Multi-tenancy
Logging challenges
Data ownership issues
Quality of service guarantees

Page 12: Cloud Security


Cloud Security Challenges - Part 2

Dependence on secure hypervisors
Attraction to hackers (high value target)
Security of virtual OSs in the cloud
Possibility for massive outages
Encryption needs for cloud computing
◦ Encrypting administrative access to OS instances
◦ Encrypting application data at rest
◦ Encrypting application data in transit
Public cloud vs internal cloud security

Page 13: Cloud Security


Additional Issues

Issues with moving PII and sensitive data to the cloud
◦ Privacy impact assessments
Using SLAs to obtain cloud security
◦ Suggested requirements for cloud SLAs
◦ Issues with cloud forensics
Contingency planning and disaster recovery for cloud implementations
Handling compliance
◦ FISMA
◦ HIPAA
◦ FDA
◦ PCI
◦ SAS 70 Audits

Page 14: Cloud Security

Control & Cloud Service Model

Page 15: Cloud Security


Responsibilities

Page 16: Cloud Security

CIA & Cloud Service Model

Page 17: Cloud Security

Why is Security the “X” factor for a Cloud Service Provider?

Page 18: Cloud Security

Skin in the Game & Cloud Service Provider

Skin in the Game is a term used by investor Warren Buffett, referring to a situation in which high-ranking insiders use their own money to buy stock in the company they are running.

Page 19: Cloud Security


Security Guidelines for Application Migration on Cloud

Page 20: Cloud Security

How can Security Guidelines help?

Page 21: Cloud Security


Cloud Security Areas

Page 22: Cloud Security


Identity & Access Management

Authentication
◦ Existing authentication or Cloud providers’ authentication service?
SSO
◦ Single sign-on for applications on cloud and on premise?
Authorization
◦ User Provisioning and De-Provisioning Service
User directory & Federation Services
◦ How is trust maintained across cloud and on-premise domains?

Page 23: Cloud Security

Directory Services

Federation Services like ADFS 2.0 implement standards such as WS-Trust and WS-Federation, which is useful.

Using the WS-Federation standard, Novell Access Manager supports multiple identity stores out of the box, including Novell eDirectory, Microsoft Active Directory and Sun ONE Directory Server.

IBM Tivoli Federated Identity Manager is used for federation services.


Page 24: Cloud Security

Data Security

Hardware, database, memory, etc. – like buying a hotel room or booking an aircraft.

Page 25: Cloud Security


Information Security Life-Cycle

Data Confidentiality
Data Integrity
Availability
Backup & Archive
Key Management

Page 26: Cloud Security

Is Encryption sufficient?

Encryption technique, e.g. 128/256-bit AES symmetric or asymmetric encryption

File system or disk encryption techniques

Does the encryption meet FIPS 140-2?

Practical processing operations on encrypted data are not possible


Page 27: Cloud Security

Network Security

Concerns
◦ Security for Data in transit
◦ Perimeter Security
◦ N/W Security Threats (DoS, Man in the middle, Packet sniffing)

Solutions
◦ Virtual Private Cloud
◦ IPSec networks
◦ Stateful firewall

Page 28: Cloud Security


Virtualization Security

Virtualization / Hypervisor Threats - How are your data and application isolated from other customers?
Host Operating System - How is the Host Operating System protected?
OS hardening - How is OS level security such as OS hardening maintained?
Anti-virus - How is protection from Malware & Spyware ensured?

Page 29: Cloud Security

Physical Security

Environmental Safeguards - (SAS70) Type II audit procedures
◦ Redundancy
◦ Climate and Temperature
◦ Fire Detection and Suppression
Physical Security - (SAS70) Type II audit procedures
◦ Professional security staff utilizing video surveillance
◦ Authorized staff must pass two-factor authentication
◦ Access to datacenters by employees must be logged and audited routinely

Page 30: Cloud Security


Incident response in the Cloud

What constitutes a cloud-based incident?
◦ Customer vs. Provider definitions
What technologies play a key role in incident detection and response?
◦ Network security, host controls, monitoring/alerting
What do cloud customers need to ask/know about provider incident response?
◦ Will consumer organizations be provided an audit trail? Maybe.

Page 36: Cloud Security


Thank You