data security in cloud
![Page 1: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/1.jpg)
Data Security in the Cloud
Chris Richter, CISSP, CISM, VP Security Services, Savvis
Brian Contos, CISSP, Chief Security Strategist, Imperva
![Page 2: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/2.jpg)
Agenda
1. Background
2. Data Security
– Threatscape Evolution
– Data: The New-new Target
– The Industrialization of Hacking
3. The Cloud – a Primer
4. Eight Steps to Securing Data in the Cloud
5. Q&A
![Page 3: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/3.jpg)
Savvis Background
• Headquartered in St. Louis, Missouri
• FY 2009 Revenue of $874 million
• 28 Data Centers extending reach to US, Europe and Asia
• Tier 1 Internet backbone—ranked #4 globally (more than 20% of the IP traffic traverses our network)*
• 1.4 million square feet of raised floor space
• ~2,200 Employees
• ~2,500 unique Global Enterprise and Government Agencies
*Source: Renesys Blog, http://www.renesys.com/blog/2009/12/a‐bakers‐dozen‐in‐2009.shtml, December 31, 2009
![Page 4: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/4.jpg)
Savvis Background
• Savvis has more than 2,500 unique customers worldwide including:
– 30 of Fortune’s top 100 companies
– 9 of Fortune’s top 15 commercial banks (including all 5 of the top 5)
– 9 of Fortune’s top 20 telecommunications firms
– 7 of Fortune’s top 10 software companies
– 8 of Fortune’s top 14 securities firms
![Page 5: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/5.jpg)
Who is Imperva?
• A Data Security Company
• Founded in 2002 by Check Point Founder
• Headquartered in Redwood Shores CA
• Growing in R&D, Support, Sales/Channel, & PS
• Installed in 50+ Countries
• 5,000+ direct and cloud-protected customers
– 3 of the top 5 US banks
– 3 of the top 5 Telecoms
– 3 of the top 5 specialty retailers
– 2 of the top 5 food & drug stores
![Page 6: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/6.jpg)
Imperva Solutions
(Diagram of the Imperva solution areas: Assessment and Monitoring; Real-time Protection; PCI Compliance; Database Auditing; Web Application Security; Enterprise Application Security; Automated Compliance Reporting; Database Security; Database Vulnerability Assessment; Data Risk Management)
![Page 7: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/7.jpg)
![Page 8: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/8.jpg)
Threatscape Evolution Circa 1805
![Page 9: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/9.jpg)
Threatscape Evolution Late 1960s and Early 1970s
![Page 10: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/10.jpg)
Threatscape Evolution 1988
![Page 11: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/11.jpg)
Threatscape Evolution 2001‐2003
![Page 12: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/12.jpg)
Threatscape Evolution Recent Activity
![Page 13: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/13.jpg)
Threatscape Evolution Recent Activity
![Page 14: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/14.jpg)
Threatscape Evolution: Solution Delivery Has Changed
• Local Resources – Local Management
• Local Resources – Remote Management
• Remote Resources – Local Management
• Remote Resources – Remote Management
• Hybrid
![Page 15: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/15.jpg)
![Page 16: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/16.jpg)
The Good: Changes in How We Work, Communicate & Live
• Information Digitization
• Information Sharing
![Page 17: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/17.jpg)
The Bad: Cyber Attacks
![Page 18: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/18.jpg)
The Ugly: We Are Not Prepared
![Page 19: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/19.jpg)
“With Great Power Comes Great Responsibility” – Stan Lee (Spider-Man)
• Easier access to multiple targets for attackers
• A successful attack can bring down an entire service and can impact many
• Risks around financially motivated attacks are amplified – i.e. extort many instead of few
More: Digitization | Access | Utility | Locations | Value | Complexity
![Page 20: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/20.jpg)
![Page 21: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/21.jpg)
The Industrialization of Hacking: Lay of the Land
![Page 22: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/22.jpg)
The Industrialization of Hacking: Maturity
Hacking is a Profitable Industry: Roles | Optimization | Automation
![Page 23: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/23.jpg)
The Industrialization of Hacking: Competition
![Page 24: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/24.jpg)
The Industrialization of Hacking: Enhanced ROI
Goods, Services, eGold Size, Duration, Task Updates, Support Templates, Kits
![Page 25: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/25.jpg)
Industrialized Attack Mitigation: Automated Attacks
• Non-browser, non-human activity detected (automation)
• Humans and bots are separated
• Human impact: minimal. Bot impact: failure.
![Page 26: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/26.jpg)
Industrialized Attack Mitigation: Adaptive Reputation-based Defense
• Global information feeds
• Feeds are translated into security policies for adaptive defense
• Possible responses: Block | Re-direct | Multi-factor Authentication | Challenge-response (Captcha)
![Page 27: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/27.jpg)
Industrialized Attack Mitigation Virtual Patching Part I
• Ideally
– Custom code is immediately fixed by programmers and the application is redeployed
– Patches for 3rd-party components are immediately installed
– Fixes can be applied anywhere at any time (no freeze period)
– There are never business operations that get in the way of security; the business case is always clear
• The above is of course a very romantic and unrealistic view of application development
![Page 28: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/28.jpg)
Industrialized Attack Mitigation: Virtual Patching Part II
(Diagram: vulnerability information in (SQL injection, XSS, directory traversal) → security controls out → in-line protection in front of the application, which blocks SQL injection, directory traversal and XSS attempts)
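The "vulnerability information in, security controls out" flow of the slide above, as an added illustration that is not part of the original deck: constructed scan findings (endpoint, parameter, flaw class) are turned into in-line rules that are checked only on the vulnerable endpoint and parameter, so the virtual patch is narrow and buys time until the code fix ships. All endpoint names, parameters and signatures are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed "vulnerability information in": findings a scanner or pentest
# report might produce for an application whose code fix is not yet deployed.
VULNS = [
    {"path": "/search", "param": "q", "type": "sqli"},
    {"path": "/comment", "param": "body", "type": "xss"},
    {"path": "/download", "param": "file", "type": "traversal"},
]

# Detection signatures per flaw class. Kept deliberately narrow: a virtual
# patch covers a known weak spot, it is not a general-purpose filter.
SIGNATURES = {
    "sqli": re.compile(r"(['\"])\s*(or|and|union|select|--|;)", re.IGNORECASE),
    "xss": re.compile(r"<\s*script|javascript\s*:|on\w+\s*=", re.IGNORECASE),
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
}


@dataclass
class Request:
    path: str
    params: dict


def build_rules(vulns):
    """'Security controls out': one (path, param, pattern, kind) rule per finding."""
    return [(v["path"], v["param"], SIGNATURES[v["type"]], v["type"]) for v in vulns]


def normalize(value):
    """Decode twice so percent-encoded and double-encoded input is inspected in clear."""
    return unquote(unquote(value))


def inspect(req, rules):
    """In-line check: return None to let the request through, else the matched flaw class."""
    for path, param, pattern, kind in rules:
        if req.path != path or param not in req.params:
            continue  # rule is scoped to the vulnerable endpoint and parameter only
        if pattern.search(normalize(req.params[param])):
            return kind  # caller blocks the request and logs the rule that fired
    return None


RULES = build_rules(VULNS)
```

Because the rules are scoped, the same suspicious value on an endpoint with no finding is not blocked; widening coverage is a conscious decision, not a side effect.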
![Page 29: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/29.jpg)
Five Cloud Value Points for Data Security
1. Reputation done better
2. Virtual patching done better
3. Data-centric and network-centric controls unified
4. Rapid and exacting response procedures
5. Talent: data security + network security expertise
![Page 30: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/30.jpg)
“Be Careful Up There!”
The Fear of Cloud Computing:
• “Privacy, security issues darken cloud computing plans.” – IDG
• “It is a security nightmare and it can't be handled in traditional ways.” – John Chambers, CEO, Cisco
• “Analysts warn that the cloud is becoming particularly attractive to cyber crooks.” – ComputerWeekly
• “Corporate use of cloud services slowed by concerns about data security, reliability.” – Computerworld
![Page 31: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/31.jpg)
Security Tops Cloud Concerns
Source: IDC eXchange, New IDC IT Cloud Services Survey: Top Benefits and Challenges, (http://blogs.idc.com/ie/?p=730) December 2009
Q: Rate the challenges/issues of the ‘cloud’/on-demand model
(Scale: 1 = Not at all concerned; 5 = Very concerned; % responding 3, 4, or 5)

| Challenge/issue | % concerned |
|---|---|
| Security | 87.5% |
| Availability | 83.3% |
| Performance | 82.9% |
| On-demand payment model may cost more | 81.0% |
| Lack of interoperability standards | 80.2% |
| Bringing back in-house may be difficult | 79.8% |
| Hard to integrate with in-house IT | 76.8% |
| Not enough ability to customize | 76.0% |
![Page 32: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/32.jpg)
What is the Biggest Barrier to Adoption of Cloud Services?
497 responses
Cost/benefit unclear (23.69%)
Unknown management headaches (21.89%)
Lack of security (17.07%)
Lack of reliability (6.03%)
No standard way to switch providers (6.43%)
Limited reference cases (6.02%)
Disruption to IT org chart/politics (4.22%)
Other (13.85%)
Source: Tech Target: Cloud Computing Readership Survey, 2009
![Page 33: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/33.jpg)
Not All Clouds Are The Same
Multiple models. Multiple vendors. Multiple policies.
• Each cloud provider takes a different approach to security
• No official security industry‐standard has been ratified
• Some cloud providers do not allow vulnerability scanning
• Some cloud providers are not forthcoming about their
security architectures and policies
• Compliance auditors are wary of the cloud, and are
awaiting guidelines on audit testing procedures
![Page 34: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/34.jpg)
What the Industry is Doing
Several initiatives are underway:
• Cloud Security Alliance – A non-profit organization formed to promote the use of standardized practices for providing security assurance within cloud computing
• Center for Internet Security – A non-profit enterprise whose mission is to help organizations reduce risk resulting from inadequate technical security controls
• PCI Security Standards Council – Has created a special interest group (SIG) to help shape requirements for virtual- and cloud-based cardholder-data environments
• NIST – The National Institute of Standards and Technology has created a new team to determine the best way to provide security for agencies that want to adopt cloud computing
• VMware – Has issued guidelines for secure VM configurations and hardening
![Page 35: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/35.jpg)
Cloud Architectures and Models
• Essential characteristics: Broad Network Access | Rapid Elasticity | Measured Service | On-Demand Self-Service | Resource Pooling
• Architectures: Software-as-a-Service (SaaS) | Platform-as-a-Service (PaaS) | Infrastructure-as-a-Service (IaaS)
• Deployment models: Public | Private | Hybrid | Community
![Page 36: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/36.jpg)
Challenges In Bridging Security Requirements to the Cloud
Traditional IT:
• Dedicated Compute, Storage & Network Infrastructure
• Defined Locations for Data Storage & Backup
• Proprietary Security Controls & Policies
• Compliance Standards Designed For Traditional IT
Cloud Computing:
• Complex, Shared Deployment Models
• Data Location Varies
• Security Controls & Policies Defined by Service Provider
• Compliance Standards Must Be Interpreted
![Page 37: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/37.jpg)
An Eight-Step Journey To A Secure Cloud
Step 1: Contemplate Your Application’s Suitability For The Cloud
(Candidate applications shown: Corporate Systems, e-Commerce, Test & Development, ERP, CRM, Payment Processing, Company Web Site)
![Page 38: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/38.jpg)
An Eight-Step Journey To A Secure Cloud
Step 2: Classify Your Data
(Data categories shown: Marketing, Financial, Government, Newsfeeds/Blogs, EU Citizens, Customer Records, Healthcare/PHI)
![Page 39: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/39.jpg)
An Eight-Step Journey To A Secure Cloud
Step 3: Determine Cloud Type (Think about applications)
• Software-as-a-Service (SaaS)
• Platform-as-a-Service (PaaS)
• Infrastructure-as-a-Service (IaaS)
![Page 40: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/40.jpg)
An Eight-Step Journey To A Secure Cloud
Step 4: Select a Delivery Model (Think about data classification)
• Private: Self-Managed | Outsourced
• Public: Commodity | Enterprise
• Hybrid: Private + Public | Private + Exchange | Private + Customer | Cloud Bursting
![Page 41: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/41.jpg)
An Eight-Step Journey To A Secure Cloud
Step 5: Specify Platform Architecture
• Compute
• Storage & Backup
• Network & Routing
• Virtualization vs. Dedicated
• Data Center Ethernet Fabric
• API/System Call
• System Device Drivers
(Diagram: Cloud Automation layer above customer applications running in VPDCs, on a Cloud OS (ex. IaaS) providing Compute, Security, Network and Storage)
![Page 42: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/42.jpg)
An Eight-Step Journey To A Secure Cloud
Step 6: Specify Security Controls
• Intrusion Detection/Prevention
• Firewall
• Log Management
• Application Protection
• Database Protection
• Identity & Access Management
• Encryption
• Vulnerability Scanning
![Page 43: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/43.jpg)
An Eight-Step Journey To A Secure Cloud
Step 7: Determine Policy Requirements
• Policy Creation and Enforcement – What are my service provider’s policies? Can I specify my own? How do they handle critical events?
• Policy “Bursting” – If I choose a cloud-bursting model, will my policies “burst” along with my VMs?
• Policy Migration – If I contract for cloud-based DR, will my policies migrate with my VMs?
![Page 44: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/44.jpg)
An Eight-Step Journey To A Secure Cloud
Step 8: Determine Service Provider Requirements
Automation | Delivery-Model Integration | Scalability | Monitoring | SLAs | Services | Security Controls | Stability | Terms | Compliance
![Page 45: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/45.jpg)
Compliance & Outsourced Cloud-Computing
• Will a “compliant service provider” make me compliant?
• What will most auditors look for?
• How does making the move to a hosted cloud-computing environment change the way audits will occur?
![Page 46: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/46.jpg)
Journey to The Cloud: Key Considerations
1. Understand your application’s applicability to the cloud
2. Classify data
3. Determine type of cloud
4. Select delivery model
5. Specify platform architecture
6. Specify security controls
7. Determine policy requirements
8. Determine service provider requirements
![Page 47: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/47.jpg)
Reference Sites
www.cloudsecurityalliance.org
www.cloudsecurity.org
www.cisecurity.org
csrc.nist.gov/groups/SNS/cloud‐computing/
www.vmware.com/pdf/vi3_security_hardening_wp.pdf
www.dmtf.org/about/cloud‐incubator
![Page 48: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/48.jpg)
More Information on Savvis
www.savvis.net
www.savvis.net/cloudcompute
blog.savvis.net
![Page 49: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/49.jpg)
More Imperva Information: Imperva.com
![Page 50: Data security in cloud](https://reader034.vdocuments.us/reader034/viewer/2022051411/546d26f8b4af9f612c8b5260/html5/thumbnails/50.jpg)
Questions & Answers