protecting data in the cloud
DESCRIPTION
Presentation given to the Australia Computer Society's QLD Branch Cloud SIG in September 2012.TRANSCRIPT
Protecting Data in the Cloud
Neil Readshaw, CISSPWorldwide Chief Architect – Cloud SecurityIBM Global Technology Services
@readshaw
© 2012 IBM Corporation
A Perfect Storm for Data Protection
Consumerization
of IT
Industrialization
of IT
Big Data
© 2012 IBM Corporation2
of ITof IT
How data protection in the cloud can go wrong
InternetAdministrator
Security Policy
Cloud Infrastructure
Customer Workloads
1. Security policy does not specify appropriate use of public clouds, so users are unguided.
3. No data security controls at the
enterprise boundary.
5. Enterprise workload in the cloud not subject to same security policy as on-premise.
© 2012 IBM Corporation3
EnterpriseCloud Service
Provider
User
Mobile User
Cloud Administrator
enterprise boundary.
2. Without knowing better, user tries to upload confidential data to public cloud service “to do their job”:
6. Mobile employee with BYOD leaks data because device lacks sufficient security to
protect data at rest after
retrieval from the cloud
4. Cloud provider’s data protection controls are neither documented, trusted nor certified.
Risks change when putting data in the cloud
Example Risk What makes it different?
Data LocationInformation may no longer be protected by the same laws and regulations as if it was in your on-premise
environments.
© 2012 IBM Corporation
Multi-tenancyA multi-tenant cloud may contain vulnerabilities at any level in the architecture that compromise the isolation principle.
Cloud Provider
Administration
A cloud provider’s administrators are not necessarily
subject to the same security controls and regulations as in
the on-premise case.
4
While the extent of risks may vary from on-premise data protection, the way to approach data protection is no different.
To protect data in the cloud requires:
• A balanced approach:• Governance, policy and process
• User awareness
• Technical security controls
• Trust, compliance and assurance
© 2012 IBM Corporation
• Trust, compliance and assurance
• Meeting or exceeding what is already available in the enterprise IT environments
5
Governance, policy and process
• How effective is current your enterprise data protection policy?
• And how accurate is the perception of its effectiveness?
• Make your CIO Office/Cybersecurity policies and procedures cloud aware
© 2012 IBM Corporation
procedures cloud aware• System inventory• Endpoint security and compliance management• Incident response• Automation is a must
• Taking a risk based approach allows for a balanced consideration of business opportunities
• Cloud is not one-size-fits-all, nor should the evaluation of workloads and their suitability
6
User awareness
• The division of security and privacy responsibilities between the cloud service provider and cloud consumer should be clearly and consistently understood by all parties
• Include end users, not just owners/admins
© 2012 IBM Corporation
• Demarcation of responsibilities will vary according to the cloud service and its delivery model
• A program of ongoing education and awareness to users provides an opportunity to update users as the cybersecurity and compliance landscape changes
7
Technical security controls
What
• Identity and access management (IAM)
• Encryption and key management
Where
• Within the enterprise (desktops, servers)
• At the enterprise boundary
© 2012 IBM Corporation
• Tokenization
• Secure delete
• Anti-malware
• Data loss prevention (DLP)
• Security and compliance management
• Audit
• Secure software engineering
• At the enterprise boundary
• At the cloud boundary
• In the cloud infrastructure
• In the workloads/VMs running in the cloud
8
Trust, compliance and assurance
• How is trust built between a cloud service provider and cloud service consumer?
• Infrastructure certifications, e.g. ISO 27001,
SSAE 16
• Industry regulations, e.g. PCI-DSS
• History and experience of a vendor to provide
© 2012 IBM Corporation
• History and experience of a vendor to provide
cloud/IT services
• Providing visibility into the operation of the cloud is important for assurance
• Directly with the cloud service provider or
through a trusted third party
9
When data protection in the cloud goes well
InternetAdministrator
Security Policy
Cloud Infrastructure
Customer Workloads
1. Security policy specifies appropriate use of public clouds, including incremental security controls, by workload.
3. Boundary security devices performs malware detection,
policy based data
5. Enterprise treats cloud hosted workloads as per on-premise, with the same security controls, e.g. IAM, AV, SCM.
© 2012 IBM Corporation10
EnterpriseCloud Service
Provider
User
Mobile User
Cloud Administrator
policy based data filtering/tokenization.
2. User has been educated to know that confidential data cannot be put in public clouds without encryption, and that SPI cannot be put in a cloud outside of the home country.
6. Mobile devices (enterprise supplied or BYOD) are managed, including security configuration management.
4. Cloud provider can demonstrate compliance with industry regulations and standards.
Conclusion
• Data protection in the cloud starts with data protection in the enterprise
• A balanced approach is needed• Governance, policy and process
© 2012 IBM Corporation
• Governance, policy and process
• User awareness
• Technical security controls
• Trust, compliance and assurance
11
Thank you!
© 2012 IBM Corporation
Thank you!
12