Secure Cloud Reference Architecture
By Mithilesh Kumar
Reference: cloudsecurityalliance.org
Guiding Principles
Define protections that enable trust in the cloud.
Develop cross-platform capabilities and patterns for proprietary and open-source providers.
Facilitate trusted and efficient access, administration and resiliency to the customer/consumer.
Provide direction to secure information that is protected by regulations.
The Architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
Centralize security policy, maintenance operation and oversight functions.
Access to information must be secure yet still easy to obtain.
Delegate or Federate access control where appropriate.
Must be easy to adopt and consume, supporting the design of security patterns.
The Architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
The architecture must address and support multiple levels of protection, including network, operating system, and application security needs.
High Level Use case
Secure Cloud Delivery Model
Secure Cloud Reference Architecture
SRM: Security & Risk Management
When every business is a digital business, IT security and business risk become one and the same.
Gateway to Secure Cloud Reference Architecture
Security & Risk Management Layers
Privilege Management Infrastructure
Threat and Vulnerability Management
Infrastructure Protection Services
Data Protection
Policies and Standards
Governance Risk & Compliance
InfoSec Management
Privilege Management Infrastructure
Identity Management
Domain Unique Identifier
Identity Provisioning
Attribute Provisioning
Federated IDM
Authentication Services
SAML Token
Risk Based Auth
Multifactor
OTP
Smart Card
Password Management
Biometrics
Network Authentication
Single Sign On
WS-Security
Middleware Authentication
Identity Verification
OTB AutN
Authorization Services
Entitlement Review
Policy Enforcement
Policy Definition
Policy Management
Principal Data Management
Resource Data Management
XACML
Role Management
Obligation
Out of the Box (OTB) AutZ
Privilege Usage Management
Keystroke/Session Logging
Password Vaulting
Privilege Usage Gateway
Resource Protection
Hypervisor Governance and Compliance
Threat and Vulnerability Management
Compliance Testing
Network
Server
Database
Penetration Testing
Internal
External
Vulnerability Management
Application
Database
Infrastructure
Threat Management
Source Code Scanning
Risk Management
Infrastructure Protection Services
Server
Behavioral Malware Prevention
White Listing
Sensitive File Protection
Anti-Virus
HIPS / HIDS
Host Firewall
End-Point
Anti-Virus, Anti-Spam, Anti-Malware
HIPS / HIDS
Host Firewall
Media Lockdown
Hardware Based Trusted Assets
Behavioral Malware Prevention
Inventory Control
Content Filtering
Forensic Tools
White Listing
Network
Behavioral Malware Prevention
Firewall
Content Filtering
Deep Packet Inspection
NIPS / NIDS
Wireless Protection
Link Layer Network Security
Black Listing Filtering
Application
Application Firewall
Secure Messaging
Secure Collaboration
Real Time Filtering
XML Application
Data Protection
Data lifecycle management
Meta Data Control
Data De-Identification
Data Masking
Data Tagging
Data Obscuring
Data Seeding
Life cycle management
eSignature (Unstructured data)
Data Loss Prevention
Data Discovery
Network (Data in Transit)
End-Point (Data in Use)
Server (Data at Rest)
Intellectual Property Protection
Intellectual Property
Digital Rights Management
Cryptographic Services
Symmetric Key Management
Asymmetric Key Management
PKI
Signature Services
Data-in-use Encryption (Memory)
Data-in-Transit Encryption (Transitory, Fixed)
Data-at-Rest Encryption (DB, File, SAN, Desktop, Mobile)
Policies and Standards
Operational Security Baselines
Job Aid Guidelines
Role Based Awareness
Information Security Policies
Technical Security Standards
Data/Asset Classification
Best Practices & Regulatory correlation
Governance Risk & Compliance
Compliance Management
Policy Management
Exceptions
Self Assessment
Vendor Management
Audit Management
IT Risk Management
Technical Awareness and Training
InfoSec Management
Capability Mapping
Risk Portfolio Management
Risk Dashboard
Residual Risk Management