the cloud is in the details webinar - rothke

The cloud is in the details – policy and requirements in the era of cloud computing. Ben Rothke, CISSP CISA, BT Global Services, Senior Security Consultant


DESCRIPTION

The Cloud is in the details webinar - Policy & Requirements in the era of cloud computing, by Ben Rothke. March 2011

TRANSCRIPT

Page 1: The Cloud is in the details webinar - Rothke

The cloud is in the details – policy and requirements in the era of cloud computing

Ben Rothke, CISSP CISA, BT Global Services

Senior Security Consultant

Page 2: The Cloud is in the details webinar - Rothke

About me

• Ben Rothke (too many certifications)
• Senior Security Consultant – British Telecom
• Frequent writer and speaker
• Author – Computer Security: 20 Things Every Employee Should Know

Page 3: The Cloud is in the details webinar - Rothke

Agenda/Key take-away thought

• Agenda
– Overview of the need to create specific requirements & policies for a cloud initiative

• Take-away
– Contractors would never start building without plans and designs; a cloud project similarly shouldn’t be started without appropriate plans, designs and requirements definition

Page 4: The Cloud is in the details webinar - Rothke

The cloud is here to stay

Page 5: The Cloud is in the details webinar - Rothke

Don’t let your cloud project drive you bananas

Page 6: The Cloud is in the details webinar - Rothke

Cloud computing-choose your definition

• Definition #1
– A process you don’t fully understand, manage poorly and is out of control, that you give to a cloud provider with the hope and prayer that they can make sense of it, miraculously make it work, and be HIPAA, SOX and PCI compliant

• Definition #2
– A corporate strategic decision to use service-oriented architecture and utility computing to provide on-demand network access to a shared pool of configurable computing resources that support the firm’s tactical IT plans and long-term goals

Page 7: The Cloud is in the details webinar - Rothke

Cloud challenges

• Making cloud meet business requirements
• Integrating cloud into applications
• Producing documentation to deliver trust
• Management and reliability
• Planning and deployment
• Managing migration and scalability

Page 8: The Cloud is in the details webinar - Rothke

Cloud security challenges

• Authentication, identity management
• Compliance and regulatory
• Access control
• Trust management
• Policy
• Logging and accounting
• Privacy and data protection

Page 9: The Cloud is in the details webinar - Rothke

CSA Top Threats

1. Abuse and Nefarious Use of Cloud Computing
2. Insecure Interfaces and APIs
3. Malicious Insiders
4. Shared Technology Issues
5. Data Loss or Leakage
6. Account or Service Hijacking
7. Unknown Risk Profile

Page 10: The Cloud is in the details webinar - Rothke

The $64,000 cloud question

What is your security problem and how do you expect cloud services to solve it?

• Biggest mistake with cloud computing is that firms run to it without knowing why

• Then they use it with no plan for deployment

Page 11: The Cloud is in the details webinar - Rothke

Other ill-defined projects

• Information Week, Computer World, etc., continuously have stories about large projects ($25 – $200 million) that fail

• Why do these large Oracle, ERP, cloud, SAP projects continuously fail?
– Often inadequate, changing or conflicting requirements

Page 12: The Cloud is in the details webinar - Rothke

Cloud success metrics

Cloud success is measured with the following business questions:

– Does it deliver real business benefits?
– Was it deployed quickly and cost-effectively?
– Is it secure and does it provide trust?
– Is it reliable and easy to use?
– Can it be managed?
– Can it evolve and scale?

Page 13: The Cloud is in the details webinar - Rothke

What is your deployment plan?

• Typical cloud project is likely to be more complex than previous experience of typical IT projects may suggest

• As well as project management, technical and operational aspects, there are many policy, legal and security issues which must not be neglected

• By understanding and defining appropriate requirements, many of the potential traps and pitfalls can be avoided

• The risks to the business and the project are reduced and those that remain are quantified at an early stage

Page 14: The Cloud is in the details webinar - Rothke

Successful cloud deployment steps

1. Requirements Analysis
– Identify business, operational, commercial and security requirements

2. Architecture Definition
– Detailed definition of the operating model and cloud architecture

3. Operations
– Production of operational policies and procedures

4. Security Review
– Security review of the proposed system design, architecture and operations

5. Integration
– System piloting, integration of cloud-enabled applications and testing

6. Deployment
– Operational deployment and production roll-out

7. Post-Deployment
– Management of upgrades and change processes for the production cloud

Page 15: The Cloud is in the details webinar - Rothke

Step 1 - Requirements Analysis

• First step in implementing any cloud-based solution is to understand the requirements:
– What’s the problem and how do you expect a cloud to solve it?
– What are the business drivers?
– What level of security is appropriate?
– Where are the system vulnerabilities?
– What are the legal and regulatory compliance constraints?

Page 16: The Cloud is in the details webinar - Rothke

Step 1 - Requirements Analysis

• These requirements must be clearly identified and analyzed

• Analysis of the costs and business benefits and the provision of suitable project planning schemes are integral to step 1
– If the requirements aren’t clear, do not go forward

Page 17: The Cloud is in the details webinar - Rothke

Step 1 - Requirements Analysis – Project Planning

• Project manager is essential
– Some large-scale projects may need multiple managers

• PM must be given the resources, responsibility and authority to successfully deliver the cloud project

• Attempts to implement a cloud without PM have invariably resulted in failed projects

Page 18: The Cloud is in the details webinar - Rothke

Step 2 - Architecture Definitions

• Once the requirements are known, the next step is to produce an operating model and to design the chosen cloud architecture

• At this stage, cloud enabling of end user applications is also considered, allowing parallel development

Page 19: The Cloud is in the details webinar - Rothke

Step 2 - Architecture Definitions

Create set of documentation templates and checklists to:

– Define how the cloud will be operated
– Define how trust will be passed between entities
– Define the cloud architecture, taking account of practical issues such as resilience, management, performance, security, scalability and current industry standards and best practices
– Specify what the architecture will comprise
– Specify how end-entity applications are to be cloud-enabled
– Specify how the complete cloud will be tested and supported
– Produce a detailed project plan

Page 20: The Cloud is in the details webinar - Rothke

Step 2 – Cloud architecture

• Public
• Private
• Hybrid
• Community

• What is the best architecture for you?
• The one that meets your specific requirements and needs

Page 21: The Cloud is in the details webinar - Rothke

Step 3 – Operations

• Identify the policies, procedures, support issues and SLA

• Organizational issues delineate who is responsible for the various parts of the cloud

• Any security system is only as effective as the degree to which it is correctly operated
– Define the operating procedures and controls necessary to make sure that the cloud security system remains effective

Page 22: The Cloud is in the details webinar - Rothke

Step 4 – Security Review

• With any system it is important to understand where the risks are and where the system is most vulnerable – Nothing will ever be 100% secure

• At this stage, the cloud is well specified and therefore it is important that the proposed system is subjected to an independent review and risk analysis and, where appropriate, corrective action is taken

Page 23: The Cloud is in the details webinar - Rothke

Step 4 – Security Review

• The cloud is inherently unsafe and untrusted

• your job is to add the controls necessary to be a safe and trusted environment

Page 24: The Cloud is in the details webinar - Rothke

Step 4 – Security Review

• Detailed lists of the threats, vulnerabilities and countermeasures
– If you have an insecure infrastructure, then you will have an insecure cloud

• Creation of the system security policy provides a baseline level of security controls that must be implemented during cloud deployment

Page 25: The Cloud is in the details webinar - Rothke

Step 4 - Risk analysis & assessment

• Effective risk assessment and analysis ensures you are worrying about the right things

• Ultimate outcome of a risk analysis should be to see if you really can benefit from the product – Don’t worry about missing the bus

Page 26: The Cloud is in the details webinar - Rothke

Step 4 - Risk analysis & assessment

• Some companies have determined at Step 4 that they really do not want to / can’t move forward

• Don’t be afraid to cancel a cloud project if there is not a business need for it, or if the security risks are too great

Page 27: The Cloud is in the details webinar - Rothke

Step 4 – Cloud web applications

• Browsers are very complicated security environments

• understand how malware can thrive in a cloud environment

Page 28: The Cloud is in the details webinar - Rothke

Step 4 - Policy

• Create and maintain policies on how you will address the many cloud security issues
– Identify threats to the cloud environment & its contents; ensure you address current threats
– Metrics for monitoring
– Accountability
– Incident response
– Adequate training for new/transitioned staff

Page 29: The Cloud is in the details webinar - Rothke

Step 4 – Shared responsibilities

• Cloud provider
– Responsible for security from the data center to the hypervisor

• Client
– Responsible for security for the operating system and all applications

• But SaaS, PaaS & IaaS will have different shared responsibility models

Page 30: The Cloud is in the details webinar - Rothke

Step 5 – Integration

• Integration of all the cloud components and the building of a pilot system against which all the functional, performance and operational requirements can be tested

• Integration testing of any cloud-enabled applications is also performed

• DR/BCP
– Enterprise cloud must be available 24 x 7 x 365

Page 31: The Cloud is in the details webinar - Rothke

Step 6 – Deployment

• This step involves the installation and validation of the operational cloud, followed by acceptance testing

• A security review and penetration test is included to ensure that the actual implementation meets all the security requirements

• Documentation is finalized and published
• Acceptance testing

Page 32: The Cloud is in the details webinar - Rothke

Step 6 – Deployment

• Project closure meeting and report
– Customer agrees that all planned project activities have been completed, project performance information has been captured and the cloud project is properly closed
– Projects have a defined duration, but without a formal project closure activity, a project can drift and never be satisfactorily concluded

Page 33: The Cloud is in the details webinar - Rothke

Step 7 – Post-deployment

• All systems are subject to change and cloud is no exception
– A well-designed cloud should be able to integrate new requirements without having to be re-engineered

Page 34: The Cloud is in the details webinar - Rothke

References

• Cloud Computing Risk Assessment
– www.enisa.europa.eu/act/rm/files/deliverables/loud-computing-risk-assessment

• Security Guidance for Critical Areas of Focus
– www.cloudsecurityalliance.org/csaguide.pdf

• Cloud Security Guidance
– www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf

• Top Threats to Cloud Computing
– www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

• Cloud Security and Compliance: A Primer
– www.sans.org/reading_room/analysts_program/mcafee_carbird_08_2010.pdf

Page 35: The Cloud is in the details webinar - Rothke

Conclusion

• Cloud computing is a powerful platform
• But don’t attempt to roll out an enterprise-wide cloud without a well-defined plan and adequate security requirements

Page 36: The Cloud is in the details webinar - Rothke

Contact information

• Ben Rothke, CISSP CISA
• Senior Security Consultant
• BT Professional Services
• [email protected]

• www.linkedin.com/in/benrothke
• www.twitter.com/benrothke
• www.slideshare.net/benrothke

Page 37: The Cloud is in the details webinar - Rothke

Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.