What is Cloud Security, and Can I have Some?
Introduction
• John Kinsella - CISSP, CCSK
• BoD – Silicon Valley Cloud Security Alliance
• Co-chair, CSA Portability and App Sec
• New secure cloud product in alpha testing
Where I’m from
Overview
o Definition and issues
o Legal
o Operations
o Best Practices
Essential Characteristics
• NIST Definition:
– On demand, self service
– Broad network access
– Resource pooling
– Rapid elasticity
– Measured service
No cloudwashing
3 Types of Clouds:
Software as a Service (SaaS)
• A system that is fully hosted and managed
• Less flexible for end user
• More trust involved
• Best example: webmail
Platform as a Service (PaaS)
• Provides framework for user to develop final solution
• More flexible than SaaS, requires developers
• Possibly still shared information
• Potentially less portable
Infrastructure as a Service (IaaS)
• A system that is fully hosted and managed
• Most flexibility
• Most control, but not complete
• Best example: “Virtual Private Servers”
How IaaS, PaaS, and SaaS fit
Deployment Models
• Public
• Private
• Hybrid
Legal
o Discovery
o Governance
o Compliance
It’s a Global Stage
Geopolitical Issues
Legal Discovery
• Frequently overlooked
• Jurisdiction
• Shared environment
Governance
• It’s your problem.
– SLAs
– Contract negotiation (see: Eli Lilly)
– No physical control
– Risk management
– Metrics
Compliance/audit
• Regulation hasn’t changed – just implementation
• Understand your compliance requirements – then apply them to the cloud.
• Don’t blindly trust provider’s audit – what was audited?
• Right to audit
It’s a Mapping Thing
From CSA Guidance v2.1
Operations
o Where does your information go?
o Does your data travel with you?
o Who should have access to your cloud?
o Incident response and forensics
o Encryption
Information Lifecycle Management
• Cloud requires high awareness of data location, sharing, archival and destruction
• Your data, not your equipment
• “Delete” doesn’t mean what you think it means
Portability
• Ability to quickly pull anchor and move providers
• Interoperability between clouds is a plus
Portability smells of hype.
Identity Management
• Scale – single VM or 10,000 email users?
• In-house or 3rd party ID provider?
• Federation
• Authentication
• Authorization
Business Continuity
• Don’t forget about backups or DR sites
• Cloud is only as good as the network it is attached to
• An attack on your cloud-neighbor is an attack on you
Incident Response
• The dance of incident response varies based on…
– Providers
– Cloud type
– Client type
– Data sensitivity
– Jurisdictions/regulations
Forensics
• Cloud brings us some great advantages from a forensics point of view:
– Very easy to image system for evidence
– Can monitor users without detection
– Very easy to spin up a new VM to replace compromised system
Cons to Cloud-Forensics
• Hardware-based tools suddenly inefficient
• In shared environments, tracking compromise across customers may become difficult
Encryption and Key Management
• One of the most important aspects of cloud security
• Security of encryption depends on protection of key
Best Practices
• Encrypt data at rest and in transit
• Understand and practice good key management
• Regard everyone with suspicion
• Monitor and gather statistics on everything
• Understand your privacy and information laws
• Understand where your data lives – what geographical areas your cloud covers, and where backups reside
• Do not re-invent wheels
Should I Move to The Public Cloud?
• It’s a risk management question:
– How valuable is my data (to others)?
– Am I willing to make the significant effort to correctly secure my data in-house?
Questions?
www.protectedindustries.com [email protected] @johnlkinsella