What is Cloud Security, andCan I have Some?

Introduction

• John Kinsella - CISSP, CCSK• BoD – Silicon Valley Cloud Security Alliance• Co-chair, CSA Portability and App Sec• New secure cloud product in alpha testing

Where I’m from

Overview

o Definition and issueso Legalo Operationso Best Practices

Essential Characteristics

• NIST Definition:– On demand, self service– Broad network access– Resource pooling– Rapid elasticity– Measured service

No cloudwashing

3 Types of clouds

3 Types of Clouds:

Software as a Service (SaaS)

• A system that is fully hosted and managed• Less flexible for end user• More trust involved• Best example: webmail

Platform as a Service (PaaS)

• Provides framework for user to develop final solution

• More flexible than SaaS, requires developers• Possibly still shared information• Potentially less portable

Infrastructure as a Service (IaaS)

• A system that is fully hosted and managed• Most Flexibility• Most control, but not complete• Best example: “Virtual Private Servers”

How IaaS, PaaS, and SaaS fit

Deployment Models

• Public• Private• Hybrid

Legal

o Discoveryo Governanceo Compliance

It’s a Global Stage

Geopolitical Issues

Legal Discovery

• Frequently overlooked• Jurisdiction• Shared environment

Governance

• It’s your problem.– SLAs– Contract negotiation (see: Eli Lilly)– No physical control– Risk Management– Metrics

Compliance/audit

• Regulation hasn’t changed – just implementation• Understand your compliance requirements –

then apply them to the cloud.• Don’t blindly trust provider’s audit – what was

audited?• Right to audit

It’s a Mapping Thing

From CSA Guidance v2.1

Operations

o Where does your information go?o Does your data travel with you?o Who should have access to your cloud?o Incident response and forensicso Encryption

Information Lifecycle Management

• Cloud requires high awareness of data location, sharing, archival and destruction

• Your data, not your equipment• “Delete” doesn’t mean what you think it

means

Portability

• Ability to quickly pull anchor and move providers

• Interoperability between clouds is a plus

Portability smells of hype.

Identity Management

• Scale – single VM or 10,000 email users?• In-house or 3rd party ID provider?• Federation• Authentication• Authorization

Business Continuity

• Don’t forget about backups or DR sites• Cloud is only as good as network attached• An attack on your cloud-neighbor is an attack

on you

Incident Response

• The dance of incident response varies based off…– Providers– Cloud type– Client type– Data sensitivity– Jurisdictions/regulations

Forensics

• Cloud brings us some great advantages from a forensics point of view:

– Very easy to image system for evidence– Can monitor users without detection– Very easy to spin up a new VM to replace

compromised system

Cons to Cloud-Forensics

• Hardware-based tools suddenly inefficient• In shared environments, tracking compromise

across customers may become difficult

Encryption and Key Management

• One of the most important aspects of cloud security

• Security of encryption depends on protection of key

Best Practices

• Encrypt data at rest and in transit• Understand and practice good key management• Consider everyone circumspect• Monitor and gather statistics on everything• Understand your privacy and information laws• Understand where your data lives – what

geographical areas your cloud covers, and where backups reside

• Do not re-invent wheels

Should I Move to The Public Cloud?

• It’s a risk management question:– How valuable is my data (to others)?– Am I willing to to the significant effort to correctly

secure my data in-house?

Questions?

www.protectedindustries.com jlk@protectedindustries.com @johnlkinsella