William Varma
A Risk Based Approach to Cloud Security Assessment
This session will guide you through a risk assessment model to evaluate an organization's cloud use case scenarios, the potential risks, and the available compensating controls, in order to determine and potentially mitigate the trust requirements placed on the CSPs. Organizations can apply the results of this risk assessment exercise, along with use case analysis and emerging standard control frameworks, to draw up an assessment compliance framework for evaluating CSPs.
E-mail: [email protected], 613.612.0677
LinkedIn: William Varma, ca.linkedin.com/pub/william-varma/9/935/836/
What is the Same
Same concept as outsourcing
Similar technical controls: federated identity management
Similar security controls: compliance audits, authentication controls, encryption in transit, patch management
Vendor management: SLAs, contract
CapEx
What is Different
VM layer: shared control over virtual machine, load balancers, hypervisors
Multi‐tenancy: incident response, key management, log management
Security exposure: firewall ports, APIs & web interfaces
OpEx: billing models: pay‐as‐you‐go, change management (due to agile development methodology)
Data privacy, regulatory and jurisdictional issues, e‐discovery & forensics
Data management, retention, recovery, and destruction
Cloud Risk Methodology
Recognize the business needs and corresponding cloud usage
Conduct risk assessment of individual cloud usage case
Customize and frame a CSP assessment criteria
Adopt an assessment model and perform continuous monitoring
Cloud Risk Modeling:
• Pick an individual cloud usage case and conduct its risk analysis
• Find out the inherent risk associated with it
• Determine the potential countermeasures or compensating controls to lower the inherent risk
• Cost-Benefit Analysis: Assess the cost-effectiveness of these controls
• Derive the residual risks after implementation of the controls
• The residual risk derived will determine the trust requirement for the CSP
Business needs & Security Requirements
• Business requirements bring out cloud usage needs
• Security requirements in-house > Outsourcing security requirements > Evolve to frame cloud security requirements > Monitor the technology evolution and reflect it in spec updates
• Update the above specs with the industry-specific or business-specific compliance framework
Change Analysis: Where is the Impact?
Cloud stack: Application, Middleware, Data, Servers, Storage, Networking
Data Center & Operations
• Location, jurisdiction, time zone
Business Process
• Internal user and customer interaction
Technology
• Logical Security, Multi-tenancy, Configuration Management
IT Process Management & System Software
• Confidentiality, Integrity, Availability
IT Management Processes
• CMM, ISO 2700X, Cobit 5
Inherent Risks
Inherent Risk > Compensating Controls > Residual Risk > Trust on CSP
Availability
• Unscheduled outages for a CRM SaaS could impact customer/client relations, DR/BCP
• Loss of productivity, SLA violation, loss of reputation, significant unexpected costs
• Lock-in: API calls (import routines) to export data back in-house
Confidentiality
• Information breach: PII, business sensitive, proprietary, intellectual property violations
• Regulatory & compliance breach, penalties, loss of reputation, legal disputes
• Key management, sniffing, spoofing, side channel and replay attacks
Integrity
• Failure to hold regulated financial data for x number of years; issues out of multi-tenancy: corruption/co-mingling of data, data leaks, privilege escalation, resource isolation
• Legal sanctions, loss of productivity, rework/outages, compromised service engine
Usage Control
• Inadequate logical security leading to information/data compromise, billing disputes and, in extreme cases, exploitation of access control vulnerabilities leading to reputation damage, legal issues, exploits by spammers causing suspension of service by ISPs' heuristic traffic analyzers
Accountability
• Compromise of user IDs leading to information/data compromise; multi-tenancy: data/information co-mingling/corruption; incident management: log management
Risk Model for a SaaS Application
Compensating Controls
• Availability-related: Exit strategy; SaaS: in-house data back-up; for PaaS/IaaS: disaggregate among multiple CSPs
• Confidentiality-related: IaaS/PaaS: sensitive data stored encrypted (never processed); SaaS: dedicated hosts and all VMs; SaaS: you control encryption & key management, tokenizing, format-preserving encryption, runtime data aliasing; private cloud: critical roles, critical/sensitive modules
• Accountability-related: Stronger user authentication, authorization, and audit
• Usage Control-related: Monitoring and access control; private cloud: critical roles, critical/sensitive modules
• Integrity-related: You only opt up to IaaS or PaaS: you provide and control host security and services; you design the app and control/manage it
Residual Risk
• Threat from a rogue administrator or a co-tenant
• Compromise of access control and identity management
• Compromise of runtime data aliasing proxy mechanism
• Social engineering
CSP Trust Requirement
• Baseline security
• Identity & access management
• Administrative controls
• Application controls
• Advanced infrastructure controls
• Cyber risk insurance
Low Risk Use Case: In-House Designed Compensating Controls
Inherent Risk > Compensating Controls > Residual Risk > Trust on CSP
Use case: SaaS Hiring
Inherent Risk: Information/data not business sensitive; compromise of C I A: no adverse repercussions
• Availability: Incident Management, Performance Management
• Confidentiality: Account/Service Hijacking, Data Leakage
• Integrity: Malicious VM creation, Insecure VM migration
Compensating Controls: Basic Controls (Access Controls, Monitoring Controls, SLAs)
• Availability: Exit strategy
• Accountability: Stronger user authentication, authorization: Federated IM
• Usage Control: Monitoring and access control
Residual Risk: Low
Trust on CSP: Low
Medium Risk Use Case: In-House Designed Compensating Controls
Inherent Risk > Compensating Controls > Residual Risk > Trust on CSP
Use case: SaaS CRM
Inherent Risk: Medium
• Unexpected costs, loss of reputation
• Compromise on confidentiality
• Regulatory & compliance breach, penalties
• Availability: IM, PM, SLAs, DR, BCP
• Confidentiality: Account/Service Hijacking, Data Leakage, Sniffing/Spoofing on Virtual Networks
• Integrity: VM creation/VM Migration, Data Manipulation, VM Escape
Compensating Controls
• Availability: Exit strategy; SaaS: in-house data back-up; for PaaS/IaaS: disaggregate among multiple CSPs
• Confidentiality: IaaS/PaaS: sensitive data stored encrypted (never processed); SaaS: dedicated hosts and all VMs; SaaS: you control encryption & key management, tokenizing, format-preserving encryption, runtime data aliasing
• Integrity: You only opt up to IaaS or PaaS: you provide and control host security and services; you design the app and control/manage it
Re-visit Security: Frame the Assessment Criteria
Frame an Assessment Criteria:
• An expansive and exhaustive approach is unacceptable
• Start with concise SAG and ENISA, then CSA's matrix, and FedRAMP/NIST
• Identify the security control requirements that are part of the industry-specific regulatory compliance requirements
• Gap analysis: Security controls identified above vs. internal security controls identified in phase one
Control Frameworks for Cloud Security
• Shared Assessment Group
• ENISA
• FedRAMP
• CSA
• NIST
• CAMM
• PCI
• ISO/IEC 27036
Industry Related Regulations
• HIPAA
• GLBA
• PIPEDA
• Cross Border
• PHIPA
• PCI
• European Privacy Directive
• FISMA
Low Risk Use Case: Final Risk Analysis
Inherent Risk > Compensating Controls > Residual Risk > Trust on CSP
Use case: SaaS Hiring
Inherent Risk: Information/data not business sensitive; compromise of C I A: no adverse repercussions
• Availability: Incident Management, Performance Management
• Confidentiality: Account/Service Hijacking, Data Leakage
• Integrity: Malicious VM creation, Insecure VM migration
Compensating Controls: Basic Controls (Access Controls, Monitoring Controls, SLAs)
• Availability: Response time, load (e.g. transactions/min); exit strategy
• Confidentiality: Federated IM, data classification & segregation, encryption at rest/in transit, digital signatures
• Integrity: Mirage, Protection Aegis for live Migration of VMs (PALM), VNSS
• Accountability: Stronger user authentication, authorization: Federated IM
• Usage Control: Monitoring and access control
Residual Risk: Low
Trust on CSP: Low
Medium Risk Use Case: Final Risk Analysis
Inherent Risk > Compensating Controls > Residual Risk > Trust on CSP
Use case: SaaS CRM
Inherent Risk: Medium
• Unexpected costs, loss of reputation
• Compromise on confidentiality
• Regulatory & compliance breach, penalties
• Availability: IM, PM, SLAs, DR, BCP
• Confidentiality: Account/Service Hijacking, Data Leakage, Sniffing/Spoofing on Virtual Networks
• Integrity: VM creation/VM Migration, Data Manipulation, VM Escape
Compensating Controls
• Availability: Response time, load, RTO, RPO, data center failover/load balancing, in-house import; exit strategy; SaaS: in-house data back-up; for PaaS/IaaS: disaggregate among multiple CSPs
• Confidentiality: Federated IM, dynamic credentials, data classification & segregation, encryption at rest/in transit, data aliasing, tokenizing, format-preserving encryption, FRSV Network Security; IaaS/PaaS: sensitive data stored encrypted (never processed); SaaS: dedicated hosts and all VMs; SaaS: you control encryption & key management, tokenizing, format-preserving encryption, runtime data aliasing
• Integrity: Mirage, PALM, VNSS, web application scanners, Hypersafe, TCCP, TVDc; you only opt up to IaaS or PaaS: you provide and control host security and services; you design the app and control/manage it
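The chain the methodology slides describe (inherent risk per dimension, a cost-benefit filter on compensating controls, residual risk, and the trust requirement mapped onto the three models of handling security) applied to the deck's two use cases, as an added example that is not part of the original presentation. The numeric ratings, control reduction levels, costs and loss-per-level figures are assumed illustrative values, not numbers from the slides.

```python
"""Residual risk and CSP trust requirement (added example, not from the deck).
All ratings, control reductions, costs and loss figures are assumed values."""
from dataclasses import dataclass

LEVELS = ["None", "Low", "Medium", "High"]   # ordinal risk scale, index 0..3
DIMS = ("Availability", "Confidentiality", "Integrity",
        "Accountability", "Usage Control")

@dataclass(frozen=True)
class Control:
    name: str
    dimension: str
    reduction: int   # risk levels removed on that dimension (assumed)
    cost: int        # cost units per year (assumed)

@dataclass
class UseCase:
    name: str
    inherent: dict        # dimension -> LEVELS index
    candidates: tuple     # compensating controls under consideration
    loss_per_level: int   # loss avoided per level of risk removed (assumed)

def is_cost_effective(ctrl, inherent, loss_per_level):
    """Cost-benefit step: buy a control only if the loss it avoids exceeds its
    cost. Reduction beyond the inherent level on that dimension buys nothing."""
    useful = min(ctrl.reduction, inherent.get(ctrl.dimension, 0))
    return useful * loss_per_level > ctrl.cost

def select_controls(uc):
    return [c for c in uc.candidates
            if is_cost_effective(c, uc.inherent, uc.loss_per_level)]

def residual_risk(uc, controls):
    """Apply the selected controls. Residual risk never drops below Low where
    inherent risk existed: controls themselves can fail (rogue admin,
    compromised IAM, social engineering)."""
    residual = dict(uc.inherent)
    for c in controls:
        floor = 1 if uc.inherent.get(c.dimension, 0) > 0 else 0
        residual[c.dimension] = max(floor, residual[c.dimension] - c.reduction)
    return residual

# Trust requirement mapped onto the deck's three models of handling security.
TRUST_MODEL = {
    "None": "delivered security from CSP is trusted; SOC2 report is enough",
    "Low": "delivered security from CSP is trusted; SOC2 report is enough",
    "Medium": "best-of-breed security in cloud; custom assessment, certification",
    "High": "security steered from outside the cloud; cloud security not trusted",
}

def assess(uc):
    """Full chain: inherent -> cost-effective controls -> residual -> trust."""
    controls = select_controls(uc)
    residual = residual_risk(uc, controls)
    trust = LEVELS[max(residual.values())]   # worst dimension drives trust
    return {"controls": [c.name for c in controls], "residual": residual,
            "trust": trust, "model": TRUST_MODEL[trust]}

# The deck's two use cases with assumed ratings (Low = 1, Medium = 2, High = 3).
SAAS_HIRING = UseCase(
    "SaaS Hiring", dict.fromkeys(DIMS, 1),
    (Control("Access controls", "Usage Control", 1, 3),
     Control("Monitoring controls", "Accountability", 1, 3),
     Control("SLAs", "Availability", 1, 2)),
    loss_per_level=5)

SAAS_CRM = UseCase(
    "SaaS CRM", {"Availability": 3, "Confidentiality": 3, "Integrity": 2,
                 "Accountability": 2, "Usage Control": 2},
    (Control("Exit strategy + in-house backup", "Availability", 2, 10),
     Control("Customer-controlled encryption/key mgmt", "Confidentiality", 1, 12),
     Control("Opt up to IaaS/PaaS, own host security", "Integrity", 1, 40),
     Control("Federated IM, stronger authn/authz", "Accountability", 1, 8),
     Control("Monitoring and access control", "Usage Control", 1, 8)),
    loss_per_level=15)
if __name__ == "__main__":
    for uc in (SAAS_HIRING, SAAS_CRM):
        r = assess(uc)
        print(f"{uc.name}: residual={r['residual']} trust={r['trust']}")
```

With these assumed figures the integrity control for the CRM case is rejected by the cost-benefit filter, so integrity stays at Medium and drives a Medium trust requirement, matching the deck's rating for that use case.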
Examples of Controls for Low to Moderate Risks
Baseline Controls
• Interruption of service, change of CSP, data extraction interface
• SLAs: uptime, issue resolution
• CSP's cyber-risk insurance, liability/accountability for failures to honor SLAs
• Real-time event notification and log management
• DDoS, penetration testing
• 'How do you' vs. 'Do you'
Administrative Controls
• Access entitlement remediation
• Log notification: privileged user access, exceptions
Identity Controls
• Federation standards: SAML, SPML, WS-Federation
• Data entitlement: role-based and context-based
• Interoperability: federations, 3rd party identity services, trust brokers
• Real-time event notification and log management
• Multifactor authentication: digital certs, tokens, biometrics, etc.
Application Controls
• Application vulnerability scans
Examples of Controls for Moderate to High Risks
Host Security
• Restriction & monitoring of utilities that manage virtualized partitions
• Detect attacks on virtual infrastructure: e.g. shimming, blue pill, hyperjumping, etc.
Network Security
• Network firewall rules for hosted VMs and apps
• Network subzones for isolating VMs and apps
Data Security
• Multi-tenancy: controls to prevent data leakage or data mix-up
• Encryption: unique key per tenant, tenant-generated keys, identity-based encryption
• Encryption: data in storage, of VM images during transit, key management
Regulatory Controls
• Multi-tenancy: logical segmentation/separation of data
• Data recovery for a single client
Backup & Recovery
• Backup mechanism
• Backed-up data: storage, number of copies, protection mechanism
• Recovery: process and testing intervals
Continuous Monitoring
• Monitor service levels: availability, performance
• Monitor service levels: integrity, service quality, security
• Monitor service levels: confidentiality, change management, security audit logs, vulnerability management
• Monitor service levels: identity and access management, security audit logs, access control reviews
Three Models of Handling Security in Cloud
Low
• Delivered security from CSP is trusted
• SOC2 audit report is enough
• Security built into a virtual machine (VM) is used
• Vendor security features are trusted
Medium
• Best-of-breed security in cloud is used
• Custom/best-practice security assessment
• Best-of-breed security running on VM is used
• Certification/accreditation assessment
High
• Security is steered from outside the cloud
• Cloud security is not trusted
• Security is performed outside the VM
• Security product certification
Three Models of Handling Security in Cloud
Low
• When data excludes business sensitive information or PII
• Suited for small/medium sized companies in unregulated business
• Well designed and protected private cloud infrastructure
Medium
• Public cloud applications that are consuming infrastructure as a service
• Suited for medium/large sized companies in regulated business
• Consolidated private cloud infrastructures
High
• When data involves business sensitive information or PII
• Suited for medium/large sized companies in regulated business w/o firm guidance for cloud envs
• Companies using consumer-grade private cloud services