Bringing Cloud Security Down to Earth
Andreas M Antonopoulos
Senior Vice President & Founding Partner
www.nemertes.com
© Copyright 2010 Nemertes Research
Agenda
About Nemertes
Cloud Dynamics and Adoption
Assessing Risk of Cloud Services
Controls to Address Risk
Establishing Trust
Identity Management Recommendations
Summary and Conclusions
Nemertes: Bridging the Gap Between Business & IT
Quantifies the business impact of emerging technologies
Conducts in-depth interviews with IT professionals
Advises businesses on critical issues such as:
Unified Communications
Social Computing
Data Centers & Cloud Computing
Security
Next-generation WANs
Cost models, RFPs, Architectures, Strategies
Cloud Dynamics and Adoption
IaaS & PaaS adoption < 1%
SaaS adoption = 60%
The main limitation on IaaS and PaaS adoption is concern over security and compliance
Virtualization provides agility, flexibility and scalability for cloud offerings
Virtualization Security (VirtSec) is a fundamental aspect of cloud security for all cloud models
*Based on Cloud Security Alliance CSA Guide service model (www.cloudsecurityalliance.org)
Assessing Risk of Cloud Services
[Figure: risk matrix plotting Probability against Impact, each rated Low, Medium or High]
Asset Assessment
• Define assets
• Assign values of asset loss or compromise
Vulnerability Assessment
• Define vulnerabilities
• Assess probability of exploit
Risk Assessment
• Define all risks
• Risk probability
• Risk impact
Risk Mitigation
• Preventive and detective controls
• Compensating controls
• Residual risk
Public Cloud Risks: Top 10
1. Loss of governance
   • CSP may prohibit vulnerability testing and visibility into internal procedures
   • Incompatibility with in-house provisioning and management tools
2. Service provider lock-in
   • Minimal portability between providers
   • Custom APIs, runtime, databases, applications and storage semantics
3. Compliance risks
   • CSP may not be compliant with specific requirements
   • Auditors have little visibility into CSP internal controls
4. e-Discovery and litigation support
   • CSP has limited responsibility
   • Shared tenancy complicates the process
Public Cloud Risks: Top 10, Continued
5. Management interface compromise
   • Hijacking of the management interface for control of tenant resources
   • Compromise of the CSP's own management interface
6. Network management failure
   • Misconfiguration leading to service outage (DNS, network, application)
   • Application performance issues
7. Isolation failure
   • Multi-tenancy increases the risk of hopping between resource pools
   • Denial of Service (DoS) attack against a co-resident tenant
Public Cloud Risks: Top 10, Continued
8. Data protection
   • Lack of visibility into breaches of confidential/sensitive data
   • Risk of co-resident unlawful data
9. Insecure/incomplete data deletion
   • Data deletion policies may not be compatible with the CSP's
   • No guarantee that true wiping of data occurs
10. Malicious insider
   • CSP administrator has access to multiple tenant services
   • CSP security team has visibility into all event logs
Controls to Address Risk
SaaS
  Preventive controls
    • Identity management including multi-factor authentication
    • Browser patching and hardening
    • Endpoint security
  Detective controls
    • Access reports
PaaS
  Preventive controls
    • User authentication (multi-factor)
    • User privilege management
    • Browser patching and hardening
    • Endpoint security
  Detective controls
    • Access reports
    • Vulnerability scanning (application and user access)
IaaS
  Preventive controls
    • VPN for management access and movement of VMs
    • Configuration and patch management
    • Access controls and multi-factor authentication
    • Host IDS/IPS
    • VirtSec appliance
  Detective controls
    • Access reports
    • Event logging and correlation
    • Vulnerability scanning (application and user access)
Preventive Control: Identity Management
The concept of trust changes with the cloud model
Trust must extend into the cloud (SaaS, PaaS and IaaS)
Three key identity management areas: user management, authentication management, authorization management
Evolving standards:
SAML – Security Assertion Markup Language: single sign-on (SSO)
XACML – eXtensible Access Control Markup Language: least privilege
OAuth – Open Authentication: sharing cloud data
User Access Management (SAML)
[Sequence diagram: User, Cloud Service Provider (CSP) and Identity Manager (IM); time runs downward]
1. User attempts to log on to the CSP
2. CSP generates a SAML request and redirects the browser to the IM
3–4. IM parses the SAML request and generates a SAML response
5. User sends the SAML response to the CSP Assertion Consumer Service (ACS)
6. ACS verifies the SAML response and redirects the user to the destination URL
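The SSO exchange above as a runnable sketch, added here and not part of the original deck: an HMAC over a JSON payload stands in for the XML signature on a real SAML assertion, and the key, entity id and URLs are placeholders. The point is the checks the ACS performs at step 6 before trusting the subject: signature, audience, validity window, and a one-time match against the request ID the CSP issued at step 2.

```python
import hashlib, hmac, json, secrets, time

# Constructed example (not from the slides): the SP-initiated SSO exchange,
# with an HMAC over a JSON payload standing in for the XML signature on a real
# SAML assertion. IDP_KEY and the entity id below are placeholders.
IDP_KEY = b"placeholder-idp-signing-key"      # shared between IM and CSP for this demo
SP_ENTITY_ID = "https://csp.example/saml"     # hypothetical CSP entity id

def sign(payload):
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(IDP_KEY, data, hashlib.sha256).hexdigest()

# Step 2: the CSP builds the SAML request and remembers its ID for later matching.
def csp_build_request(destination_url, pending):
    req = {"ID": secrets.token_hex(8), "Issuer": SP_ENTITY_ID, "RelayState": destination_url}
    pending[req["ID"]] = destination_url
    return req

# Steps 3-4: the IM parses the request and issues a signed response for the user.
def im_build_response(req, user, now):
    resp = {"InResponseTo": req["ID"], "Audience": req["Issuer"], "Subject": user,
            "NotOnOrAfter": now + 300}
    return {"payload": resp, "Signature": sign(resp)}

# Step 6: the ACS checks signature, audience, validity window and request ID
# before trusting the subject and redirecting to the destination URL.
def acs_verify(signed, pending, now):
    p = signed["payload"]
    if not hmac.compare_digest(signed["Signature"], sign(p)):
        return None, "bad signature"
    if p.get("Audience") != SP_ENTITY_ID:
        return None, "wrong audience"
    if now >= p["NotOnOrAfter"]:
        return None, "expired"
    dest = pending.pop(p["InResponseTo"], None)   # one-time use: rejects replay and unsolicited responses
    if dest is None:
        return None, "unknown or replayed request id"
    return p["Subject"], dest

def sso_flow(user="alice", destination="https://csp.example/app", tamper=False):
    pending, now = {}, int(time.time())
    req = csp_build_request(destination, pending)                  # steps 1-2
    signed = im_build_response(req, user, now)                     # steps 3-4
    if tamper:                                                      # response edited in transit
        signed["payload"]["Subject"] = "admin"
    return acs_verify(signed, pending, now)                         # steps 5-6
```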
Authorization Management (XACML)
[Sequence diagram: User, Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Administration Point (PAP) and Policy Information Point (PIP); time runs downward]
1. User sends an access request to the PEP
2. PEP sends an XACML request to the PDP
3. PDP requests policy information from the PAP
4. PDP requests subject, resource and environment attributes from the PIP
5. PDP responds to the PEP with an authorization decision
6. PEP allows or denies access
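The PEP/PDP/PAP/PIP loop above as an added example, not from the original deck: hypothetical policies, users and resources, with deny-overrides as the combining rule. The PEP grants access only on an explicit Permit; an unknown subject, or a request matched by no rule, comes back NotApplicable and is refused.

```python
# Constructed example (not from the slides): the PEP/PDP/PAP/PIP exchange as a
# minimal XACML-style decision loop with deny-overrides combining. The policies,
# users and resources are hypothetical.

# Policy Administration Point: rules as (effect, predicates over named attributes).
PAP_POLICIES = [
    {"id": "deny-outside-business-hours", "effect": "Deny",
     "match": {"environment.hour": lambda h: h < 8 or h > 18}},
    {"id": "finance-reads-ledger", "effect": "Permit",
     "match": {"subject.department": lambda d: d == "finance",
               "resource.type": lambda t: t == "ledger",
               "action": lambda a: a == "read"}},
]

# Policy Information Point: attributes the PEP's request does not carry itself.
PIP_STORE = {
    "subject": {"alice": {"department": "finance"}, "mallory": {"department": "sales"}},
    "resource": {"/ledger/q3": {"type": "ledger"}},
}

def pip_lookup(category, key):
    return PIP_STORE.get(category, {}).get(key, {})

# Policy Decision Point: steps 3-5 of the diagram.
def pdp_decide(request, policies=PAP_POLICIES, lookup=pip_lookup):
    attrs = {"action": request["action"], "environment.hour": request["environment"]["hour"]}
    for category in ("subject", "resource"):                 # step 4: enrich from the PIP
        for name, value in lookup(category, request[category]).items():
            attrs[f"{category}.{name}"] = value
    applicable = [p for p in policies                         # step 3: policies from the PAP
                  if all(n in attrs and test(attrs[n]) for n, test in p["match"].items())]
    effects = {p["effect"] for p in applicable}
    if "Deny" in effects:                                     # deny-overrides combining
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"                                    # no rule matched

# Policy Enforcement Point: steps 1-2 and 6. Only an explicit Permit opens the door.
def pep_enforce(subject, action, resource, hour):
    request = {"subject": subject, "action": action, "resource": resource,
               "environment": {"hour": hour}}
    decision = pdp_decide(request)
    return decision == "Permit", decision
```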
Authentication Management (OAuth)
[Sequence diagram: Web App, CSP and User; time runs downward]
1. Web app requests a request token for the CSP service
2. CSP verifies the web app and responds
3. User is redirected to the CSP authorization page
4. User is prompted to log in to their account and verify the web app
5. User is redirected to the web app's auth. page along with the authorized request token
6. Web app sends a request for an access token to the CSP auth. service
7. Web app sends a request including the access token to the CSP service
8. CSP provides the requested data
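The three-legged exchange above as an added example, not the deck's own code: a hypothetical CSP token service, "webapp-key" as a registered app, and HMAC-SHA256 over a short message in place of the OAuth 1.0a signature base string. A request token is unusable until the user authorizes it at the CSP, and it is consumed when exchanged for the access token; run_flow plays the web app's side.

```python
import hashlib, hmac, secrets
# Constructed example (not from the slides): a CSP token service walking the
# three-legged OAuth 1.0a-style exchange. HMAC-SHA256 over a short message stands
# in for the OAuth 1.0a signature base string; "webapp-key" is a hypothetical app.
def sign_request(secret, token_secret, msg):
    key = f"{secret}&{token_secret}".encode()          # consumer secret + token secret
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

class CspTokenService:
    def __init__(self):
        self.apps = {"webapp-key": "webapp-secret"}     # registered web apps
        self.request_tokens, self.access_tokens = {}, {}
        self.data = {"alice": ["report-q3.pdf"]}        # per-user data behind the service
    # Steps 1-2: check the app's signed request, hand out an unauthorized request token.
    def issue_request_token(self, app_key, sig):
        secret = self.apps.get(app_key)
        if not secret or not hmac.compare_digest(sig, sign_request(secret, "", f"request:{app_key}")):
            return None
        tok, tsec = secrets.token_hex(8), secrets.token_hex(8)
        self.request_tokens[tok] = {"secret": tsec, "app": app_key, "user": None, "verifier": None}
        return tok, tsec
    # Steps 3-5: the user logs in at the CSP and approves the app for this token.
    def authorize(self, tok, user):
        entry = self.request_tokens[tok]
        entry["user"], entry["verifier"] = user, secrets.token_hex(4)
        return entry["verifier"]
    # Step 6: swap the authorized request token plus verifier for an access token.
    def exchange(self, app_key, tok, verifier, sig):
        e = self.request_tokens.get(tok)
        if not e or e["app"] != app_key or e["user"] is None or e["verifier"] != verifier:
            return None                                  # unauthorized, wrong app or wrong verifier
        if not hmac.compare_digest(sig, sign_request(self.apps[app_key], e["secret"], f"access:{tok}:{verifier}")):
            return None
        del self.request_tokens[tok]                     # request tokens are single use
        atok, asec = secrets.token_hex(8), secrets.token_hex(8)
        self.access_tokens[atok] = {"secret": asec, "user": e["user"]}
        return atok, asec
    # Steps 7-8: release data only for a request signed with the access token secret.
    def resource(self, app_key, atok, sig):
        e, secret = self.access_tokens.get(atok), self.apps.get(app_key)
        if not e or not secret or not hmac.compare_digest(sig, sign_request(secret, e["secret"], f"data:{atok}")):
            return None
        return self.data.get(e["user"], [])

def run_flow(csp, user="alice", app_key="webapp-key", app_secret="webapp-secret"):
    tok, tsec = csp.issue_request_token(app_key, sign_request(app_secret, "", f"request:{app_key}"))
    verifier = csp.authorize(tok, user)                  # the user-facing steps happen at the CSP
    atok, asec = csp.exchange(app_key, tok, verifier, sign_request(app_secret, tsec, f"access:{tok}:{verifier}"))
    return csp.resource(app_key, atok, sign_request(app_secret, asec, f"data:{atok}"))
```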
Identity Management Recommendations
User Management
  Challenges
    • Secure and timely management of onboarding and offboarding cloud users
    • Extending enterprise IAM systems into the cloud
  Recommendations
    • Avoid building custom interfaces for user provisioning
    • Push the cloud provider to use open standards
Authentication Management
  Challenges
    • Credential management
    • Strong authentication
    • Delegated authentication
  Recommendations
    • Manage credentials in your own identity solution and federate with the cloud provider
    • When users self-provision services, a decentralized standard like OpenID provides authentication to multiple services
    • For IaaS, establish a dedicated VPN or use a standard assertion (SAML) with encryption (SSL)
    • For IaaS, PaaS and SaaS, push the cloud provider to delegate authentication to the enterprise via SAML or WS-Federation
    • Multi-factor authentication is essential
Identity Management Recommendations, Continued
Authorization Management
  Challenges
    • Establishing a standard authorization model across multiple cloud providers
    • Passing authorization information between cloud providers
    • Enforcing, and monitoring enforcement of, authorization
  Recommendations
    • Identify authoritative sources of user and policy information
    • Determine privacy policies for each type of data
    • Establish a mechanism to transfer policy information from the policy administration point (PAP) to the policy decision point (PDP)
    • Establish a mechanism to transfer policy information from the policy information point (PIP) to the PDP
    • Establish a mechanism to request a policy decision from the PDP
    • Establish a policy enforcement point (PEP) to enforce policy
    • Implement logging of all authorization management actions
Summary
A risk-based approach is the only way to assess a cloud computing deployment decision
Most offerings are currently too risky for sensitive data
Establish detective and preventive controls specific to each cloud deployment model:
SaaS – Browser patching, endpoint security, access reports
PaaS – Browser patching, hardening, endpoint security, access reports and vulnerability scanning
IaaS – VPN, configuration and patch management, host IDS/IPS, VirtSec appliance, access reports, vulnerability scanning, logging & event management
Identity management is a key area of preventive control focus for all service models
This starts internally
Conclusion: What Should You Be Doing?
Urgent: Act Now – Inventory all CSP relationships. Assess each CSP against the top 10 risks. Meet with auditors to assess compliance issues.
Short-Term Plans – Implement VirtSec and identity management in-house (or via a third-party service) before moving to IaaS and PaaS.
Long-Term Plans – Push for open standards for APIs, platforms, user provisioning, authentication and authorization.
Overall Focus – Keep focus on the cloud goals of increasing flexibility and agility and providing a strong ROI.