Cloud Security

Cloud Security and Audit Issues
Rapp Consulting [email protected]

Description

This is the ISACANE - Metrowest Breakfast Meeting held on December 18, 2009.

Transcript of Cloud Security

Page 1: Cloud Security

Cloud Security and Audit Issues

Page 2: Cloud Security

Agenda

Cloud Computing 101

Reality Check

Security Issues

ISACA Member Responsibilities

What's Missing

Page 3: Cloud Security

Cloud Computing 101

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

- NIST Definition of Cloud Computing

Page 4: Cloud Security

Cloud Computing 101 History - Definitions

[Figure: timeline from 1970 to 2010 across three layers (Applications, System Platform, Hardware), moving from Centralized to De-Centralized (Distributed) to Re-Centralized]

Per Novell Cloud Presentation 09/09

Page 5: Cloud Security

Cloud Computing 101 History - Definitions

Page 6: Cloud Security

Basic Concepts – Cloud Enabling Technologies / Functions

Cloud Computing is the attempted commercialization of virtual computing.

[Figure: Server Partitioning #1 / Server Partitioning #2]

Page 7: Cloud Security

Basic Concepts – Cloud Enabling Technologies / Functions

SOA - XML – API

Hypervisor

Dynamic Partitioning

API - Application Programming Interface

Server Optimization

OS / Application / Data Server Migration

Client CPU/Memory Utilization Monitoring

[Figure: Server Partitioning #1 / Server Partitioning #2]

Page 8: Cloud Security

Basic Concepts – Enabling Technologies

Dynamic Partitioning – the variable allocation of CPU processing and memory to multiple OSs, applications, and data within one server

[Figure: Server Partitioning #1 and #2 – Lawson / UnixHR / WINeCom / JavaERP / Sun OS]

Page 9: Cloud Security

Cloud Computing 101 History - Definitions

Page 10: Cloud Security

Cloud Computing 101 - ASPs vs SaaS

ASPs are traditional, single-tenant applications hosted by a third party. SaaS applications are multi-tenant, user-facing, web-based applications hosted by a vendor.

Page 11: Cloud Security

Cloud Computing 101 - PaaS

A Development Environment (Platform) as a Service.

Developer tool kits provided. "Pay as you develop/test" business model.

Rapid propagation of software applications – low cost of entry

Page 12: Cloud Security

Cloud Computing 101 - IaaS

The "Bare Metal" Infrastructure as a Service

•Clients provide all OS, security and application software

•Used for quick-implementation, as-needed data processing / data storage

Page 13: Cloud Security

Cloud Computing 101 - Service Delivery Models

IaaS - Infrastructure as a Service

PaaS - Platform as a Service

SaaS - Software as a Service

Page 14: Cloud Security

Cloud Deployment Models

Public cloud - sold to the public, mega-scale infrastructures

Private cloud - enterprise-owned or leased to a single client

Community cloud - shared infrastructure for a specific community

Hybrid cloud - composition of two or more cloud models

Page 15: Cloud Security

Cloud Computing 101

Page 16: Cloud Security

Reality Check

The Cloud Is Here and Will Keep Happening

Current Major Players – IaaS, PaaS: Amazon Web Services, AT&T, IBM, Rackspace, Terremark, Savvis

Current Major Players – SaaS: Facebook, Salesforce.com, Google (Gmail), NetSuite

Page 17: Cloud Security

Reality Check

Cloud Status in the US (bar chart with two series, US Govt and Industry; values read off the chart in legend order)

Status                           US Govt   Industry
Not discussing the cloud           16%       21%
Learning about the technology      46%       48%
Designing a plan                   10%        8%
Implementing a plan                 7%        8%
Cloud implementation in place      13%       13%
Unsure                              8%        2%

InternetNews.com, "Obama CIO: Government Can Lead in IT," March 12, 2009

Page 18: Cloud Security

Reality Check - Spending Forecasts

Page 19: Cloud Security

Claimed Cloud Computing Business Advantages

Optimizes server utilization

Cost savings

Dynamic scalability

Time savings for new programs

Right-sizes your enterprise

Outsources IT

Transitions CAPEX to OPEX

Page 20: Cloud Security

Excellent Cloud Examples

NASDAQ / NYT

Salesforce.com, Signiant, ThinLaunch Software, Intuit QuickBase, Webroot

Page 21: Cloud Security

A Disruptive Technology

The Cloud Reshuffles the IT Deck

Shrink-wrapped and enterprise-sized applications will migrate to online apps, possibly open-sourced

OSs will tend towards web-partial systems

Desktops and notebooks lose hard drives

Businesses' IT staffing requirements will drop

Page 22: Cloud Security

Current Press Status

The majority of press coverage supports service providers attempting to gain mindshare.

Most IT analysis is very positive about (hyping) the merits of the cloud.

Very little is written about cloud security or its auditability.

Page 23: Cloud Security

The Gartner Hype Curve

Page 24: Cloud Security

Reality Check

Greatest concerns surrounding cloud adoption at your company (per CIO): Security 45%

Page 25: Cloud Security

Security Issues

Cybercrime in 2008 was measured to be a larger societal loss than illegal drugs.

"The main objective of most attackers is to make money. The underground prices for stolen bank login accounts range from $10–$1000 (depending on the available amount of funds), $0.40–$20 for credit card numbers, $1–$8 for online auction site accounts and $4–$30 for email passwords."

Symantec Global Internet Security Threat Report – April 2009

Page 26: Cloud Security

Security Issues

"Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The digital infrastructure's architecture was driven more by considerations of interoperability and efficiency than of security."

White House Cyberspace Policy Review, May 2009

Page 27: Cloud Security

Security Issues

Page 28: Cloud Security

Reality Check

Greatest concerns surrounding cloud adoption at your company (per CIO):

Security 45%
Integration with existing systems 26%
Loss of control over data 26%
Availability concerns 25%
Performance issues 24%
IT governance issues 19%
Regulatory/compliance concerns 19%

Page 29: Cloud Security

Cloud Security & Control Groups

ENISA

Cloud Security Alliance – CSA

ISACA

DMTF

NIST

Jericho Forum

Apps.gov

OWASP

Page 30: Cloud Security

Cloud Security Alliance Members

Page 31: Cloud Security

Cloud Security Alliance

Page 32: Cloud Security

ISACA

Page 33: Cloud Security

ENISA

Page 34: Cloud Security

DMTF

Page 35: Cloud Security

Security Issues - Data Location

SaaS clients' data co-mingled

Accuracy and authenticity of both data and applications transferred between servers

Penetration detection & multi-client UA

Public cloud-server owner – due diligence? Data erasure?
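The "accuracy and authenticity of data and applications transferred between servers" concern above is something a client can check mechanically rather than take on trust. The following Python is an added example, not code from the deck or from Rapp Consulting: the sending side publishes an HMAC-SHA256-signed manifest of artifact hashes bound to a tenant id, and the receiving side verifies the manifest before trusting any file. The per-tenant key, tenant ids, file names and file contents are constructed for the example.

```python
# Added example (not from the deck): verifying accuracy and authenticity of data and
# application artifacts moved between servers. Sender signs a manifest of artifact hashes
# bound to a tenant id; receiver verifies the manifest before trusting any file.
# Key, tenant ids, file names and contents below are constructed.
import hashlib
import hmac
import json
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: Dict[str, bytes], key: bytes, tenant: str) -> dict:
    """Sender side: hash every artifact, bind the set to the tenant, sign with the tenant's key."""
    body = {"tenant": tenant,
            "files": {name: sha256_hex(data) for name, data in artifacts.items()}}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_transfer(manifest: dict, received: Dict[str, bytes], key: bytes, tenant: str) -> dict:
    """Receiver side. Returns {'ok': bool, 'reason': str, 'bad_files': [names]}.

    Order matters: check the MAC first so nothing in an unauthenticated manifest is acted on.
    """
    body = manifest["body"]
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):       # constant-time compare
        return {"ok": False, "reason": "manifest MAC mismatch", "bad_files": []}
    if body["tenant"] != tenant:                                  # another client's manifest
        return {"ok": False, "reason": "manifest belongs to another tenant", "bad_files": []}
    bad = [name for name, digest in body["files"].items()
           if name not in received or sha256_hex(received[name]) != digest]
    bad += [name for name in received if name not in body["files"]]   # files the sender never listed
    return {"ok": not bad,
            "reason": "ok" if not bad else "artifact mismatch",
            "bad_files": sorted(bad)}


# Constructed sample transfer: one tenant's ERP application archive and HR data file.
TENANT = "tenant-a"
KEY = b"constructed-per-tenant-key-do-not-reuse"
ARTIFACTS = {
    "app/erp.war": b"PK\x03\x04 constructed archive bytes",
    "data/hr.csv": b"emp_id,name,salary\n1,Alice,100000\n",
}


def demo() -> Dict[str, dict]:
    """Clean transfer, a modified file, an extra planted file, a wrong tenant, and a forged manifest."""
    manifest = build_manifest(ARTIFACTS, KEY, TENANT)
    modified = {**ARTIFACTS, "data/hr.csv": b"emp_id,name,salary\n1,Alice,900000\n"}
    planted = {**ARTIFACTS, "app/backdoor.jsp": b"<% %>"}
    forged = build_manifest(modified, b"attacker-key", TENANT)   # attacker lacks the tenant key
    return {
        "clean": verify_transfer(manifest, ARTIFACTS, KEY, TENANT),
        "modified": verify_transfer(manifest, modified, KEY, TENANT),
        "planted": verify_transfer(manifest, planted, KEY, TENANT),
        "wrong_tenant": verify_transfer(manifest, ARTIFACTS, KEY, "tenant-b"),
        "forged": verify_transfer(forged, modified, KEY, TENANT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} ok={result['ok']!s:5s} {result['reason']} {result['bad_files']}")
```

The tenant binding is what addresses the co-mingling concern on the same slide: a manifest that verifies under one client's key is still rejected if it names another client's data, and a provider that cannot produce a verifying manifest has no way to show the migrated copy is the one the client handed over.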

Page 36: Cloud Security

Current Regulations

PCI Compliance

States’ PII requirements

Sarbanes-Oxley

HIPAA

Page 37: Cloud Security

Current Regulations & Standards

Page 38: Cloud Security

ISACA Member Responsibilities – Opportunities

(Repeats the CIO concerns chart from Page 28.)

Page 39: Cloud Security

ISACA Member Responsibilities – Opportunities

Ensure Organization's Key Players Aware of Cloud Security Issues

Audit Data / Applications targeted for Cloud Computing

Input / Review Cloud Provider's SLA Agreement

Strengthen internal IAM Program

Page 40: Cloud Security

ISACA Member Responsibilities – Opportunities

Ensure Organization's Key Players Are Aware of Cloud Security Issues

Target respected type "A" champions: Business Application Owners, Corporate Attorneys, CxOs, HR

Page 41: Cloud Security

ISACA Member Responsibilities – Opportunities

Audit Data/Applications targeted for Cloud Computing – Data Mapping

What is the application data's internal security level?

Who are the Data Owners?

What type of cloud (public, private, etc.) is targeted?

Page 42: Cloud Security

ISACA Member Responsibilities – Opportunities

Input / Review Cloud Provider's SLA

Open-sourced APIs, etc.

XACML-based IAM program

Security transparency

Ownership of data

Audit at will

DR/BC policy and practice

Return of application and data policy

Page 43: Cloud Security

ISACA Member Responsibilities – Opportunities

Strengthen IAM Program

Page 44: Cloud Security

ISACA Member Responsibilities – Opportunities

Strengthen Identity – Access Management Program

XACML-based IAM program

Federated user access – integrated across both cloud and internal enterprise

Aligned with compliance requirements

SSO – (Single Sign On)

IAM security monitoring – reporting

Opportunity to implement risk-based provisioning
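To make the items on this slide concrete, here is an added example, not part of the deck and not Rapp Consulting's code, of an XACML-style attribute-based policy decision point fronting both a cloud-hosted and an internal application: federated users arrive with an issuer attribute, confidential resources require MFA, a partner identity provider is limited to reads, a session risk score above a threshold is denied (the risk-based provisioning hook), and every decision is appended to an audit log for monitoring and reporting. The rule names, attribute names, identity-provider names, risk threshold and sample requests are assumptions; a real deployment would express the same rules as XACML policy documents rather than Python lambdas.

```python
# Added illustration (not from the deck) of an XACML-style attribute-based policy
# decision point (PDP) fronting both cloud and internal applications.
# Attribute names, issuer names, the risk threshold and the sample requests are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List

Request = Dict[str, object]   # flat attribute bag: subject.*, resource.*, action, env.*


@dataclass
class Rule:
    name: str
    effect: str                        # "Permit" or "Deny"
    target: Callable[[Request], bool]  # True when the rule applies to the request


@dataclass
class Policy:
    """Deny-overrides combining: any applicable Deny wins, then Permit, else NotApplicable."""
    rules: List[Rule]

    def evaluate(self, req: Request) -> str:
        effects = [r.effect for r in self.rules if r.target(req)]
        if "Deny" in effects:
            return "Deny"
        if "Permit" in effects:
            return "Permit"
        return "NotApplicable"


# Identity providers whose federated assertions the enterprise trusts (assumed names).
TRUSTED_ISSUERS = {"idp.corp.example", "idp.partner.example"}
RISK_DENY_THRESHOLD = 70   # assumed cut-off for risk-based provisioning

POLICY = Policy(rules=[
    Rule("untrusted-issuer", "Deny",
         lambda r: r.get("subject.issuer") not in TRUSTED_ISSUERS),
    Rule("confidential-requires-mfa", "Deny",
         lambda r: r.get("resource.classification") == "confidential"
         and not r.get("env.mfa", False)),
    Rule("partners-read-only", "Deny",
         lambda r: r.get("subject.issuer") == "idp.partner.example"
         and r.get("action") != "read"),
    Rule("risky-session", "Deny",
         lambda r: int(r.get("env.risk_score", 0)) >= RISK_DENY_THRESHOLD),
    Rule("role-grants-app", "Permit",
         lambda r: r.get("resource.required_role") in r.get("subject.roles", ())),
])


def pdp_decide(policy: Policy, req: Request, audit_log: List[dict]) -> str:
    """Evaluate the request and append an audit record (the monitoring/reporting hook)."""
    decision = policy.evaluate(req)
    audit_log.append({
        "subject": req.get("subject.id"), "issuer": req.get("subject.issuer"),
        "resource": req.get("resource.id"), "action": req.get("action"),
        "decision": decision,
    })
    return decision


def pep_allows(policy: Policy, req: Request, audit_log: List[dict]) -> bool:
    """Policy Enforcement Point: only an explicit Permit grants access; NotApplicable is denied."""
    return pdp_decide(policy, req, audit_log) == "Permit"


def employee(**overrides) -> Request:
    """Constructed baseline request: an internal employee reading the cloud-hosted CRM app."""
    req: Request = {
        "subject.id": "alice", "subject.issuer": "idp.corp.example",
        "subject.roles": ("crm-user",), "action": "read",
        "resource.id": "crm-cloud-app", "resource.required_role": "crm-user",
        "resource.classification": "confidential",
        "env.mfa": True, "env.risk_score": 10,
    }
    req.update(overrides)
    return req


SAMPLE_REQUESTS = {
    "employee_ok": employee(),
    "employee_no_mfa": employee(**{"env.mfa": False}),
    "employee_risky": employee(**{"env.risk_score": 85}),
    "employee_wrong_role": employee(**{"subject.roles": ("erp-user",)}),
    "reseller_read": employee(**{"subject.id": "bob@reseller",
                                 "subject.issuer": "idp.partner.example"}),
    "reseller_write": employee(**{"subject.id": "bob@reseller",
                                  "subject.issuer": "idp.partner.example", "action": "write"}),
    "unknown_idp": employee(**{"subject.issuer": "idp.evil.example"}),
}


def run_samples() -> Dict[str, str]:
    """Decide every sample request; returns {name: decision}."""
    audit_log: List[dict] = []
    return {name: pdp_decide(POLICY, req, audit_log) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:20s} -> {decision}")
```

The deny-overrides combining algorithm and the enforcement point's treatment of NotApplicable as a denial are the two choices an auditor should look for in any IAM program that claims to be policy-based: with them, a missing attribute or an unanticipated request fails closed, and the audit log records the decision either way.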

Page 45: Cloud Security

ISACA Member Responsibilities – Opportunities

KEY TAKE-AWAY #1

Cloud computing should provide organizations with enough cost savings to afford the investment in required best-practice IS security measures.

Page 46: Cloud Security

ISACA Member Responsibilities – Opportunities

KEY TAKE-AWAY #2

Employ the same best-practice audit and risk management principles for cloud computing as you have been trained for and have used (or should be using) your entire career.

Page 47: Cloud Security

ISACA Member Responsibilities – Opportunities

Key Take Away #3

Develop an overarching Business Impact Analysis before moving an application / data to the cloud.

Page 48: Cloud Security

ISACA Member Responsibilities – Opportunities

Cloud computing can be evaluated much in the same way as a new operating system. And yet, it's something more as well. It has the usual system services but also some fantastic ones -- unlimited memory, unlimited storage, unlimited network bandwidth, unlimited (and on-demand) scalability and parallelism

http://www.ddj.com/web-development/220300736?pgno=4

Page 49: Cloud Security

ISACA Member Responsibilities – Opportunities

This fundamental difference between probabilistic risk and risk introduced by an intelligent adversary (or adaptive threats) leads to the conclusion that more understanding of the cyber security issues and impacts that are possible on the electric grid is needed. Indeed, there really is no statistical norm for the behavior of cyber attackers and information systems and components failure, and their potential impacts to grid reliability.

NERC - 2009 Long-Term Reliability Assessment

Page 50: Cloud Security

ISACA Member Responsibilities – Opportunities

[Diagram: Internal Enterprise connected to Distribution Resellers and Suppliers through a CRM Cloud App and an ERP Cloud App]

Page 51: Cloud Security

ISACA Member Responsibilities – Opportunities

[Diagram: the same Internal Enterprise / Distribution Resellers / Suppliers picture with additional cloud-hosted functions: HR, Stock Options, Advertising, Customer Service, CRM Cloud App, ERP Cloud App]

Page 52: Cloud Security

ISACA Member Responsibilities – Opportunities

There needs to be rock-solid security, and annual (or when changes occur) audit-to-certification standards developed for Cloud Service Providers (CSPs).

Page 53: Cloud Security

ISACA Member Responsibilities – Opportunities

Summary –

•Become a Weatherman – Learn the Clouds

•Educate Key Organization Decision Makers

•Internal risk assessment of Apps and Data

•Insist on a seat in the SDLC group

•Insist on open-source or open-standard cloud tools

Page 54: Cloud Security

ISACA Member Responsibilities – Opportunities

Summary –

•Audit CSP's Security and DR/BC Policies

•Is the CSP promoting best security practices?

•Upgrade Current Internal IAM program

•Insist on a "SAS 70" type audit from partners and outsource providers of their cloud enterprises (a SAS 70 report covers only the controls the service organization chose to describe, so check that its scope includes the controls you depend on)

Page 55: Cloud Security

What’s Still Needed

Commercial cloud application security standards.

Training & certification requirements for:

Individual cloud developers

Cloud service providers

Cloud security tool providers

Page 56: Cloud Security

What’s Still Needed

Best-practice standards for internal audits of enterprises employing cloud applications: a combination of the ENISA cloud risk assessment with the financial industry's Shared Assessments program.

Implement an annual Know Your Client (KYC) type audit/certification for all clients and cloud service providers.

Page 57: Cloud Security

Questions

Page 58: Cloud Security

Thank you

Peet Rapp – MBA, [email protected]