Cloud Security by Sanjay Willie
-
Upload
microsoft-techdays-apac -
Category
Documents
-
view
217 -
download
0
Transcript of Cloud Security by Sanjay Willie
-
8/3/2019 Cloud Security by Sanjay Willie
1/44
Cloud Security
What you need to know
SanjayW (v1.1)
-
8/3/2019 Cloud Security by Sanjay Willie
2/44
Cloud computingWhere were you when cloud
computing took over?
-
8/3/2019 Cloud Security by Sanjay Willie
3/44
I was..
on
-
8/3/2019 Cloud Security by Sanjay Willie
4/44
Agenda
Cloud The birth of..
Define cloud
The general fears and perceptions
Cloud security considerations Conclusion
-
8/3/2019 Cloud Security by Sanjay Willie
5/44
When it existed? It existed long before the term
coined
Typical cloud examples Hosted (a lot of them are free) email Online applications
Office365
Salesforce.com Skype (VoIP) Social media (Youtube, Facebook,
Twitter)
File storage/storage hosting
Microsoft SkyDrive Dropbox
And.and.and
-
8/3/2019 Cloud Security by Sanjay Willie
6/44
So this CLOUD ....
Is it repackaging?
Is it truly new?
Is this the future?
How does it differ,security wise..?
-
8/3/2019 Cloud Security by Sanjay Willie
7/44
Hype or not?
-
8/3/2019 Cloud Security by Sanjay Willie
8/44
Cloud is here to stay..
Its no longer in just a hype
BUT. Theres still a lot of work inprogress
Security is still a pressing thought Cloud computing is elusive..?
Old skool..infrastructure and security wise?
Fear of the unknown?
-
8/3/2019 Cloud Security by Sanjay Willie
9/44
Ada udang di sebalik
awan
-
8/3/2019 Cloud Security by Sanjay Willie
10/44
Gartners 7 top Cloud Security
Concerns/Considerations..
Privilege user access
Compliance
Data Location
Data Segregation Recovery
Support Long term factor (LTF)
-
8/3/2019 Cloud Security by Sanjay Willie
11/44
Network stance Indifferent except
It may be hosted outside your environment
Probably better (quicker) scale factor
Takes away CAPEX quite a bit
It is as you would publish to WWW
-
8/3/2019 Cloud Security by Sanjay Willie
12/44
Security on LAN is.. Physical
Network
Application
Legislation Etc
-
8/3/2019 Cloud Security by Sanjay Willie
13/44
Security Stance It is (still) as strong as the weakest link
(yet again) It may as well ENHANCE security
Nonetheless, if its public facing raisesRED flag
Takes away CAPEX quite a bit
-
8/3/2019 Cloud Security by Sanjay Willie
14/44
Security on LAN is..
-
8/3/2019 Cloud Security by Sanjay Willie
15/44
Security on WAN is..(still) Physical
Network Application
Legislation
Etc
What are the factors that makes it different?Exposure/threat vectors
-
8/3/2019 Cloud Security by Sanjay Willie
16/44
Security on WAN is..
-
8/3/2019 Cloud Security by Sanjay Willie
17/44
Security on Cloud is.. Physical
Network Application
Legislation
Etc
What are the factors that makes it different?Responsibilities, threat vectors, control
-
8/3/2019 Cloud Security by Sanjay Willie
18/44
Security on Cloud is..
-
8/3/2019 Cloud Security by Sanjay Willie
19/44
Why? Fear ofknown unknowns
Fear ofnewunknowns
Lack of tangibility
Lack of visibilityTransparency of operations
Legislative factors
Policy changes
-
8/3/2019 Cloud Security by Sanjay Willie
20/44
To love cloud is to know cloud
-
8/3/2019 Cloud Security by Sanjay Willie
21/44
Cloud computing 101..
-
8/3/2019 Cloud Security by Sanjay Willie
22/44
Lets break it down Software as a service
Platform as a service Infrastructure as a
service
Each, have their own
problems.. Lets analyze them
-
8/3/2019 Cloud Security by Sanjay Willie
23/44
Lets break it down.. Public
Private Community
A combination of the above (hybrid)
-
8/3/2019 Cloud Security by Sanjay Willie
24/44
Cloud security band wagon.. You inherit the benefits/problems of the
internet You inherit the benefits/problems of the
provider
You inherit the benefits/problems of therespective country/laws
You inherit the benefits/problems of yourneighbors (co-hosting)
-
8/3/2019 Cloud Security by Sanjay Willie
25/44
Software As A Service - Problems You do not know what are they doing
Bad software or APIs Shared model could mean shared domain
security
You cannot dictate the software codes
-
8/3/2019 Cloud Security by Sanjay Willie
26/44
Platform As A Service - Problems
Poorly developed middleware
May not work with your appsMay lead to a loophole to a good app sitting
above it
The case of one size do not fit all Flexible may not be good here means
room for errors
-
8/3/2019 Cloud Security by Sanjay Willie
27/44
Infra As A Service - Problems Skill sets of programmers and infra guys
are unequal Most flexible. Again, not necessarily good
Possibly inherit the {insert good/bad} fromyour existing network
-
8/3/2019 Cloud Security by Sanjay Willie
28/44
The responsibility hierarchy
-
8/3/2019 Cloud Security by Sanjay Willie
29/44
Responsibility segregation SaaS Mostly them
PaaS You and moderately them
IaaS You and little them
-
8/3/2019 Cloud Security by Sanjay Willie
30/44
A wise man once said..Its okay to believe, just as long
as you know!
-
8/3/2019 Cloud Security by Sanjay Willie
31/44
Know!... Using {insert provider here}
Where they are deployedHow they are deployed
Type of built-in controls
Compliance
Where they are consumed?
Need for re-perimeterizationSure, love thy neighbor, not necessarily
trusting them..
-
8/3/2019 Cloud Security by Sanjay Willie
32/44
The Models, are the same, theapplication is different..
-
8/3/2019 Cloud Security by Sanjay Willie
33/44
Fear not the CLOUD..
-
8/3/2019 Cloud Security by Sanjay Willie
34/44
Security and Privacy Considerations
-
8/3/2019 Cloud Security by Sanjay Willie
35/44
Technical Factors Information/Data LifeCycle
Confidentiality, Integrity, Availability,Authenticity, Authorization, Authentication,and Non-Repudiation
-
8/3/2019 Cloud Security by Sanjay Willie
36/44
Technical Factors Security, DR and BCP
Since cloud is relatively new, legacy securityimplementation should be used
See their network and security devices physically
See their NOC/team hierarchy
This also include legacy DR and BCP
Legacy includes physical security Go visit them
-
8/3/2019 Cloud Security by Sanjay Willie
37/44
Technical Factors Data center
With cloud at a boom, come more Data Centers
They may have certification of compliance some sort But still request possibility of audit
Their cloud architecture and offering should be clearly defined
Compartmentalization
Network architecture
Resources redundancy
And. And.And
Customer service
-
8/3/2019 Cloud Security by Sanjay Willie
38/44
Technical FactorsApplication security
SDLC Based Apps
Hardening of prebuilt OSes
Inter-host communication policy
Credential storage
Where logs are stored should have similar quality as theactual data itself
Backdoor accounts for support?
Auditing rightsBlackbox testing evasion
Vulnerability assessment
-
8/3/2019 Cloud Security by Sanjay Willie
39/44
Technical FactorsEncryption and key management
Should we encrypt? Keep private keys out where possible (use your own)
Exposure of key files risk analysis in case keys cannot beseparated
Ensure the encryption complies to industrialstrengths and standards
Data transmitted should also be encrypted
-
8/3/2019 Cloud Security by Sanjay Willie
40/44
Technical FactorsIdentity and access management
Proprietary solutions for provisioning i.e. do not use defaults
Authentication
Consider federation instead of decentralized Consider authentication means provided by the big
boys like LIVE-ID, Yahoo, OpenID etc..
Use VPNs as pre-authentication OATH compliance if you want to write your own..
-
8/3/2019 Cloud Security by Sanjay Willie
41/44
Technical FactorsVirtualization
Identify the type, do your research Take advantage of quality VM platforms security and controls
Prebuilt VMs Identify their built in IDS/IPS, antivirus,vulnerability management
Get a compliancy for Secure by Default
Protect admin user/interfaces, use strong authentication
Validate VMs pedigree and integrity of the OS templates
Segment and group security boundaries, dmz servers vsdata servers
-
8/3/2019 Cloud Security by Sanjay Willie
42/44
By the way, have we considered.. Legal
Risk Management
Compliance
Information Lifecycle Management
Portability and Interoperability
-
8/3/2019 Cloud Security by Sanjay Willie
43/44
Conclusion Adopt cloud technology after much
research Use credible providers
You have the right to question
Do not compromise, instead write thecontracts of what you NEED
Plan, plan plan
-
8/3/2019 Cloud Security by Sanjay Willie
44/44
Cloud security