Data Security for Cloud Computing (slide transcript)
Page 1: Data Security for Cloud Computing
events.techtarget.com
Rich Mogull, Analyst & CEO, Securosis, LLC
@rmogull
Page 2: To Steal a Data Center
Diagram labels: Old School / Cloud School
Page 3: (image only)
Page 4: How Clouds Store Data
Page 5: Cloud Data Architectures
Diagram labels: Abstraction/Management, Compute Instances, IaaS, PaaS, SaaS
Page 6: Cloud vs. Trad
● Pooled physical storage
● Management by API
● Slower read/write, faster snapshot/migration
● Multitenancy
Page 8: The Pragmatic Process
Page 9: (image only)
Page 10: Assess
Page 11: (image only)
Page 12: Manage Cloud Migrations
Page 13: (image only)
Page 14: Secure Transfers
Page 15: Encryption
● Link/Network
● Client/Application
● Proxy
Photo by mbrand - http://flic.kr/p/61DP51
Page 16: Encrypt
Page 17: Encryption Matrix
Matrix axes: Components, Locations
Page 18: Encryption Layers
Page 19: Instance-Managed
Diagram labels: Instance, Key Management, Encryption Engine, Storage Volume
Page 20: External Key Management
Diagram labels: Key Mgmt Server; Storage Instance; Crypto Client; HSM, SECaaS, VM, or Server; Public/Private Cloud (IaaS)
Page 21: Proxy
Page 22: How to Choose
● Instance is easiest. Built into most operating systems.
● External more secure/flexible; easy to tie to existing infrastructure. Go with agent-based.
● Proxy for databases and more-complex storage situations.
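The practical difference between the instance-managed (page 19) and external key management (page 20) layers is where the key sits relative to the volume, which matters because cloud snapshots are fast and easy to copy (page 6). The following added example (not from the slides) models both: `KeyManagementServer` is a hypothetical stand-in for the HSM/SECaaS/VM key server, and the HMAC-SHA256 counter-mode keystream is an illustrative stand-in for a real AEAD such as AES-GCM so the code runs on the standard library alone.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode (use AES-GCM in practice)."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message, stored with the ciphertext
    return nonce + keystream_xor(key, nonce, plaintext)

def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])

class KeyManagementServer:
    """Hypothetical stand-in for the HSM / SECaaS / VM key server on page 20."""
    def __init__(self):
        self._kek = os.urandom(32)  # key-encryption key; never leaves the server

    def wrap(self, data_key: bytes) -> bytes:
        return seal(self._kek, data_key)

    def unwrap(self, wrapped: bytes) -> bytes:
        return unseal(self._kek, wrapped)

def instance_managed_volume(plaintext: bytes) -> dict:
    """Instance-managed: key material lives on the same instance/volume as the data."""
    key = os.urandom(32)
    return {"key": key, "data": seal(key, plaintext)}

def external_km_volume(kms: KeyManagementServer, plaintext: bytes) -> dict:
    """External KM: the volume carries only ciphertext plus a wrapped data key."""
    data_key = os.urandom(32)  # unwrapped copy is transient, in memory only
    return {"wrapped_key": kms.wrap(data_key), "data": seal(data_key, plaintext)}

def snapshot_reveals(volume: dict):
    """What a copied snapshot alone yields when no key server is reachable."""
    if "key" in volume:  # instance-managed: the snapshot carries the key too
        return unseal(volume["key"], volume["data"])
    return None  # a wrapped key without the KEK recovers nothing

def read_with_kms(kms: KeyManagementServer, volume: dict) -> bytes:
    """Legitimate read path: the instance asks the key server to unwrap."""
    return unseal(kms.unwrap(volume["wrapped_key"]), volume["data"])
```

The check to carry over to a real deployment is the one `snapshot_reveals` makes: whoever can copy the volume must not also obtain the key from the copy.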
Page 23: Encrypting Object Storage
● File/Folder
● Client/Application
● Proxy
Page 24: Object Storage Controllers
Diagram labels: Container (x3), Cloud Storage Gateway, Datacenter, Cloud, Server/Workstation (x2), API (x2)
Page 25: How to Choose
● Try to find storage services that support encryption in the client.
● Use file/folder for public cloud object storage (e.g. DropBox, box.net, S3), or when extra protection needed in private cloud.
● Consider proxy for server-to-object sync.
Page 26: Encrypting PaaS/SaaS
Diagram labels: SaaS, PaaS
Page 27: Tokenization
Page 28: How to Choose
● PaaS is freaking hard to get right. Code into your application if you can. Use a proxy if you can’t. Watch the key management.
● Prefer a SaaS provider you trust.
● Proxy (encryption or tokenization) for SaaS if you have to, but keep it simple.
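The tokenization proxy option for SaaS (pages 27 and 28) in working form, as an added example that is not part of the slides: `TokenVault` and `TokenizationProxy` are hypothetical names, the index key and record are constructed. Sensitive fields leave as random tokens, the token-to-value map stays local, and a keyed fingerprint lets equal values reuse one token so the SaaS side can still match records.

```python
import hashlib, hmac, secrets

class TokenVault:
    """Local vault: the only place the real values exist once records leave."""
    def __init__(self, index_key: bytes):
        self._index_key = index_key  # HMAC key for the lookup index (constructed)
        self._by_token = {}          # token -> original value
        self._by_fingerprint = {}    # HMAC(value) -> token

    def tokenize(self, value: str) -> str:
        # Keyed fingerprint: same value -> same token, with no plaintext index.
        fp = hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()
        if fp not in self._by_fingerprint:
            token = "tok_" + secrets.token_hex(8)  # random, carries no information
            self._by_token[token] = value
            self._by_fingerprint[fp] = token
        return self._by_fingerprint[fp]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]  # KeyError: token not issued by this vault

class TokenizationProxy:
    """Sits between the application and the SaaS provider."""
    def __init__(self, vault: TokenVault, sensitive_fields):
        self.vault = vault
        self.fields = set(sensitive_fields)

    def outbound(self, record: dict) -> dict:
        """Record on its way out: sensitive fields leave as tokens."""
        return {k: (self.vault.tokenize(v) if k in self.fields else v)
                for k, v in record.items()}

    def inbound(self, record: dict) -> dict:
        """Record coming back: restore only fields that carry our tokens."""
        return {k: (self.vault.detokenize(v)
                    if k in self.fields and isinstance(v, str) and v.startswith("tok_")
                    else v)
                for k, v in record.items()}
```

The "keep it simple" advice on the slide maps to the small surface here: two field lists and one vault, and anything the SaaS must search or sort on cannot be tokenized this way without losing that capability.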
Page 29: Application Encryption Architecture
Page 30: Monitor
Page 31: Content Discovery
● DLP
● DAM
● Cloud awareness and limitations
Photo by ...-Wink-... - http://flic.kr/p/6hTHYH
Page 32: Data Loss Prevention
● Agent or hypervisor-based for private cloud.
● Good for content discovery, less good for in-cloud monitoring.
● SaaS for discovery should be available soon.
Page 33: Database Activity Monitoring
● Must be agent based.
● Physical server okay for private, not good for public.
● Virtual appliance for public.
● Watch that performance.
Page 34: Digital Rights Management?
● Maybe for consumer.
● Enterprise DRM complex beyond workgroups, never mind cloud.
● It will happen... maybe in 5-10 years.
Page 35: What We Skipped
● Hardening the management plane.
● Internal segregations for private cloud.
● Authentication and Authorization.
● All the little details: encrypting an IaaS volume is easy; encrypting a distributed cloud application is hard.
● The future.
Page 36: What to Do
● Control data migrations with DLP, DAM, and FAM.
● Use the lifecycle to define your controls.
● Spend most of your cloud data security time on getting encryption right.
Page 37: Thank You!
● Rich Mogull
● Analyst/CEO
● nexus.securosis.com
● @rmogull