Keys to success and security in the cloud
-
Upload
scalar-decisions -
Category
Technology
-
view
469 -
download
2
Transcript of Keys to success and security in the cloud
Scalar leads Canadian Business to
the Next Generation of IT through
Innovation, Expertise & Service
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 3
Established in 2004
8Locations
300MRevenue
800Clients
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 4
Key Cloud Partnerships
“The” Cloud…
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Lets Define “Cloud”…
“Cloud Computing” by the NIST Definition is:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g., networks, servers,
storage, applications, and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction. This cloud model is composed of
five essential characteristics, three service models, and four deployment models.
Which really means…..
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Cloud…
The “Cloud” revolution is largely about a few key things:
1. Automation
2. Elasticity
3. Flexible Costing*
4. Organization Attitude & Change
Largely, beyond these basics everyone adds their “flavour” to a cloud definition, but the vast
bulk of the benefits of cloud come from the above, coupled with standardization.
Most importantly, our view is that most organizations would see the vast majority of the
benefit of “cloud computing” by ensuring they adhere to most of these elements.
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 8
Cloud Primer
Broad
Network AccessAutomation Flexible Costing
On-Demand
Self-Service
Resource Pooling
Cloud
Characteristics
Software as a Service
(SaaS)
Platform as a Service
(PaaS)
Infrastructure as a
Service (IaaS)
Service Models
Deployment
ModelsPublic Cloud Hybrid Cloud Private Cloud
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Cloud Landscape (IaaS)
© Gartner, sourced from https://aws.amazon.com/resources/analyst-reports/
Limited key players, in any domain (example
here is IaaS providers, actually a surprisingly
small mix of vendors).
Clients need to align themselves with a leader,
the entire bottom left quadrant has changed
rapidly with each release, the top right has
remained largely static.
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Path to the Cloud
© 2016 Amazon Web Services, inc
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Challenge with migrations…
© 2016 Amazon Web Services, inc
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
But what is lost in this discussion…
Somehow, almost all of the examples of “great success” in “cloud” has been around cost
cases (O365 vs. running a large on-premise Exchange infrastructure, Box vs. running a
large file sharing environment, Netflix not needing to own hardware, etc.) with two elements
only discussed in passing:
1) Security
a) Of information
b) Of operations
c) Of environments
2) Privacy
a) Protection
b) Compliance
c) Assurance
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Which highlights the key challenges…
Keeping pace with cloud changes
Globally incompatible legislation and policy
Non-standard Private & Public clouds
Lack of continuous Risk Management & Compliance monitoring
Incomplete Identity Management implementations
Haphazard response to security incidents
Lack of data classification policies & rigour
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Our Focus Today
To shine a light on getting to Cloud in a safe, secure and privacy compliant manner.
To ensure attendees understand the key terms and elements required to enact a proper
structure for:
Information Governance
Policy Compliance
Security Awareness & Actions
Leveraging “cloud” technologies while adhering to all of the above and still leveraging the
benefits.
Importantly, leveraging cloud providers can make you *more* secure and compliant than
you could ever be using your own on-premise systems. However improperly leveraging
those technologies can destroy all of your security and privacy controls in an instant.
“With great power, comes great responsibility.” -- Peter Parker aka Spiderman
Cloud & Security
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Process & Governance
16
Cloud & Security
Cloud Technologies don’t really change the security challenges we’ve faced over
the last 20 years, but they amplify and make necessary even higher degrees of
expedited, automated response.
Cloud systems foundationally demonstrate the need for increased:
Automation, Intelligence and
Analytics
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 17
Today’s Security Landscape
Traditional
Countermeasures are
Proving Ineffective
Rapidly Changing Threat
Types
Regulatory Compliance
& Corporate Governance
Demands are Increasing
Security Budgets are
Often Insufficient
Many Organizations are
Blind to Security Threats
that are Already Known
Hackers are Increasingly
Motivated
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 18
Why Security Breaches Continue to be Prevalent
Every technology
eventually fails
Compliance programs
often ignore business risk
Trying to keep hackers
out is a losing battle
A cloud
architecture /
design truism
If you even have one… Especially if you
don’t see them
coming
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 19
Cloud Security Elements
Global Threat Intelligence &
Research
Advanced Analytics
Protect Critical
Assets
Robust Incident
Handling
Understand Business
Impact
Continuous Validation of
Controls
Architecture & Design
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Understand the Security Continuum
Cloud Provider
Responsibility
Your
responsibility
Foundation Services
Global Infrastructure
Endpoin
ts
Compute Storage Database Netw orking
RegionsAvailability
ZonesEdge Locations
Operating System & Network Configuration at Rest
Platform & Application Management
Customer Data
Optional –
Opaque Data
OS (in transit
/ at rest)
Client-side Data Encryption & Data Integrity
Authentication
Server-side Encryption Provided by the
Platform / Protection of Data at Rest
Network Traffic Protection Provided by the
Platform / Protection of Data in Transit
Identity
& A
ccess M
anagem
ent
Unmanaged Shared Responsibility Model
Cloud Provider
Responsibility
Your
Responsibility
Foundation Services
Global Infrastructure
Endpoin
ts
Compute Storage Database Netw orking
RegionsAvailability
ZonesEdge Locations
Operating System & Network Configuration at Rest
Platform & Application Management
Customer Data
Client-side Data Encryption & Data Integrity
Authentication
Server-side Encryption Provided by the
Platform / Protection of Data at Rest
Network Traffic Protection Provided by the
Platform / Protection of Data in Transit
Optional –
Opaque Data OS (in
transit / at rest)
Identity
& A
ccess M
anagem
ent
Managed Shared Responsibility Model
Security Design
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. 25
Getting Started
PreparePerform a risk
assessment
Build an effective
security program
DefendDeploy security
infrastructure
Properly configure
and continuously
tune security tools
RespondDetect & respond to
incidents quickly
Continuously validate the
effectiveness of security
controls
Getting Started
1. Ensure effective governance, risk, and compliance processes exist
2. Audit operational & business processes
3. Manage, people, roles and identities
4. Ensure proper protection of data
5. Enforce privacy policies
6. Assess security provisions for cloud applications
7. Ensure secure cloud networks and connections
8. Evaluate security of physical infrastructure and facilities
9. Manage security terms in the service agreement
10. Understand the security requirements of the exit process
- 26-
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Start with Principles First
Assess Risk Refine and Validate
Controls
Secure by Design
Assess vendors,
applications, processes
and policies against a
formalized threat-risk-
assessment process.
Refine and validate
internal processes to align
with the realities of cloud
(highly dynamic systems,
microservices based
development).
The rapid deployment
elements of cloud computing
provide more time in a
business cycle for
architecture, engineering and
security – through less time
spent in procurement.
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. - 28
-
Confidentiality
“Preserving authorized restriction on information access and disclosure, including means for protecting personal privacy and proprietary information.”
Integrity
“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”
Availability
“Ensuring timely and reliable access and use of information.”
Focus for Security
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. - 29
-
Need-to-know
Users should only have access to information (or systems) that enable them to perform their assigned job functions.
Least privilege
Users should only have sufficient access privilege that allow them to perform their assigned work.
Separation of duties
No person should be responsible for completing a task involving sensitive, valuable or critical information from the beginning to end.
No single person should be responsible for approving his/her own work.
Benchmarks and Guidelines:
NIST National Checklist, DISA STIGs, CIS
Benchmarks, etc.
Law, Regulations, and Policies:
FISMA, SOX, GBL, National Security Act,
USA PATRIOT ACT, etc.
OMB A-130, A-11, etc.
E.O. 13292, 12968, etc.
DoD 5200.1-R, etc.
Standards and Best Practices
NIST FIPS, SP 800-x, etc.
COBIT, ITIL, Common Criteria
ISO/IEC 27001, 21827, etc.
DoDI 8500.2, 8510.01
Security Objectives:
Confidentiality
Integrity
Availability
Security Implementation
Principles:
Confidentiality, Integrity,
Availability
Need-to-Know
Least Privilege
Separation of Duties
Implementation Principles
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience. - 30
-
Risks & Countermeasures
Threat Agent. An entity that may act on a
vulnerability.
Threat. Any potential danger to information life
cycle.
Vulnerability. A weakness or flaw that may provide
an opportunity for a threat agent.
Risk. The likelihood of a threat agent exploits the
discovered vulnerability.
Exposure. An instance of being compromised by a
threat agent.
Countermeasure / safeguard. An administrative,
operational, or logical mitigation against potential
risk(s).
Threat Agent
Threat
Vulnerability
Risk
Asset
Exposure
Counter
measure
Give rise to
Exploits
Leads to
Can damage
And causes an
Can be countered by a
Ind
ire
ctly a
ffe
cts
Reduces/
Eliminates
Reference: Information Assurance Technical Framework (IATF), Release 2.3
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Cloud Security & Data
Proper cloud security combined with
privacy hinges on a clear understanding
of the standard Data Lifecycle and how
to apply it both technically and from a
compliance perspective within a cloud
context.
As a general rule, data is never
destroyed in many cloud provider
platforms and therefor we must both
protect it differently and destroy it
differently.
Creation
Use
Transfer
TransformationStorage
Archival
Destruction
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Privacy Implications…
In Ontario, there is no legislative prohibition against the storing of personal
information outside of the province or Canada. However, the Acts and their
regulations require government institutions to ensure that reasonable measures
are in place to protect the privacy and security of the personal information in
their custody or control.
Ontario Information and Privacy Commissioner, Ann Cavoukian
British Columbia and Nova Scotia have more restrictive terminology and
requirements. With Amazon, Microsoft and Softlayer all offering datacenter “in-
country” within this coming public sector fiscal year there are few barriers remaining
to broad public sector cloud adoption for appropriate services.
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Mapping to Provided Controls & Measures
With an understanding of required compliance elements, and an outline
of identified & required controls we can then map to appropriate security
implementations.
1) Identity controls via provider toolsets (such as Azure AD, or AWS IAM) or
external tooling (Ping Identity or Okta)
2) Configuration scanning tools (such as CloudCheckr or Evident.io)
3) Cloud Access Security Brokers (Skyhigh, Netskope) for SaaS applications
4) Data inspection devices (provider supplied firewalls, PAN Virtual Edition, F5
virtual editions)
5) Encryption providers (provider based, or external key managers such as
HyTrust, Gemmalto, etc.)
……
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Encryption…
A quick note on encryption…
Encryption is critical for cloud security & data controls. It should be widespread. The
Cloud Security Alliance recommends all sensitive data be:
a) Encrypted for data privacy with approved algorithms and long, random keys;
b) Encrypted before it passes from the enterprise to the cloud provider;
c) Should remain encrypted in transit, at rest, and in use;
d) The cloud provider and its staff should never have access to decryption keys.
But it is important to note that encryption should be viewed mostly as a time-lock.
Destroying encryption keys is widely accepted as one possible form of data
protection & destruction when using cloud providers however there is a reasonable
possibility that with enough time (computational or technology advancement) and
funding (state sponsored) most encryption can be broken eventually. Whether there
is a reasonable concern associated with this depends on the data classification.
Specific Suggested Practices
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Service Agreements, SLA’s and other fun….
Read them! Understand them!
Regardless of deployment type (IaaS, PaaS, SaaS) there are a few constants:
1. Largely often non-negotiable, unless you are a very, very large scale user (most of us aren’t)
2. Largely deflect most liability back to the consumer
3. Largely define “jurisdictions” of best option to the provider, not consumer, your jurisdictional
requirements WILL vary
4. May contain IP/data ownership clauses needing careful scrutiny
5. Often define rights to audit, disclosures, etc.
6. Contain minimum SLA’s, but often with minimally useful penalties or “make good” clauses
…………
These are all very scary, and can quickly be used as an option to NOT pursue the
cloud… but realistically these are all manageable, in the right context. The important
element is risk management and contract management associated with them. Cloud
is partially cheaper because of risk moved to clients, now you need to spend a bit to
manage the risks moved to you!
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Advanced, Cloud-Enabled Security Services
Defense based on:
1) Log, API and Analytics across environments, both on-premise and in-the-cloud
2) Rapid application of correlation analytics, with threat-feed intelligence across
systems
3) Business-context driven escalations and prioritization
4) Comprehensive incident response with 7x24 reaction team, and access to
deeply technical resources across both traditional and cloud-based
environments
5) Leveraging top tier & native as appropriate tooling for both on-premise
deployments and in-the-cloud deployments (ie: Splunk, Logrhythm, Cloudtrail,
Cloudwatch)
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Public Cloud Defense - Automation & Recovery
Architect for:
1) Defend the root account – common weakness in public-cloud deployments –
through continuous monitoring & credential inspection
2) Rapid re-instantiation of resources through highly automated deployments
(infrastructure-as-code)
3) Design for capture & forensics as a secondary aspect to recovery (get your
environment back running rapidly, but capture the necessary elements to
determine root-cause)
4) Rapidly iterate environments to enable rapid patching & remediation and
leverage the power of infrastructure-on-demand environments
5) Perform offline forensics to adjust & harden configurations
Vendor Documentation
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Amazon Web Services (AWS) - Resources
Critical Documents:
1) https://aws.amazon.com/security/
2) https://aws.amazon.com/compliance/
3) https://cloudsecurityalliance.org/star-registrant/amazon-aws/
4) https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf
5) https://d0.awsstatic.com/whitepapers/compliance/AWS_Security_at_Scale_Governance_in_
AWS_Whitepaper.pdf
6) https://www.youtube.com/watch?v=YYiV_z9D2CE
© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.
Microsoft Azure
Critical Documents:
1) https://azure.microsoft.com/en-us/support/trust-center/
2) http://download.microsoft.com/download/2/0/A/20A1529E-65CB-4266-8651-
1B57B0E42DAA/Protecting-Data-and-Privacy-in-the-Cloud.pdf
3) http://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-
5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf