Keys to success and security in the cloud


Transcript of Keys to success and security in the cloud

Page 1: Keys to success and security in the cloud

Neil Bunn, CTO -- [email protected]

October, 2015

Cloud - Security & Success

Page 2: Keys to success and security in the cloud

Scalar leads Canadian Business to

the Next Generation of IT through

Innovation, Expertise & Service

Page 3: Keys to success and security in the cloud

© 2015 Scalar Decisions Inc. Not for distribution outside of intended audience.

Established in 2004

8 Locations

300M Revenue

800 Clients

Page 4: Keys to success and security in the cloud


Key Cloud Partnerships

Page 5: Keys to success and security in the cloud

“The” Cloud…

Page 6: Keys to success and security in the cloud


Let's Define “Cloud”…

“Cloud Computing” by the NIST Definition is:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Which really means…

Page 7: Keys to success and security in the cloud


Cloud…

The “Cloud” revolution is largely about a few key things:

1. Automation

2. Elasticity

3. Flexible Costing*

4. Organization Attitude & Change

Largely, beyond these basics everyone adds their “flavour” to a cloud definition, but the vast bulk of the benefits of cloud come from the above, coupled with standardization.

Most importantly, our view is that most organizations would see the vast majority of the benefit of “cloud computing” by ensuring they adhere to most of these elements.

Page 8: Keys to success and security in the cloud


Cloud Primer

Cloud Characteristics: Broad Network Access, Automation, Flexible Costing, On-Demand Self-Service, Resource Pooling

Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

Deployment Models: Public Cloud, Hybrid Cloud, Private Cloud

Page 9: Keys to success and security in the cloud


Cloud Landscape (IaaS)

© Gartner, sourced from https://aws.amazon.com/resources/analyst-reports/

Limited key players, in any domain (the example here is IaaS providers, actually a surprisingly small mix of vendors).

Clients need to align themselves with a leader: the entire bottom-left quadrant has changed rapidly with each release, while the top right has remained largely static.

Page 10: Keys to success and security in the cloud


Path to the Cloud

© 2016 Amazon Web Services, inc

Page 11: Keys to success and security in the cloud


Challenge with migrations…

© 2016 Amazon Web Services, inc

Page 12: Keys to success and security in the cloud


But what is lost in this discussion…

Somehow, almost all of the examples of “great success” in “cloud” have been around cost cases (O365 vs. running a large on-premise Exchange infrastructure, Box vs. running a large file sharing environment, Netflix not needing to own hardware, etc.) with two elements only discussed in passing:

1) Security

a) Of information

b) Of operations

c) Of environments

2) Privacy

a) Protection

b) Compliance

c) Assurance

Page 13: Keys to success and security in the cloud


Which highlights the key challenges…

Keeping pace with cloud changes

Globally incompatible legislation and policy

Non-standard Private & Public clouds

Lack of continuous Risk Management & Compliance monitoring

Incomplete Identity Management implementations

Haphazard response to security incidents

Lack of data classification policies & rigour

Page 14: Keys to success and security in the cloud


Our Focus Today

To shine a light on getting to Cloud in a safe, secure and privacy-compliant manner.

To ensure attendees understand the key terms and elements required to enact a proper structure for:

Information Governance

Policy Compliance

Security Awareness & Actions

Leveraging “cloud” technologies while adhering to all of the above and still realizing the benefits.

Importantly, leveraging cloud providers can make you *more* secure and compliant than you could ever be using your own on-premise systems. However, improperly leveraging those technologies can destroy all of your security and privacy controls in an instant.

“With great power, comes great responsibility.” -- Peter Parker aka Spiderman

Page 15: Keys to success and security in the cloud

Cloud & Security

Page 16: Keys to success and security in the cloud

Process & Governance

Cloud & Security

Cloud Technologies don’t really change the security challenges we’ve faced over the last 20 years, but they amplify them and make necessary even higher degrees of expedited, automated response.

Cloud systems foundationally demonstrate the need for increased Automation, Intelligence and Analytics.

Page 17: Keys to success and security in the cloud


Today’s Security Landscape

Traditional Countermeasures are Proving Ineffective

Rapidly Changing Threat Types

Regulatory Compliance & Corporate Governance Demands are Increasing

Security Budgets are Often Insufficient

Many Organizations are Blind to Security Threats that are Already Known

Hackers are Increasingly Motivated

Page 18: Keys to success and security in the cloud


Why Security Breaches Continue to be Prevalent

Every technology eventually fails – a cloud architecture / design truism

Compliance programs often ignore business risk – if you even have one…

Trying to keep hackers out is a losing battle – especially if you don’t see them coming

Page 19: Keys to success and security in the cloud


Cloud Security Elements

Global Threat Intelligence & Research

Advanced Analytics

Protect Critical Assets

Robust Incident Handling

Understand Business Impact

Continuous Validation of Controls

Page 20: Keys to success and security in the cloud

Architecture & Design

Page 21: Keys to success and security in the cloud


Understand the Security Continuum

Page 22: Keys to success and security in the cloud

Cloud Provider Responsibility:

Endpoints

Foundation Services: Compute, Storage, Database, Networking

Global Infrastructure: Regions, Availability Zones, Edge Locations

Your Responsibility:

Operating System & Network Configuration at Rest

Platform & Application Management

Customer Data

Optional – Opaque Data OS (in transit / at rest)

Client-side Data Encryption & Data Integrity Authentication

Server-side Encryption Provided by the Platform / Protection of Data at Rest

Network Traffic Protection Provided by the Platform / Protection of Data in Transit

Identity & Access Management

Unmanaged Shared Responsibility Model

Page 23: Keys to success and security in the cloud

Cloud Provider Responsibility:

Endpoints

Foundation Services: Compute, Storage, Database, Networking

Global Infrastructure: Regions, Availability Zones, Edge Locations

Your Responsibility:

Operating System & Network Configuration at Rest

Platform & Application Management

Customer Data

Client-side Data Encryption & Data Integrity Authentication

Server-side Encryption Provided by the Platform / Protection of Data at Rest

Network Traffic Protection Provided by the Platform / Protection of Data in Transit

Optional – Opaque Data OS (in transit / at rest)

Identity & Access Management

Managed Shared Responsibility Model

Page 24: Keys to success and security in the cloud

Security Design

Page 25: Keys to success and security in the cloud


Getting Started

Prepare: Perform a risk assessment; Build an effective security program

Defend: Deploy security infrastructure; Properly configure and continuously tune security tools

Respond: Detect & respond to incidents quickly; Continuously validate the effectiveness of security controls

Page 26: Keys to success and security in the cloud

Getting Started

1. Ensure effective governance, risk, and compliance processes exist

2. Audit operational & business processes

3. Manage people, roles and identities

4. Ensure proper protection of data

5. Enforce privacy policies

6. Assess security provisions for cloud applications

7. Ensure secure cloud networks and connections

8. Evaluate security of physical infrastructure and facilities

9. Manage security terms in the service agreement

10. Understand the security requirements of the exit process


Page 27: Keys to success and security in the cloud


Start with Principles First

Assess Risk

Assess vendors, applications, processes and policies against a formalized threat-risk-assessment process.

Refine and Validate Controls

Refine and validate internal processes to align with the realities of cloud (highly dynamic systems, microservices-based development).

Secure by Design

The rapid deployment elements of cloud computing provide more time in a business cycle for architecture, engineering and security – through less time spent in procurement.

Page 28: Keys to success and security in the cloud

Focus for Security

Confidentiality

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”

Integrity

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.”

Availability

“Ensuring timely and reliable access to and use of information.”

Page 29: Keys to success and security in the cloud

Implementation Principles

Need-to-know

Users should only have access to information (or systems) that enables them to perform their assigned job functions.

Least privilege

Users should only have sufficient access privileges to allow them to perform their assigned work.

Separation of duties

No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end.

No single person should be responsible for approving his/her own work.

Security Objectives: Confidentiality, Integrity, Availability

Security Implementation Principles: Confidentiality, Integrity, Availability; Need-to-Know; Least Privilege; Separation of Duties

Benchmarks and Guidelines: NIST National Checklist, DISA STIGs, CIS Benchmarks, etc.

Law, Regulations, and Policies: FISMA, SOX, GBL, National Security Act, USA PATRIOT ACT, etc.; OMB A-130, A-11, etc.; E.O. 13292, 12968, etc.; DoD 5200.1-R, etc.

Standards and Best Practices: NIST FIPS, SP 800-x, etc.; COBIT, ITIL, Common Criteria; ISO/IEC 27001, 21827, etc.; DoDI 8500.2, 8510.01

Page 30: Keys to success and security in the cloud

Risks & Countermeasures

Threat Agent. An entity that may act on a vulnerability.

Threat. Any potential danger to the information life cycle.

Vulnerability. A weakness or flaw that may provide an opportunity for a threat agent.

Risk. The likelihood that a threat agent exploits the discovered vulnerability.

Exposure. An instance of being compromised by a threat agent.

Countermeasure / safeguard. An administrative, operational, or logical mitigation against potential risk(s).

The slide’s diagram links these terms in a chain: a Threat Agent gives rise to a Threat, which exploits a Vulnerability, which leads to a Risk, which can damage an Asset and causes an Exposure, which can be countered by a Countermeasure; the countermeasure in turn indirectly affects and reduces/eliminates the elements earlier in the chain.

Reference: Information Assurance Technical Framework (IATF), Release 2.3

Page 31: Keys to success and security in the cloud


Cloud Security & Data

Proper cloud security combined with privacy hinges on a clear understanding of the standard Data Lifecycle and how to apply it, both technically and from a compliance perspective, within a cloud context.

As a general rule, data is never destroyed in many cloud provider platforms, and therefore we must both protect it differently and destroy it differently.

Data Lifecycle: Creation, Use, Transfer, Transformation, Storage, Archival, Destruction

Page 32: Keys to success and security in the cloud


Privacy Implications…

In Ontario, there is no legislative prohibition against the storing of personal information outside of the province or Canada. However, the Acts and their regulations require government institutions to ensure that reasonable measures are in place to protect the privacy and security of the personal information in their custody or control.

-- Ontario Information and Privacy Commissioner, Ann Cavoukian

British Columbia and Nova Scotia have more restrictive terminology and requirements. With Amazon, Microsoft and SoftLayer all offering datacenters “in-country” within this coming public sector fiscal year, there are few barriers remaining to broad public sector cloud adoption for appropriate services.

Page 33: Keys to success and security in the cloud


Mapping to Provided Controls & Measures

With an understanding of required compliance elements, and an outline of identified & required controls, we can then map to appropriate security implementations.

1) Identity controls via provider toolsets (such as Azure AD, or AWS IAM) or external tooling (Ping Identity or Okta)

2) Configuration scanning tools (such as CloudCheckr or Evident.io)

3) Cloud Access Security Brokers (Skyhigh, Netskope) for SaaS applications

4) Data inspection devices (provider supplied firewalls, PAN Virtual Edition, F5 virtual editions)

5) Encryption providers (provider based, or external key managers such as HyTrust, Gemalto, etc.)

…

Page 34: Keys to success and security in the cloud


Encryption…

A quick note on encryption…

Encryption is critical for cloud security & data controls, and it should be widespread. The Cloud Security Alliance recommends that all sensitive data be:

a) Encrypted for data privacy with approved algorithms and long, random keys;

b) Encrypted before it passes from the enterprise to the cloud provider;

c) Kept encrypted in transit, at rest, and in use;

d) Protected such that the cloud provider and its staff never have access to the decryption keys.

But it is important to note that encryption should be viewed mostly as a time-lock. Destroying encryption keys is widely accepted as one possible form of data protection & destruction when using cloud providers; however, there is a reasonable possibility that with enough time (computational or technology advancement) and funding (state sponsored) most encryption can be broken eventually. Whether this is a reasonable concern depends on the data classification.

Page 35: Keys to success and security in the cloud

Specific Suggested Practices

Page 36: Keys to success and security in the cloud


Service Agreements, SLAs and other fun…

Read them! Understand them!

Regardless of deployment type (IaaS, PaaS, SaaS) there are a few constants:

1. Largely non-negotiable, unless you are a very, very large scale user (most of us aren’t)

2. Largely deflect most liability back to the consumer

3. Largely define “jurisdictions” as the best option for the provider, not the consumer; your jurisdictional requirements WILL vary

4. May contain IP/data ownership clauses needing careful scrutiny

5. Often define rights to audit, disclosures, etc.

6. Contain minimum SLAs, but often with minimally useful penalties or “make good” clauses

…

These are all very scary, and can quickly be used as a reason NOT to pursue the cloud… but realistically they are all manageable, in the right context. The important element is the risk management and contract management associated with them. Cloud is partially cheaper because risk is moved to clients; now you need to spend a bit to manage the risks moved to you!

Page 37: Keys to success and security in the cloud


Advanced, Cloud-Enabled Security Services

Defense based on:

1) Log, API and analytics across environments, both on-premise and in-the-cloud

2) Rapid application of correlation analytics, with threat-feed intelligence across systems

3) Business-context driven escalations and prioritization

4) Comprehensive incident response with a 7x24 reaction team, and access to deeply technical resources across both traditional and cloud-based environments

5) Leveraging top-tier and native tooling as appropriate for both on-premise and in-the-cloud deployments (e.g. Splunk, LogRhythm, CloudTrail, CloudWatch)

Page 38: Keys to success and security in the cloud


Public Cloud Defense - Automation & Recovery

Architect for:

1) Defending the root account – a common weakness in public-cloud deployments – through continuous monitoring & credential inspection

2) Rapid re-instantiation of resources through highly automated deployments (infrastructure-as-code)

3) Capture & forensics as a secondary aspect to recovery (get your environment back running rapidly, but capture the necessary elements to determine root cause)

4) Rapidly iterating environments to enable rapid patching & remediation, leveraging the power of infrastructure-on-demand environments

5) Offline forensics to adjust & harden configurations
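As an added example that is not part of the deck, this Go scanner implements the continuous-monitoring half of item 1 (defend the root account): it applies the root-usage filter from the CIS AWS Foundations Benchmark (identity type Root, not invoked by an AWS service, not an AWS service event) to newline-delimited CloudTrail events and flags root console logins without MFA separately. The events in SampleTrail are constructed (RFC 5737 documentation addresses), and Event, Finding, IsRootUsage and Scan are this example's own names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event holds just the CloudTrail fields the root-usage check reads.
type Event struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	EventType    string `json:"eventType"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type      string `json:"type"`
		InvokedBy string `json:"invokedBy"`
	} `json:"userIdentity"`
	AdditionalEventData struct {
		MFAUsed string `json:"MFAUsed"`
	} `json:"additionalEventData"`
}
// Finding is one alert raised by Scan.
type Finding struct{ EventTime, EventName, SourceIP, Reason string }
// IsRootUsage mirrors the CIS AWS Foundations filter for root account use: identity type Root,
// not invoked on the root user's behalf by an AWS service, and not an AWS-generated service event.
func IsRootUsage(e Event) bool {
	return e.UserIdentity.Type == "Root" && e.UserIdentity.InvokedBy == "" && e.EventType != "AwsServiceEvent"
}
// Scan walks newline-delimited CloudTrail events and returns one Finding per root action.
func Scan(ndjson string) ([]Finding, error) {
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("unparseable event %q: %w", line, err)
		}
		if !IsRootUsage(e) {
			continue
		}
		reason := "root account used for API call"
		if e.EventName == "ConsoleLogin" && e.AdditionalEventData.MFAUsed != "Yes" {
			reason = "root console login without MFA"
		}
		out = append(out, Finding{e.EventTime, e.EventName, e.SourceIP, reason})
	}
	return out, nil
}

// SampleTrail is constructed data in CloudTrail's shape (RFC 5737 documentation IPs), not a real capture.
const SampleTrail = `
{"eventTime":"2015-10-01T12:00:00Z","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"Root"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2015-10-01T12:05:00Z","eventName":"CreateAccessKey","eventType":"AwsApiCall","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"Root"}}
{"eventTime":"2015-10-01T12:06:00Z","eventName":"DescribeInstances","eventType":"AwsApiCall","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser"}}
{"eventTime":"2015-10-01T12:07:00Z","eventName":"RunInstances","eventType":"AwsApiCall","sourceIPAddress":"autoscaling.amazonaws.com","userIdentity":{"type":"Root","invokedBy":"autoscaling.amazonaws.com"}}`

func main() {
	findings, err := Scan(SampleTrail)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s from %s: %s\n", f.EventTime, f.EventName, f.SourceIP, f.Reason)
	}
}
```

Only the first two sample events are reported; the IAM user activity and the service-invoked event are excluded by the filter, which is the same exclusion the CIS metric filter applies.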

Page 39: Keys to success and security in the cloud

Vendor Documentation

Page 40: Keys to success and security in the cloud


Amazon Web Services (AWS) - Resources

Critical Documents:

1) https://aws.amazon.com/security/

2) https://aws.amazon.com/compliance/

3) https://cloudsecurityalliance.org/star-registrant/amazon-aws/

4) https://d0.awsstatic.com/whitepapers/compliance/Intro_to_Security_by_Design.pdf

5) https://d0.awsstatic.com/whitepapers/compliance/AWS_Security_at_Scale_Governance_in_AWS_Whitepaper.pdf

6) https://www.youtube.com/watch?v=YYiV_z9D2CE

Page 41: Keys to success and security in the cloud


Microsoft Azure

Critical Documents:

1) https://azure.microsoft.com/en-us/support/trust-center/

2) http://download.microsoft.com/download/2/0/A/20A1529E-65CB-4266-8651-1B57B0E42DAA/Protecting-Data-and-Privacy-in-the-Cloud.pdf

3) http://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf

Page 42: Keys to success and security in the cloud

Thank You

Contacts:

[email protected], @neilbunn, @scalardecisions

(416) 202-0020