Protecting What Matters...An Enterprise Approach to Cloud Security


Presented at InnoTech Dallas 2014. All rights reserved.

Transcript of Protecting What Matters...An Enterprise Approach to Cloud Security

Page 1: Protecting What Matters...An Enterprise Approach to Cloud Security

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Protecting what matters... An enterprise approach to cloud security

Ed Reynolds HP Fellow, CISSP, CCSK HP Enterprise Security Services

Page 2: Protecting What Matters...An Enterprise Approach to Cloud Security


Today’s agenda

TRENDS PERSPECTIVES GUIDANCE

Page 3: Protecting What Matters...An Enterprise Approach to Cloud Security


Worldwide Security Trends & Implications

• Cyber threat: 56% of organizations have been the target of a cyber attack

• Extended supply chain: 44% of all data breaches involved third-party mistakes

• Financial loss: $8.6M average cost associated with a data breach

• Cost of protection: 8% of total IT budget spent on security

• Reputation damage: 30% market cap reduction due to recent events

Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research

Key Points

• Security is a board of directors concern

• Security leadership is under immense pressure

• Need for greater visibility of business risks and to make sound security investment choices

• Reactive vs. proactive: 60% of enterprises spend more time and money on reactive measures than on proactive risk management

Page 4: Protecting What Matters...An Enterprise Approach to Cloud Security


Managing security challenges

Today, security is a board-level agenda item

#1 Board Identified Risk: Reputational Damage

Source: EisnerAmper LLP, February 2011 - Second Annual Board of Directors Survey - 2011: Concerns About Risks Confronting Boards

Page 5: Protecting What Matters...An Enterprise Approach to Cloud Security


Managing Risk: Current Challenges

Primary Challenges

1. Nature & Motivation of Attacks (fame to national enemies): a new type of adversary

2. Transformation of Enterprise IT (delivery and consumption changes): delivery spans Traditional DC, Private Cloud, Managed Cloud and Public Cloud, across network, storage and servers

3. Regulatory Pressures (increasing cost and complexity): Basel III, enhanced regulatory environment

Page 6: Protecting What Matters...An Enterprise Approach to Cloud Security


HP research: Top concerns for IT executives

Chart (values as extracted: 67%, 66%, 63%, 54%; scale: extremely concerned / somewhat concerned / not very concerned):

• Data privacy and information breaches

• Lack of skilled resources to effectively manage security

• Risk associated with more consumption of apps/IT services across public, private & hybrid cloud

• Risk associated with more consumption of apps/IT services

Source: HP 20:20 CIO Report, 2012

Page 7: Protecting What Matters...An Enterprise Approach to Cloud Security


Cloud services: adoption is tempered by uncertainty

Security or a related component is the #1 concern/issue for most enterprises.

Chart of concerns, by LOB/IT and CIO respondents: Security, Performance, Reliability, Scalability, Service levels, Data security & protection, Compliance, Auditing, Cost, Governance, Control, Availability

Page 8: Protecting What Matters...An Enterprise Approach to Cloud Security


CSA: Cloud Computing Top Threats for 2013

Top Threats for 2013

1. Data Breaches
2. Data Loss
3. Account or Service Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities

Security for the cloud

http://cloudsecurityalliance.org/

1. HP’s Rafal Los co-chaired the CSA Top Threats working group
2. HP selected by CSA as Master Training Partner in APJ (initial region)

Page 9: Protecting What Matters...An Enterprise Approach to Cloud Security


What do we mean by “cloud security”?

1. Security for the cloud? Securely use cloud (consumers)

2. Security from the cloud? Security-as-a-Service

3. Security in the cloud? Embedded security (providers)

4. Security across clouds? Hybrid models, interoperability

Page 10: Protecting What Matters...An Enterprise Approach to Cloud Security


Cloud models require different security solutions…

• Private cloud: enterprise-owned or leased

• Community cloud: shared infrastructure for a specific community

• Public cloud: sold to the public, mega-scale infrastructure

• Hybrid cloud: composition of two or more clouds

Attack surface increases across these models.

Page 11: Protecting What Matters...An Enterprise Approach to Cloud Security


... and different roles & responsibilities regarding security

• SaaS (Software as a Service): generally provides application, data and infrastructure security, with varying degrees of compliance

• PaaS (Platform as a Service): may provide some additional security functions for IDM and secure application development; security falls to the app developer and customer IT operations

• IaaS (Infrastructure as a Service): providers generally offer basic network & infrastructure security, firewalls and some tools, but the customer is generally responsible for implementation, operations and monitoring

Page 12: Protecting What Matters...An Enterprise Approach to Cloud Security


But what is really new about “cloud security”?

Many traditional security concerns are recast as a “cloud problem”…

• Many “cloud security incidents” are issues with web apps and data hosting, but at greater scale

- e.g. phishing, downtime, data loss, weak passwords, compromised hosts running botnets, etc.

• Unexpected side channels and covert channels arising from shared-resource environments in public services

- Activity patterns need to be protected in addition to apps and data

• Reputation fate sharing: possible blacklisting or service disruption due to “bad neighbors”

- Need “mutual auditability” (providers need to audit/monitor users)

• Longer trust chains: {SaaS to PaaS to IaaS}

– Y. Chen et al., “What’s New About Cloud Computing Security?”, UC Berkeley, Jan. 20, 2010

Page 13: Protecting What Matters...An Enterprise Approach to Cloud Security

“It’s not about cloud security – it’s about securing your enterprise’s use of cloud-based services”

“Cloud security begins with, and adds to, well-defined enterprise security”

Perspectives

Page 14: Protecting What Matters...An Enterprise Approach to Cloud Security


Enterprise approach to cloud security

HP Enterprise Security Services Whitepaper

1. Establish a risk-based approach

2. Design applications to run in the cloud

3. Ongoing auditing and management

Page 15: Protecting What Matters...An Enterprise Approach to Cloud Security


HP approach to complete information security

Establish a risk-based approach: actionable security intelligence, moving from reactive to proactive information security & risk management

• Assess security investments and posture

• Transform from silos to a comprehensive view

• Optimize to proactively improve security posture

• Manage security effectively

Page 16: Protecting What Matters...An Enterprise Approach to Cloud Security


HP Cloud Security Risk and Control Assessment

Stage 1: Assessment Workshop (engagement with senior management): scope, business issues, discovery, risk assessment, strategic control plan

Stage 2: Risk Assessment (engagement with business-level security): business risk assessment, asset risk assessment, assets prioritized by risk

Stage 3: Controls Assessment (engagement with operational-level security): cloud control measures, consensus assessment, prioritized security control plan

Establish a risk-based approach

Page 17: Protecting What Matters...An Enterprise Approach to Cloud Security


Are your applications & data… The path of least resistance?

Design apps to run in cloud

Page 18: Protecting What Matters...An Enterprise Approach to Cloud Security


Secure SDLC: protect data & IP

Diagram: the attacker targets software & data, hardware and the network; the assets at risk are intellectual property, customer data, business processes and trade secrets.

Design apps to run in cloud

Page 19: Protecting What Matters...An Enterprise Approach to Cloud Security


The National Vulnerability Database (DHS/US-CERT)

• Lists >47,000 documented vulnerabilities

Undiscovered/unreported (0-day) vulnerabilities are huge:

• 20×¹ multiplier

• 47,000 × 20 = estimated 940,000 vulnerabilities, replicated in many products

The risks: vulnerabilities (security defects) are a quality issue; there are many more “underwater” than those reported “above the water”

Greater than 80% of attacks happen at the application layer

Notes: HP research and ¹ “Public Vulnerabilities Are Tip of the Iceberg,” CNET News, June 1, 2007

Design apps to run in cloud

Page 20: Protecting What Matters...An Enterprise Approach to Cloud Security


(Same slide as Page 19, with one additional point.)

• But <1% of security spend is allocated to application security!

Design apps to run in cloud

Page 21: Protecting What Matters...An Enterprise Approach to Cloud Security


Designing applications to run in the cloud

• Embed security in application architecture

• Address new attack surfaces early in design

• Encrypt “everything” by default – end-to-end

• Adopt new mindset to privacy

• Bounding processes around PII (e.g. PCI tokenization example)

• Build in audit trails for forensics

• Conduct 3rd-party reviews (CATA, pen test)

Design apps to run in cloud

Page 22: Protecting What Matters...An Enterprise Approach to Cloud Security


Securing “data-in-process,” in addition to “at rest” and “in motion”

Encryption advances & alternatives*

Advances

• Broadcast encryption: encryption for groups and memberships

• Searchable symmetric encryption: securely search encrypted data

• Identity-based encryption: ad-hoc PKI, user chooses their own public key

• Predicate encryption: fine-grained PKI

• Homomorphic encryption: emerging techniques to compute on ciphertext

* Source: CSA Guidance v3.0, Chapter 11

Alternatives*

• Tokenization: data sent to the public cloud is altered (tokenized) and contains a reference to the data residing in the private cloud.

• Data anonymization: personally identifiable information (PII) is stripped before processing. (Watch assumptions.)

• Utilizing cloud database controls: using (fine-grained) access controls at the database layer to provide segregation.
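The tokenization and anonymization alternatives above, as an added example that is not part of the original deck: a minimal private-cloud token vault issues random tokens in place of PII before a record is sent to the public cloud, and an anonymizer strips the PII fields outright. The field names, the sample order record and the `tok_` prefix are constructed for illustration.

```python
import secrets

PII_FIELDS = {"card_number", "email"}   # fields that must never leave the private cloud


class TokenVault:
    """Private-cloud store mapping opaque tokens back to the original values."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}   # same value -> same token, so joins still work in the cloud

    def tokenize(self, value):
        token = self._token_by_value.get(value)
        if token is None:
            # 128 random bits from the OS CSPRNG: unlike a hash, the token carries no
            # information about the value, so it cannot be reversed or brute-forced offline
            token = "tok_" + secrets.token_hex(16)
            self._value_by_token[token] = value
            self._token_by_value[value] = token
        return token

    def detokenize(self, token):
        return self._value_by_token[token]   # KeyError for a token this vault never issued


def to_public_cloud(record, vault):
    """Replace PII fields with vault tokens before the record leaves the private cloud."""
    return {k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def from_public_cloud(record, vault):
    """Reverse the substitution once the record is back inside the private cloud."""
    return {k: (vault.detokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def anonymize(record):
    """Non-reversible alternative: drop PII entirely. The 'watch assumptions' caveat:
    remaining quasi-identifiers (e.g. postcode plus birth date) can still re-identify."""
    return {k: v for k, v in record.items() if k not in PII_FIELDS}


# Constructed sample record (not real data)
ORDER = {"order_id": 1001, "card_number": "4111111111111111",
         "email": "alice@example.com", "amount": 42.50}

if __name__ == "__main__":
    vault = TokenVault()
    public = to_public_cloud(ORDER, vault)
    print(public)            # card_number and email now read tok_<32 hex chars>
    print(from_public_cloud(public, vault) == ORDER)
    print(anonymize(ORDER))
```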

Design apps to run in cloud

Page 23: Protecting What Matters...An Enterprise Approach to Cloud Security


Architecting Security into Applications

Security assurance thought leadership

Diagram: security assurance across the lifecycle, from the reactive, traditional approach (post-release) to the proactive approach of extending security assurance earlier (higher ROI).

• Requirements/architecture & design: security requirements gap analysis; security designed in; dramatically reduces risk of vulnerabilities; more complete and less expensive assurance; guides late-lifecycle assurance; the best response to a greater threat

• Coding: security code scanners; code review; better when design supports security

• Integration/penetration test: in-house, more proactive; more expensive in isolation

• Post-release: first, people found vulnerabilities, patched, and issued bulletins

The traditional approach is backwards. It can never solve the problem by itself, but works great after proactively prioritizing late-lifecycle assurance focus.

Design apps to run in cloud

Page 24: Protecting What Matters...An Enterprise Approach to Cloud Security


Diagram: HP cloud applications transformation

• Applications rationalisation: cloud-specific workload analysis; risk analysis & TCO; BPA

• Level 1 transformation strategy determination (RE’s): cloud suitability mapping of apps into suitable for SaaS, suitable for preferred target/public cloud, need modernisation analysis, not suitable for cloud

• Level 2 transformation strategy determination (x to x): Replace, Re-architect, Re-factor, Re-host

• App migration across cloud service types (IaaS, PaaS, SaaS) and cloud deployment models (public, private, virtual private, dedicated/hosted (retain, retire))

Design apps to run in cloud

Page 25: Protecting What Matters...An Enterprise Approach to Cloud Security


Applications modernization strategy

Chart: application cloud strategy, plotting coding effort against new value generation potential. Quadrants: Re-host, Re-factor, Re-architect, Replace. Service labels: IaaS, PaaS, SaaS, SOA.

Design apps to run in cloud

Page 26: Protecting What Matters...An Enterprise Approach to Cloud Security


Auditing cloud services

Continuous compliance monitoring is essential to securely delivering cloud services and ensuring compliance

• Cloud services are inherently dynamic. The dynamic provisioning and de-provisioning of resources is a key part of the cloud value proposition and business model

• Automation for operations and asset management is essential in this dynamic environment

• Verification of compliance with policy and legislation – such as the EU Data Protection Directive, GLBA, HIPAA, and export compliance controls like ITAR – requires continuously running automation

Yearly or monthly audits are irrelevant in an environment that changes completely on a daily or hourly basis

Ongoing auditing & management

Page 27: Protecting What Matters...An Enterprise Approach to Cloud Security


Are we secure?

Continuous security monitoring Ongoing auditing & management

Page 28: Protecting What Matters...An Enterprise Approach to Cloud Security


What about infrastructure and network security?

• Infrastructure and network security are critical areas for cloud-based solutions

• Enterprises have little or no influence on a provider’s implementation and controls in these areas

• A thorough review of the service provider’s policies should be completed as part of the due diligence process during contract negotiation and service sourcing

Page 29: Protecting What Matters...An Enterprise Approach to Cloud Security


5 key ways to reduce risk

1. Understand your risk profile

2. Architect for the cloud

3. Robust identity, access management

4. Confirm legal, compliance obligations, due diligence

5. “Clear Responsibility” – CSP, Customer, Both

Page 30: Protecting What Matters...An Enterprise Approach to Cloud Security


Cloud security: guidance for critical areas

Architecture

1. Cloud computing architectural framework

Governance

2. Governance and enterprise risk management
3. Legal issues: contracts and electronic discovery
4. Compliance and audit management
5. Information management and data security
6. Interoperability and portability

Operations

7. Traditional security, business continuity, and disaster recovery
8. Data center operations
9. Incident response
10. Application security
11. Encryption and key management
12. Identity, entitlement, and access management
13. Virtualization

Security for the cloud

http://cloudsecurityalliance.org/

https://ccsk.cloudsecurityalliance.org/

Page 31: Protecting What Matters...An Enterprise Approach to Cloud Security


Final thoughts

Recognize the threats have changed and become ‘industrialized’

Employ comprehensive and integrated approach to enterprise security & risk management

Conduct security threat analyses for all critical applications

Design in security from the beginning: essential for public cloud usage

Be vigilant: continual compliance monitoring and audits, intrusion testing, verifiable backups…

Page 32: Protecting What Matters...An Enterprise Approach to Cloud Security

Thank you

Whitepaper: bit.ly/hpcloudsecurity

Email: [email protected]

URL: hp.com/enterprise/security