Security and Privacy Mechanisms - Assured Cloud...
ASSURED CLOUD COMPUTING CENTER OF EXCELLENCE UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS | INFORMATION TRUST INSTITUTE
assured-cloud-computing.illinois.edu
Security and Privacy Mechanisms: An Analysis of Cloud Service Providers for the US Government
Presenter: Carlo Di Giulio
Advisor: Dr. Masooda Bashir
April 13, 2016
Focus of the Research
• Security and privacy risks and pitfalls in commercial cloud services
• Help the US Air Force identify, among the selected Cloud Service Providers (CSPs), the most secure and “convenient” ones for the US Government
• Spot possible market trends
• How service providers are addressing government needs
Focus of the Research
The research currently focuses on 5 major CSPs
Structure
The research is organized in three pillars
• Norms, regulations, and guidelines
• Products and services
• General privacy and security policies
Pillar I: Norms and Guidelines
Different levels of security, different controls and authorizations
Pillar I: Norms and Guidelines
The authorization process to provide a service to the DoD is rather complex
Image: The FedRAMP and CC SRG Roadmap (1)
Pillar II: Offering
We classified products and services of each service provider into 3 main categories (NIST 500-292):
IaaS, PaaS, SaaS
Each CSP offers a number of services that may be classified and compared to others
Pillar II: Offering
A few examples…
CSP / Service: AWS | Microsoft (Azure) | Google CS | IBM Softlayer | VMware
Data Analytics: Event Hubs | BigQuery | vRealize Operations Manager
Cloud Monitoring: Amazon CloudWatch | Cloud Monitoring | Monitoring & Reporting
Compute: Amazon EC2 | Cloud Services | App Engine | Virtual Servers | Compute
Relational Database: Redshift | SQL Database | Cloud SQL | Continuent
Identity Management: AWS IAM | Active Directory | Cloud IAM | Identity Manager
Pillar III: Policies
In order to classify the policies, standardization and classification are required
NIST 800-53
FedRAMP Baseline medium-high
Frameworks issued by credible NGOs
AICPA (SOC 2 criteria)
CSA (CCM 3.0.1)
Pillar III: Policies - Examples
Do you allow tenants/customers to define password and account lockout policies for their accounts? (IAM 12.9 Indicator, CCM 3.0.1)
AWS Identity and Access Management (IAM) lets [the tenant] manage several types of long-term security credentials for IAM users (2)
(…) must at a minimum meet Microsoft internal IT requirements, but an internal organization can increase the strength past this standard (3)
Not at this time (4)
Pillar III: Policies - Examples
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? (EKM 03.02 Indicator, CCM 3.0.1)
(…) option of encrypting customer data transmitted to and from Microsoft datacenters over public networks. (…) private networks with encryption for replication of non-public customer data between Microsoft datacenters (3)
"Yes. (…) uses AES-256 encryption to encapsulate in-transit workloads. For in-cloud vMotion activities, a dedicated, secure and encrypted network is used exclusively for this purpose (…)" (4)
Tenant Control Consideration (5)
Next Steps
Conclude the policy analysis
Select relevant policy indicators
Cross reference policies and services
Explore features and differences among services in more detail
Collaborate with a Technical SME (CS Grad Student) to specify security criteria for the analysis
For more information:
Dr. Masooda Bashir
Carlo Di Giulio
Thanks for your Attention!
References
(1) Bockelman, P. and McDermott, A. (2015). DoD-Compliant Implementations in the AWS Cloud. Reference Architectures. Amazon Web Services, April 2015. Retrieved from https://aws.amazon.com/compliance/dod/
(2) Amazon WS (2016). Amazon Web Services: Risk and Compliance. White Paper. Retrieved from http://aws.amazon.com/compliance/aws-whitepapers/
(3) Microsoft (2015). Standard Response to Request for Information Microsoft Azure Security, Privacy, and Compliance. White Paper. Retrieved from https://cloudsecurityalliance.org/
(4) VMware (2015). VMware vCloud Air IaaS CAIQ v1.0 - Consensus Assessments Initiative Questionnaire v3.0.1. Retrieved from https://cloudsecurityalliance.org/
(5) Softlayer (2016). CAIQ V1.0 - Consensus Assessments Initiative Questionnaire V3.0.1. Retrieved from https://cloudsecurityalliance.org/