Security considerations for the cloud
www.skyviewpartners.com 6/7/2012
(c) SkyView Partners, Inc, 2012. All Rights Reserved. 1
Carol Woodbury, President SkyView Partners, Inc.
www.skyviewpartners.com @carolwoodbury
Benefits:
Hardware
Support of the hardware
Software licensing
Software maintenance
However:
Must meet requirements of security policy
Legal requirements
Compliance requirements
Depends on the type of data
EU Data Protection Laws ◦ Currently being revised
Classification of the data determines:
◦ Default access
◦ Encryption requirements
◦ Retention requirements
◦ Storage requirements
◦ Disposal method (both printed and online)
While considering:
◦ Compliance requirements
◦ Legal considerations
Data classification requirements don’t change just because the data is now in the cloud
Carefully plan the security and privacy aspects of cloud computing solutions before engaging a cloud provider.
Understand the public cloud computing environment offered by the cloud provider.
Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.
Encryption
Auditing (logging)
No passwords in cleartext
Access controls
Reporting
Incident response handling
What will a QSA (PCI Qualified Security Assessor) or auditor say …?
Where is the data physically located
Incident response handling ◦ Do you and provider have the same definition of a breach?
Can your SLAs be fulfilled? ◦ (think disaster-recovery)
As well as compliance requirements
Questions for providers’ security practices:
◦ Is admin (root) power limited to only those users needing it?
◦ Who/What is logged?
◦ Do administrators access systems via encrypted sessions?
◦ What is the patch management strategy?
◦ What anti-virus / anti-malware software is used?
◦ Are the servers in compliance with PCI, SOX, HIPAA?
◦ Who are you audited by and can we see the results?
User management:
◦ Process to integrate with HR to remove access?
What about immediate removal for terminated employees/contractors?
◦ Password composition rules?
◦ Password change rules?
Logging:
◦ Invalid sign on attempts
Lock-out for excess attempts
◦ Reads and changes to HIPAA or PCI data
◦ Access attempts to data
◦ Retention of the logs
◦ Review of the logs
Network logging:
◦ Connections
◦ Data movement – what about DLP?
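The logging questions above (invalid sign-on attempts, lock-out for excess attempts, review of the logs) are only useful if the logs the provider hands over are actually reviewed. The following is an added example, not from the original presentation or from any provider: it reads a constructed sign-on log in an assumed line format, finds accounts that hit an assumed lock-out threshold (five failures in five minutes), and reports whether a lock-out was really recorded, whether nothing happened, or whether a sign-on then succeeded anyway.

```python
"""Review of a provider's sign-on log: flag accounts whose failed
sign-on attempts exceed the lock-out threshold and check whether a
lock-out event was actually recorded for them.

Added example; the log line format and the threshold are assumptions,
not a real provider's format or policy."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: UTC timestamp, event, key=value fields).
SAMPLE_LOG = """\
2012-06-07T09:00:01Z LOGIN_FAIL user=alice src=203.0.113.5
2012-06-07T09:00:04Z LOGIN_FAIL user=alice src=203.0.113.5
2012-06-07T09:00:07Z LOGIN_FAIL user=alice src=203.0.113.5
2012-06-07T09:00:10Z LOGIN_FAIL user=alice src=203.0.113.5
2012-06-07T09:00:12Z LOGIN_FAIL user=alice src=203.0.113.5
2012-06-07T09:00:13Z LOCKOUT user=alice src=203.0.113.5
2012-06-07T09:10:00Z LOGIN_FAIL user=bob src=198.51.100.9
2012-06-07T09:10:05Z LOGIN_FAIL user=bob src=198.51.100.9
2012-06-07T09:10:09Z LOGIN_FAIL user=bob src=198.51.100.9
2012-06-07T09:10:15Z LOGIN_FAIL user=bob src=198.51.100.9
2012-06-07T09:10:20Z LOGIN_FAIL user=bob src=198.51.100.9
2012-06-07T09:10:25Z LOGIN_OK user=bob src=198.51.100.9
2012-06-07T11:00:00Z LOGIN_FAIL user=carol src=192.0.2.7
2012-06-07T13:00:00Z LOGIN_FAIL user=carol src=192.0.2.7
"""

def parse_line(line):
    """Split one log line into (timestamp, event name, field dict)."""
    ts_text, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), event, fields

def review_signon_log(text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: verdict} for each user with `threshold` or more
    LOGIN_FAIL events inside `window`:
      'locked_out'                 a LOCKOUT was logged shortly after the burst
      'lockout_missing'            no LOCKOUT was logged
      'lockout_missing_then_login' no LOCKOUT, and a later LOGIN_OK succeeded
    Users below the threshold are not reported."""
    fails, lockouts, oks = defaultdict(list), defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        if event == "LOGIN_FAIL":
            fails[f["user"]].append(ts)
        elif event == "LOCKOUT":
            lockouts[f["user"]].append(ts)
        elif event == "LOGIN_OK":
            oks[f["user"]].append(ts)
    verdicts = {}
    for user, times in fails.items():
        times.sort()
        # Sliding window: the first run of `threshold` failures that fits in `window`.
        for i in range(len(times) - threshold + 1):
            start, end = times[i], times[i + threshold - 1]
            if end - start > window:
                continue
            if any(start <= t <= end + window for t in lockouts[user]):
                verdicts[user] = "locked_out"
            elif any(t > end for t in oks[user]):
                verdicts[user] = "lockout_missing_then_login"
            else:
                verdicts[user] = "lockout_missing"
            break
    return verdicts

if __name__ == "__main__":
    for user, verdict in sorted(review_signon_log(SAMPLE_LOG).items()):
        print(f"{user}: {verdict}")
```

In the sample, alice is locked out as policy says she should be, bob is never locked out and then signs on successfully (the case an auditor will ask about), and carol's two failures hours apart are below the threshold and are not reported.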
Because the service provider holds so much data, they may become a victim of a targeted attack
However … provider likely has:
◦ Network monitoring
◦ Trained personnel to recognize and respond to the attack
◦ Knowledge / Hardware to prevent or limit the attack
What an SLA should cover:
◦ Business level objectives
◦ Responsibilities of both parties
◦ Business continuity/disaster recovery
◦ Redundancy
◦ Maintenance
◦ Data location
◦ Data seizure
◦ Provider failure
◦ Jurisdiction
◦ Brokers and resellers
Source: http://www.ibm.com/developerworks/cloud/library/cl-rev2sla.html?ca=drs-
Security
Data encryption
Privacy
Data retention and deletion
Hardware erasure, destruction
Regulatory compliance
Incident response
Transparency
Certification
Performance definitions
Monitoring
Auditability
Metrics
Human interaction
Determine your organization’s security and compliance requirements for the type of data going to the cloud
Put the appropriate SLA in place
◦ Terminology / Communication is key – make sure you agree to each others’ definitions
Monitor the results to determine if SLA is being met
Find your private and confidential data
Do not assume it doesn’t exist just because it’s not supposed to be on a specific server or in a specific database!
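Finding private and confidential data where it is not supposed to be is a scanning job, and for cardholder (PCI) data it can be automated. The following is an added example, not from the original presentation: it scans text for candidate card numbers and keeps only those that pass the Luhn check, so ticket numbers and phone numbers are not reported. The file paths and contents are constructed samples; one of them is a debug log that has quietly captured a card number.

```python
"""Find cardholder data (PCI) in places it is not supposed to be: scan
text for candidate card numbers and keep only those that pass the Luhn
check, so plain digit runs (ticket numbers, phone numbers) are not
reported.

Added example; the file contents below are constructed samples and the
paths are made up."""
import re

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check: True for a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits (the usual display format)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return masked card numbers found in `text`, in order of appearance."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found

def scan_files(files):
    """files: {path: contents}. Return {path: [masked PANs]} for paths with hits."""
    hits = {}
    for path, text in files.items():
        pans = find_pans(text)
        if pans:
            hits[path] = pans
    return hits

# Constructed samples: a debug log that leaked a PAN, a notes file with
# plain numbers that look similar, and an export that legitimately holds PANs.
SAMPLE_FILES = {
    "/var/log/app/debug.log": (
        "order 1183 card=4111 1111 1111 1111 approved\n"
        "ref 123456789012345 settled\n"),
    "/home/dev/notes.txt": "call 555-0100 about ticket 9876543210\n",
    "/srv/export/customers.csv": (
        "id,name,pan\n"
        "7,Ann,5555555555554444\n"
        "8,Bo,378282246310005\n"),
}

if __name__ == "__main__":
    for path, pans in scan_files(SAMPLE_FILES).items():
        print(path, pans)
```

The Luhn check is what keeps the 15-digit reference number in the debug log out of the report; the hit that matters is the card number in the same log, which is exactly the kind of location nobody expects cardholder data to live in. The scanner only finds well-formed numbers, so it is a starting point for discovery, not proof that no confidential data exists.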
Many organizations are realizing the benefits of “private” clouds:
◦ Reduced hardware / software costs
◦ Quicker patching
◦ Consolidated security expertise
Monitoring (NOC)
Recognition and response to incidents
◦ Consolidated logging (correlated events)
◦ More layers of security (depending on the data requirements)
Clouds specializing in meeting compliance needs:
◦ PCI
◦ HIPAA
Significantly more expensive but consider that with public clouds you ‘get what you pay for.’
Service providers have been providing “cloud” services for many years
◦ Private / Specialized cloud – typically without the dynamic allocation of new resources
Security/Compliance/Legal requirements you make of them are the same as what we’ve been discussing.
Best practices and Certifications for Cloud Security: https://cloudsecurityalliance.org/
Guidelines on Security and Privacy in Public Cloud Computing – National Institute of Standards and Technology (NIST) SP 800-144: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
Cloud Computing Synopsis and Recommendations – National Institute of Standards and Technology (NIST) SP 800-146 – DRAFT: http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
Articles: www.sans.org, www.isaca.org
Search ‘European Cloud Computing Strategy’
Contact us at: [email protected] @carolwoodbury