Security considerations for the cloud


COMMON Europe Congress 2012 - Vienna

Transcript of Security considerations for the cloud

Page 1: Security considerations for the cloud

www.skyviewpartners.com 6/7/2012

(c) SkyView Partners, Inc, 2012. All Rights Reserved. 1

Carol Woodbury, President SkyView Partners, Inc.

www.skyviewpartners.com @carolwoodbury

Page 2: Security considerations for the cloud

Benefits:
◦ Hardware
◦ Support of the hardware
◦ Software licensing
◦ Software maintenance

However:
◦ Must meet requirements of security policy
◦ Legal requirements
◦ Compliance requirements

Depends on the type of data

Page 3: Security considerations for the cloud

EU Data Protection Laws
◦ Currently being revised

Determines:
◦ Default access
◦ Encryption requirements
◦ Retention requirements
◦ Storage requirements
◦ Disposal method (both printed and online)

While considering:
◦ Compliance requirements
◦ Legal considerations

Page 4: Security considerations for the cloud

Data classification requirements don’t change just because the data is now in the cloud

Carefully plan the security and privacy aspects of cloud computing solutions before engaging them (a cloud provider).
Understand the public cloud computing environment offered by the cloud provider.
Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Page 5: Security considerations for the cloud

Encryption
Auditing (logging)
No passwords in cleartext
Access controls
Reporting
Incident response handling
What will a QSA or auditor say …?

Where is the data physically located?
Incident response handling
◦ Do you and the provider have the same definition of a breach?
Can your SLAs be fulfilled?
◦ (think disaster recovery)
As well as compliance requirements

Page 6: Security considerations for the cloud

Questions for providers’ security practices:
◦ Is admin (root) power limited to only those users needing it?
◦ Who/What is logged?
◦ Do administrators access systems via encrypted sessions?
◦ What is the patch management strategy?
◦ What anti-virus / anti-malware software is used?
◦ Are the servers in compliance with PCI, SOX, HIPAA?
◦ Who are you audited by, and can we see the results?

User management:
◦ Process to integrate with HR to remove access? What about immediate removal for terminated employees/contractors?
◦ Password composition rules?
◦ Password change rules?

Page 7: Security considerations for the cloud

Logging:
◦ Invalid sign-on attempts; lock-out for excess attempts
◦ Reads and changes to HIPAA or PCI data
◦ Access attempts to data
◦ Retention of the logs
◦ Review of the logs

Network logging:
◦ Connections
◦ Data movement – what about DLP?

Because the service provider holds so much data, they may become a victim of a targeted attack.
However … the provider likely has:
◦ Network monitoring
◦ Trained personnel to recognize and respond to the attack
◦ Knowledge / hardware to prevent or limit the attack

Page 8: Security considerations for the cloud

Business level objectives
Responsibilities of both parties
Business continuity/disaster recovery
Redundancy
Maintenance
Data location
Data seizure
Provider failure
Jurisdiction
Brokers and resellers
http://www.ibm.com/developerworks/cloud/library/cl-rev2sla.html?ca=drs-

Security
Data encryption
Privacy
Data retention and deletion
Hardware erasure, destruction
Regulatory compliance
Incident response
Transparency
Certification
Performance definitions
Monitoring
Auditability
Metrics
Human interaction

Page 9: Security considerations for the cloud

Determine your organization’s security and compliance requirements for the type of data going to the cloud
Put the appropriate SLA in place
◦ Terminology / Communication is key – make sure you agree to each other’s definitions
Monitor the results to determine if the SLA is being met

Find your private and confidential data
Do not assume it doesn’t exist just because it’s not supposed to be on a specific server or in a specific database!

Page 10: Security considerations for the cloud

Many organizations are realizing the benefits of “private” clouds
◦ Reduced hardware / software costs
◦ Quicker patching
◦ Consolidated security expertise: monitoring (NOC), recognition and response to incidents
◦ Consolidated logging (correlated events)
◦ More layers of security (depending on the data requirements)

Clouds specializing in meeting compliance needs:
◦ PCI
◦ HIPAA
Significantly more expensive, but consider that with public clouds you ‘get what you pay for.’

Page 11: Security considerations for the cloud

Service providers have been providing “cloud” services for many years
◦ Private / Specialized cloud – typically without the dynamic allocation of new resources
The security/compliance/legal requirements you make of them are the same as what we’ve been discussing.

Best practices and Certifications for Cloud Security: https://cloudsecurityalliance.org/
Guidelines on Security and Privacy in Public Cloud Computing – National Institute of Standards and Technology (NIST) SP 800-144: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
Cloud Computing Synopsis and Recommendations – National Institute of Standards and Technology (NIST) SP 800-146 – DRAFT: http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
Articles: www.sans.org, www.isaca.org
Search ‘European cloud Computing Strategy’

Contact us at: [email protected] @carolwoodbury
