The Cloud Security Landscape

The Cloud Security Landscape

Peter WoodChief Executive Officer

First•Base Technologies

An Ethical Hacker’s View

© First Base Technologies 2011

Who am I ?

Worked in computers and electronics since 1969

Founded First•Base in 1989 (one of the first ethical hacking firms)

- Social engineer & penetration tester

- Conference speaker and security ‘expert’- Chair of Advisory board at CSA UK & Ireland

- Vice Chair of BCS Information Risk Management and Audit Group

- ISACA Security Advisory Group and Conference Task Force- Corporate Executive Programme Expert

- IISP Interviewer

- FBCS, CITP, CISSP, MIEEE, M.Inst.ISP

- Registered BCS Security Consultant

- Member of ACM, ISACA, ISSA, Mensa

1969

1989

2


Agenda

• Cloud Computing: Define

• Is Cloud Computing Insecure?

• Cloud Security Guidance

• Q&A

3


Agenda


• Is Cloud Computing Secure?


• Q&A

4


Cloud Service Models

• Software (SaaS) - consumer uses a provider’s applications running on a cloud infrastructure. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings)

• Platform (PaaS) - consumer uses a provider’s infrastructure to run their own applications. Consumer does not manage or control the underlying cloud infrastructure (including network, servers, operating systems or storage)

• Infrastructure (IaaS) consumer uses a provider’s infrastructure to run their own applications and operating systems. Consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls)

5


Cloud Deployment Models

• Public Cloud - available to the general public or a large industry group and owned by an organisation selling cloud services

• Private Cloud - operated for a single organisation. May be managed by the organisation or a third party and may exist on-premises or off-premises

• Community Cloud - shared by several organisations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). May be managed by the organisations or a third party and may exist on-premises or off-premises

• Hybrid Cloud - composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardised or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds)

6


Agenda




• Q&A

9


Not the best approach to cloud


Typical cloud security questions

• Your data is … where?

• Which country?

• Who has access?

• Have staff been vetted?

• How well is it segregated from other users?

• Is it encrypted? Who holds the keys?

• How is it backed up (encrypted? where is it?)

• How is it transmitted (encrypted? authenticated?)

• Have the providers been tested by a reputable third party?

11


Amrit Williams BlogObservations of a Digitally Enlightened Mind

• When we allow services to be delivered by a third party, we lose all control over how they secure and maintain the health of their environments - and you simply can't enforce what you can't control.

• The ‘experts’ will tell you otherwise, convince you that their model is 100 per cent secure and that you have nothing to fear. Then again, those experts don't lose their jobs if you fail.

Amrit Williams is CTO at BigFix and was previously a research director in

the Information Security and Risk Research Practice at Gartner, Inc.

http://techbuddha.wordpress.com/

12


Just a little brainstorm

13


Agenda




• Q&A

14


Security Guidance for Critical Areas of Focus in

Cloud ComputingV2.1 -> V3.0

Cloud Security Alliance

http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdfhttps://wiki.cloudsecurityalliance.org/guidance/index.php/Main_Page

15


Risk Assessment

Evaluate your tolerance for moving an assetto various cloud computing models

• Identify the asset for the cloud deployment

• Evaluate the asset

• Map the asset to potential cloud deployment models

• Evaluate potential cloud service models and providers

• Sketch the potential data flow

16


Identify the asset

• Determine exactly what data or function is being considered for the cloud- This should include potential uses of the asset once it

moves to the cloud to account for scope creep- Data and transaction volumes are often higher than

expected

• Data and applications don’t need to reside in the same location; can shift only parts of functions to the cloud- For example, host application and data in own data

centre, while outsourcing a portion of its functionality to the cloud through a Platform as a Service

17


Evaluate the asset

How would we be harmed if:

• the asset became widely public and widely distributed?

• an employee of our cloud provider accessed the asset?

• the process or function were manipulated by an outsider?

• the process or function failed to provide expected results?

• the information/data were unexpectedly changed?

• the asset were unavailable for a period of time?

18


Map the asset to potential models

• Public

• Private, internal/on-premises

• Private, external (including dedicated or shared infrastructure)

• Community; taking into account the hosting location, potential service provider, and identification of other community members

• Hybrid. To effectively evaluate a potential hybrid deployment, you must have in mind at least a rough architecture of where components, functions, and data will reside

19


Evaluate models and providers

• In this step focus on the degree of control you’ll have at each SPI tier to implement any required risk management

• If you are evaluating a specific offering, at this point you might switch to a fuller risk assessment

• Your focus will be on the degree of control you have to implement risk mitigation in the different SPI tiers

• If you already have specific requirements (e.g. for handling of regulated data) you can include them in the evaluation

20


Sketch the potential data flow

• If you are evaluating a specific deployment option, map out the data flow between your organisation, the cloud service, and any customers/other nodes

• While most of these steps have been high-level, before making a final decision it’s absolutely essential to understand whether, and how, data can move in and out of the cloud

• If you have yet to decide on a particular offering, you’ll want to sketch out the rough data flow for any options on your acceptable list. This is to insure that as you make final decisions, you’ll be able to identify risk exposure points.

21


Conclusions

• Understand the importance of what you are considering moving to the cloud, your risk tolerance (at least at a high level), and which combinations of deployment and service models are acceptable

• Have a rough idea of potential exposure points for sensitive information and operations

• These together should give you sufficient context to evaluate any other security controls in the Guidance

22


Agenda




• Q&A

23

Peter WoodChief Executive Officer

First•Base Technologies LLP

[email protected]: peterwoodx

Blog: fpws.blogspot.com

http://firstbase.co.ukhttp://white-hats.co.ukhttp://peterwood.com

Need more information?

The Cloud Security Landscape

Technology

Transcript of The Cloud Security Landscape