1 / 33

Securing the Cloud: Masterclass 2

Securing the Cloud: Masterclass 2. Lee Newcombe (lee.newcombe@capgemini.com) Infrastructure Services April 2013. Agenda. Introduction. The Future Cloud?. The Perfect Storm – BYOD, Social Media, Big Data, Cloud. Service Management -> Service Orchestration. ?. Identity in the Cloud.

grady
Download Presentation

Securing the Cloud: Masterclass 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Securing the Cloud: Masterclass 2 Lee Newcombe (lee.newcombe@capgemini.com) Infrastructure Services April 2013

  2. Agenda • Introduction • The Future Cloud? • The Perfect Storm – BYOD, Social Media, Big Data, Cloud • Service Management -> Service Orchestration ? • Identity in the Cloud • Conclusions

  3. Agenda • Introduction • The Future Cloud? • The Perfect Storm – BYOD, Social Media, Big Data, Cloud • Service Management -> Service Orchestration ? • Identity in the Cloud • Conclusions

  4. The Future Cloud Public Cloud Providers likely to continue to be subject to rapid amalgamation Terremark – bought by Verizon Savvis – bought by Century Link Heroku – bought by Salesforce.com Nimbula – bought by Oracle Amalgamation will lead to a smaller set of major public cloud providers Smaller players will exist to serve niche markets (e.g. HMG) Big Outsourcing firms will continue to offer “enterprise” cloud services Likely to continue to struggle to justify premiums over the likes of AWS

  5. Interoperability will remain problematic Niche vendors will continue to exist enable cross-cloud operations Rising importance of service brokers and SIAM capabilities “Cloud First" attitude will become standard – not just in Government Compromises will occur. The sky will fall… but the cloud paradigm will survive. The Future Cloud

  6. Evolving Compliance Requirements The DPA requires the data controller to have a written contract … requiring that the “data processor is to act only on instructions from the data controller” and “the data processor will comply with security obligations equivalent to those imposed on the data controller itself.” Cloud customers should take care if a cloud provider offers a ‘take it or leave it’ set of terms and conditions without the opportunity for negotiation. Such contracts may not allow the cloud customer to retain sufficient control over the data in order to fulfil their data protection obligations. Cloud customers must therefore check the terms of service a cloud provider may offer to ensure that they adequately address the risks discussed in this guidance

  7. Evolving Compliance Requirements It’s important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement Without adequate segmentation, all clients of the shared infrastructure, as well as the CSP, would need to be verified as being PCI DSS compliant in order for any one client to be assured of the compliance of the environment. This will likely make compliance validation unachievable for the CSP or any of their clients

  8. Assurance – new Standards SAS70 SSAE16 Requires details of the “system” – not just the controls Requires a written statement of assertion

  9. Cloud Security Alliance OCF https://cloudsecurityalliance.org/research/ocf/

  10. AWS Changes – Evolving Security Release: Amazon EC2 on 2013-03-11 http://aws.amazon.com/releasenotes/4286407650196705

  11. Agenda • Introduction • The Future Cloud? • The Perfect Storm – BYOD, Social Media, Big Data, Cloud • Service Management -> Service Orchestration ? • Identity in the Cloud • Conclusions

  12. The Perfect Storm - BYOD Bring Your Own Disaster Device (BYOD) BYOD or CYOD? Business driven desire for mobile working End point protection Entry point to your trusted domain Holds your data Duress? Data Protection Better in the cloud? Encrypted on device? Remote wipe? Of my device?! Mobile Device Management

  13. The Perfect Storm - Social Media Twitter, LinkedIn, Facebook, Google+, etc the “Consumer Cloud” Reputation Management Damaging Tweets by employees Damaging comments from customers Hacked accounts: Burger King, BBC… Personal vs Business. Identity in the cloud? More later Data exfiltration Are you monitoring the data your users send via these channels?

  14. The Perfect Storm – Big Data Big Data How Big is Big? NoSQL? Pseudonymisation… Anonymisation… Fine so long as you know nothing about your target Fine so long as compute resource remains expensive and exclusive - https://downloads.cloudsecurityalliance.org/initiatives/bdwg/Big_Data_Top_Ten_v1.pdf

  15. Big Data (continued) Where is the data coming from? Trust? Validation? Where are you going to put it? NoSQL vs RDBMS? Cloud or on-premise? How are you going to control access to it? Compliance How much anonymisation is enough? http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation_code.ashx

  16. The Perfect Storm - Cloud Cloud is the ANSWER! But what was the question

  17. Putting it all together… Big Data Social Media usage Research and Development Modelling Device and Data usage (SIEM) Stored and processed in the cloud NoSQL. Not much security either Accessed from users personal devices Anybody see any security issues here?

  18. Putting it all together…to fix it Mobile Device Management DRM? Big Data security… See CSA Paper Anonymisation Security Architecture

  19. Agenda • Introduction • The Future Cloud? • The Perfect Storm – BYOD, Social Media, Big Data, Cloud • Service Management -> Service Orchestration ? • Identity in the Cloud • Conclusions

  20. Systems Integrators Service Integrators Service Service Service Service Service Integration and Management - SIAM Integration Management Orchestration Aggregation • “Service Broker” • Enabler of Cloud propositions • Aggregation and orchestration of many cloud-based services • Management of Infrastructure -owned or client assets • Service consolidation • Opportunity to leverage service desk and management assets

  21. SIAM and Security Sits across the top of the cloud services Responsible for ensuring consistent service levels to the customer across their cloud services Harmonisation/orchestration of disparate SLAs But also a good place to incorporate central set of security capabilities: Security Monitoring Identity and Access Management Certificate Authority Service Monitoring and Management Security Management Consistent content filtering? Consistent network access controls? Potentially a cloud service itself

  22. Agenda • Introduction • The Future Cloud? • The Perfect Storm – BYOD, Social Media, Big Data, Cloud • Service Management -> Service Orchestration ? • Identity in the Cloud • Conclusions

  23. Identity in the Cloud Digital Identity: “a set of claims made by one digital subject about itself or another digital subject.” - Kim Cameron’s Laws of Identity http://www.identityblog.com/?p=354 Jericho Forum Identity Commandments https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf Physical entities can have more than one persona… Employee Husband Father Elven Wizard Citizen Customer Shadowy criminal mastermind

  24. Identity in the Cloud Identities are necessary to: Establish relationships Especially commercial relationships But also citizen and HMG interactions It is not necessary for EVERY relationship I have to know EVERYTHING about all of my identities Identity Providers More like Persona Providers. But IdP is the standard term… Attribute Providers Is my driving licence valid? Is my CLAS membership valid? Am I really tall, dark, handsome and incredibly wealthy? You also need to trust your Attribute Providers.

  25. Federated Identity Management

  26. Cabinet Office Citizen Identity Assurance Model “Our preferred solution suggests the use of ‘hubs’ (technical intersections) which allow identities to be authenticated by contracted private sector organisations without an individual’s data being centrally stored or privacy being breached by unnecessary data and details of the user being openly ‘shared’ with either transacting party.”

  27. Cabinet Office Citizen Identity Assurance Model

  28. Federated Identity Management • Better for your organisations • Establish a single identity repository and federate out across your cloud services • Manage identity and provisioning in one place • Easier to plug’n’play cloud services through identity re-use • Less management overhead – federate with your trusted partners • Better for your customers • Less of their data will be compromised in a single event • Fewer passwords to remember • Consider integration with the consumer cloud via OAuth, OpenID, Facebook Connect etc

  29. Agenda • Introduction • The Future Cloud? • The Perfect Storm – BYOD, Social Media, Big Data, Cloud • Service Management -> Service Orchestration ? • Identity in the Cloud • Conclusions

  30. Conclusions • The Cloud market will change rapidly over the next few years • More accepted • Fewer players • Cloud risks stay much the same • Same threat actors • Same vulnerabilities • Potentially greater impacts as usage increases • The “Perfect Storm” will begin to worry end users • Humans don’t like to be watched • Anonymisation doesn’t often really work for both data controller and data subject • Federated identity management will be the way ahead • Getting your SIAM right is key to successful operation in the Cloud

  31. Q&A

  32. Securing the Cloud: More Workshops! Moving HR to the cloud Moving R&D services to the cloud Retiring and replacing your collaboration platform John Arnold Lee Newcombe John Martinez

More Related