Cloud Computing Security: Keep Your Head and Other Data Secure in the Cloud. Lynne Pizzini, CISSP, CISM, CIPP, Information Systems Security Officer, Information Technology Services Division, Department of Administration, State of Montana. firstname.lastname@example.org
Lynne Pizzini, CISSP, CISM, CIPP Lyn-nerd the Clown Information Systems Security Officer Information Technology Services Division Department of Administration State of Montana
Overview • What is Cloud Computing? • Types of Clouds • Benefits • Dangers • Protections • Is it Right for You? • Review
What is Cloud Computing? Provides on-demand network access to a shared pool of computing resources such as networks, servers, storage and applications. Scalable to meet customer needs. Provided through a large data center.
Recent Developments
• Gartner – cloud computing has moved from #16 to #2 in the annual CIO survey of key technology investments.
• A recent NASCIO study of all 50 states ranked cloud computing as #5 in the top 10 technical goals for organizations.
• The top concern when it comes to cloud computing in this same NASCIO survey was Security and Privacy.
Types of Clouds
• Software as a Service (SaaS) – provides ready-to-use web-based applications that are maintained centrally by a provider.
• Platform as a Service (PaaS) – provides programming languages and tools that application developers can use to create and deploy applications on the web.
• Infrastructure as a Service (IaaS) – provides computing resources (virtual machines and storage) whose usage is rented from a provider.
Types Continued • Can be private, public, hybrid, community (group with something in common – local government, healthcare industry, financial industry), or some combination of these models.
Benefits • More expertise if you are a small organization • More ability and resources • Use of VM • Recoverability
Dangers - Concerns: VENDOR SECURITY
• Cloud computing customers rely on providers to implement appropriate security measures to protect the confidentiality, integrity, and availability of data.
• Be wary of providers who are reluctant to share details of their security architecture/practices with customers.
• Transparency vs. Secrecy
Dangers - Concerns: ISOLATION/SEGREGATION
• Users access cloud computing resources via a virtual machine hosted on an unknown physical machine.
• The physical machine may be shared with other users.
• Providers must ensure that multiple customers do not interfere with each other, maliciously or unintentionally.
• How is data isolated or segregated from other organizations’ data?
• The cloud provider should provide evidence that encryption is being used and has been tested by experts.
Dangers - Concerns: DATA LOCATION
• Providers may have data centers located in other countries.
• Be sure your vendor contract stipulates any restrictions you may have on the physical location where your data is stored.
• Get a commitment from them to obey your privacy requirements no matter where the data is located.
Dangers - Concerns: MANAGEMENT INTERFACE
• Customers access the cloud management interface via the Internet, thus increasing exposure to potential attack.
• How is the system administered by the company – via the Internet?
• Do they use two-factor authentication?
• Are administrators monitored?
Dangers - Concerns: REPUTATION SHARING
• Bad behavior by one cloud customer may impact others using the cloud.
• For example, a customer engaging in spamming may cause a shared cloud IP address to be blacklisted.
Dangers - Concerns: PROVIDER VIABILITY
• How long has the provider been in business?
• What happens to your organization’s applications and data in the event that the provider goes out of business, is purchased by another business, or when the contract runs out?
Dangers - Concerns: COMPLIANCE
• Placement of data in the cloud does not eliminate an organization’s need to meet legal and regulatory requirements such as PCI or HIPAA.
• Organizations will need timely assistance from cloud computing providers to fulfill investigation/audit requirements.
• Remember - you will be fined for being out of compliance, not the cloud provider.
Dangers - Concerns: DATA LOSS/LEAKAGE
• How and where are backups stored?
• How is information removed when equipment is cycled?
Dangers - Concerns: RECOVERY
• How does the provider meet your recovery requirements in the event of a disaster?
• What is their capability to do a complete restoration, and how long will it take?
Dangers - Concerns: LOGGING
• What is logged?
• Can it be accessed easily for investigative purposes?
Protections
• Data Classification: Consider the sensitivity of your data before deciding whether or not to put it in the cloud.
• Encryption: Encrypt sensitive data before placing it in the cloud.
• Authentication: Consider requiring multifactor authentication for access to cloud computing resources.
• Vulnerability Assessment: Include a requirement for a security review or vulnerability assessment as part of the service level agreement with the provider.
• Monitor: Require close monitoring of cloud computing resources by providers for unauthorized activity.
• Backup: Ensure that your backup data is not commingled with other customers' data.
• Notification: Require providers to provide timely notification of any potential data security breach or security incident.
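An added example (not from the deck) of the "Data Classification" and "Encryption" protections working together: the caller classifies an object, and anything sensitive is encrypted with AES-256-GCM under a key the customer keeps before it is handed to the provider. The function names, the `sensitive` flag and the use of the object name as associated data are assumptions of this example, chosen so that a ciphertext stored under one name cannot be silently served back under another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PrepareForCloud returns the bytes that may be handed to the provider. Data
// classified as not sensitive goes as-is; sensitive data is encrypted under a
// key the customer keeps (the provider never sees it), with the object name as
// GCM associated data so a blob cannot be swapped into another object's slot.
func PrepareForCloud(key []byte, objectName string, data []byte, sensitive bool) ([]byte, error) {
	if !sensitive {
		return data, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object; not secret
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, []byte(objectName)), nil // nonce || ciphertext || tag
}

// RetrieveFromCloud reverses PrepareForCloud. A tampered blob, a wrong key, or
// a blob fetched under a different object name yields an error, never data.
func RetrieveFromCloud(key []byte, objectName string, blob []byte, sensitive bool) ([]byte, error) {
	if !sensitive {
		return blob, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(objectName))
}
```

The key must come from a store the organization controls, never from the provider, or the "encrypt before placing it in the cloud" protection is lost.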
Protections - Continued • SAS-70 Certification • Contract/Agreement • Audit
Is Cloud Computing right for you? Risk Assessment
Resources • CSO Magazine • Gartner • Network World Magazine • Computer World Magazine • Cloudsecurity.org • ISACA • MS-ISAC • NIST • NASCIO
Summary – Story Bag • What is cloud computing • Types of Clouds • Benefits • Dangers • Protections • Is it Right for You? • Review
Final Comment Unofficial motto: “In God we trust, everyone else must have a digital signature.” Author Unknown