1 / 0

Assessing and Auditing Cloud Providers Nikita Reva, CISSP,CISA,M.S . Global Security Assessment Specialist MARS Inc.

Assessing and Auditing Cloud Providers Nikita Reva, CISSP,CISA,M.S . Global Security Assessment Specialist MARS Inc. Topics-Understanding the Cloud. What is Cloud Computing? CSA & NIST definitions What is really Cloud Computing? Practical definitions

laddie
Download Presentation

Assessing and Auditing Cloud Providers Nikita Reva, CISSP,CISA,M.S . Global Security Assessment Specialist MARS Inc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Assessing and Auditing Cloud Providers Nikita Reva, CISSP,CISA,M.S. Global Security Assessment Specialist MARS Inc.
  2. Topics-Understandingthe Cloud What is Cloud Computing? CSA & NIST definitions What is really Cloud Computing? Practical definitions Cloud Architecture and Characteristics Network Access/Elasticity/Measured Service/On Demand Why Cloud? Why now? Proliferation of Web 2.0 Technological milestones Cloud Vs. The Enterprise Deploying a sales application Practical Examples of Cloud Computing Models Opportunity Vs. Risk Cloud Maturity-Hype Cycle 2010 Where are we now? Where are we going? Operating in the Cloud Security/Data Privacy Concerns What to put in the Cloud? Assessing what can go? Key Areas of Risk to Consider Risk from all directions
  3. Topics-Assessing the cloud A Cloud State of Mind Getting Cloudy Assessing Cloud Vendors-Strategy Beyond the questionnaire Auditing Cloud Vendors-Strategy Questionnaires Practical Insight Best practices Examples of Common Risks and Mitigating Controls Best practices The Overall Security Posture of Cloud Providers Where are we today? Recommendations for Commercial contracts Be specific Cloud Identity Avoiding user silos. Federation Provisioning Advance Just in Time Governing the Cloud Audit/Legal/Regulatory concerns What’s Next Standardization & Transparency
  4. What is Cloud Computing? Few authoritative definitions exist. Cloud Security Alliance has chosen to adopt the NIST definition of Cloud Computing( NIST SP 800-125) Source: Cloud Security Alliance Guidance 2.1 & NIST SP 800-145
  5. What is really Cloud Computing? -Previously known as Grid computing. Cloud Computing is the new marketing euphemism. -Cloud is a fresh, modern take on an the old principle of transferring computing away from the desktop. -Ability to acquire applications and processing power on-demand and paying only for what you use. -Cloud leverages existing technology like virtualization to bring cost savings, efficiency and elasticity. -Leveraging powerful Web 2.0 apps to deliver solutions at economies of scale prices. - Ubiquitous Access-Any device, Anywhere, Anytime
  6. Cloud Architecture and Characteristics -Broad Network Access (Any device, Anywhere, Anytime). -Rapid Elasticity and Agility (Scale up/down). -Measured Services (Transparent resource monitoring) -On-Demand Self-Service (Quick provisioning-3 clicks to bring up a server). Source: Cloud Security Alliance Guidance 2.1
  7. Examples of Cloud Offerings: Source: Cloud Security Alliance Guidance 2.1
  8. Why Cloud? Why now? -Technological advancements leading to more robust VMs, better Open Source, cheaper storage and processing power. Economies of scale. -Web 2.0 technology is enabling the creation of very powerful web applications. Better and cheaper than what the enterprise can offer. -Proliferation of mobile devices is driving the adoption of Any Device, Anywhere, Anytime. Source: Red Hat
  9. Cloud Vs. The Enterprise Objective: Deploy a unified sales application for a global CPG. Access from iPads, Laptops and BBs: Note: Not actual figures, estimates used for illustrative purposes.
  10. Practical Examples of Cloud Computing Models SaaS PaaS IaaS Opportunity Software as-a-Service Software, available on demand, configurable remotely. Largest offering Microsoft Office 365 Salesforce.com Taleo Platform as-a-Service Enables development of new applications Platform.com Microsoft Azure, Google Apps Infrastructure as-a-Service Provisioning of infrastructure (server, storage) Amazon S3 Risks Risks grow as more control is given to the vendor
  11. MaturityCloud Hype Cycle – Gartner 2011 Majority of Cloud Computing Services are 2 to 5+ years away from mainstream adoption New vendors entering market regularly No interoperability standards Limited service levels in contracts Source: Gartner
  12. Risk & BenefitsNew Risks with the Cloud Risk tolerance determines what can go to Cloud
  13. What to put in the Cloud? -Asset & Data Classification is key -Some things don’t belong in the cloud (at least yet). -Using a trusted partner like Microsoft to host Email/OCS (Office 365) -Core competencies should generally not go into the Cloud (SAP ) . Source: Redlegg
  14. Key Areas of risk to consider Regulation Compliance
  15. A Cloud State of Mind -Security No silver bullet for security. Building reasonable assurance through assessments, interviews, and 3rd party assurance documents. Building trust in multiple third parties -Data Privacy Data is beyond your four walls Building trust in multiple third parties Complying with data privacy laws. (Handling of PII. EU 95/46EC). Safe Harbor compliance. Some EU nations like Germany are pushing back on honoring Safe Harbor for US companies. Work councils are pushing their own requirements. Source: Out-Law.com
  16. Assessing Cloud Vendors-Strategy -Have qualified specialists that are knowledgeable in Cloud Security. You need to think beyond ‘traditional’ Information Security. Think far beyond your four walls. The cloud is not a moat. -Most assessments start from a questionnaire and interviews. These are critical but you should look beyond just these aspects. -Focus on building reasonable assurance and a level of trust. -Use a holistic assessment methodology. -Assessment process should be formal and well documented. -Leverage best practices from CSA & ENISA. -Base questionnaires on CSA, ENISA guidance. CSA CCM, ISO-27002 or CoBIT controls. -Assessment should be flexible enough to adopt to different data classifications. -Ask for any and all assurance documents such as SSAE-16 (Legacy SAS-70), ISO-27001/2 Certification, Pen test, Vulnerability assessments, etc.
  17. Auditing Cloud Vendors-Strategy -Must have an explicit right to audit. Include it in your commercial contract if you plan to do this! -SSAE-16 is your primary resource as of today. -Some providers audit against ISO-27001. Ask for this! -Actual customer initiated audits (testing of controls, etc…) are not commonly practiced as of yet. May change as we mature.
  18. Practical Insight -Ask open-ended questions that don’t give away the answer you are looking for. -Be firm but professional. No one likes working with an overly aggressive person. -When explaining things to the business, bring it down to a level that matters to them. -Be mindful of the business need and balance it with security. Be firm but agile. -Be vigilant of hidden threats and vulnerabilities. -It’s usually OK to not approve a vendor or a pause an assessment to build additional assurance. -Consult with others before delivering your findings. -Be transparent on the material risk that you identify.
  19. Ex. of Common Risks & Mitigating Controls
  20. The Overall Security Posture of Cloud Providers -Many vendors are jumping to the cloud to capitalize on the opportunity. -Too many vendors don’t understand security nor do they have dedicated security personnel or consultants. The market opportunity is outweighing security. -Current state is a ‘mash-up’ of various security practices. - Much more work needs to be done to build standardization, transparencyand awareness with organizations like CSA. -Vendors vary greatly in security posture and maturity. -In my professional opinion, the overall maturity and security posture of smaller providers is low-medium. -Some niche providers that deal with high-profile clients or highly confidential and regulation data are taking things seriously. Pension apps, Financial apps. -One of the biggest challenges is getting assurance in the coding practices of SaaS providers as well as identity mgmt. -Larger vendors like Amazon, Rackspace, etc. are higher on the maturity curve and taking things more seriously.
  21. Cloud Identity-Identity Mgmt -Identity Management Problem: Cloud creates user silos within applications. Silos are bad. Passwords are often the weakest link (harvesting via Malware, Social Engineering…) Enterprise cannot effectively provision/de-provision users silos. = RISK. Industry Efforts: Federated access. Using your existing vetted identity store like Active Directory with FIM (Forefront Identity Mgr) or appliances such as Ping Identity. Standards-SAML, Oauth, OPEN ID, SCIM, JWT (Passing a token through an API). Source: Ping Identity, and MSFT.
  22. Provisioning Advance provisioning. Creating user accounts in manually or in batch (XLS, CSV, etc..) OK, but not great. Cannot scale up well, manual processes are required. Just in Time provisioning. User is provisioned at the time of first access. User’s identity is passed by the identity provider. Can be role-based, attribute-based or hinge on a number of different trigger Enabled with SCIM. Binding for SAML that passes user attributes to Service Provider. Source: Oracle and CSA
  23. Practical Recommendations for Commercial Contracts -If you want your provider to be accountable, you must put your requirement in writing. -Leverage the commercial contract to drive security requirements. Providers want your business. -Focus on the details. Be specific. Have commercial/legal resources on hand to review the contract and ground for indemnification. -If your organization is mature enough, include a requirement for ongoing governance of the Cloud Provider (annual re-assessment, Pen test, SSAE-16).
  24. Governing the Cloud -Alignment with frameworks ISO 27001/2 CoBIT 5.0 -Alignment with guidance Cloud Security Guidance 3.0 ENISA Guidance -Audit Assurance SSAE16 SOC 2 Legacy SAS70 Type 2 Vulnerability Assessments Penetration Testing Transparency!
  25. What’s Next -Drastic penetration rates. Gartner estimates that by 2020, 80% of orgs won’t have ‘traditional’ IT. - More robust governance and compliance. CSC and CSA are working on standardization like the CTP (Cloud Trust Protocol). Currently in R&D -More maturity and research around Identity management and transparency. - Cloud Insurance Establishing an identity store to vet user identities is paramount. AD(FIM), Identity Appliances (Enterprise Customers) Google/Facebook ? (www.accountchooser.com)
  26. Questions, More Information? Join Us! Your Chicago Cloud Security Resources: -www.cloudsecurityalliance.org -Join our group on LinkedIN -Nikita Reva, www.security-decisions.com @sec_decisions & @ipsec LinkedIN- http://www.linkedin.com/in/nikitareva
  27. Appendix-Cloud Computing Myths
  28. Appendix-Deciding what can go in the Cloud? -Asset & Data Classification is key -Some things don’t belong in the cloud (at least yet). -Using a trusted partner like Microsoft to host our Email/OCS (BPOS) -Core competencies should generally not go into the Cloud (i.e. SAP )
  29. Appendix: Your rights as a consumer of Cloud Services
  30. Appendix-Cloud Service & Deployment Models Service Models- SaaS: Software as a Service PaaS: Platform as a Service IaaS: Infrastructure as a Service Deployment Models- Public (SalesForce.com) Multiple Tenant Apt. External. Private (BPOS-D) Single Tenant Home. Internal or External. Hybrid (Mixed) Community (Fermi Labs)
  31. Appendix: Clarifying cloud terminology The Cloud:This is a purely abstract concept, originating in the presentation representations of the Internet and networks for many years. No one can buy or sell a cloud. The cloud comes into existence when one or more cloud services are delivered to one or more customers. Because of this, there is only one public cloud, because the only way to distinguish between them would be to look at one of the other terms as the line of demarcation. There may be many private clouds, and there certainly are numerous cloud infrastructures and platforms, but only one public cloud. A Cloud:Used only in the private sense to describe the entire set of cloud services delivered privately. We should avoid using this term because it is too vague to add value and can cause significant confusion. For example, a private cloud service could be delivered using public cloud infrastructure and still remain private. However, there are risks associated with this that should not be obscured by using the generic term "a cloud" to describe the private services. When private services are delivered on public infrastructure, there is an impact on the service-level agreement (SLA) that may be in place. The SLA would need to be guaranteed by both the private services provider and the public infrastructure cloud provider. For example, if a bank issues private services only to its agents, but the servers that host these services are delivered from Amazon cloud infrastructure, who owns the SLA? It's best to be specific. Cloud Services: IT-enabled capabilities delivered to a set of consumers from some set of providers. They must have a well-defined interface and be able to be provisioned programmatically.
  32. Appendix:Clarifying cloud terminology…continued Cloud Platforms: Collections of cloud services. These provide access to the capabilities enabled (for example, storage, processing, data, formats and application programming interfaces) and exist at multiple levels. Cloud platforms are also known as cloud/Web platforms. Cloud Infrastructure: Technically a relative term, like "cloud platform," that refers to the unexposed enabling technologies. It is often used to refer to the sum of cloud application infrastructure services and system infrastructure services as well. It is also sometimes used to refer to the underlying hardware and OS-level capabilities. A Cloud Application:An application specifically designed to take advantage of cloud characteristics, such as scalability, elasticity, multitenancy and shared resources. Salesforce.com is an example of a cloud application based on the use of the Force cloud platform. An Application in the Cloud: An application running on a cloud infrastructure service which has not been designed to take advantage of cloud-style characteristics or attributes. Synonymous with "hosted in the cloud" or "hosted on cloud infrastructure." Most applications delivered as an Amazon Machine Image are applications in the cloud, not cloud applications. However, one of these applications could be used to deliver a cloud service, such as billing.
  33. Appendix: Other Cloud Computing Benefits
  34. Appendix: Other Recommendations
More Related