Securing the Cloud: Masterclass 1

Lee Newcombe (lee.newcombe@capgemini.com)

Infrastructure Services

April 2013

Agenda
  • Introduction
  • Establishing a common point of view
  • Cloud Threats – who may attack your services?
  • Cloud Risks. And Benefits?
  • An approach to secure adoption of cloud services
  • Conclusions
Introduction
  • Capgemini’s lead on Cloud Security since 2009
  • Named contributor to versions 2 and 3 of the Cloud Security Alliance Security Guidance on Critical Areas of Focus in Cloud Computing
  • Member of the Editorial Board of the Springer Journal of Cloud Computing
  • Member of the Program Committee for the CLOSER academic conference
  • Author of numerous articles: Computer Weekly, SC Magazine, Data Centre Solutions, Computing…
  • Regular speaker, e.g. CloudCamp, Cloud Circle Forum, sponsored Breakfast Briefings, etc.
  • Sole industry security SME on the HMG Data Centre Consolidation Strategy project – which gave rise to the G-cloud
  • Extensive shared services background – e.g. security lead for the Police National Database (PND) from inception to operation
Cloud Computing – NIST

Cloud Computing: “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction…”

csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

Essential Characteristics of Cloud Computing
  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service

Service Models

  • Software as a Service
  • Platform as a Service
  • Infrastructure as a Service

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. web-based e-mail), or a program interface…

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider…

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications…

NIST Deployment Models and Jericho Cloud Cube

The Jericho Forum® Cloud Cube Model is an alternative way of representing deployment models.

http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf

A little about you…

Are you currently using cloud-based services within your organisation?

Are you currently using cloud-based services for production?
  • IaaS?
  • PaaS?
  • SaaS?
  • A combination of the above?

How many of you have tried the cloud but reverted to a more traditional approach?

National Security Letters (NSL) - Microsoft

However… Judge Susan Illston of the US District Court in San Francisco found that the "gag order" provision of the NSL law violates the First Amendment protections on freedom of speech.

https://www.eff.org/document/nsl-ruling-march-14-2013

http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/

CSA “Notorious Nine”

http://www.cloudsecurityalliance.org/topthreats/

Cloud Risks
  • Compliance
  • Multi-tenancy
  • Assurance
  • Supply chain – cloud, on cloud, on cloud, on…
  • Lock-in
  • Standard Terms and Conditions
PCI-DSS (Payment Card Industry – Data Security Standard)

Penalties
  • $25 for each account reissued
  • $5 for each account monitored but not reissued
  • Severity of fine will depend upon Acquirer / Merchant progress, co-operation, number of accounts at risk, and what sensitive data has been stored (i.e. CSC, Track 2).
  • Failure by an Acquirer to comply with the ‘Acquirer Responsibilities’ defined in the Rules can incur a further $25k per day until compliant. The assessments for Wrongful Disclosure and Failure to Secure Data are up to USD 100,000 per violation. The assessments for Retention of Prohibited Data (mag stripe, CVC 2) are up to USD 100,000 per violation.

http://ask.barclaycard.co.uk/business/allfaqs/1_fraud_security/fines_2

“A sports apparel retailer is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa.

… Visa is not the only card company to go after Genesco and its banks. MasterCard did as well. The two companies combined imposed $15.6 million in fines and assessments, but Genesco has so far only sued Visa.”

http://www.wired.com/threatlevel/2013/03/genesco-sues-visa

Compliance Process

Include stamp of approval from Legal here…

Cloud Benefits?
  • Cost-effective datacentre security
  • Improved resilience
  • More efficient security patching
  • Improved security expertise, including application-specific expertise, at the centre
  • Cloud data storage and sharing vs removable media
  • Encourages adoption of Jericho principles
Security Architecture

“The fundamental security organization of a system, embodied in its components, their relationships to each other and the environment, and the security principles governing its design and evolution”

Adapted from: ISO/IEC 42010:2007

Modelling Different Delivery Responsibilities

The delivery responsibilities for the security services shift from the consumer to the provider as you move from IaaS through PaaS to SaaS.

The interfaces between consumer and provider present a risk of gaps in capability, and of poor, missing or mistaken communication between provider and consumer.

Conclusions
  • All delivery models are unique. Cloud computing models have unique security challenges. So do other delivery models including on-premise and traditional outsourcing.
  • Cloud is an evolution not a revolution.
  • The threat actors remain mostly the same, cloud or on-premise.
  • The risks remain mostly the same, whether your applications are hosted on-premise or on-cloud; however:
    • increased sharing of resources due to multi-tenancy introduces new attack surfaces;
    • assurance difficulties can cause compliance issues (data residency, data deletion, segregation, etc.).
Conclusions
  • The security architecture approach can help to enable cloud adoption:
    • Architecture methodologies help to enforce consistency across an enterprise, no matter the IT delivery model.
    • Architecture methodologies help to identify the security services required from a Provider.
    • Architecture helps to identify areas of overlap or interface (or confusion or omission) between Provider and Consumer.
    • Architecture helps to inform service procurement.
Securing the Cloud: Workshops!
  • Security preparation: Getting ready for cloud adoption
  • Security planning: Architecting for cloud services
  • Security in practice: Operating in the cloud

John Arnold

Lee Newcombe

John Martinez