What mitigation strategies can we implement that will increase our assurance in the cloud Lauren Eckert and Matt Parson
Definitions • Risk- a combination of the probability of an event occurring and its consequences • Can be an opportunity • Can be a threat • Risk Mitigation- a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence
Definitions Continued • Service Level Agreement (SLA) – agreement between an end-user/customer and a service provider • Confidence – the expectation of a successful fulfillment of an SLA
Optimized Infrastructure Services (OPTIMIS) • Project focused on enabling an open and dependable Cloud Service Ecosystem • Delivers adaptable, reliable, auditable and sustainable services • Three actors: • End-user • Service Provider • Infrastructure Provider
Five OPTIMIS Cloud Use Cases • Private • Bursting • Multi-cloud • Federated • Brokerage
Private Cloud • Service Provider and Infrastructure Provider • Within the same administrative domain • Provision resources for services using internal infrastructure
Cloud Bursting • Infrastructure Provider initiates the SLA negotiation process with another Infrastructure Provider • Occurs when additional capacity is needed to manage increases in demand above that which its local infrastructure can accommodate.
Multi-Cloud • Service Provider makes use of multiple Infrastructure Providers • Functional and non-functional SLA requirements determine which IP is appropriate at the component level
Federated Cloud • Infrastructure Provider provides resources for a Service Provider on behalf of (and across) a collection of Infrastructure Providers working together • Mutual SLA between all involved members
Cloud Brokerage • A broker acts as an intermediary that facilitates cloud deployments and adds value by maintaining a historical database of encounters with SPs and IPs • Used to gauge an actor's past performance and how well it has adhered to its SLAs
Initial Assessment • Gather data over time • Criteria use a scale of 1 to 10 • Sub-criteria use a scale of 0 to 1 • Allows end-user preferences • Able to handle missing data • Each provider is mapped onto a belief and plausibility interval
Initial Infrastructure Provider Assessment • Assessment of an IP by an SP is based on • Past SLA Performance • Geography Information • Certifications and Standards Compliance • Business Stability • General Infrastructure Practice • General Security Practice • General Privacy Practice
Initial Service Provider Assessment • Assessment of an SP by an IP is based on • Past SLA Performance • Business Stability • General Security Practice
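As an added example (not code from the OPTIMIS project or from these slides), the belief and plausibility interval described above can be produced with a Dempster-Shafer mass function per assessment criterion: ratings on the 1 to 10 scale become mass committed to "trustworthy" or "untrustworthy", missing observations become ignorance, and an end-user preference in [0,1] discounts a criterion before the evidence is combined. The criterion names below are taken from the slides, but the normalisation (rating-1)/9, the use of Shafer discounting for preferences, the two-element frame and the sample ratings are assumptions made for illustration.

```python
"""Belief/plausibility interval for a cloud provider (Dempster-Shafer style).

Assumptions (not from the slides): ratings 1..10 are normalised as (r-1)/9,
missing observations (None) become ignorance, and an end-user preference in
[0,1] is applied as Shafer discounting before Dempster's rule combines criteria.
"""
from typing import Dict, List, Optional, Tuple

# Mass function over the frame {T, U}: "T" trustworthy, "U" untrustworthy,
# "TU" the whole frame (ignorance / missing evidence).
Mass = Dict[str, float]


def criterion_mass(observations: List[Optional[int]]) -> Mass:
    """Turn a time series of 1..10 ratings (None = no data) into a mass function.
    Only the fraction of non-missing samples is committed; the rest is ignorance."""
    if not observations:
        raise ValueError("empty observation list")
    present = [o for o in observations if o is not None]
    coverage = len(present) / len(observations)
    if not present:
        return {"T": 0.0, "U": 0.0, "TU": 1.0}  # nothing known: Bel=0, Pl=1
    for o in present:
        if not 1 <= o <= 10:
            raise ValueError(f"rating out of range: {o}")
    score = (sum(present) / len(present) - 1) / 9.0  # 1..10 -> 0..1
    return {"T": coverage * score, "U": coverage * (1 - score), "TU": 1 - coverage}


def discount(m: Mass, weight: float) -> Mass:
    """Shafer discounting: a preference weight in [0,1] scales the committed mass
    and moves the remainder into ignorance (weight 0 ignores the criterion)."""
    if not 0 <= weight <= 1:
        raise ValueError("weight must be in [0,1]")
    return {"T": weight * m["T"], "U": weight * m["U"],
            "TU": 1 - weight * (1 - m["TU"])}


def combine(m1: Mass, m2: Mass) -> Mass:
    """Dempster's rule of combination on the two-element frame {T, U}."""
    conflict = m1["T"] * m2["U"] + m1["U"] * m2["T"]
    if conflict >= 1.0:
        raise ValueError("total conflict between evidence sources")
    norm = 1 - conflict
    t = (m1["T"] * m2["T"] + m1["T"] * m2["TU"] + m1["TU"] * m2["T"]) / norm
    u = (m1["U"] * m2["U"] + m1["U"] * m2["TU"] + m1["TU"] * m2["U"]) / norm
    return {"T": t, "U": u, "TU": (m1["TU"] * m2["TU"]) / norm}


def assess_provider(criteria: Dict[str, List[Optional[int]]],
                    preferences: Dict[str, float]) -> Tuple[float, float]:
    """Belief (lower bound) and plausibility (upper bound) that the provider is
    trustworthy, after combining every criterion's discounted evidence."""
    combined: Mass = {"T": 0.0, "U": 0.0, "TU": 1.0}  # vacuous belief to start
    for name, observations in criteria.items():
        m = discount(criterion_mass(observations), preferences.get(name, 1.0))
        combined = combine(combined, m)
    belief = combined["T"]
    plausibility = combined["T"] + combined["TU"]
    return belief, plausibility


# Constructed sample ratings for one infrastructure provider (not real data);
# None marks periods for which no observation was collected.
SAMPLE_IP = {
    "Past SLA Performance": [10, 10, None, None],
    "Business Stability": [1, None, None, None],
}

if __name__ == "__main__":
    bel, pl = assess_provider(SAMPLE_IP, {})
    print(f"trustworthy: belief={bel:.3f} plausibility={pl:.3f}")
    bel, pl = assess_provider(SAMPLE_IP, {"Business Stability": 0.5})
    print(f"with stability down-weighted: belief={bel:.3f} plausibility={pl:.3f}")
```

The width of the interval is the useful signal for an SP choosing an IP: a provider with sparse history lands close to [0,1] however good its few ratings are, and lowering a preference weight widens the interval rather than silently moving the point estimate.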
Risk Inventory • Anticipate and manage risk • Positive and negative risks • Steps of determination: • Target use case (cloud scenario) • Stage in service (deployment, etc.) • Assets to be protected (agreements, hardware, data, etc.) • Risk items that may jeopardize the assets • Identify relationships between assets and risks
Risk Categories • Technical • Hardware, VM failure • Policy • Data jurisdiction policies • General • Security, data applications or processes • Legal • SLA
Risk Models • Probabilistic • Compound probability and impact of occurrence • Possibilistic • Stochastic processes (Gamma) • Hybrid • Combination of the above two
Third Party Service Level Agreement Monitor • Third-Party group • Monitors performance based on SLA • Two Assessment Modules • Reputation/Trust (pre-deployment) • Transactional (post-deployment)
Transactional • Covers performance and financial risks • The TP SLA monitor obtains run-time values, compares them with the SLA thresholds and then determines the probability of failure (PoF) • Convolution of the results yields the Actual Resource Investment Curve
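The following is an added example, not the third-party monitor's own code, of the threshold comparison step: it parses constructed monitor samples, estimates a per-metric PoF as the fraction of the most recent samples that breach the SLA threshold, and combines the metrics into an overall PoF under an assumed independence of metrics. The log format, metric names, thresholds, window length and the independence assumption are all illustrative.

```python
"""Transactional SLA check: compare run-time monitor values against SLA
thresholds and estimate a probability of failure (PoF) per metric and overall.

Assumptions (not from the slides): 'key=value' monitor lines, a fixed-size
sample window, and independence of metrics when computing the overall PoF.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed monitor output (not real data): one line per sampling interval.
MONITOR_LOG = """\
t=1 response_ms=120 availability_pct=99.9
t=2 response_ms=150 availability_pct=99.7
t=3 response_ms=240 availability_pct=99.2
t=4 response_ms=90 availability_pct=99.95
t=5 response_ms=310 availability_pct=99.8
t=6 response_ms=180 availability_pct=99.6
t=7 response_ms=200 availability_pct=99.4
t=8 response_ms=130 availability_pct=99.9
"""


@dataclass(frozen=True)
class SlaThreshold:
    metric: str
    limit: float
    breach_above: bool  # True: value > limit breaches; False: value < limit breaches

    def breached(self, value: float) -> bool:
        return value > self.limit if self.breach_above else value < self.limit


# Assumed SLA terms for the example: p95-style latency cap and availability floor.
SLA = [
    SlaThreshold("response_ms", 200.0, breach_above=True),
    SlaThreshold("availability_pct", 99.5, breach_above=False),
]


def parse_monitor_log(text: str) -> Dict[str, List[float]]:
    """Parse 'key=value' fields per line into per-metric time series; the 't='
    sequence field is dropped and malformed fields are ignored."""
    series: Dict[str, List[float]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        for field in line.split():
            key, _, raw = field.partition("=")
            if key == "t" or not raw:
                continue
            series.setdefault(key, []).append(float(raw))
    return series


def breach_fraction(values: List[float], threshold: SlaThreshold, window: int) -> float:
    """Fraction of the last `window` samples violating the threshold (the PoF estimate)."""
    if window <= 0:
        raise ValueError("window must be positive")
    recent = values[-window:]
    if not recent:
        raise ValueError(f"no samples for {threshold.metric}")
    return sum(threshold.breached(v) for v in recent) / len(recent)


def probability_of_failure(series: Dict[str, List[float]],
                           thresholds: List[SlaThreshold],
                           window: int) -> Dict[str, float]:
    """Per-metric PoF plus an 'overall' PoF = 1 - prod(1 - PoF_i), i.e. the
    chance that at least one SLA term fails, assuming independent metrics."""
    pof: Dict[str, float] = {}
    for t in thresholds:
        if t.metric not in series:
            raise KeyError(f"SLA metric {t.metric!r} not reported by monitor")
        pof[t.metric] = breach_fraction(series[t.metric], t, window)
    survive = 1.0
    for p in pof.values():
        survive *= 1.0 - p
    pof["overall"] = 1.0 - survive
    return pof


if __name__ == "__main__":
    result = probability_of_failure(parse_monitor_log(MONITOR_LOG), SLA, window=8)
    for metric, p in result.items():
        print(f"{metric:17s} PoF={p:.3f}")
```

A missing metric is treated as an error rather than as PoF 0, since a monitor that stops reporting a term is itself an SLA-relevant event; shrinking the window makes the estimate react faster to fresh breaches at the cost of noisier values.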
Insurance Model • Insurance is a legal agreement (or policy) with a company that provides for reimbursement in the case of “loss” • Idea is the same as car insurance
Security Guidance for Critical Areas of Focus in Cloud Computing v3.0
Domain 2: Governance and Enterprise Risk Management Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, responsibility to protect sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues.
Recommendations • Reinvest savings into: • Scrutiny of the provider's security • Application of security controls • Ongoing detailed assessments and audits • Review the security governance structure, processes, and specific security controls of prospective providers for: • Sufficiency • Maturity • Consistency • Identify and incorporate collaborative governance structures/processes • Engage security departments in Service Level Agreements (SLAs) • Establish metrics and standards for performance • Identify and evaluate assets, threats and vulnerabilities • Jointly develop risk scenarios for the cloud service
Requirements • Provide transparency • Identify interdependency of risks • Account for inherited risks
Domain 3: Legal Issues: Contracts and Electronic Discovery This section includes protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, and international laws.
Domain 4: Compliance and Audit Management Issues dealing with evaluating how cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative, and otherwise). This domain includes some direction on proving compliance during an audit.
Recommendations • Involve the legal, procurement, and contracts teams • Consider applicable regulatory compliance requirements • Determine which cloud partners use data and how • Agree how to collect, store, and share compliance evidence • Prefer auditors that are "cloud-aware" • Request the cloud provider's SSAE 16 SOC 2 or ISAE 3402 Type 2 report • Provide for third-party review of SLA metrics and compliance
Requirements • Right to audit clause • Right to transparency clause • Review, update, and publish information security documents and GRC processes regularly • Select third-party auditors • Use a common certification assurance framework
Domain 5: Information Management and Data Security Items surrounding the identification and control of data in the cloud, as well as compensating controls that can be used to deal with the loss of physical control when moving data to the cloud.
Recommendations • Understand the cloud storage architecture • Choose storage with data dispersion • Use the Data Security Lifecycle • Monitor internal databases and file repositories • Consider using filtering to block unapproved activity
Recommendations Continued • Encrypt all sensitive data • Use content discovery • Store encryption keys externally • The SLA should document data removal for: • User accounts • Primary/redundant storage • Transfer of keys
Requirements • Data Security Lifecycle • Understand logical and physical locations of data. • Monitor employee Internet access • Encrypt all sensitive data
Domain 6: Interoperability and Portability The ability to move data/services from one provider to another, or bring it entirely back in-house, as well as issues surrounding interoperability between providers.
Recommendations • Physical computer hardware: use virtualization; ensure the same or better security controls • Physical network devices: network hardware and the network and security abstraction should be in a virtual domain • Virtualization: use open virtualization formats; document and understand the virtualization hooks
Recommendations Continued • Frameworks: investigate the APIs to determine where differences lie and plan for necessary changes; use open and published APIs; determine how failure in one component will impact others • Storage: store unstructured data in an established portable format; assess the need for encryption of data in transit; check for compatible database systems
Recommendations Continued • Security: use SAML or WS-Security for authentication; encrypt data before it is placed into the cloud; investigate how and where keys are stored; understand your responsibilities and liabilities should a compromise occur; define log file information security; delete all data, logs, etc. from the original system when moving
Recommendations Continued • Portability: service level; different architectures; security integration; authentication and identity mechanisms for user or process access; encryption keys should be escrowed/maintained locally; ensure copies of file metadata are securely removed