Cloud Computing

Critical Areas of Focus

To Manage Risk

Tom Witwicki CIPP

INFOSEC Jan 13, 2010

Needing careful consideration of the risks to be managed (Acknowledgement: Cloud Security Alliance):

  • Cloud Architecture and Delivery Models

  • Risk Management

  • Legal

  • Compliance and Audit

  • Information Lifecycle Management

  • Portability and Interoperability

  • Incident Response

  • Business Continuity

  • Data Center Operations

  • Encryption and Key Management

  • Identity and Access Management

  • Storage

  • Virtualization.

Control Disconnect

  • The rules for managing risk still apply, but the game has changed


[Diagram labels: Security Policy; Enterprise Control Requirements; Controls Compliance/Auditing; Cloud Vendor; Control Design & Implementation; Control Monitoring]

Characteristics of Cloud Computing

  • Abstraction of Infrastructure

    • Opaque from the application’s perspective

    • High levels of Virtualization (OS, File Systems)

  • Democratization of Resources

    • Pooled resources (shared, dedicated)

  • Services Oriented Architecture

    • Focus on delivery of services, not management

  • Elasticity/Dynamism

    • rapidly expand or contract resource utilization

  • Utility Consumption Model

    • “all-you-can-eat” but “pay-by-the-bite”

Service Delivery Models

  • SaaS (Software as a Service)

    • least extensibility and greatest amount of security responsibility taken on by the cloud provider

  • PaaS (Platform as a Service)

    • lies somewhere in the middle, with extensibility and security features which must be leveraged by the customer

  • IaaS (Infrastructure as a Service)

    • greatest extensibility and least amount of security responsibility taken on by the cloud provider

  • “Classify” the service to determine security responsibilities of the customer

Deployment Modalities

  • Private

    • Single tenant operating environment

    • On or off premises

    • “Trusted” consumers

  • Public

    • Single or multi-tenant environment

    • Infrastructure owned and managed by service provider

    • Consumers considered “untrusted”

  • Managed

    • Single or multi-tenant

    • Infrastructure on premises managed and controlled by service provider

    • Consumers trusted or untrusted

  • Hybrid

    • Combination of public and private offerings

    • Application portability

    • Information exchange across disparate cloud offerings

Cloud Reference Model




Mapping the Cloud to the Security Model


[Diagram: security controls mapped to the cloud model]

  • SDLC, App Firewalls

  • Data Classification, DLP, Audit Logging, Encryption

  • Config and Patch Mgt, Pen Testing

  • Firewall rules, QoS, Anti-DDoS

  • Multi-level Security, Certificates and Key Mgt

  • HIDS/HIPS, Log Mgt, Encryption

  • Data Center Security, Redundancy, DR

Risk Management

  • Issues

    • Ability of the user organization to assess risk

    • Limited usefulness of certifications (e.g. SAS 70, ISO27001)

    • Many cloud services providers accept no responsibility for data stored (no risk transference)

    • User has no view of provider procedures governed by regulation or statute

      • Access and identity mgt, segregation of duties

    • Lack of clarity on data controls

      • Data backup and recovery, offsite storage, virtual provisioning (where is the data?), data removal

Risk Management

  • Guidance

    • In depth due diligence prior to executing contractual terms, SLA

    • Examine creating Private or Hybrid Cloud that provides appropriate level of controls

    • Comprehensive due diligence before using Public Cloud for mission critical components of business

    • Request documentation on how the service is assessed for risk and audited for control weaknesses and if results are available to customers

    • Listing of all 3rd party providers

    • What regulations and statutes govern site and how compliance is achieved

Legal

  • Compliance Liabilities

    • Organizations are custodians of the personal data entrusted to them (in-cloud or off-cloud)

    • State (data breach), Federal (FTC act), international (EU Data Protection) scope

    • Mandates that the organization impose appropriate security measures on its service providers (HIPAA, GLBA, MA 201 CMR 17.00, PCI)

    • Company relinquishes most controls over data in the cloud

    • Contract may be in the form of a “click-wrap” agreement which is not negotiated

    • Data encryption requirements!!!

Legal

  • Location diligence

    • Understand in which country its data will be hosted (local laws have jurisdiction) – EU data transfer provisions

    • Contractually limit the service provider's ability to subcontract

    • May want to ensure against data commingling

    • Technical/logistical limits to all of the above

  • Ensuring Privacy Protection

    • Align with Privacy Notices

    • Data not used for secondary purposes

    • Not disclosed to 3rd parties

    • Comply with individual Opt-in/Opt-out choices

    • Disclosure of security breach

    • May not be mature enough for regulated information!

Legal

  • Responding to Litigation requests

    • Identify compliance with E-discovery provisions – routinely not included in cloud service contracts

    • 3rd party subpoena request notification

  • Monitoring

    • Ability to conduct compliance monitoring and testing for vulnerabilities

  • Termination

    • Must retrieve the data or ensure its destruction

EPIC – Electronic Privacy Information Center

  • March 09 – filed a complaint with FTC

    • Urged investigation into Cloud Computing Services such as Google Docs

    • Determine adequacy of Privacy and Security Safeguards

  • Computer researchers sent letter to Google CEO

    • Uphold privacy promises

    • HTTPS not default security setting

    • Forces users to “opt-in” for security

Audit

  • Data Classification a must

    • Identify and segregate that data which needs the most stringent controls (based on impact assessment)

    • Match controls to data classification (not all data is created equal)

      • Protected (regulated)

      • Confidential (need to know)

      • Public (approval to make public)

    • Recommended control: Encrypt all regulated data

      • In transit and at rest

      • Network segregation seldom feasible

Portability and Interoperability

  • What happens when the cloud provider isn’t good enough?

    • Unacceptable cost increase

    • Provider goes out of business

    • One or more cloud services discontinued

    • Service quality degraded

    • Onus on customer to have portability as a design goal

Portability and Interoperability

  • SaaS

    • Ensure easy access to data in a format that is documented

    • Keep regular backups outside the cloud

    • Consider best-of-breed providers whose competitors have capabilities to migrate data

  • IaaS

    • Application deployment on top of the virtual machine image

    • Backups kept in a cloud-independent format (e.g. independent of the machine image)

    • Copies of backups moved out of the cloud regularly

  • PaaS

    • Application development architecture employed to create an abstraction layer

    • Also data backups off-cloud

Business Continuity

  • Obtain specific written commitments from the provider on recovery objectives

    • Understand your data and its recovery objectives (RTO, RPO)

  • Identify interdependencies in the provider’s infrastructure

    • Site risk (earthquake, flood, airport)

    • Infrastructure risk (redundancy of utilities, communication lines)

  • Onsite inspections

  • Integrate provider DR plans into your organization’s BCP

Data Center Operations

  • You have neighbors! Who are they?

    • Potential to consume inordinate amount of resources which impacts your performance?

    • Providers seek to maximize resource utilization

  • For IaaS and PaaS

    • Understand the provider’s patch mgt policies (notification, rollbacks, testing)

  • Compartmentalization of resources (Data mixing) and segregation of duties

  • Logging practices (what, how long?)

  • Test customer service function regularly

  • Indicator for operational quality – presence of staging facilities for both provider and customer

Incident Response

  • Cloud Computing Community incident database:

    • Malware infection

    • Data Breach

    • Man-in-the-middle discovery

    • User impersonation

  • Detection

    • Application firewalls, proxies and logging tools are key

    • no standard application level logging framework

  • Notification

    • Requires a registry of Application owners by interface

  • Application shutdown is normally first act taken

    • appropriate remediation?

    • Provider and customers need defined process to collaborate on decisions

  • Criminal investigation – evidence capture?

Application Security

  • What security controls must the application provide over and above inherent cloud controls?

  • How must an enterprise SDLC change to accommodate cloud computing?

  • Issues:

    • Multi-tenant environment

    • Lack of direct control over environment

    • Access to data by cloud vendor

    • Managing application “secret keys” which identify valid accounts

Application Security: IaaS model

  • Virtual image

    • should undergo security verification and hardening

    • Conform to enterprise trusted host baselines

    • Alternative to use trusted 3rd party for virtual image

  • Inter-host communication

    • Assume an untrusted network

    • Authentication and encryption

  • Codify trust with SLA

    • Security measures

    • Security testing

Application Security: PaaS model

  • Enterprise Service Bus (ESB)

    • Asynchronous messaging

    • Message routing

    • Where multi-tenanted, the ESB will be shared

    • Segmenting based on classifications not available

    • Securing messages the responsibility of the application

Application Security: SaaS model

  • SDLC

    • Verify/audit the maturity of the vendor’s SDLC

  • Custom code extensions

  • Data exchange via APIs

Encryption and Key Management

  • Encryption for Confidentiality and Integrity

    • Data at rest (IaaS, PaaS, SaaS)

    • Data in transit (within the provider’s network)

    • On backup media

  • Key Management

    • Secure key stores

    • Access to key stores

    • Key backup and recoverability

    • OASIS Key Management Interoperability Protocol (KMIP) – emerging standard

Encryption and Key Management: Recommendations

  • Assure regulated and/or sensitive customer data is encrypted in transit over the cloud provider’s internal network, in addition to being encrypted at rest

  • Segregate the key management from the cloud provider hosting the data, creating a chain of separation

    • Protects both when compelled by legal mandate

  • Contractual assurance that encryption adheres to industry or government standards

  • Understand how cloud providers provide role management and separation of duties (key mgt)

  • In IaaS environments, understand how sensitive information and key material otherwise protected by traditional encryption may be exposed during usage.

    • E.g. virtual machine swap files and other temporary data storage locations may also need to be encrypted

Encryption and Key Management: Recommendations (continued)

  • If cloud provider must perform key management

    • the provider has defined processes for a key management lifecycle: how keys are generated, used, stored, backed up, recovered, rotated, and deleted.

  • Key sets should be unique per customer

Identity Management

  • Federated Identity Management

    • needed to leverage the Enterprise IM and SSO

    • SAML the leading standard

    • Many Cloud vendors are immature in adoption of federation standards

    • With IaaS and PaaS, integration will have to be built

Identity Management

  • User Management

    • Understand cloud provider’s capabilities

    • Provisioning

    • De-Provisioning

  • Authentication

    • Password controls

    • Password strength

  • Authorization

    • Usually proprietary

    • Urge XACML compliant entitlement

  • Consider “Identity as a Service”

Some Parting Thoughts

  • New Technology, old vulnerabilities remain and new ones arise

  • Loss of security by “default” – trust boundaries

  • Commingling challenges integrity and confidentiality

  • Jurisdiction control and regulatory issues

  • Virtualization

    • Security through isolation, but...

    • Virtual infrastructure increases the risk

  • Assess risk, mitigate, formally accept

