Control Disconnect
The rules for managing risk still apply, but the game has changed
Figure labels: Enterprise Security Policy; Enterprise Control Requirements; Controls; Compliance/Auditing; Cloud Vendor; Control Design & Implementation; Control Monitoring
3/11/2012
Democratization of Resources
- Pooled resources (shared, dedicated)
Elasticity/Dynamism
- Rapidly expand or contract resource utilization
Deployment Modalities
Private
- Single-tenant operating environment
- On or off premises
- Trusted consumers
Public
- Single or multi-tenant environment
- Infrastructure owned and managed by the service provider
- Consumers considered untrusted
Managed
- Single or multi-tenant
- Infrastructure on premises, managed and controlled by the service provider
- Consumers trusted or untrusted
Hybrid
- Combination of public and private offerings
- Application portability
- Information exchange across disparate cloud offerings
Figure labels: SaaS, PaaS, IaaS
- Firewall rules, QoS, anti-DDoS
- Multi-level security, certificates and key management
- HIDS/HIPS, log management, encryption
- Data center security, redundancy, DR
Tom Witwicki CIPP
Risk Management
Issues
- Ability of the user organization to assess risk
- Limited usefulness of certifications (e.g. SAS 70, ISO 27001)
- Many cloud service providers accept no responsibility for data stored (no risk transference)
- User has no view of provider procedures governed by regulation or statute
- Access and identity management, segregation of duties
Risk Management
Guidance
- In-depth due diligence prior to executing contractual terms and SLA
- Examine creating a private or hybrid cloud that provides the appropriate level of controls
- Comprehensive due diligence before using public cloud for mission-critical components of the business
- Request documentation on how the service is assessed for risk and audited for control weaknesses, and whether results are available to customers
- Listing of all 3rd-party providers
- What regulations and statutes govern the site and how compliance is achieved
Legal
Compliance Liabilities
- Organizations are custodians of the personal data entrusted to them (in-cloud or off-cloud)
- State (data breach), federal (FTC Act) and international (EU Data Protection) scope
- Mandates that organizations impose appropriate security measures on their service providers (HIPAA, GLBA, MA 201 CMR 17.00, PCI)
- Company relinquishes most controls over data in the cloud
- Contract may be in the form of a click-wrap agreement, which is not negotiated
- Data encryption requirements!!!
Legal
Location diligence
- Understand in which country its data will be hosted (local laws have jurisdiction)
- EU data transfer provisions
- Contractually limit the service provider's ability to subcontract
- May want to ensure against data commingling
- Technical/logistical limits to all of the above
Legal
Responding to Litigation requests
- Identify compliance with e-discovery provisions (routinely not included in cloud service contracts)
- 3rd-party subpoena request notification
Monitoring
Ability to conduct compliance monitoring and testing for vulnerabilities
Termination
Must retrieve the data or ensure its destruction
Audit
Data Classification a must
- Identify and segregate the data that needs the most stringent controls (based on impact assessment)
- Match controls to data classification (not all data is created equal)
- Classes: Protected (regulated); Confidential (need to know); Public (approval to make public)
IaaS
- Application deployment on top of the virtual machine image
- Backups kept in a cloud-independent format (e.g. independent of the machine image)
- Copies of backups moved out of the cloud regularly
PaaS
- Application development architecture employed to create an abstraction layer
- Also data backups off-cloud
Business Continuity
Obtain specific written commitments from the provider on recovery objectives
Understand your data and its recovery objectives (RTO, RPO)
- Compartmentalization of resources (data mixing) and segregation of duties
- Logging practices (what, how long?)
- Test customer service function regularly
- Indicator for operational quality: presence of staging facilities for both provider and customer
Incident Response
Cloud Computing Community incident database:
- Malware infection
- Data breach
- Man-in-the-middle discovery
- User impersonation
Detection
- Application firewalls, proxies and logging tools are key
- No standard application-level logging framework
Notification
Requires a registry of Application owners by interface
Criminal investigation
evidence capture?
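The detection line above points at application firewalls, proxies and logging tools, with no standard application-level logging framework to rely on, so detection logic usually has to be written against whatever the application itself emits. The Go program below is an added example and not part of the presentation: it assumes a constructed key=value access-log format (the SampleLog lines are made up for this example), parses it, and applies two rules that map to two entries in the incident list, user impersonation (one account active from two source addresses within a short window) and a brute-force burst of failed logins.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one application-level access event. The line layout is an assumption for
// this example, since the slide notes there is no standard application logging format:
//   <RFC3339 time> user=<id> src=<ip> action=<name> result=<ok|fail>
type Event struct {
	When                      time.Time
	User, Src, Action, Result string
}

// SampleLog is constructed input: alice appears from two networks 30 s apart, bob
// produces a burst of failures, carol's two sources are an hour apart (no finding).
const SampleLog = `2012-03-11T10:00:00Z user=alice src=10.0.0.5 action=login result=ok
2012-03-11T10:00:30Z user=alice src=203.0.113.9 action=login result=ok
2012-03-11T10:01:00Z user=bob src=10.0.0.7 action=login result=fail
2012-03-11T10:01:10Z user=bob src=10.0.0.7 action=login result=fail
2012-03-11T10:01:20Z user=bob src=10.0.0.7 action=login result=fail
2012-03-11T11:30:00Z user=carol src=10.0.0.8 action=login result=ok
2012-03-11T12:30:00Z user=carol src=198.51.100.4 action=login result=ok`

// ParseLine parses one line; malformed lines are reported rather than silently dropped.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) != 5 {
		return Event{}, fmt.Errorf("unexpected field count in %q", line)
	}
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{When: when}
	dst := map[string]*string{"user": &ev.User, "src": &ev.Src, "action": &ev.Action, "result": &ev.Result}
	for _, kv := range fields[1:] {
		key, val, ok := strings.Cut(kv, "=")
		if p, known := dst[key]; ok && known {
			*p = val
		} else {
			return Event{}, fmt.Errorf("bad field %q", kv)
		}
	}
	return ev, nil
}

type Finding struct{ Rule, User string }

// Detect applies two per-account rules inside a sliding window: "impersonation" (the
// account seen from more than one source address) and "brute-force" (at least
// failThreshold failed results). At most one finding per rule and account.
func Detect(events []Event, window time.Duration, failThreshold int) []Finding {
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	byUser := map[string][]Event{}
	for _, ev := range events {
		byUser[ev.User] = append(byUser[ev.User], ev)
	}
	var findings []Finding
	for user, evs := range byUser {
		multiSrc, brute := false, false
		for i := range evs {
			fails := 0
			for j := i; j < len(evs) && evs[j].When.Sub(evs[i].When) <= window; j++ {
				multiSrc = multiSrc || evs[j].Src != evs[i].Src
				if evs[j].Result == "fail" {
					fails++
				}
			}
			brute = brute || fails >= failThreshold
		}
		if multiSrc {
			findings = append(findings, Finding{"impersonation", user})
		}
		if brute {
			findings = append(findings, Finding{"brute-force", user})
		}
	}
	// Map iteration order is random; sort so output and tests are deterministic.
	sort.Slice(findings, func(i, j int) bool { return findings[i].User+findings[i].Rule < findings[j].User+findings[j].Rule })
	return findings
}

// AnalyzeSample runs the rules over SampleLog with a 5-minute window and 3 failures.
func AnalyzeSample() ([]Finding, error) {
	var events []Event
	for _, line := range strings.Split(SampleLog, "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return Detect(events, 5*time.Minute, 3), nil
}
```

Detect takes the window and failure threshold as parameters because the right values depend on the application, and ParseLine reports malformed lines instead of dropping them, so gaps in what the application logs surface as errors rather than as silence.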
Application Security
What security controls must the application provide over and above inherent cloud controls? How must an enterprise SDLC change to accommodate cloud computing?
Issues:
- Multi-tenant environment
- Lack of direct control over the environment
- Access to data by the cloud vendor
- Managing application secret keys which identify valid accounts
Inter-host communication
- Assume an untrusted network
- Authentication and encryption
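What "assume an untrusted network" plus "authentication and encryption" looks like between two hosts, as an added example that is not part of the presentation: mutual TLS under a private CA in Go, where each side presents a certificate, the client pins the server name, and the server refuses any peer whose certificate it cannot verify. The host names app-host and worker-host, the CA name, the must helper and the in-memory net.Pipe transport are assumptions made so the exchange runs inside one process with no sockets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or certificate creation fails only if the random source is broken
	}
	return v
}

// issue creates a certificate for cn: a self-signed CA when parent is nil, otherwise a
// leaf signed by parent that is valid for both server and client authentication.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// Exchange sends msg from "worker-host" to "app-host" over a mutually authenticated TLS
// session run in-process over net.Pipe (no sockets). With rogueClient set, the server is
// given no trusted client issuer, so the handshake must fail and nothing is received.
func Exchange(msg string, rogueClient bool) (received, peerCN string, err error) {
	ca := issue("example-private-ca", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	clientCAs := pool
	if rogueClient {
		clientCAs = x509.NewCertPool()
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{issue("app-host", &ca)},
		ClientAuth:             tls.RequireAndVerifyClientCert, // unauthenticated peers are rejected
		ClientCAs:              clientCAs,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // no post-handshake server writes, which a synchronous net.Pipe cannot buffer
	}
	clientCfg := &tls.Config{
		Certificates: []tls.Certificate{issue("worker-host", &ca)},
		RootCAs:      pool,
		ServerName:   "app-host", // must match the server certificate's DNS name
		MinVersion:   tls.VersionTLS12,
	}
	c1, c2 := net.Pipe()
	deadline := time.Now().Add(2 * time.Second) // a rejected handshake leaves both ends blocked; bound it
	c1.SetDeadline(deadline)
	c2.SetDeadline(deadline)
	type result struct{ data, cn string; err error }
	done := make(chan result, 1)
	go func() {
		srv := tls.Server(c2, serverCfg)
		defer srv.Close()
		if err := srv.Handshake(); err != nil {
			done <- result{err: err}
			return
		}
		data, err := io.ReadAll(srv) // returns once the client sends close_notify
		done <- result{string(data), srv.ConnectionState().PeerCertificates[0].Subject.CommonName, err}
	}()
	cli := tls.Client(c1, clientCfg)
	_, err = cli.Write([]byte(msg)) // runs the handshake first
	cli.Close()                      // close_notify, then the pipe end, which also unblocks a stuck server
	r := <-done
	if err != nil {
		return "", "", err
	}
	return r.data, r.cn, r.err
}
```

Exchange returns the server's view of the client identity (the common name of the verified client certificate). With rogueClient set the server has no trusted client issuer and the call returns an error within the two-second deadline; the deadline exists because net.Pipe has no buffer, so a rejected handshake leaves both ends blocked rather than failing as cleanly as it would on a socket.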
Key Management
- Secure key stores
- Access to key stores
- Key backup and recoverability
- OASIS Key Management Interoperability Protocol (KMIP): emerging standard
- Contractual assurance that encryption adheres to industry or government standards
- Understand how cloud providers provide role management and separation of duties (key management)
- In IaaS environments, understand how sensitive information and key material otherwise protected by traditional encryption may be exposed during usage, e.g. virtual machine swap files and other temporary data storage locations may also need to be encrypted
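Envelope encryption in Go, as an added example (not from the presentation) for the key-management points above: a secure key store that never releases its key-encryption keys, key versioning so that backups stay recoverable and rotation does not require re-encrypting data, and the caveat that key material is exposed while in use. The KeyStore type, the version numbering and the AES-256-GCM choice are assumptions standing in for an HSM or a KMIP-capable key manager; the zeroing of key copies is best effort and does nothing about swap files or hypervisor memory, which is the exposure the slide warns about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

// KeyStore stands in for the key-management service: it holds key-encryption keys (KEKs) by version and never releases them (constructed for this example).
type KeyStore struct {
	keks    map[uint32][]byte
	current uint32
}

// Envelope is stored next to the data: ciphertext, the per-object data-encryption key (DEK) wrapped under a KEK, and which KEK version wrapped it.
type Envelope struct {
	KEKVersion uint32
	WrappedDEK []byte
	Ciphertext []byte
}

func NewKeyStore() *KeyStore { ks := &KeyStore{keks: map[uint32][]byte{}}; ks.Rotate(); return ks }

// Rotate adds a KEK version and makes it current; older versions stay available so envelopes wrapped under them remain recoverable.
func (ks *KeyStore) Rotate() {
	ks.current++
	ks.keks[ks.current] = randomBytes(32)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // an unusable system random source is unrecoverable here
	}
	return b
}
// zero is best-effort scrubbing of a key copy in this process; it does not reach swap files or hypervisor memory.
func zero(b []byte) { for i := range b { b[i] = 0 } }
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are generated above and are always 32 bytes (AES-256)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal and open are AES-GCM with the random nonce prefixed to the output; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
// versionAAD binds a wrapped DEK to the KEK version that wrapped it.
func versionAAD(v uint32) []byte { return binary.BigEndian.AppendUint32(nil, v) }
// Encrypt: fresh DEK per object, data sealed under the DEK, DEK sealed under the current KEK, plaintext DEK scrubbed on return.
func (ks *KeyStore) Encrypt(plaintext []byte) Envelope {
	dek := randomBytes(32)
	defer zero(dek)
	return Envelope{ks.current, seal(ks.keks[ks.current], dek, versionAAD(ks.current)), seal(dek, plaintext, nil)}
}

func (ks *KeyStore) unwrap(env Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d unavailable: restore it from key backup", env.KEKVersion)
	}
	return open(kek, env.WrappedDEK, versionAAD(env.KEKVersion))
}
// Decrypt recovers the DEK under the recorded KEK version, then opens the data; tampering with either part fails the GCM tag check.
func (ks *KeyStore) Decrypt(env Envelope) ([]byte, error) {
	dek, err := ks.unwrap(env)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return open(dek, env.Ciphertext, nil)
}
// Rewrap moves an envelope to the current KEK by re-sealing only the DEK; the bulk ciphertext is untouched, so rotation is cheap.
func (ks *KeyStore) Rewrap(env Envelope) (Envelope, error) {
	dek, err := ks.unwrap(env)
	if err != nil {
		return Envelope{}, err
	}
	defer zero(dek)
	return Envelope{ks.current, seal(ks.keks[ks.current], dek, versionAAD(ks.current)), env.Ciphertext}, nil
}
```

Rewrap is what a KEK rotation looks like from the data's side: only the wrapped DEK changes. The unavailable-version error in unwrap is the failure you get when a retired KEK was never backed up, which is the recoverability point on the slide.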
Identity Management
Federated Identity Management
- Needed to leverage the enterprise identity management and SSO
- SAML is the leading standard
- Many cloud vendors are immature in adoption of federation standards
- With IaaS and PaaS, integration will have to be built
Identity Management
User Management
- Understand the cloud provider's capabilities
- Provisioning
- De-provisioning
Authentication
- Password controls
- Password strength
Authorization
- Usually proprietary
- Urge XACML-compliant entitlement