Cloud Security Alliance Q2-2012 Atlanta Meeting
Cloud Computing, Virtualization & Data Security (and the Occasional Intersection of the Three)

Virtualization, Cloud & Data Security
and the occasional intersection of the three
Friday, April 6, 2012

@taylorbanks
Hi, I’m Taylor.
‣ I’m a control freak.
‣ I do #security. I advocate for #privacy.
‣ I build virtual datacenters and cloud infrastructure.
‣ I keep my data in the cloud.

Copyright © 2010 by L. Taylor Banks
"Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties."
From the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing
Wednesday, March 10, 2010

*These statements have not been evaluated by the CSA. This presentation is not designed to diagnose, prevent, treat or cure any cloud security problems or conditions.

CloudSec

1. Fundamentals: Cloud security doesn’t happen in a vacuum
2. Secure Virtualization: Unique architectures present unique challenges
3. Data in the Cloud: Public or private, understanding your data is the key to securing it

Cloud May Magnify Risk
Simply put, if you’re not securing your data effectively before moving it into the cloud, you’re in for a rude awakening when you do.

I hate to disappoint you, really I do. But most of what I’m about to tell you, you should already know.

Access Control
A mechanism which enables an authority to control access to data in a given information system

AAA: Authentication, Authorization, Accounting

RBAC
Hello, my name is:

Data Considerations
• Data classification vs. data sensitivity
• Data at rest vs. data in motion
• On-premise vs. off-premise

Categorization vs. Sensitivity
Classification has become synonymous with ‘censored for,’ arguably to the detriment of effective categorization.
Classification (Categorization)
Classification (Sensitivity)
The purpose of classification is to protect information from being used to damage or endanger organizational security.
Simply possessing a clearance should not automatically authorize an individual to view all data classified at or below that level.
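As an added example (not from the deck), a Go authorization check in which clearance is necessary but not sufficient: a read is permitted only when a role grants it (RBAC, from the earlier slide), the clearance meets the object's sensitivity, and the subject has need-to-know for every category on the object, with the decision reason returned for accounting. The level names, roles, categories and file name are constructed for the example.

```go
package main

import "fmt"

// Level is an ordered sensitivity scale (constructed for this example).
type Level int
const (
	Public Level = iota
	Internal
	Confidential
	Restricted
)
// Subject is what authentication establishes about a caller: identity, roles,
// clearance, and the categories (compartments) it has a need to know.
type Subject struct {
	ID         string
	Roles      map[string]bool
	Clearance  Level
	Categories map[string]bool
}
// Object is a labelled data item: sensitivity, categories, permitted reader roles.
type Object struct {
	Name        string
	Sensitivity Level
	Categories  []string
	ReadRoles   []string
}
// Authorize permits a read only when a permitted role (RBAC), sufficient
// clearance (sensitivity) and need-to-know for every category all hold.
// The reason string is what the accounting (audit) record should carry.
func Authorize(s Subject, o Object) (bool, string) {
	permitted := false
	for _, r := range o.ReadRoles {
		permitted = permitted || s.Roles[r]
	}
	if !permitted {
		return false, "deny: no role grants read on " + o.Name
	}
	if s.Clearance < o.Sensitivity {
		return false, "deny: clearance below sensitivity of " + o.Name
	}
	for _, c := range o.Categories { // cleared high enough is not authorized
		if !s.Categories[c] {
			return false, "deny: no need-to-know for category " + c
		}
	}
	return true, "permit: " + s.ID + " read " + o.Name
}

func main() {
	// Constructed subject: cleared to the top level, but no HR need-to-know.
	alice := Subject{ID: "alice", Roles: map[string]bool{"analyst": true}, Clearance: Restricted, Categories: map[string]bool{"finance": true}}
	hr := Object{Name: "salaries.xlsx", Sensitivity: Confidential, Categories: []string{"hr"}, ReadRoles: []string{"analyst"}}
	fmt.Println(Authorize(alice, hr)) // false deny: no need-to-know for category hr
}
```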

From “Understanding Data Classification Based on Business and Security Requirements” by Rafael Etges, CISA, CISSP, and Karen McNeil, ISACA Journal Online

Data Classification Example Properties
‣ Relative importance
‣ Frequency of use
‣ Topical content
‣ File type
‣ Operating platform
‣ Average file size
‣ MAC times
‣ Departmental ownership

RTO-based Classification Example
Data by Fred G. Moore of Horison Information Strategies

| Attributes   | Mission-Critical | Vital   | Sensitive | Non-Critical |
|--------------|------------------|---------|-----------|--------------|
| RTO          | Immediate        | Seconds | Minutes   | Hours, days  |
| Availability | 99.999+          | 99.99   | 99.9      | <99          |
| Retention    | Hours            | Days    | Years     | Infinite     |

Data at Rest vs. Data in Motion
Both important yet distinct considerations
Data at Rest: “On the Internet, communications security is much less important than the security of the endpoints.” - Bruce Schneier
Data in Motion: However, anyone can read what’s going across the wire when it is sent unencrypted.

CA Office of HIPAA Implementation
Requires encryption to protect any data containing electronic protected health information (EPHI).
‣ DATA AT REST
• Data at rest should be protected by one of the following:
- Encryption, or
- Firewalls with strict access controls that authenticate the identity of those individuals accessing _____ [system/data].
• The use of password protection instead of encryption is not an acceptable alternative to protecting EPHI.
• Systems that store or transmit personal information must have proper security protection, such as antivirus software, with unneeded services or ports turned off and subject to needed applications being properly configured.

CA Office of HIPAA Implementation
‣ TRANSMISSION SECURITY
• All emails with EPHI transmitted outside of State (or county) departments’ networks must be encrypted.
• Any EPHI transmitted through a public network to and from vendors, customers, or entities doing business with ___ [name of the org in the State of California, or a county] must be encrypted or be transmitted through an encrypted tunnel. EPHI must be transmitted through a tunnel encrypted with ___ [specify type of encryption to be used, such as virtual private networks (VPN) or point-to-point tunnel protocols (PPTP) like Secure Shells (SSH) and secure socket layers (SSL)].
• Transmitting EPHI through the use of web email programs is not allowed.
• Using chat programs or peer-to-peer file sharing programs is not allowed.
• Wireless (Wi-fi) transmissions must be encrypted using ___.

On-premise vs. Off-premise
New trust models will likely have a direct impact on the effectiveness of pre-existing security policies.
On-premise: You need only trust those vetted, hired and managed by your organization, and according to your own security policies.
Off-premise: Trust model now includes external entities, plus potential additional considerations around governance, regulations and compliance.

1. Fundamentals: Cloud security doesn’t happen in a vacuum
2. Secure Virtualization: Unique architectures present unique challenges
3. Data in the Cloud: Public or private, understanding your data is the key to securing it

Virtualization is ...a broad term with many uses
‣ Abstraction of the characteristics of physical compute resources from systems, users, applications
‣ Typically, one of:
• Resource (virtual memory, RAID, SAN)
• Platform (virtual machines, instances)

VirtSec
‣ Security of virtual infrastructure and the virtual machines running therein.
‣ While many security considerations are the same within physical and virtual, ...
‣ Virtualization does introduce unique architectures & a few unique challenges

Unique Challenges, you say?
‣ VMs are highly-mobile & often short-lived
‣ VM sprawl vs. VM stall
‣ Most orgs have poor change control & patch management systems for virtual
‣ Introspection mechanisms available, but not widely deployed

1. Compute resources
2. Network resources
3. Storage resources
4. Hypervisor
5. Virtual machines
6. Management console
7. Networking layer
8. Administrators

Simpler is Better
• Keep It Simple, Stupid (KISS)
• Make Your Architecture Simpler to Secure! (MYASS)
• More moving pieces means more time, effort and money required to implement security completely and effectively
• Don’t let the capabilities of your platform fool you into believing you need all of them

Secure Your Resources
• Your virtual infrastructure is only as secure as the resources that comprise it!
• Securing your compute, network and storage infrastructure is as important as securing the hypervisor and guests

The Malignant OS
• Needs to be hardened / secured just like on physical machines
• Principles of minimization will lead to smaller, faster, more secure VMs

Guest OS Hardening
• Consider automated assessment tools, checklists and/or hardening scripts
• nmap, Nessus, Metasploit, CANVAS
• “15 Steps to Hardening WS2003”
• Microsoft Baseline Security Analyzer
• Bastille Linux

VM Introspection
Inspecting a virtual machine from the outside (typically by way of the hypervisor) for the purpose of analyzing [its behavior]
‣ Introspective firewalling
‣ Introspective malware detection
‣ Introspective DLP
‣ Traditionally, distinct products
• Catbird, HyTrust, Juniper, Reflex Systems, Trend Micro, VMware, etc.

1. Fundamentals: Cloud security doesn’t happen in a vacuum
2. Secure Virtualization: Unique architectures present unique challenges
3. Data in the Cloud: Public or private, understanding your data is the key to securing it

What is “Cloud Security?”
Without context, cloud security is undefined.
‣ Network security?
‣ Virtualization security?
‣ Application security?
‣ Governance, Risk & Compliance?
‣ YesPls!
• Depends on service and deployment models
• Determined mostly by your DATA!

4 8 15 16 23 42
• Five characteristics
• On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service
• Three service models
• SaaS, PaaS, IaaS
• Four deployment models
• Public, Community, Private, Hybrid

Private IaaS? Public IaaS? It matters!
In public IaaS, the likelihood of having control over virtual infrastructure comprising ‘your cloud’ is slim.

Cloud Security Fundamentals
‣ See: K.I.S.S. M.Y.A.S.S.
‣ Classify your data; consider trust models
‣ Understanding what your org means by ‘cloud’ is key to securing data in the cloud:
• 5 characteristics
• 3 service models
• 4 deployment models

Cloud Security Risks
From CSA’s Top Threats to Cloud Computing v1.0
‣ Abuse and Nefarious Use of Cloud Computing
‣ Insecure Interfaces and APIs
‣ Malicious Insiders
‣ Shared Technology Issues
‣ Data Loss or Leakage
‣ Account or Service Hijacking
‣ Unknown Risk Profile

Mitigation
• Encrypt locally before storing in the cloud
• Ensure external key storage and management
• Keep private data out of cloud
• Build protection mechanisms directly into your resources in the cloud
• Host private cloud

Cloud Security Fundamentals
‣ Network, infrastructure, virtual and application security are no less important than before
‣ Compliance is important, but useless taken out of context (SAS 70 Type II, but with which controls?)
‣ Compliance doesn’t fully address governance, residency or access

Understand your Data
How will your data be used, accessed and modified? How and when will it be removed? By whom?

Avoiding the Data Tornado
(...in which your data is a vortex of bits across multiple jurisdictions, tossing data around like a doublewide.)
‣ Deep knowledge of your data
‣ Data flow and threat modeling
‣ AAA, IAM & RBAC FTW
‣ Effective security policies
‣ Tested security procedures
‣ Proven security controls

Required Reading
‣ CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing
‣ ENISA’s Cloud Computing: Benefits, Risks and Recommendations for Information Security
‣ CSA’s Cloud Controls Matrix
‣ ENISA’s Procure Secure: A guide to monitoring of security service levels in cloud contracts
‣ NIST SP 800-145 Definition of Cloud Computing and 800-137 on Information Security Continuous Monitoring

http://www.linkedin.com/in/taylorbanks
Taylor @ Cloud in 48.com