cloud security and security architecture
DESCRIPTION
Presentation that I gave at the ISC2 SecureLondon conference in London on 11th December 2012.
TRANSCRIPT
Security architecture and Cloud computing, are these mutually exclusive?
(Introduction to Cloud Security Guidance)
Vladimir Jirasek, Director of Research, CSA UK
11 December 2012
https://cloudsecurityalliance.org.uk Copyright © 2012 Cloud Security Alliance
Agenda
• Cloud risk assessment compared to traditional risk assessments
• Cloud security architectures compared to security architectures
• CSA domains
Cloud risk assessment
Cloud-specific steps:
• Identify assets
• Evaluate assets
• Map to Cloud deployment models
• Evaluate Cloud models and Providers
• Map the data flows
Risk management process phases:
• Context establishment
• Risk assessment
• Risk treatment
• Risk communication
Cloud model
Deployment models: Public, Private, Hybrid, Community
Service models:
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Essential characteristics:
• Broad network access
• Rapid elasticity
• Measured service
• On-demand service
• Resource pooling
Cloud computing deployment models
Deployment model | Infrastructure managed by | Infrastructure owned by | Infrastructure located | Accessible and consumed by
Public | Third party provider | Third party provider | Off-premise | Untrusted
Private/Community | Organisation or 3rd party provider | Organisation or 3rd party provider | On-premise or Off-premise | Trusted
Hybrid | Both Organisation & Third party provider | Both Organisation & Third party provider | Both On-Premise & Off-Premise | Trusted & Untrusted
Cloud model maps to Security model
The Cloud model maps directly onto the areas of the security model:
• Physical security
• Network security
• Host security
• Application security
• Data security
• SIEM
• Identity, Access
• Cryptography
• Business continuity
• GRC
Responsibilities for areas in security model compared to delivery models
Security model areas (matrix rows):
• Physical security
• Network security
• Host security
• Application security
• Data security
• SIEM
• Identity, Access
• Cryptography
• Business continuity
• GRC
Matrix columns: Provider responsible (IaaS, PaaS, SaaS) and Customer responsible (IaaS, PaaS, SaaS)
Cloud Security Domains
Governance:
• Governance and Enterprise Risk Management
• Legal Issues: Contracts and Electronic Discovery
• Compliance and Audit
• Information Management and Data Security
• Portability and Interoperability
Operational:
• Traditional Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification and Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization
• Security as a Service
Cloud Security Alliance supports a number of projects related to cloud
Get involved at https://cloudsecurityalliance.org/research/
How to manage cloud security
• Have a cloud security standard
  • What to do on an Enterprise level
  • Before your Cloud project
  • During your Cloud project
  • BAU
  • Exit from the Cloud provider
• Risks cannot be outsourced
• Manage lock-in and exit up-front – especially in SaaS
How to drive out the 'seven deadly sins' of cloud computing - new Information Security Forum report
Contact
Help us secure cloud computing – Get involved
• http://cloudsecurityalliance.org.uk
• LinkedIn: http://www.linkedin.com/groups/Cloud-Security-Alliance-UK-Chapter-3745837
• Twitter: @CSAUKResearch