Cloud Security Challenges Today and Tomorrow
Post on 25-Feb-2016
Description: Cloud Security Challenges Today and Tomorrow. Name, Title, February 2011. Cloud: Dawn of a New Age. Cloud overhyped in the short run, underestimated in the long term. Compute becoming a utility. Changes everything: business models, venture capital, R&D, ... What is Cloud Computing? (PowerPoint PPT presentation, slides with speaker notes)
Cloud Security Alliance
Cloud Security Challenges Today and Tomorrow
Name, Title
February 2011

Cloud: Dawn of a New Age
- Cloud overhyped in the short run, underestimated in the long term
- Compute becoming a utility
- Changes everything: business models, venture capital, R&D, ...

www.cloudsecurityalliance.org | Copyright 2011 Cloud Security Alliance

Cloud computing is one of the most significant trends in the history of technology. It may be overhyped today, but it is likely underhyped in the future. Turning computing into a pay-as-you-go utility allows a user to align costs with usage, and this will cause all businesses to rethink how they invest in the development of new products. It is not about saving money as much as it is about being agile, and much, much faster.

What is Cloud Computing?
- Compute as a utility: third major era of computing
- Cloud enabled by: Moore's Law, hyperconnectivity, SOA, provider scale
- Key characteristics: elastic & on-demand, multi-tenancy, metered service

We think that cloud is the third generation of computing, after mainframes and client-server. It actually represents the maturation of the Internet. It is important to have a common definition of the cloud. CSA likes to point out the key enablers of cloud:
- Moore's Law makes raw MIPS and storage cheap
- Broadband connectivity provides flexibility to move data and applications to different locations
- SOA (Service Oriented Architecture) simplifies integrating multiple software applications
- Large Internet companies have developed economies of scale in dealing with hundreds of millions of users, which allows them to provide cloud services more economically than enterprises can

We use NIST's cloud definition as the standard. It is important to understand that there are many different types of clouds: SaaS, a full business application; PaaS, a rapid application development environment; IaaS, basic compute and storage. They can be deployed in different ways, but they are all characterized as resource pooling with elasticity, multi-tenancy and metered service.
2011-2014: the Hybrid Enterprise
(Diagram: enterprise boundary, public clouds, private clouds, Extended Virtual Data Center, cloud of users, notional organizational boundary)
- Dispersal of applications
- Dispersal of data
- Dispersal of users
- Dispersal of endpoint devices

For an enterprise, the reality is that it will use many different clouds, which must have some base level of interoperability. When you factor in the growth of mobile computing, you actually have a cloud of users, some of whom will never be in an office and will use their own personal devices for business. This has created the Hybrid Enterprise, where applications, data, users and devices are not within an organization's boundary or perimeter.
Cloud Forcing Key Issues
- Critical mass of separation between data owners and data processors
- Anonymity of geography of data centers & devices
- Anonymity of provider
- Transient provider relationships
- Physical controls must be replaced by virtual controls
- Identity management has a key role to play
- Cloud WILL drive change in the security status quo
- Reset button for the security ecosystem

This virtual, hybrid enterprise, and the nature of how cloud must operate to be efficient, is driving the need for new security controls and will eventually lead to a completely new information security industry. It is our chance to do things better.
Key Cloud Security Problems of Today
From CSA Top Threats research:
- Trust: lack of provider transparency, impacts Governance, Risk Management, Compliance
- Data: leakage, loss, or storage in unfriendly geography
- Insecure cloud software
- Malicious use of cloud services
- Account/service hijacking
- Malicious insiders
- Cloud-specific attacks

CSA did some research to understand what threats cloud computing brings. In these early days, the biggest issue is trusting your provider to have the transparency required to assure that your governance, risk and compliance requirements are being met.
Key Problems of Tomorrow
- Globally incompatible legislation and policy
- Non-standard private & public clouds
- Lack of continuous risk management & compliance monitoring
- Incomplete identity management implementations
- Haphazard response to security incidents

In the future, cloud computing will not be efficient and economical if we do not harmonize legislation, have globally recognized standards, and operate in real time.

About the Cloud Security Alliance
- Global, not-for-profit organization
- Over 17,000 individual members, 90 corporate members
- Building best practices and a trusted cloud ecosystem
- Agile philosophy, rapid development of applied research
- GRC: balance compliance with risk management
- Reference models: build using existing standards
- Identity: a key foundation of a functioning cloud economy
- Champion interoperability
- Advocacy of prudent public policy
Mission statement: To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

Helpful research from CSA
CSA Guidance Research
Popular best practices for securing cloud computing
- Guidance > 100k downloads: cloudsecurityalliance.org/guidance
- V2.1 released 12/2009; V3 target Q3 2011
- wiki.cloudsecurityalliance.org/guidance

Cloud Architecture

Governing the Cloud:
- Governance and Enterprise Risk Management
- Legal and Electronic Discovery
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability

Operating in the Cloud:
- Security, Bus. Cont., and Disaster Recovery
- Data Center Operations
- Incident Response, Notification, Remediation
- Application Security
- Encryption and Key Management
- Identity and Access Management
- Virtualization

The CSA Guidance is our flagship research; it provides a broad catalog of best practices. It contains 13 domains that address both broad governance and specific operational issues. This Guidance is used as the foundation for the other research projects, described in the following slides, that relate to compliance.

Sample Guidance - Governance
- Best opportunity to secure a cloud engagement is before procurement: contracts, SLAs, architecture
- Know the provider's third parties, BCM/DR, financial viability, employee vetting
- Identify data location when possible
- Plan for provider termination & return of assets
- Preserve the right to audit where possible
- Reinvest provider cost savings into due diligence

From a governance perspective, here are a few highlights from our Guidance document. Definitely read the entire document for the full picture.

Sample Guidance - Operating
- Encrypt data when possible; segregate key management from the cloud provider
- Adapt the secure software development lifecycle
- Understand the provider's patching, provisioning, protection
- Logging, data exfiltration, granular customer segregation
- Hardened VM images
- Assess provider IdM integration, e.g. SAML, OpenID

From an operational perspective, greater use of encryption, granular logging, VM hardening and federated IdM are key success factors you will find in the Guidance.
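The first "Operating" item above, encrypt data and keep key management away from the provider, is usually implemented as envelope encryption: each object is encrypted under its own data key, that data key is wrapped under a customer-held key-encryption key, and the provider stores only ciphertext plus the wrapped key. The Go program below is an added illustration written for this page, not CSA code and not taken from the Guidance; the provider is hypothetical, the object IDs and record text are constructed, and the KEK is generated in memory here where a real deployment would hold it in a customer-controlled HSM or KMS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the (hypothetical) cloud provider receives for one
// object: ciphertext, its nonce, and the per-object data key wrapped under the
// customer's key-encryption key. The KEK itself never leaves the customer.
type StoredObject struct {
	ObjectID   string
	Nonce      []byte
	Ciphertext []byte
	WrapNonce  []byte
	WrappedDEK []byte
}

// NewKey returns a random 256-bit AES key (used for both KEK and DEK here).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-256-GCM, binding aad (the object ID)
// so that a ciphertext or wrapped key cannot be silently moved to another object.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForProvider runs on the customer side: fresh DEK per object, data
// encrypted under the DEK, DEK wrapped under the KEK. Only the result is uploaded.
func EncryptForProvider(kek, plaintext []byte, objectID string) (*StoredObject, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &StoredObject{ObjectID: objectID, Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// DecryptFromProvider also runs on the customer side; without the KEK the
// provider (or anyone who copies its storage) cannot recover the DEK or the data.
func DecryptFromProvider(kek []byte, obj *StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK or tampered object")
	}
	return open(dek, obj.Nonce, obj.Ciphertext, []byte(obj.ObjectID))
}

// ProviderCanSeePlaintext is a check for the reader: does any field the provider
// stores contain the plaintext bytes? With envelope encryption it must not.
func ProviderCanSeePlaintext(obj *StoredObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.WrappedDEK, plaintext)
}

func main() {
	kek, _ := NewKey() // in practice: held in a customer-controlled HSM/KMS, never uploaded
	msg := []byte("constructed sample record: customer PII, not for the provider")
	obj, err := EncryptForProvider(kek, msg, "orders/2011/0042")
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFromProvider(kek, obj)
	fmt.Printf("provider sees plaintext: %v\nround trip ok: %v\n",
		ProviderCanSeePlaintext(obj, msg), err == nil && bytes.Equal(pt, msg))
}
```

The object ID is passed as GCM associated data on both layers, so a provider-side copy of one object's ciphertext and wrapped key under another object's name fails to decrypt; rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting the data.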
Cloud Controls Matrix Tool
- Controls derived from the Guidance
- Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
- Customer vs. provider role
- Mapped to ISO 27001, COBIT, PCI, HIPAA
- Helps bridge the cloud gap for IT & IT auditors

We have also developed a cloud-specific controls framework. It is mapped to existing frameworks, standards and regulations, so you can leverage your existing ISMS program to the greatest degree possible when securing the cloud.
Consensus Assessment Initiative
- Research tools and processes to perform shared assessments of cloud providers
- Lightweight common criteria concept
- Integrated with the Controls Matrix
- Ver 1 CAI Questionnaire released Oct 2010: approx. 140 provider questions to identify the presence of security controls or practices, used to assess cloud providers today

Based on the Controls Matrix, CAI provides a set of yes/no questions that can be used to perform cloud provider assessments, or can even be included in RFPs or contracts.
CloudAudit
- Open standard and API to automate provider audit assertions
- Change audit from data gathering to data analysis
- Necessary to provide audit & assurance at the scale demanded by cloud providers
- Uses the Cloud Controls Matrix as the controls namespace
- Use to instrument the cloud for continuous controls monitoring

CloudAudit is a CSA project to automate the process of making the security assertions that an auditor would evaluate. We think it is very important that in the future we enable continuous controls monitoring, to have a real-time GRC view. Annual certifications and audits will be insufficient for enterprises that make dynamic changes in their cloud usage.
CSA GRC Stack
- Suite of tools, best practices and enabling technology
- Consolidate industry research & simplify GRC in the cloud
- For cloud providers, enterprises, solution providers and audit/compliance
- Controls Framework, Questionnaire and Continuous Controls Monitoring Automation
- www.cloudsecurityalliance.org/grcstack
(Diagram: Control Requirements, Provider Assertions, Private & Public Clouds)

The previous three projects are integrated into a suite of tools you can use. Several key solution providers announced their support for these tools at the RSA 2011 conference, and a large number of enterprises already use these tools for cloud vendor management.
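The three pieces of the stack, controls framework, yes/no questionnaire answers and continuous monitoring, fit together as: the customer keeps a list of control requirements, the provider publishes timestamped yes/no assertions against the same control namespace, and an evaluator compares the two on a schedule rather than once a year. The Go program below is an added example of that comparison, written for this page; it is not CloudAudit, CAI or CCM code, and the control IDs, texts, dates and evidence paths are constructed placeholders rather than real CCM entries. The point it makes beyond the slide is that a stale or missing assertion is itself a finding, which is what separates continuous monitoring from an annual questionnaire.

```go
package main

import (
	"fmt"
	"time"
)

// ControlRequirement is one line from the customer's side: a control the
// provider must assert, and how fresh that assertion has to be to still count.
// IDs and texts are constructed placeholders, not real CCM identifiers.
type ControlRequirement struct {
	ID     string
	Text   string
	MaxAge time.Duration
}

// ProviderAssertion is a machine-readable yes/no answer from the provider,
// with a timestamp and a pointer to evidence an auditor could inspect.
type ProviderAssertion struct {
	ControlID   string
	Implemented bool
	AssertedAt  time.Time
	Evidence    string
}

type Status string

const (
	Pass    Status = "PASS"
	Fail    Status = "FAIL"
	Stale   Status = "STALE"
	Missing Status = "MISSING"
)

type Finding struct {
	ControlID string
	Status    Status
	Detail    string
}

// Evaluate compares requirements against the latest assertion per control as
// of 'now'. Silence from the provider (no assertion, or one older than MaxAge)
// is reported as a finding rather than assumed to be a pass.
func Evaluate(reqs []ControlRequirement, asserts []ProviderAssertion, now time.Time) []Finding {
	latest := map[string]ProviderAssertion{}
	for _, a := range asserts {
		if prev, ok := latest[a.ControlID]; !ok || a.AssertedAt.After(prev.AssertedAt) {
			latest[a.ControlID] = a
		}
	}
	findings := make([]Finding, 0, len(reqs))
	for _, r := range reqs {
		a, ok := latest[r.ID]
		switch {
		case !ok:
			findings = append(findings, Finding{r.ID, Missing, "no assertion published"})
		case now.Sub(a.AssertedAt) > r.MaxAge:
			findings = append(findings, Finding{r.ID, Stale,
				fmt.Sprintf("last asserted %s ago, max age %s", now.Sub(a.AssertedAt), r.MaxAge)})
		case !a.Implemented:
			findings = append(findings, Finding{r.ID, Fail, "provider asserts control not implemented; " + a.Evidence})
		default:
			findings = append(findings, Finding{r.ID, Pass, a.Evidence})
		}
	}
	return findings
}

// Summarize counts findings by status for a dashboard or an RFP scorecard.
func Summarize(findings []Finding) map[Status]int {
	counts := map[Status]int{}
	for _, f := range findings {
		counts[f.Status]++
	}
	return counts
}

// Constructed sample data so the example runs offline; Now is a fixed reference time.
var Now = time.Date(2011, 2, 14, 0, 0, 0, 0, time.UTC)

var SampleRequirements = []ControlRequirement{
	{"CTRL-ENC-01", "Customer data encrypted at rest, keys held outside the provider", 30 * 24 * time.Hour},
	{"CTRL-LOG-02", "Tenant-level audit logging available to the customer", 30 * 24 * time.Hour},
	{"CTRL-VM-03", "Hardened VM base images", 30 * 24 * time.Hour},
	{"CTRL-IDM-04", "SAML federation with the customer directory", 90 * 24 * time.Hour},
}

var SampleAssertions = []ProviderAssertion{
	{"CTRL-ENC-01", false, Now.Add(-60 * 24 * time.Hour), "evidence/enc-2010-q4.txt"}, // superseded below
	{"CTRL-ENC-01", true, Now.Add(-2 * 24 * time.Hour), "evidence/enc-2011-02.txt"},
	{"CTRL-LOG-02", false, Now.Add(-24 * time.Hour), "roadmap item, not yet available"},
	{"CTRL-VM-03", true, Now.Add(-45 * 24 * time.Hour), "evidence/vm-hardening.txt"}, // older than MaxAge
	// CTRL-IDM-04: the provider has published no assertion at all
}

func main() {
	findings := Evaluate(SampleRequirements, SampleAssertions, Now)
	for _, f := range findings {
		fmt.Printf("%-12s %-8s %s\n", f.ControlID, f.Status, f.Detail)
	}
	fmt.Println(Summarize(findings))
}
```

Run against the constructed data this reports one PASS (the newer ENC-01 assertion supersedes the older "no"), one FAIL, one STALE and one MISSING; a real deployment would replace the inline slices with assertions fetched from each provider and re-run the evaluation on every change to the enterprise's cloud usage.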
CCSK: Certificate of Cloud Security Knowledge
- Only user certification for cloud security
- Web-based test for competency in the CSA Guidance
- $295 USD price
- www.cloudsecurityalliance.org/certifyme
- Training courses under development

The CCSK was launched in September of 2010. All leading cloud providers and security companies have CCSK professionals on staff. Increasingly, enterprises are getting individuals trained to better understand the customer responsibilities in cloud. The test is based on the CSA Guidance, the ENISA guidance and some practical knowledge questions.
Trusted Cloud Initiative
- Comprehensive Cloud Security Reference Architecture
- Secure & interoperable identity in the cloud
- Getting SaaS, PaaS to be relying parties for corporate directories
- Scalable federation
- Outline responsibilities for Identity Providers
- Assemble reference architectures from existing standards
- Identity Mgt best practices whitepaper: http://www.cloudsecurityalliance.org/guidance/csaguide-dom12-v2.10.pdf

CSA is also developing a technical reference architecture for cloud security. We published a first draft at the RSA Conference 2011. It uses popular models and standards such as TOGAF, Jericho Forum, SAML, OpenID, etc. We previously published an extensive whitepaper of IdM best practices.
The need for the Security as a Service Initiative
- Information assurance challenged by disruptive trends (cloud, mobility, social networking, etc.)
- Cloud provides an opportunity to rethink security (economics, architecture, service delivery models, etc.)
- Fulfill the 2nd half of the mission statement: "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing."

Our goal is to define the information security of the future: what types of products and services will we see? We will also try to provide practical advice to safely adopt these services.

Security as a Service Scope
- Information security industry re-invented
- Define Security as a Service
- Articulate solution categories within Security as a Service
- Guidance for adoption of Security as a Service
- Align with other CSA research
- Develop deliverables as a proposed 14th domain within CSA Guidance version 3

We have accomplished a lot, but we have much yet to do. Do visit the website. Do join the LinkedIn Groups; you will receive regular email updates.
CloudSIRT
- Consensus research for emergency response in cloud
- Enhance the community's ability to respond to incidents
- Standardized processes
- Supplemental best practices for SIRTs
- Hosted community of cloud SIRTs
- www.cloudsecurityalliance.org/cloudsirt.html

Ask yourself: when a large enterprise in the future has critical systems in 20 different clouds, will those cloud providers have an efficient and collaborative response when the enterprise is attacked? CloudSIRT seeks the answer to that question.

Contact
Help us secure cloud: email@example.com
LinkedIn: www.linkedin.com/groups?gid=1864210
Twitter: @cloudsa
www.cloudsecurityalliance.org

Thank you!
www.cloudsecurityalliance.org