Cloud Security Challenges Today and Tomorrow


Posted on 25-Feb-2016


Cloud Security Alliance

Cloud Security Challenges Today and Tomorrow
Name
Title
February 2011

Cloud: Dawn of a New Age
- Cloud overhyped in the short run, underestimated in the long term
- Compute becoming a utility
- Changes everything: business models, venture capital, R&D, ...

www.cloudsecurityalliance.org | Copyright 2011 Cloud Security Alliance

Notes: Cloud computing is one of the most significant trends in the history of technology. It may be overhyped today, but it is likely underhyped for the future. Turning computing into a pay-as-you-go utility allows a user to align costs with usage, and this will cause all businesses to rethink how they invest in the development of new products. It is not about saving money as much as it is about being agile, and much, much faster.


What is Cloud Computing?
- Compute as a utility: third major era of computing
- Cloud enabled by:
  - Moore's Law
  - Hyperconnectivity
  - SOA
  - Provider scale
- Key characteristics:
  - Elastic & on-demand
  - Multi-tenancy
  - Metered service

Notes: We think that cloud is the third generation of computing, after mainframes and client/server. It actually represents the maturation of the Internet. It is important to have a common definition of the cloud. CSA likes to point out the key enablers of cloud:
- Moore's Law makes raw MIPS and storage cheap
- Broadband connectivity provides the flexibility to move data and applications to different locations
- SOA (Service Oriented Architecture) simplifies integrating multiple software applications
- Large Internet companies have developed economies of scale in dealing with hundreds of millions of users, which allows them to provide cloud services more economically than enterprises can

We use NIST's cloud definition as the standard. It is important to understand that there are many different types of clouds: SaaS, a full business application; PaaS, a rapid application development environment; IaaS, basic compute and storage. They can be deployed in different ways, but they are all characterized by resource pooling with elasticity, multi-tenancy and metered service.

2011-2014: the Hybrid Enterprise

[Diagram labels: enterprise boundary, public clouds, Extended Virtual Data Center, private clouds, cloud of users, notional organizational boundary]
- Dispersal of applications
- Dispersal of data
- Dispersal of users
- Dispersal of endpoint devices

Notes: For an enterprise, the reality is that they will use many different clouds, which must have some base level of interoperability. When you factor in the growth of mobile computing, you actually have a cloud of users, some of whom will never be in an office and will use their own personal devices for business use. This has created the Hybrid Enterprise, where applications, data, users and devices are not within an organization's boundary or perimeter.

Cloud Forcing Key Issues
- Critical mass of separation between data owners and data processors
- Anonymity of geography of data centers & devices
- Anonymity of provider
- Transient provider relationships
- Physical controls must be replaced by virtual controls
- Identity management has a key role to play
- Cloud WILL drive change in the security status quo
- Reset button for the security ecosystem

Notes: This virtual, hybrid enterprise, and the nature of how cloud must operate to be efficient, is driving the need for new security controls and will eventually lead to a completely new information security industry. It is our chance to do things better.

Key Cloud Security Problems of Today
From CSA Top Threats Research:
- Trust: lack of provider transparency, which impacts governance, risk management and compliance
- Data: leakage, loss, or storage in unfriendly geography
- Insecure cloud software
- Malicious use of cloud services
- Account/service hijacking
- Malicious insiders
- Cloud-specific attacks

Notes: CSA did some research to understand what threats cloud computing brings. In these early days, the biggest issue is trusting your provider to have the transparency required to assure that your governance, risk and compliance requirements are being met.

Key Problems of Tomorrow
- Globally incompatible legislation and policy
- Non-standard private & public clouds
- Lack of continuous risk management & compliance monitoring
- Incomplete identity management implementations
- Haphazard response to security incidents

Notes: In the future, cloud computing will not be efficient and economical if we do not harmonize legislation, have globally recognized standards, and operate in real time.

About the Cloud Security Alliance
- Global, not-for-profit organization
- Over 17,000 individual members, 90 corporate members
- Building best practices and a trusted cloud ecosystem
- Agile philosophy, rapid development of applied research
  - GRC: balance compliance with risk management
  - Reference models: build using existing standards
  - Identity: a key foundation of a functioning cloud economy
  - Champion interoperability
  - Advocacy of prudent public policy

Mission: To promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.

Helpful research from CSA

CSA Guidance Research
- Guidance > 100k downloads
- Popular best practices for securing cloud computing
- V2.1 released 12/2009
- V3 target Q3

Domains:
- Cloud Architecture
- Governing the Cloud:
  - and Enterprise Risk Management
  - Legal and Electronic Discovery
  - Compliance and Audit
  - Information Lifecycle Management
  - Portability and Interoperability
- Operating in the Cloud:
  - Security, Business Continuity, and Disaster Recovery
  - Data Center Operations
  - Incident Response, Notification, Remediation
  - Application Security
  - Encryption and Key Management
  - Identity and Access Management
  - Virtualization

Notes: The CSA Guidance is our flagship research and provides a broad catalog of best practices. It contains 13 domains that address both broad governance and specific operational issues. This Guidance is used as the foundation for the other, compliance-related research projects in the following slides.

Sample Guidance - Governance
- The best opportunity to secure a cloud engagement is before procurement: contracts, SLAs, architecture
- Know the provider's third parties, BCM/DR, financial viability, employee vetting
- Identify data location when possible
- Plan for provider termination & return of assets
- Preserve the right to audit where possible
- Reinvest provider cost savings into due diligence

Notes: From a governance perspective, here are a few highlights from our guidance document. Definitely read the entire document for the full picture.

Sample Guidance - Operating
- Encrypt data when possible; segregate key management from the cloud provider
- Adapt the secure software development lifecycle
- Understand the provider's patching, provisioning, protection
- Logging, data exfiltration, granular customer segregation
- Hardened VM images
- Assess provider IdM integration, e.g. SAML, OpenID

Notes: From an operational perspective, greater use of encryption, granular logging, VM hardening and federated IdM are key success factors you will find in the guidance.

Cloud Controls Matrix Tool
- Controls derived from guidance
- Rated as applicable to S-P-I (SaaS, PaaS, IaaS)
- Customer vs provider role
- Mapped to ISO 27001, COBIT, PCI, HIPAA
- Helps bridge the cloud gap for IT & IT auditors

Notes: We have also developed a cloud-specific controls framework. It is mapped to existing frameworks, standards and regulations, so you can leverage your existing ISMS program to the greatest degree possible when securing the cloud.

Consensus Assessment Initiative
- Research tools and processes to perform shared assessments of cloud providers
- Lightweight common criteria concept
- Integrated with the Controls Matrix
- Ver 1 CAI Questionnaire released Oct 2010: approx. 140 provider questions to identify the presence of security controls or practices; use it to assess cloud providers today

Notes: Based on the Controls Matrix, CAI provides a set of yes/no questions which can be used to perform cloud provider assessments, or can even be included in RFPs or contracts.

CloudAudit
- Open standard and API to automate provider audit assertions
- Change audit from data gathering to data analysis
- Necessary to provide audit & assurance at the scale demanded by cloud providers
- Uses the Cloud Controls Matrix as the controls namespace
- Use it to instrument the cloud for continuous controls monitoring

Notes: CloudAudit is a CSA project to automate the process of making security assertions that an auditor would evaluate. We think that in the future it is very important that we enable continuous controls monitoring in order to have a real-time GRC view. Annual certifications and audits will be insufficient for enterprises that make dynamic changes in their cloud usage.

CSA GRC Stack
- Suite of tools, best practices and enabling technology
- Consolidate industry research & simplify GRC in the cloud
- For cloud providers, enterprises, solution providers and audit/compliance
- Controls Framework, Questionnaire and Continuous Controls Monitoring

[Diagram labels: Control Requirements, Provider Assertions, Private & Public]