nephos technologies - extending security to the cloud - cloud expo 2013

Extending Security To The Cloud, 30th January 2013, Cloud Expo Europe. Lee Biggenden, Nephos Technologies (Cloud Services Broker).

Upload: leebiggenden

Post on 11-Nov-2014





DESCRIPTION

This presentation was given by Lee Biggenden at Cloud Expo 2013 in London, discussing what you should look for in a Cloud Services Provider and what you need to consider as part of your security model when you migrate to the Cloud. You can get more information from us by emailing [email protected], and don't forget to follow us on Twitter @NephosTech.

TRANSCRIPT

Page 1: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

Extending Security To The Cloud
30th January 2013, Cloud Expo Europe
Lee Biggenden

NEPHOS TECHNOLOGIES, Cloud Services Broker

Page 2: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

EXTENDING SECURITY TO THE CLOUD

1. Realistic Expectations
2. Identifying Risks
3. Considerations & Steps To Take
4. Where Can We Get Some Help?
5. Q & A

02/01/2013 Nephos Technologies Ltd.

Page 3: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

WHAT SHOULD YOU EXPECT FROM YOUR CSP?

EXPECT (+):

1. To Be Given Information: Your CSP should share information on their accreditations, geographies and security measures
2. Blurred Boundaries: The "network perimeter" is blurred in the Cloud, so be prepared for it
3. A Different Approach to Security: For example, typically CSPs won't provide security measures like Firewalls as standard
4. To Have To Do Your Homework! You need to research your providers, and to understand the impact of one over another

DON'T EXPECT YOUR CSP (-):

1. Image Validation: Typically CSPs will not validate server images; the responsibility will be on you
2. Perimeter Security or Tiered Security: CSPs don't normally provide a perimeter Firewall, or services like IPS, as standard
3. Dedicated Infrastructure: Typically dedicated Cloud services are not the standard, but they are available at extra cost
4. The CSP To Take Ownership: Public CSPs typically don't offer complex solutions. YOUR DATA IS YOUR RESPONSIBILITY!

JUST BECAUSE THEY DON'T PROVIDE IT DIRECTLY DOESN'T MEAN IT'S NOT POSSIBLE!

Page 4: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

CLOUD: WHERE ARE THE POTENTIAL RISKS?

• Unknown risk
  – What standards do your providers follow (if any)?

• Abuse & nefarious use of Cloud services
  – Consumable in nature
  – Weak validation of user credentials

• Insecure interfaces, APIs & open perimeters
  – Important application layer control point between systems
  – Lack of perimeter security = open target for professional hackers

• Multitenancy and shared technology
  – Understand shared infrastructure and the potential risk
  – Limited isolation methods as standard

• Data loss and leakage
  – Who has access to what data, and where is it?
  – Malicious corruption of data

• Account or service hijacking
  – Data access to account information
  – Weak portal authentication

(Diagram on the slide spans Pre-Deployment to Post-Deployment.)

Page 5: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

WHAT QUESTIONS SHOULD YOU ASK OF CSPS AND YOURSELF?

Ask Yourself:

1. Why are we moving?
2. Who does have access?
3. Who should have access?
4. Data sovereignty?
5. Regulatory compliance?
6. What's the application flow?

Ask Your CSP:

1. Accreditations?
2. Customer segregation?
3. Perimeter security?
4. Known partners?
5. Monitoring/audit capabilities?
6. Failover scenarios?

Page 6: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

INCLUDE SECURITY AS PART OF YOUR PLANNING PROCESS (EARLY)

PLANNING

1. Identify
   • Business Priorities
   • Workloads
   • Regulatory Requirements

2. Evaluate
   • Sensitivity of assets
   • Provider services

3. Map
   • Security workload to Cloud delivery model
   • Data flow between tiers

4. Analyse
   • Dataflows, security and delivery models against requirements
   • Gap analysis

5. Investigate
   • User behaviours and access requirements
   • Data classification requirements

Page 7: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

WHAT SECURITY STEPS SHOULD YOU CONSIDER?

• Physical & Operating System
  – Build trusted compute pools & create secure connections
  – Enable service and security monitoring / auditing
  – Patch management process needs to be applied

• Data
  – Classify your data (and what risks you can afford to take with it)
  – Move your security closer to your data
  – Encrypt your data – in motion and at rest
  – Compliance and regulatory requirements

• Users
  – Create strong access policy – you still need to control data access
  – Understand the access risks and the devices that you're exposing to your data
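The Data and Users steps on this slide (classify your data, encrypt it in motion and at rest, control data access, and account for the devices exposed to it) can be combined into one policy check that says why a request is refused. The block below is an added example written for this transcript; it is not code from Nephos Technologies or from the presentation. The classification levels, role names, asset names and request attributes are all assumptions chosen to illustrate the idea.

```python
"""Classification-driven access policy check.

Added example, not part of the Nephos deck. It ties the slide's points
together: data carries a classification, and the stronger controls
(encryption at rest, encrypted transport, managed device, MFA) are
required as the classification rises. Every failed control is reported,
so an audit log explains exactly which requirement was not met.
"""
from dataclasses import dataclass

# Ordered classification scheme (assumed); higher index = more sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]


def level(name: str) -> int:
    """Numeric rank of a classification label, raising on unknown labels."""
    return LEVELS.index(name)


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: str
    encrypted_at_rest: bool
    allowed_roles: frozenset  # use {"*"} to allow any role


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    device_managed: bool      # device under your management / posture check
    transport_encrypted: bool  # e.g. TLS or an encrypted network extension
    mfa: bool                  # strong authentication completed


def evaluate(asset: DataAsset, req: AccessRequest):
    """Return ("allow", []) or ("deny", [reason, ...]) for one request.

    Thresholds are assumptions for the example; a real policy would come
    from the data classification and regulatory requirements you mapped
    during planning.
    """
    reasons = []
    sens = level(asset.classification)

    # Role-based access applies at every level ("you still need to control data access").
    if "*" not in asset.allowed_roles and req.role not in asset.allowed_roles:
        reasons.append(f"role '{req.role}' not permitted for {asset.name}")

    # Confidential and above must be encrypted at rest.
    if sens >= level("confidential") and not asset.encrypted_at_rest:
        reasons.append("asset not encrypted at rest")

    # Anything above public must travel over an encrypted transport.
    if sens >= level("internal") and not req.transport_encrypted:
        reasons.append("transport not encrypted")

    # Unmanaged devices may not reach confidential data ("devices you're exposing to your data").
    if sens >= level("confidential") and not req.device_managed:
        reasons.append("unmanaged device may not access confidential data")

    # The most sensitive class additionally requires MFA.
    if sens >= level("restricted") and not req.mfa:
        reasons.append("MFA required for restricted data")

    return ("allow" if not reasons else "deny", reasons)


if __name__ == "__main__":
    # Constructed sample assets and requests for a local run.
    cardholder_db = DataAsset("cardholder-db", "restricted", True, frozenset({"payments"}))
    ok = AccessRequest("alice", "payments", True, True, True)
    bad = AccessRequest("bob", "payments", False, True, False)
    for request in (ok, bad):
        decision, why = evaluate(cardholder_db, request)
        print(request.user, decision, "; ".join(why))
```

Running the block prints `alice allow` and then `bob deny` with two reasons (unmanaged device and missing MFA). The design point is that the decision is derived from the asset's classification rather than from the network location of the caller, which is what "move your security closer to your data" means once the network perimeter is blurred.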

Page 8: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

WHO CAN OFFER INDEPENDENT ADVICE?

Independent Advice and Service Is a Must When You Choose to Deploy…

Cloud Security Alliance: Independent consortium that identifies and promotes the use of cloud security assurance best practices.

DMTF: Working on cloud infrastructure management interface specifications to improve management interoperability.

ODCA: Independent consortium of global IT leaders from over 300 companies working on a unified customer vision for deployments.

TCG: Independent consortium developing, defining, and promoting open, vendor-neutral industry standards for interoperable trusted computing platforms.

Cloud Industry Forum: Established to provide transparency through certification to a Code of Practice and to assist end users in gaining access to core information.

Cloud Brokers / Aggregators: Independent advisors for Cloud, providing advice and value-added services.

Page 9: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

THE CLOUD SERVICES BROKER MODEL

Page 10: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

HOW DO NEPHOS TECHNOLOGIES DELIVER SERVICE?

Strategy & Planning
• The right provider
• The right services
• The business opportunity
• How do you measure success
• The business case

Architectural Design
• Public, Private or Hybrid
• Security considerations
• Performance certainty
• Architect for the Cloud, not the DC

Cloud Migration
• P-to-V, V-to-C
• Application/Data Migration
• Testing
• Project Management
• Service Transition Management

Support & Management
• SLA management
• Service restoration
• Managed service
• Infrastructure monitoring
• Capacity planning
• Cost certainty

CLOUD FUNDAMENTALS

Page 11: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

CUSTOMER USE CASE: UK BASED B2B RETAILER

• 1,500 users across 8 European datacenter locations
• Circa $1bn turnover 2012 (Europe)
• Under UK, European and US regulations (SOX, PCI DSS)

SCENARIO

• Initial feasibility work
• Benefits of Cloud identified
• Inconsistent European delivery of service
• Develop a strategy/solution to enable a PCI DSS compliant migration to a Hybrid Cloud environment

PROBLEM

• Weak and antiquated security mechanisms
• No consistent security models across Europe
• Not currently meeting PCI DSS requirements
• No Cloud experience in-house
• Limited security expertise in-house
• Tight timescales (< 6 months)

SOLUTION

Phase 1:
• Engaged QSA
• Gap analysis of existing infrastructure vs. requirements
• Identified Cloud provider
• Identified gaps and overlay technologies

Phase 2:
• Solution deployment
• SA and OHO

Encrypted network extension to public Cloud, data encryption, NGFW, key management, AAA, a compliant provider

Page 12: Nephos Technologies - Extending Security to the Cloud - Cloud Expo 2013

THANK YOU!

LinkedIn: http://linkd.in/TKYmyR
Twitter: @NephosTech / @LeeBiggenden
Online: www.nephostechnologies.com
Email: [email protected]

WE'RE ALSO AVAILABLE AT STAND 719