cloud security and privacy
Post on 12-May-2015
Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance
Tim Mather
Subra Kumaraswamy, Sun
Shahed Latif, KPMG
© 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
What We Do Not Discuss
• Existing aspects of information security which are not impacted by ‘cloud computing’
• Consumer aspects of cloud computing
What We Do Discuss
• Infrastructure Security
  • Network-level
  • Host-level
  • Application-level
• Data Security
• Identity and Access Management (IAM)
• Privacy Considerations
• Audit & Compliance Considerations
• Security-as-a-[Cloud] Service (SaaS)
• Impact on the Role of Corporate IT
Where Risk Has Changed: ±
Components of Information Security
Information Security – Infrastructure
Network-level
Host-level
Application-level
Information Security – Data
Encryption (transit, rest, processing), lineage, provenance, remanence
Security Management Services
Management – ACL, hygiene, patching, VA, incident response
Identity services – AAA, federation, provisioning
Cloud Computing: Evolution
Cloud Pyramid of Flexibility
Infrastructure Security – currently
• Trust boundaries have moved
  • Specifically, customers are unsure where those trust boundaries have moved to
• Established model of network tiers or zones no longer exists
• Domain model does not fully replicate previous model
• No viable, scalable model for host-to-host trust
• Data labeling / tagging required at application-level
• Data separation is logical not physical
Infrastructure Security – going forward
• Need for greater transparency regarding which party (CSP or customer) provides which security capability
• Inter-relationships between systems, services, and people need to be addressed by identity management
Data Security – currently
• Provider’s data collection efforts and monitoring of such (e.g., IPS, NBA)
• Use of encryption
  • Point-to-multipoint data-in-transit an issue
  • Data-at-rest possibly not encrypted
  • Data being processed definitely not encrypted
  • Key management is a significant issue
  • Advocated alternative methods (e.g., obfuscation, redaction, truncation) are nonsense
• Data lineage
• Data provenance
• Data remanence
Data Security – going forward
• Large-scale multi-entity key management
  • Must scale past multi-enterprise to inter-cloud
  • Not just hundreds of thousands of systems or even millions of virtual machine images, but billions of files or objects
  • Must not only handle key management lifecycle (per NIST SP 800-57, Recommendation for Key Management), but also
    • Key recovery
    • Key archiving
    • Key hierarchies / chaining for legal entities
• Fully homomorphic encryption
  • Potentially huge boon to cloud computing
  • Will increase need for better key management
IAM – currently
• Generally speaking, poor situation today:
  • Federated identity widely not available
  • Strong authentication available only through delegation
  • Provisioning of user access is proprietary to provider
  • User profiles are limited to “administrator” and “user”
  • Privilege management is coarse, not granular
IAM – going forward
• Emerging identity-as-a-service (IDaaS) needs to evolve beyond authentication
• SAML, SPML and XACML (especially) need to be more fully leveraged
• Increasing need for user-to-service and service-to-service authentication and authorization (OAuth)
Privacy – currently
• Transborder data issues may be exacerbated
  • Specifically, where are cloud computing activities occurring?
• Data governance is weak
• Encryption is not pervasive
• Data remanence receives inadequate attention
• CSPs absolve themselves of privacy concerns: ‘We don’t look at your data’
Privacy – going forward
• Privacy laws are inconsistent across jurisdictions; need global standard
• Need specific requirements for auditing (e.g., AICPA/CICA Generally Accepted Privacy Principles – GAPP)
Audit & Compliance – currently
• Effectiveness of current audit frameworks questionable (e.g., SAS 70 Type II)
• CSP users need to define:
  • their control requirements
  • understand their CSP’s internal control monitoring processes
  • analyze relevant external audit reports
• Issue is assurance of compliance
Audit & Compliance – going forward
• Inter-cloud (i.e., cross-CSP) solutions will demand unified compliance framework
• Volume, multi-tenancy of cloud computing, demand that CSP compliance programs be more real-time and have greater coverage than most traditional compliance programs
Security-as-a-Service – currently
• Some offerings mature
  • E-mail filtering, archiving
  • Web content filtering
• Some offerings still emerging
  • (E-mail) eDiscovery
  • Identity-as-a-Service (IDaaS)
  • Encryption, key management
• Today’s security-as-a-service providers sell to CSP customers, not CSPs
• None of today’s CSPs offer security-as-a-service as integrated offering
Security-as-a-Service – going forward
• Horizontal integration
  • Pure play SaaS providers will broaden offerings beyond e-mail + Web content filtering
• Vertical integration
  • CSPs will offer SaaS as integrated offering
• IDaaS has to scale effectively for cloud computing to truly take off
• Complexity of key management screams for SaaS offering
Impact on Role of Corporate IT – currently
• Governance issue as internal IT becomes “consultants” and business analysts to business units
• Delineation of responsibilities between providers and customers much more nebulous than between customers and outsourcers, collocation facilities, or ASPs
• Cloud computing likely to involve much more direct business unit interaction with CSPs than with other providers previously
Impact on Role of Corporate IT – going forward
• Relationship between business units and corporate IT departments vis-à-vis CSPs will shift greater power to business units from IT
• Number of functions performed today by corporate IT departments will shift to CSPs, along with corresponding job positions
• Functions performed by corporate IT departments will shift from those who do (i.e., practitioners who build or operate) to those who define and manage
• IT itself will become more of a commodity as practices and skills are standardized and automated
Conclusions
• Part of customers’ infrastructure security moves beyond their control
• Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than customers’ expectations
• Data security becomes significantly more important – yet provider capabilities are inadequate (except for simple storage which can be encrypted, and processing of non-sensitive (unregulated and unclassified) data)
Conclusions (continued)
• IAM is less than adequate for enterprises – weak authentication unless delegated back to customers or federated, weak authorization, proprietary provisioning
• Because of above, expect significant business unit pressure to desensitize or anonymize data; expect this to become a chokepoint
  • No established standards for obfuscation, redaction, or truncation
What’s Good about the Cloud?
• A lot! Both for enterprises and SMBs – for handling of non-sensitive (unregulated and unclassified) data
• Cost
• Flexibility
• Scalability
• Speed
Developments to Watch
• VMware’s vCloud API − submitted to DMTF
• Amazon’s Virtual Private Cloud − hybrid cloud that extends private cloud through “cloud bursting”
• Security-as-a-Service offered by CSPs (e.g., Amazon’s Multi-Factor Authentication)
• Cloud Security Alliance v2 white paper
• Slow transparency and assurance from CSP (e.g., ISO 27002-based assurance)
• IT governance framework that blends ITIL, ISO 27002, CObIT
Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance
Continue the discussion on-line at: cloudsecurityandprivacy.com