Cloud security strategy: understanding and evaluating the real risks in the cloud
Lee Newcombe ([email protected]), Infrastructure Services, November 2012
2 Copyright © Capgemini 2012. All Rights Reserved
12th Cloud Circle Forum
Session Agenda
- Introduction (5 minutes)
- Presentation (15 minutes): "Securing Cloud Services"
- Facilitated Round Table Discussions (20 minutes):
  - What are the genuine security issues that hold back Cloud adoption?
  - Are services in the cloud less secure than those on-premise?
  - How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
  - What is the best way to manage security in a world of self-service IT, mobile devices and social media?
- Sharing of outcomes from Discussions (20 minutes)
Agenda
- Introduction
- Establishing a common point of view
- Cloud Threats – who may attack your services?
- Cloud Risks. And Benefits?
- An approach to secure adoption of cloud services
- Conclusions
The questions you asked…
- What are the genuine security issues that hold back Cloud adoption?
- Where do the main security threats come from and where should you focus your attention?
- Are services in the cloud less secure than those on-premise?
- How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
- Eliminating the human security risk: educating your workforce
- What is the best way to manage security in a world of self-service IT, mobile devices and social media?
- How do emerging social business technologies complicate security strategies?
Cloud Computing – NIST
Cloud Computing: "…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction…"
Essential Characteristics of Cloud Computing:
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity; and
- Measured service.
Source: csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Service Models
NIST Deployment Models and Jericho Cloud Cube

| Model | Strengths | Weaknesses |
|---|---|---|
| Public | Agile, cost-effective, "illusion of infinite resource" | Multi-tenant; data residency; assurance; standard contracts |
| Private | Dedicated use; assurance; scope to negotiate SLAs etc. | Expensive cf. Public; no "illusion of infinite resource" |
| Community | Designed for a specific, shared set of security requirements | Difficult to govern; need to manage all stakeholders |
| Hybrid | "Best of breed": suppliers can be switched in and out | "Weakest link": must cater for security issues across ALL suppliers |

The Jericho Forum® Cloud Cube Model is an alternative way of representing deployment models.
http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
"Where do the main security threats come from and where should you focus your attention?" -> Cloud Threats
"What are the genuine security issues that hold back Cloud adoption?" -> Cloud Risks
- Multi-tenancy
- Compliance
- Lock-in
- Standard Terms and Conditions
- Supply chain – cloud, on cloud, on cloud, on…?
- Assurance
"Are services in the cloud less secure than those on-premise?" -> Cloud Benefits?
- Improved resilience
- Cost-effective datacentre security
- Cloud data storage and sharing vs removable media
- Encourages adoption of Jericho principles
- Improved security expertise, including application-specific expertise, at the centre
- More efficient security patching
"What is the best way to manage security in a world of self-service IT, mobile devices and social media?" -> Security Architecture
"The fundamental security organization of a system, embodied in its components, their relationships to each other and the environment, and the security principles governing its design and evolution"
Adapted from: ISO/IEC 42010:2007
Security Reference Model
Modelling Different Delivery Responsibilities
The delivery responsibilities for the security services shift from the consumer to the provider as you move from IaaS through PaaS to SaaS.
The interfaces between consumer and provider are where gaps in capability arise, and where communication between provider and consumer is most likely to be poor, missing or misunderstood.
Procurement Usage
Conclusions
- All delivery models are unique. Cloud computing models have unique security challenges; so do other delivery models, including on-premise and traditional outsourcing.
- Cloud is an evolution, not a revolution.
- The threat actors remain mostly the same, cloud or on-premise.
- The risks remain mostly the same whether your applications are hosted on-premise or on-cloud; however:
  - increased sharing of resources due to multi-tenancy introduces new attack surfaces
  - assurance difficulties can cause compliance issues (data residency, data deletion, segregation etc.)
- A security architecture approach can help to enable cloud adoption:
  - Architecture methodologies help to enforce consistency across an enterprise, no matter the IT delivery model.
  - Architecture methodologies help to identify the security services required from a Provider.
  - Architecture helps to identify areas of overlap or interface (or confusion or omission) between Provider and Consumer.
  - Architecture helps to inform service procurement.
Conclusions
- What are the genuine security issues that hold back Cloud adoption?
  - Compliance
  - Assurance
- Where do the main security threats come from and where should you focus your attention?
  - The usual…
- Are services in the cloud less secure than those on-premise?
  - It depends!
- How much of the threat is human (malicious or accidental), and how much IT, devices and hardware?
  - Confidentiality? Human. Availability? Mixture.
- What is the best way to manage security in a world of self-service IT, mobile devices and social media?
  - Adopt an architectural approach.