Cloud Securityfrom risk to business advantage
Moshe Ferber, CCSK
CSACloudSecurity
AllianceAbout me:•Moshe Ferber, 37, lives in Modiin (+2).• Information security professional for over 15 years.•Managed the security department for Ness Technologies.• Founded Cloud7, Israel based MSSP (currently owned by Matrix).• Shareholder at Clarisite• Shareholder at FortyCloud•Member of the board at Macshava Tova•Certified instructor for the Cloud Security Alliance
2
CSACloudSecurity
AllianceAgendaIntroduction to cloud computing
Creating Trust
Security in the development phase
Security in the Operation phase
CSACloudSecurity
AllianceAgendaIntroduction to cloud computing
Evaluating your cloud solution
Operating in the cloud
Virtualization security
CSACloudSecurity
Alliance Hitler and Cloud Comput
ing
CSACloudSecurity
AllianceWhat is cloud computing?
“Cloud computing is nothing more than a faddish term for the established concept of computers linked by
networks.”Larry Ellison, ORACLE
CSACloudSecurity
Alliance
7
What is cloud computing?
Broad Network AccessRapid ElasticityMeasured ServiceOn-Demand Self-ServiceResource Pooling
NIST Model of Cloud Computing
CSACloudSecurity
Alliance
8
Cloud computing does not mean virtualization *
* Although they usually go hand in hand…
CSACloudSecurity
Alliance
9
Cloud Service Models
CSACloudSecurity
Alliance
11
Security Impact of the SPI stack
• The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.
SaaS
IaaS
PaaS
Security ResponsibilityProviderCustomer
CSACloudSecurity
Alliance
Public Cloud Private Cloud
Community Hybrid
Cloud Deployment
Models
12
CSACloudSecurity
AllianceAgendaIntroduction to cloud computing
Creating Trust
Operating in the cloud
Virtualization security
CSACloudSecurity
AllianceSecurity in Cloud
computing is a major concern
CSACloudSecurity
AllianceBut Cloud Providers can
make it an advantage
CSACloudSecurity
Alliance3 steps for turning security risks into
security advantage
Creating Trust
Security in the development
processSecurity in the
Operation process
CSACloudSecurity
AllianceCreate common trust •Make sure that you and your customers speak the
same language. • Transparency, planning and taking risks are key
success factors for this process.• Standards are great way for establishing common
ground for discussion.•Contracts and SLA will define the partnership.
CSACloudSecurity
AllianceCreating trust
Transparent Legal documents
Know your regulation
Define who does what
CSACloudSecurity
AllianceWho does what?
Taken from: Ponemon Institute: security of cloud computing users study 2013
Research show that many organization don’t understand the shared responsibilities between customer and provider in
cloud computing .
CSACloudSecurity
Alliance
Responsibilities
• .
20
SaaS
IaaS
PaaS
ProviderCustomer
All Guest and App
security
App Security
Contractual controls
Infrastructure & Application security
Platform Security
InfrastructureOnly
CSACloudSecurity
AlliancePCI Cloud guidelines:
22
CSACloudSecurity
AllianceLegal documents•Adjust your contracts to reflect the nature of
the cloud (This is not a software licensing agreement).•Do not over complicate.• Provide security policy statement.• Specify how you help customer to avoid
Vendor lock-in and unexpected termination.
CSACloudSecurity
Alliance
Don’t forget liabilities as provider:•Responsible for actions of his providers. •Compliance in the service.• Answer to subpoena and e-discovery•Data loss / recovery.•Conform with specification. • Fix break down.• SLA: uptime, downtime notice &POC.• Indemnity
Location of
services
Contract jurisdictio
n
Standard of care
Applicable legislation
Treaties
CSACloudSecurity
AllianceKnow your regulations:
• ISO 27001 – Adopted by the cloud industry . Although no real reference to cloud (ISO 27017 is planned,but still a draft).•SSAE16 – Got some level of cloud details… Need to verify the scope.•FIPS140-2 - Standard for encryption on sensitive data.•PCI –Many resources on adapting PCI on cloud environment. Including PCI cloud guidelines.•ENISA– guide for cloud security recommendations.• ILITA (Israel) - guidelines for outsourcing computer data including cloud reference.
CSACloudSecurity
Alliance
•CSA – Responsible for CSA STAR Level 1,2,3. Which is ISO27001 / SOC with additional controls from CCM. •FedRAMP – Defining the federal policy regarding the use of cloud services within the federal government. Based on NIST guidelines.
Security standards for cloud computing - cont
CSACloudSecurity
AllianceUseful tools
CSACloudSecurity
AllianceAgendaIntroduction to cloud computing
Creating Trust
Security in the development phase
Virtualization security
CSACloudSecurity
AllianceSecurity in the development process
Design to securityIntegrate security into software life
cyclePlan your security
testing
Threat modeling
(including cloud threats)
Access controls
Coding standard
(Based on relevant Regulation)
Code review
SDLC Checkpoint
Cloud provider API’s
Static analysis
Dynamic analysis
Vulnerability scanning
Penetration test
CSACloudSecurity
AllianceDesign to Security• SDLC in the cloud requires us to integrate the cloud
provider and consumer into the process. • Security referent should be present on each development
team.• Threat modeling should include cloud specific threats.• SDLC can be any standard in the market, as long as you
remember to adjust responsibilities.
Architecture & Design
Development Test Production
IaaS Cloud Consumer
Cloud Consumer Shared Shared
PaaS Shared Cloud Consumer Shared Shared
SaaS Shared Cloud Provider
Cloud Provider
Cloud Provider
CSACloudSecurity
AllianceIdentity Management
Identity is the perimeter
Identity Lifecycle
Access control
Authentication
• Cloud consumers prefer to extend their Identities to the cloud instead of creating new ones.
• Identity Providers are a growing service. • SCIM – marked as the new standard for
provisioning (replacing SPML).• XACML is growing standard regarding access management.
• Best practices separate between Policy Decision Point and Policy enforcement Point.
• The challenge is to leverage customer current authentication mechanism.
• Identity Federation is growing market. • SAML, Open ID and Oauth can help SaaS
provider to meet customers requirements.
CSACloudSecurity
AllianceAnalysis Pen test•Dynamic and Static analysis should be
integrated to the SDLC.• Penetration test and vulnerability scans are a
must in some standards and regulations, and should be done periodically.• Scan results and pen test should be available
to customers. •Customers should have the ability to
coordinate scans and penetration tests.
CSACloudSecurity
AllianceUseful tools• Vulnerability management as a service a very popular. Just
make sure they are Cloud API aware• Code review and Web Application Firewall can also used as a
service.• New standards such as SAML, SCIM and XACML can assist.
CSACloudSecurity
AllianceChapter 4Introduction to cloud computing
Creating Trust
Security in the development phase
Security in the operation phase
CSACloudSecurity
AllianceSecurity in the Operation phase
Data lifecycle management
Transparency in operations
Incident management
Encrypt, Encrypt, Encrypt
Access control
Clear policy and standards
Monitoring
what is incident?
Incident life cycle
CSACloudSecurity
AllianceData lifecycle
Classification
Encryption
Access control
Archiving and Termination
CSACloudSecurity
AllianceEncryption of data in rest
File Level
Database Level
Volume Level
Storage Level
Level? By?
Proxy
Infrastructure
Keys?
Provider
Customer
Application level
CSACloudSecurity
Alliance
CSACloudSecurity
Alliance
•Customers will expect:Clear Security Policy.Change management process.DR / BC procedures.Backup and Restore procedure and testing.Notice on maintenance & service time.Clear information channel regarding malfunctions.SLA for coordinating audits / VA / Pen tests. Visibility into the operations.
Transparency in operations
Amazon Web Services - Request vulnarbility scan form.mht
CSACloudSecurity
Alliance
42
Monitoring Applications
•not just complianceLog Monitoring
•Availability and more.Performance Monitoring
•tie to alertingMonitoring for Malicious use
•analytics helpful hereMonitoring for Compromise
•access control, authorized useMonitoring for policy violations
CSACloudSecurity
AllianceIncident Management• Define what is “Incident” with your customers.• The nature of cloud makes likelihood of some kinds of incident goes
up, others goes down. • Consider attacks targeted at the Cloud infrastructure provider and
how that affects your systems• Legislative and Regulatory régimes may have different
requirements for incident management.• Plan your containment policy in cases where attack is focused on
specific customer.• Provide your customer with POC and make sure you got
communication channels to address them.
Preparation Detection & Analysis
Containment
Eradication & Recovery
CSACloudSecurity
Alliance
44
Useful tools• COBIT / ITIL can make a good framework for building
correct operations standards.• Twitter turned to be great tool for information
distribution.• NIST SP800-61 is great start for incident management.
CSACloudSecurity
Alliance
46
•US privacy laws are made from federal legislation, and state level regulation.• The 4th amendment is the basic pillar for privacy in US,
and is not valid for cloud services. • The FISA, Patriot act and protect America act grant US
government right to force Cloud provider to deliver customer data.•US laws require provide planning capability to respond
to requests for legal holds on documents (FRCP)
US Legal Particulars
CSACloudSecurity
Alliance
47
• EU privacy laws prohibit transfer of EU data outside of the EU unless it will receive the same level of protection.•US based companies enjoyed Safe Harbor agreement
for processing EU data.• On July 2, 2012 – Working Party 29 issued an opinion
stating that safe harbor controls are not sufficient for cloud computing.
European Legal Particulars
CSACloudSecurity
AllianceWhat we secure:
48
Data• Make sure
that data in the cloud is
secured along all data
lifecycle.
Application
• Make sure application meets the standards and risks.
Users• Make sure
that users lifecycle matches
standards and risks.
CSACloudSecurity
Alliance
49
Create
Destroy
Store
Share Archive
UseClassifyAssign RightsContent Discovery
Access ControlsEncryptionRights Management
Activity Monitoring and Enforcement
Rights ManagementLogical ControlsApplication Security
DLPEncryption (SSL/HTTPS)Logical ControlsApplication Security
EncryptionAsset Management
Crypto-ShreddingSecure DeletionContent Discovery
Data Security Lifecycle
CSACloudSecurity
Alliance
50
Identity & Access Management concerns
Identity Management • Lifecycle
management may require
identity propagation
and/or synchronization• Identity
provisioning• User profile
management
Access Management • Authentication –
process can occur on Cloud
Consumer side or Cloud Provider
side• Authorization –
process can occur on Cloud
Consumer side, and always occurs
on the Cloud Provider side
Federation• Managi
ng relation
ships and
policies
Compliance
•Dealing with
regulations and
audits
CSACloudSecurity
Alliance
51
Standards
CSACloudSecurity
Alliance
52
SaaS/PaaS Provider Checklist
1.What provisioning standards do you support today?
2.Do you support SPML? What version? If so, do you have a schema?
3.Do you offer web services for automated provisioning (bulk or single)?
CSACloudSecurity
Alliance
53
SaaS/PaaS Provider Checklist4. Do you offer on the fly (just-in-time)provisioning,
where by users are provisioned using a pre-assigned token but activated at the time of online registration?
5. What language support do you offer for clients of provisioning web services? Examples include Java, .NET, Ruby on Rails, PHP, etc.
6. Do you support provisioning via transient federation(SAML)?
7. What logging of provisioning requests is performed, and how is it protected from tampering? What reconciliation mechanisms are available?