isaca cloud security presentation 2013-09-24
DESCRIPTION
Delivered for ISACA's San Antonio chapter on September 24th, 2013. Covers cloud security and related questions from IT auditors.
TRANSCRIPT
Cloud Security
Major Hayden, Rackspace
Cloud Security // ISACA San Antonio 2013-09-24 2
Why are we here today?
Who am I?
Chief Security Architect at Rackspace
Red Hat Certified Architect and MySQL DBA
Five years of cloud operations experience
Integrated Slicehost with Rackspace
Launched Rackspace’s Cloud Servers product based on Slicehost technology
Launched Rackspace’s Open Cloud Servers powered by OpenStack
Today’s big three
1. An understandable and repeatable definition of cloud really does exist (and I’ll help you learn it)
2. There are different cloud deployment strategies and you can secure each of them
3. Cloud hosting risks are very similar to the risks from other IT hosting methods
What is cloud hosting?
Cloud hosting is a shift from managing computers to utilizing computing resources
Colocation
Dedicated
Managed Cloud
Key points
Resources are always available
Pay for what you use
Fewer fixed costs, more variable costs
Maintain business focus
Cloud hosting brings new challenges
Homes vs. Apartments
(Photo credits: Flickr users atelier_tee and oldtasty)
Key points
Can’t choose your neighbors
Fluctuating performance
Stay within the confines of the system
Service providers can touch your data*
Cattle vs. Pets (Credit goes to Gavin McCance at CERN for this analogy)
Key points
Rely on automation
Use configuration management
Build in redundancy based on business needs
Cloud types: Public, Private, and Hybrid
Benefits
Public: easily expandable and cheap
Private: host with provider or host internally, fewer noisy neighbor issues, compliance is easier
Hybrid: helpful for bridging into cloud, allows for the workloads to run where they run best
Let’s go through your questions
What due diligence should a company perform when selecting cloud services?
Due diligence
Easy answer: Assess a cloud provider just as you would any other provider of IT services
Look for business practice and security maturity
Test the provider thoroughly ahead of time
Monitor the provider’s actions closely around outages or when receiving support
What are some good contractual agreement clauses?
Contractual agreements
Confidentiality and security requirements
Encryption standards*
Service description and SLAs
Indemnification
What are the risks if the company owns the servers?
Company-owned server risks
Similar to self-hosted or vendor-hosted IT services on dedicated equipment
IT staff that maintain the servers will have some level of access to virtual machine data
Does the internet-facing nature of public cloud create additional risks?
Public cloud networking risks
About the same as internet-facing dedicated hardware
Some public clouds may have hardware networking devices such as firewalls or load balancers
Other providers might provide a shared firewall or load balancer environment to use
How do I securely store data in cloud services?
Storing data in the cloud
Your data is never fully safe in any storage
Understand your most probable threats first
Make your data less useful to others:
Encryption with digital signatures
Sharding
Tokenization (can help with data transport laws)
Hardware Security Module (HSM)
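As an added illustration of the tokenization point above (example code, not from the talk): the record handed to the cloud store carries only random tokens for its sensitive fields, while the token vault that can reverse them stays on company-controlled systems. Field names and sample values are constructed for the demo.

```python
"""Tokenizing sensitive fields before a record leaves the company.

Constructed example. The cloud provider only ever sees the output of
tokenize_record(); the TokenVault (and with it the ability to recover the
original values) never leaves the company's own environment. Tokens are
random, so a copy of the cloud-side data alone cannot be reversed.
"""
import secrets


class TokenVault:
    """Kept on company-controlled systems; never sent to the cloud provider."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so one value always maps to one token;
        # the cloud-side application can still match records on the field.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(12)  # 96 random bits, not derived from value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for tokens this vault did not issue.
        return self._token_to_value[token]


# Constructed list of fields that must not reach the provider in the clear.
SENSITIVE_FIELDS = ("card_number", "ssn")


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return the copy of the record that is safe to hand to the cloud store."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


def detokenize_record(vault: TokenVault, record: dict) -> dict:
    """Rebuild the original record; only possible with the company's vault."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}


# Constructed sample customer record (test card number, dummy SSN).
SAMPLE = {"customer": "Alice", "card_number": "4111111111111111", "ssn": "000-00-0000"}

if __name__ == "__main__":
    vault = TokenVault()
    cloud_copy = tokenize_record(vault, SAMPLE)
    print("stored at provider:", cloud_copy)
    print("recovered in-house:", detokenize_record(vault, cloud_copy))
```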
Thanks for inviting me!
Q&A?
Have more questions? [email protected]
http://major.io/