ohm2013 cloud security 101 slideshare
DESCRIPTION
Cloud security 101 was presented at OHM 2013, the 4-yearly conference dedicated to technology and its (mis)use.
TRANSCRIPT
Cloud Security 101, presented at OHM2013
“what would General Eisenhower say about PRISM”
Dr. Peter HJ van Eijk, @petersgriddle
Cloud Security: an oxymoron?
The knee-jerk reaction of a lot of people when they first hear about cloud is:
– “The PATRIOT act/PRISM allows the US government/YFTLA* to see everything that (I do/everything my company does) on the internet”
– “Therefore, the cloud is evil”
– “Besides: cloud computing is marketing hype.”
Is YFTLA ruining your internet? Whose internet is it anyway?
*) Your favorite three letter agency
This talk’s roadmap
• Who am I? Who are you?
• Security and power in a historical context
• The Cloud: hype or reality?
• Basic cloud security concepts and methods
• Wrap up
Who am I?
• One of the world’s most experienced independent cloud trainers.
• Developing and delivering cloud training such as CCSK, Cloud Essentials and Cloud Governance worldwide.
• Work history: University of Twente, AT&T Bell Labs 07974, EDS, Eunet, Deloitte, independent
• See www.clubcloudcomputing.com for more information and https://ohm2013.org/wiki/User:Petersgriddle
Who are you at OHM2013?
• You are probably professionally involved in IT or IT security
• You might work at or for corporate IT or with cloud providers
• Or maybe for a three-letter agency
• You might be a senior developer, sysadmin, risk manager, consultant or auditor
LET’S TALK A LITTLE BIT OF HISTORY
Dwight D. Eisenhower
• 5-star general US army
• Supreme commander of Allied Forces in Europe WW2.
• Responsible for D-day, ‘the longest day’, the invasion of Normandy, June 1944
• 1st Supreme Allied Commander Europe (NATO)
• 34th president of the USA (1953-1961)
• Instituted NASA and DARPA
Dwight D. Eisenhower warns in 1961
• On January 17, 1961, Eisenhower gave his final televised Address to the Nation from the Oval Office. In his farewell speech, Eisenhower raised the issue of the Cold War and the role of the U.S. armed forces. He described the Cold War: "We face a hostile ideology global in scope, atheistic in character, ruthless in purpose and insidious in method ..." and warned about what he saw as unjustified government spending proposals and continued with a warning that "we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military–industrial complex." He said, "we recognize the imperative need for this development ... the potential for the disastrous rise of misplaced power exists and will persist ... Only an alert and knowledgeable citizenry can compel the proper meshing of the huge industrial and military machinery of defense with our peaceful methods and goals, so that security and liberty may prosper together."
2013 update: g/the Cold War/s//Terrorism/
“we must guard against the acquisition of unwarranted
influence, whether sought or unsought, by the
military–industrial complex”
DARPA: Defense Advanced Research Projects Agency
• Part of the military-industrial complex
• Established 1958 under Eisenhower
• Funds a significant part of all US Information Technology research.
• Set up ARPAnet in 1969, which we now know as the Internet
• Arguably the most important founding (grand)father of “the cloud”
Who is who?
• The internet is a product of the military-industrial complex.
• Who is part of this complex?
– HP, Cisco, AT&T, IBM, Microsoft, most US universities and research agencies, etc.
– Most of Silicon Valley
– The security industry ….
• That includes you, probably.
Whose side are you on?
• Friend or Foe?
• Black hat or white hat?
• Cat or mouse?
• Inventor or user?
• You decide …
Personal opinion and story
• I believe there is a role for regulation and governments in the way we collectively handle data.
• I don’t believe that uncontrolled access to data is healthy, whether by governments or other organizations.
• “A car with your name on it is used for an armed robbery” <- this and similar things have happened to me.
WHAT IS CLOUD COMPUTING AND WHY ARE PEOPLE USING IT?
Cloud computing is a type of IT outsourcing
See NIST definitions on http://www.nist.gov/itl/cloud/
NIST: Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources […]. This cloud model promotes availability and is composed of five essential characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured Service (pay as you go)
Colloquial: Your data on somebody else’s hard disk.
On-demand self service
The consumer can unilaterally decide to change his resource consumption, e.g. through a website, potentially programmatically.
No human intervention at the provider is necessary.
Broad network access
The service is accessible
• through a variety of networks
• by a variety of devices: PC, server, mobile
The network is a given.
Resource pooling
The resources are pooled to serve a number of independent users. This is also called ‘multi-tenancy’.
Resources will be allocated dynamically.
Resources could be:
• Processor capacity
• Storage
• Memory
• Bandwidth
Rapid elasticity
The resources can be scaled up and down quickly.
This is done without provider intervention, through the on-demand self service.
Measured service
The consumption of the resource is measured in a meaningful way, e.g. memory, processor capacity, user counts.
This usage can be the basis for the billing of the consumer.
Not all clouds are created equal: three ‘service models’
• Software as a Service
• Platform as a Service
• Infrastructure as a Service
Source: http://infoonsoftwaretesting.blogspot.com/
Platform as a Service: e.g. social media integration
Web API / PaaS connection
GET http://api.twitter.com/1/statuses/user_timeline.json?screen_name=petersgriddle
Who is hosting my website, really? Integration happens client side
In November 2010, 30% of web transactions used an Amazon EC2 object*
*) Source: Gomez 2010
Companies are flocking to the cloud because of the business benefits they experience or expect
Business benefit
Generic IT outsourcing benefits +
• Collaboration
• Speed of deployment
• Fast scale up and down
• Low initial cost
• Low capital cost
• Easier integration
• Wider user base
• …
IT is outgrowing the capability of organizations to manage IT
• IT is still one of the fastest growing and innovative technologies, 50 years and counting
• From 1:20 to 1:1000 productivity
– i.e. servers, workplaces, network connections
• Do you think that Joe R. SME can run secure IT in his closet? Really. What are you smoking?
It is ‘cloud’ when the consumer experiences it as ‘cloud’.
The cloud is *BIG*.
Amazon, Google and Microsoft have 200K-2M+ servers, each. (conservatively)
Akamai runs 10-20% of total Internet traffic.
Disruptive Innovations
Characteristics
• Much cheaper
• Not as good (initially)
• Rapidly improving
• Eventually drives original out of the market
• Addresses ‘over served’ clients
Examples
• Mass manufacturing
• PC
• Internet
• Wikipedia
• Cloud Computing
https://en.wikipedia.org/wiki/Disruptive_innovation
Dutch Olympic committee: content hosted at Flickr, Twitter and Youtube
• Editorial content
• ‘Social’ content
• Up to date content
• Lower cost
Dutch Olympic committee website
• Challenge: The Dutch Olympic committee had a traditionally hosted website for the Beijing games in 2008, running up a bill of more than 150.000 euro.
• Approach: For the Vancouver games they totally changed the concept. The website became a single page, hosted in the cloud. This page then pulls in social media content that is hashtagged #os2010.
• It is displayed on two panes. The top one, whitelisted by author name, is the editorial content. The rest is social media content. Run cost for the new website: a few hundred euro per month.
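The two-pane design described above, as an added JavaScript example that is not part of the slides or of the committee's actual site: only #os2010-tagged posts are shown at all, posts from allowlisted authors go to the editorial pane and everything else to the social pane, and every field is HTML-escaped because the site does not control any of this content. The allowlisted handles and the sample posts are constructed.

```javascript
// Added example, not from the slides: the two-pane single-page site described
// above. Sample posts are constructed; the allowlisted handles are hypothetical.
const EVENT_TAG = "#os2010";                                    // hashtag from the slide
const EDITORIAL_AUTHORS = new Set(["noc_nsf", "teamnl_press"]); // hypothetical allowlist

// What a client-side integration would receive from a social media API.
// None of it is hosted by the site, so every field is untrusted input.
const SAMPLE_POSTS = [
  { author: "noc_nsf",      text: "Gold for the Netherlands! #os2010" },
  { author: "fan_1982",     text: "What a race #os2010 <3" },
  { author: "spammer",      text: "cheap tickets <script>alert(1)</script> #os2010" },
  { author: "teamnl_press", text: "Press conference at 18:00 #os2010" },
  { author: "noc_nsf",      text: "Unrelated post without the event tag" },
];

// True when the tag appears as a whole token (case-insensitive), so that
// "#os20100" or "#os2010x" do not slip through a substring match.
function hasEventTag(text, tag = EVENT_TAG) {
  const want = tag.toLowerCase();
  return text
    .toLowerCase()
    .split(/\s+/)
    .some((tok) => tok.replace(/[.,!?:;]+$/, "") === want);
}

// The editorial pane is defined by WHO wrote the post, not by what it says.
// A production allowlist should be keyed on the provider's stable account
// identifier; the handle is used here only because that is what the sample carries.
function partitionPosts(posts, { tag = EVENT_TAG, editorialAuthors = EDITORIAL_AUTHORS } = {}) {
  const editorial = [];
  const social = [];
  for (const post of posts) {
    if (!hasEventTag(post.text, tag)) continue; // untagged content is never shown
    const pane = editorialAuthors.has(post.author.toLowerCase()) ? editorial : social;
    pane.push(post);
  }
  return { editorial, social };
}

// Output encoding for HTML text and attribute contexts. Rendering third-party
// content with innerHTML and no escaping would hand the social pane to anyone
// who can post with the event hashtag.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderPane(title, posts) {
  const items = posts
    .map((p) => `<li><b>@${escapeHtml(p.author)}</b> ${escapeHtml(p.text)}</li>`)
    .join("");
  return `<section><h2>${escapeHtml(title)}</h2><ul>${items}</ul></section>`;
}

// Top pane: editorial (allowlisted authors). Bottom pane: everything else.
function renderPage(posts) {
  const { editorial, social } = partitionPosts(posts);
  return renderPane("Editorial", editorial) + renderPane("Social", social);
}

console.log(renderPage(SAMPLE_POSTS));
```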
Oxfam: flexible capacity
• Type of organization: charity, relief aid
• # IT staff: ~200
• Challenge: inconsistent infrastructure, no scalability for seasonal or exceptional (e.g. natural disasters) demand patterns
• Approach: IBM private cloud (IaaS)
• http://www.businesscloudnews.com/applications/789-oxfam-cio-cloud-is-a-philosophical-challenge.html
KLM: dispersed workforce
• Type of organization: Airline
• Challenge: dispersed workforce, multilingual, multiple devices to work on
• Solution: SaaS. Google Apps Premier Edition for more than 10.000 crew members
• http://googleenterprise.blogspot.nl/2010/02/flying-into-cloud.html
Canadian Pacific: flexible deployment
• Type of organization: Railroad
• Challenge
– “…lead times to get new infrastructure for development, for test, for experimentation purposes as well as production purposes,” said Stuart Charlton, executive IT advisor at CP.
• Approach: IaaS private cloud plus Amazon;
– IBM WebSphere eXtreme Scale for developing distributed software
• http://www.itworldcanada.com/news/canadian-pacific-gets-agile-with-hybrid-cloud/145408
Commonwealth of Virginia: Community SaaS
• Type of organization: Public Government
• Challenge: procurement process spread over 171 agencies, most having their own IT systems, controlling $3B procurement
• Approach: Community SaaS procurement system (Ariba)
• http://cloud2slg.techamericafoundation.org/wp-content/uploads/group-documents/3/1328666319-Final2_Commonwealth_of_VA_ProcurementCaseStudy.pdf
CLOUD SECURITY AND RISK CONCEPTS
Cloud is the same, but different
• Like Websites/web technology
– Technical risk
• but different
– Scalability and elasticity much higher
• Like outsourcing
– Third party risk
• but different
– Speed of control and failure is much higher
– Chains of providers
– More sharing
• Virtualization
– But taken to much higher levels of automation
Cloud computing implies massive sharing and scaling
Consolidation risk
– Performance
– Capacity management
– Multi-tenancy leakage
– More ‘collateral damage’ of legal action
– Bigger impact of failures
– More interesting target for cybercrime
You cannot manage this risk on a yearly or even monthly basis
See Animoto autoscaling (next slide)
Animoto, EC2 and RightScale
[Chart: number of servers, 4/13/2008 to 4/20/2008, marking the launch of the Facebook modification and a peak of 4700 instances]
Using RightScale, Animoto automatically scaled to handle a dramatic load to their application
Inside scoop at http://blog.rightscale.com/2008/04/23/animoto-facebook-scale-up/
Cloud Computing differs from traditional outsourcing
• Contracts much more flexible/volatile
• More sharing of resources across customers
• Little influence from customer
• More players and layers involved
• More legal implications
Cloud brings new technology
• Multitenancy
– VMs, storage, databases, application code
• Federated Identity Management
– OpenID, OAuth, SAML
This tends to be a tough challenge for
• Software publishers moving to a SaaS model and
• Hosting companies moving to an IaaS model
Compliance is harder in the cloud
• More moving parts
• More regulation
– E-DPD, PCI-DSS, HIPAA, SOX, E-discovery, net neutrality, privacy, etc, etc, etc
• More risk exposure
– The world is our playfield
– Cybercrime
– TLAs
Cloud Security Alliance
The Cloud Security Alliance (CSA) is an industry consortium, volunteer based, open.
• Sample products
– CCSK (Certificate of Cloud Security Knowledge)
• CSA guidance, ENISA study
– Cloud Controls Matrix
– STAR registry
• Disclosure: I am a certified CCSK trainer, and Dutch chapter board member.
Similar/complementary efforts underway at ISO, ISACA, etc.
CCSK Course Structure
1 Intro to Cloud Computing
• NIST definitions: essential characteristics, service models, deployment models
2 Infrastructure Security for Cloud
• Securing base infrastructure
• Management plane security
• Securing Virtual Hosts and Networks
• IaaS, PaaS, SaaS security
3 Managing Cloud Security and Risk
• Risk and Governance
• Legal and Compliance
• Audit
• Portability and interoperability
• Incident response and more
4 Data Security for Cloud
• Cloud Data Architectures
• Data Security Lifecycle
• Information Governance
• Data security and Encryption
• Data Loss prevention
5 Securing Cloud Applications and Users
• Application Security
• Identity and Access management
6 Selecting Cloud Services
• What to look for in a cloud provider
• Security as a Service
Infrastructure security
• No longer sufficient
• Still required, with additional surface to protect (hypervisor, management plane)
• More opportunity for fine grained and elastic controls, especially through automation
Data security
• A blanket (perimeter) approach to data security fails
• The data that matters to you might not be in your datacenter to begin with
• Lifecycle model allows more precise controls to be applied
• Encryption can be applied on multiple levels.
Application security
• Web security++ (OWASP on steroids)
• Application lifecycle model allows more fine-grained controls to be applied
User security
• Federated ID-management allows decoupling of Identity Providers and Relying Parties
• Can reduce the need for credential sprawl and leakage
Security as a Service
• The cloud can be a source of security solutions
• E.g. spam filtering, web filtering, management dashboards, DDoS protection.
MANAGING CLOUD SECURITY
How does professional security and risk management work?
• Risk based: professional risk management prioritizes the most important risks
– No superfluous or useless measures and controls
• Professional risk management incorporates audit and compliance obligations
– Anchor in operational process, instead of running a troublesome project for each audit
• Professional risk management is repeatable and scalable
– Champagne? Really? Did you expect the audit to be a one time effort?
Control frameworks
• Cloud Security Alliance: Cloud Controls Matrix
• ISACA: COBIT, mostly cost/value based
• ISO: ISO 27001 Information Security Management Systems
• CloudControls.org: Dutch initiative (CloudVPS, KPMG)
• ISO: ISO 20000. Not security, but relevant as a service management and governance framework
Cloud Security Alliance Cloud Controls Matrix
• CSA: dominant industry coalition
• Cloud Controls Matrix version 1.3
– soon to be v3.0
• CCM features:
– 11 control areas, 98 controls
– Selectable by S-P-I, Provider/Tenant
– Cross referenced to COBIT, ISO, HIPAA, PCI-DSS etc.
New controls
• 3rd and 4th party management
• Contracts
• SLA
• Identity and Access Management (IAM)
• Escrow
The future of cloud GRC
• Collaborative effort between provider and consumer
• Continuous audit
• As automated as possible
• Integrated GRC: risk management in the widest sense of the word drives governance
– Compliance is a collateral benefit
– Maturity level of organization rises
Cloud compliance in real-time
CCM (Cloud Controls Matrix), CAIQ (Consensus Assessments Initiative Questionnaire), CloudAudit and CTP (Cloud Trust Protocol) are products maintained by CSA (Cloud Security Alliance).

| GRC stack component | Example element |
|---|---|
| CCM | CO-02: Independent reviews and assessments shall be performed at least annually […] |
| CAIQ | CO-02.3: Do you conduct regular application penetration tests of your cloud infrastructure as prescribed by industry best practices and guidance? |
| CloudAudit | http://mycloudprovider.com/cloudaudit/org/cloudsecurityalliance/guidance/CO-02 |
| CTP | "It is 11 pm, do you know in which geography your virtual machines are running?" |
The CAIQ Questionnaire
Sample Questions to Vendors
Compliance - Independent Audits (CO-02)
• CO-02a - Do you allow tenants to view your SAS70 Type II/SSAE 16 SOC2/ISAE3402 or similar third party audit reports?
• CO-02b - Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• CO-02c - Do you conduct application penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
• CO-02d - Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
• CO-02e - Do you conduct external audits regularly as prescribed by industry best practices and guidance?
• CO-02f - Are the results of the network penetration tests available to tenants at their request?
• CO-02g - Are the results of internal and external audits available to tenants at their request?
Data Governance - Classification (DG-02)
• DG-02a - Do you provide a capability to identify virtual machines via policy tags/metadata (ex. tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country, etc.)?
• DG-02b - Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (ex. TXT/TPM, VN-Tag, etc.)?
• DG-02c - Do you have a capability to use system geographic location as an authentication factor?
• DG-02d - Can you provide the physical location/geography of storage of a tenant’s data upon request?
• DG-02e - Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
CSA STAR
Security, Trust and Assurance Registry (STAR)
• Cloud Security Alliance initiative
• An online clearinghouse where cloud providers can submit documentation detailing their security controls for review by potential customers, indexed by CAIQ reference
• 22 participating providers, including Amazon Web Services, Microsoft Azure.
• www.cloudsecurityalliance.org/star
Patriot act !?
• In the context of cloud computing, the Patriot act hardly adds anything to the power that the US federal government already has in accessing digital assets worldwide.
• Other governments have similar, or even more extensive powers.
• Competitive advantage based on not having infrastructure on US territory is speculative, at best.
The Sting, Paul Newman to Robert Redford: “If this goes wrong, the Feds will be the least of our problems.”
WRAP UP
The big Cloud Firewall
• It is a new world out there, and it has only just begun
• Cloud computing is inevitable
• New security issues *and* controls exist
• You can be an ‘alert and knowledgeable citizen’ and ‘security and liberty may prosper together.’
• If you apply your own moral compass
Thank you!
More info? www.clubcloudcomputing.com and search for CCSK