Predicting the Future: Security and Compliance in the Cloud Age

Upload: alert-logic

Post on 16-Apr-2017


Predicting the Future: Security and Compliance in the Cloud Age

Introduction

• Misha Govshteyn – CTO, Alert Logic

– Work in security and web-scale architecture; operate a high performance LAMP environment and an Erlang-based compute grid

– Help hosting/cloud service providers deliver security services

– Secure Cloud Review blog -> http://www.securecloudreview.com/

• What we do at Alert Logic

About this session

• Objective: Help you make security & compliance decisions that prepare your company for the future

• This presentation addresses a broad trend of consuming IT as a service

– Cloud in this context includes IaaS, PaaS and SaaS

Why take such a broad view? Because each of these models has the potential to significantly alter the way you protect your most critical assets.

Putting 2010 questions in perspective

IT vs Cloud?

Private vs Public?

IaaS? PaaS? SaaS?

• The questions of today are less important than this fact: IT is increasingly delivered as a service

• Your IT footprint is already changing…

– Probably adopting some form of cloud services

– Network is already becoming decentralized

• Some of your data may already be off-premise

Formulating a Security Strategy

• Position decisions you make today to meet the demands of tomorrow

• Make a new set of assumptions

• Identify relevant questions

Your Enterprise in 2015

(Diagram: private enterprise software and enterprise platforms – HR, CRM, Finance, POS – alongside cloud-enabled functions: web storefront, ISV platform SaaS, burst capacity, virtual desktop)

Cloud questions today and tomorrow

(Diagram: timeline from 2010 to 2015)

Your enterprise 5 years from now

• The perimeter is less important than ever

– More than 50% of your critical data is offsite

– Some in environments you do not control

– Some users don’t need your VPN to do their jobs

• Securing the enterprise will be characterized by

– Continuous transfer of security responsibility to service providers of all types

– Application/protocol level attacks

– Even more compliance requirements than today

Security trends in the next 5 years

• Governance and compliance efforts will extend to private and public cloud environments

• Cloud providers will use security as a differentiator

– Become increasingly more transparent

– Provide automated attestation and auditing of key controls, including access to logs

– Native data encryption available & heavily promoted, but sparingly used

– Most will offer enterprise-level Security-as-a-Service within 2-3 years

• Changes in the security industry

– Identity management is likely to become the first cloud security “killer app”

– Netsec vendors, less strategic to enterprises, will focus on CSPs

– Application/protocol security and Data Leak Prevention are likely to become increasingly important due to PCI mandates

Cloud impact on network security

• Most network security products are unable to deal with the complexity of CSP networks

– Big pipes: CSPs already see speeds well in excess of 50 Gbps

– Small customers: thousands of customers, some with very little traffic (no native multi-tenancy)

– Rapid elasticity – changing topology, new IP allocations, new VLANs, more traffic flows

• Today’s notions of trusted users, networks and computing resources will need to be re-thought

• Cloud Service Providers will begin to control an increasing share of the network, rather than Enterprise IT

The Evolving Perimeter

• The traditional notion of the perimeter will change dramatically as data migrates into the cloud

• Network firewalls will fade in importance as the perimeter disappears

• Network security functions subsumed by service providers

– Increasingly offered as a service

– Become embedded in the CSP and NSP network fabric

• New security focus:

– Applications

– Protocols

– Endpoints (mobile devices, terminals, remote users, laptops)

Emerging cloud security services

(Diagram: cloud security SaaS – IPS, IDM, App, VA, Logs, WAF; security SaaS – Web, VPN, AV, Mail)

• Delivered by

– Cloud Service Providers (CSPs)

– Network Service Providers (NSPs)

– Direct to enterprise by pure-play Security SaaS providers

CSP vs Customer responsibility

(Diagram: responsibility areas positioned between Customer / Managed Service and Cloud Service Provider)

– Policy Violations: serving illegal content (movies, MP3s, warez), vulnerability scanning, SPAM, botnets/malware

– Mass Scale Cloud Attacks: multi-tenant compromise, service/vulnerability enumeration, platform targeting, mass data leakage

– Management Infrastructure: brute force attacks, information leakage, mass permissions changes, API targeting

– Security SaaS: single tenant compromise, data theft, application attacks, worm/botnet infection

– Compliance Services: attestation, auditing, log review, PCI scans

Compliance in the cloud

→ Attestation

→ Auditing of key controls

→ Activity reporting

→ Log availability

• Requires a robust set of enterprise-grade security capabilities and services from CSPs

• Automated cloud auditability – emerging standard: CloudAudit/A6

X-Factor: the Auditors

• Passing a compliance audit in the cloud in the next 5 years will require equal parts luck and planning

• Improving your chances

– Distant future: find an auditor that understands and has experience in cloud environments

– Today: help your auditor understand your environment

(Slide graphic: API? CSA? XML? A6? Hadoop? EC2? VPC? XEN?)

First steps

• Engage with your IT security and auditors

• Build a roadmap for dealing with the dissolving perimeter and set realistic goals for your team

• Understand how Security SaaS fits into your current and future strategy

• Explore technologies/efforts important to secure cloud adoption: IDM, OWASP, WAF, CSA, A6

• Choose cloud environments that understand and plan to address your evolving security needs

Alert Logic: http://www.alertlogic.com/

Secure Cloud Review Blog: http://www.securecloudreview.com/

Email: [email protected] / @CToMG