Protecting what matters... an enterprise approach to cloud security
DESCRIPTION
Presented at InnoTech Dallas 2014. All rights reserved.

TRANSCRIPT
© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Protecting what matters... An enterprise approach to cloud security
Ed Reynolds HP Fellow, CISSP, CCSK HP Enterprise Security Services
Today’s agenda
TRENDS PERSPECTIVES GUIDANCE
Worldwide Security Trends & Implications
• Cyber threat: 56% of organizations have been the target of a cyber attack
• Extended supply chain: 44% of all data breaches involved third-party mistakes
• Financial loss: $8.6M average cost associated with a data breach
• Cost of protection: 8% of total IT budget spent on security
• Reputation damage: 30% market cap reduction due to recent events
• Reactive vs. proactive: 60% of enterprises spend more time and money on reactive measures than on proactive risk management
Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research
Key Points
• Security is a board of directors concern
• Security leadership is under immense pressure
• Need for greater visibility of business risks and to make sound security investment choices
Managing security challenges
Today, security is a board-level agenda item
#1 Board Identified Risk: Reputational Damage
Source: EisnerAmper LLP, February 2011 - Second Annual Board of Directors Survey - 2011: Concerns About Risks Confronting Boards
Managing Risk: Current Challenges
Primary Challenges
1. Nature & motivation of attacks (from fame to national enemies): a new type of adversary
2. Transformation of enterprise IT (delivery and consumption changes): delivery moves from the traditional data center through private cloud and managed cloud to public cloud, across network, storage and servers
3. Regulatory pressures (increasing cost and complexity): Basel III and an enhanced regulatory environment
HP research: Top concerns for IT executives
Percentage of respondents concerned, in slide order (response scale: extremely concerned / somewhat concerned / not very concerned):
• 67%: Data privacy and information breaches
• 66%: Lack of skilled resources to effectively manage security
• 63%: Risk associated with more consumption of apps/IT services across public, private & hybrid cloud
• 54%: Risk associated with more consumption of apps/IT services
Source: HP 20:20 CIO Report, 2012
Cloud services: adoption is tempered by uncertainty
Security or a related component is the #1 concern/issue for most enterprises
LOB/IT concerns: security, performance, reliability, scalability, service levels
CIO concerns: data security & protection, compliance, auditing, cost, governance, control, availability
CSA: Cloud Computing Top Threats for 2013
1. Data breaches
2. Data loss
3. Account or service hijacking
4. Insecure interfaces and APIs
5. Denial of service
6. Malicious insiders
7. Abuse of cloud services
8. Insufficient due diligence
9. Shared technology vulnerabilities
Security for the cloud
http://cloudsecurityalliance.org/
Notes: (1) HP’s Rafal Los co-chaired the CSA Top Threats working group. (2) HP was selected by CSA as Master Training Partner in APJ (initial region).
What do we mean by “cloud security”?
1. Security for the cloud? Securely using cloud services (consumers)
2. Security from the cloud? Security-as-a-Service
3. Security in the cloud? Embedded security (providers)
4. Security across clouds? Hybrid models, interoperability
Cloud models require different security solutions…
Attack surface increases from private to hybrid:
• Private cloud: enterprise-owned or leased
• Community cloud: shared infrastructure for a specific community
• Public cloud: sold to the public, mega-scale infrastructure
• Hybrid cloud: composition of two or more clouds
... and different roles & responsibilities regarding security
• SaaS (Software as a Service): generally provides application, data and infrastructure security, with varying degrees of compliance
• PaaS (Platform as a Service): may provide some additional security functions for IDM and secure application development; application security falls to the app developer and customer IT operations
• IaaS (Infrastructure as a Service): providers generally offer basic network & infrastructure security, firewalls and some tools, but the customer is generally responsible for implementation, operations and monitoring
But what is really new about “cloud security”?
Many traditional security concerns are recast as a “cloud problem”. . .
• Many “cloud security incidents” are issues with web apps and data hosting, but at greater scale
  - e.g. phishing, downtime, data loss, weak passwords, compromised hosts running botnets, etc.
• Unexpected side channels and covert channels arising from shared-resource environments in public services
  - Activity patterns need to be protected in addition to apps and data
• Reputation fate sharing: possible blacklisting or service disruption due to “bad neighbors”
  - Need “mutual auditability” (providers need to audit/monitor users)
• Longer trust chains: {SaaS to PaaS to IaaS}
Source: Y. Chen et al., “What’s New About Cloud Computing Security?” UC Berkeley, Jan. 20, 2010
Perspectives
“It’s not about cloud security – it’s about securing your enterprise’s use of cloud-based services”
“Cloud security begins with, and adds to, well-defined enterprise security”
Enterprise approach to cloud security
HP Enterprise Security Services Whitepaper
1. Establish a risk-based approach
2. Design applications to run in the cloud
3. Ongoing auditing and management
HP approach to complete information security
Moving from reactive to proactive information security & risk management, driven by actionable security intelligence:
• Assess security investments and posture
• Transform from silos to a comprehensive view
• Optimize to proactively improve security posture
• Manage security effectively
Establish a risk-based approach
HP Cloud Security Risk and Control Assessment
Stage 1: Assessment Workshop (engagement with senior management)
• Business issues
• Discovery
• Scope
• Risk assessment
• Strategic control plan
Stage 2: Risk Assessment (engagement with business-level security)
• Business risk assessment
• Asset risk assessment
• Output: assets prioritized by risk
Stage 3: Controls Assessment (engagement with operational-level security)
• Cloud control measures
• Consensus assessment
• Output: prioritized security control plan
Establish a risk-based approach
Are your applications & data… the path of least resistance?
Design apps to run in cloud
Secure SDLC: protect data & IP
[Figure: an attacker works through the software & data, hardware and network layers to reach the assets that matter: intellectual property, customer data, business processes and trade secrets.]
Design apps to run in cloud
The National Vulnerability Database (DHS/US-CERT)
• Lists >47,000 documented vulnerabilities
Undiscovered/unreported (0-day) vulnerabilities are huge
• 20X multiplier (1): 47,000 x 20 = an estimated 940,000 vulnerabilities, replicated in many products
The risks
Vulnerabilities (security defects) are a quality issue: many more “underwater” than those reported “above the water”
Greater than 80% of attacks happen at the application layer
But <1% of security spend is allocated to application security!
Notes: HP research and (1) “Public Vulnerabilities Are Tip of the Iceberg,” CNET News, June 1, 2007
Design apps to run in cloud
Designing applications to run in the cloud
• Embed security in application architecture
• Address new attack surfaces early in design
• Encrypt “everything” by default – end-to-end
• Adopt new mindset to privacy
• Bounding processes around PII (e.g. PCI tokenization example)
• Build in audit trails for forensics
• Conduct 3rd party reviews (CATA, Pen.Test)
Design apps to run in cloud
Securing “data-in-process,” in addition to “at rest” and “in motion”
Encryption advances & alternatives*
Advances
• Broadcast encryption: encryption for groups and memberships
• Searchable symmetric encryption: securely search encrypted data
• Identity-based encryption: ad-hoc PKI; any identity string (an email address, for example) can serve as a user's public key
• Predicate encryption: fine-grained control over who can decrypt which ciphertexts
• Homomorphic encryption: emerging techniques to compute on ciphertext
Alternatives
• Tokenization: data sent to the public cloud is altered (tokenized) and contains only a reference to the real data, which stays in the private cloud
• Data anonymization: personally identifiable information (PII) is stripped before processing (watch assumptions: the fields that remain may still re-identify a person)
• Utilizing cloud database controls: using (fine-grained) access controls at the database layer to provide segregation
* Source: CSA Guidance v3.0 Chapter 11
Design apps to run in cloud
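The tokenization alternative above (and the PCI tokenization case mentioned under "Designing applications to run in the cloud") in working form. This is an added example, not code from the deck or from HP: the vault stands in for the private-cloud side that keeps the real values, the public-cloud side only ever receives opaque tokens, and the record shape, field names and the keyed-index design are assumptions made for the illustration.

```python
"""Vault-style tokenization for data shipped to a public cloud.

Added example (not from the original deck). The vault stands in for the
private-cloud side that keeps the real values; the public-cloud side only
ever sees opaque tokens. Key and store are in-memory here; a production
vault would use an HSM-held key and a hardened, access-controlled database.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    """Private-cloud component: maps tokens to sensitive values and back."""

    def __init__(self, index_key: bytes = b""):
        # Keyed index lets the same value map to the same token (so the public
        # side can still join or deduplicate on it) without storing plaintext
        # in the index. This is an assumed design choice, not the deck's.
        self._index_key = index_key or secrets.token_bytes(32)
        self._by_token = {}
        self._by_digest = {}

    def _digest(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        digest = self._digest(value)
        token = self._by_digest.get(digest)
        if token is None:
            # Random token: no mathematical relation to the value, so the
            # public side cannot recover the value without asking the vault.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_digest[digest] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only reachable from inside the private cloud; raises on unknown tokens."""
        return self._by_token[token]


def export_record(vault: TokenVault, record: dict, pii_fields: tuple) -> dict:
    """Build the copy of a record that goes to the public cloud: every listed
    PII field is replaced by its token, everything else is passed through."""
    out = dict(record)
    for name in pii_fields:
        if name in out:
            out[name] = vault.tokenize(out[name])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record (assumed field names).
    order = {"order_id": "A-100", "card_pan": "4111111111111111", "email": "pat@example.com"}
    public_copy = export_record(vault, order, ("card_pan", "email"))
    print(public_copy)
    print(vault.detokenize(public_copy["card_pan"]))
```

Because the index is keyed, equal values produce equal tokens inside one vault, which keeps joins working on the public side but also means the tokens are linkable across records; that is the same "watch assumptions" caveat the deck attaches to anonymization. If linkability is itself a risk, drop the index and issue a fresh random token per occurrence.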
Architecting Security into Applications
Security assurance thought leadership

Reactive, traditional approach (lower ROI):
• Post-release: first, people found vulnerabilities, patched, and issued bulletins
• Integration/penetration test: in-house and more proactive, but more expensive in isolation
• Coding: security code scanners and code review; better when the design supports security

Proactive, extending security assurance (higher ROI):
• Requirements/architecture & design: security requirements gap analysis; security designed in; dramatically reduces the risk of vulnerabilities; more complete and less expensive assurance; guides late-lifecycle assurance; the best response to a greater threat

The traditional approach is backwards. It can never solve the problem by itself, but it works well once the proactive work has prioritized where late-lifecycle assurance should focus.
Design apps to run in cloud
HP cloud applications transformation
Applications rationalisation → cloud-specific workload analysis → risk analysis & TCO (BPA) → Level 1 transformation strategy determination (the RE’s: replace, re-architect, re-factor, re-host) → Level 2 transformation strategy determination (x to x) → app migration
Cloud suitability mapping sorts apps into:
• Suitable for SaaS
• Suitable for preferred target / public cloud
• Need modernisation analysis
• Not suitable for cloud: dedicated/hosted (retain, retire)
Cloud service types: IaaS, PaaS, SaaS. Cloud deployment models: public, private, virtual private.
Design apps to run in cloud
Applications modernization strategy
[Figure: application cloud strategy quadrant. Vertical axis: coding effort; horizontal axis: new value generation potential. Lower row: Re-host (IaaS) on the left, Replace (SaaS) on the right. Upper row: Re-factor (PaaS) on the left, Re-architect (PaaS, SOA) on the right.]
Design apps to run in cloud
Auditing cloud services
Continuous compliance monitoring is essential to securely delivering cloud services and ensuring compliance
• Cloud Services are inherently dynamic. The dynamic provisioning and de-provisioning of resources is a key part of the Cloud value proposition and business model
• Automation for operations and asset management are essential in this dynamic environment
• Verification of compliance with policy and legislation – such as the EU Data Protection Directive, GLBA, HIPAA, and Export compliance controls like ITAR – requires continuously running automation
Yearly or monthly audits are irrelevant in an environment that changes completely on a daily or hourly basis
Ongoing auditing & management
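The "continuously running automation" the slide calls for, shown as an added example that is not part of the deck or of any HP tooling: policy rules are small functions, `evaluate` runs every rule over an inventory snapshot, and `diff_findings` compares two runs so that an hourly re-run (or one triggered by each provisioning event) alerts only on what changed. The inventory, the resource fields, the rule names and the residency/export-control rules are constructed for illustration and are not a statement of what any regulation requires.

```python
"""Continuous compliance check over a resource inventory snapshot.

Added example (not from the original deck). Policy rules are written as
small functions; `evaluate` runs every rule over every resource, and
`diff_findings` compares two runs so each re-run only alerts on changes.
Inventory shape and rules are constructed for illustration.
"""

# Constructed snapshot, shaped like the output of an asset-discovery job.
SNAPSHOT_T0 = [
    {"id": "vol-1", "type": "volume", "region": "eu-west-1", "encrypted": True,
     "tags": {"data_class": "pii"}},
    {"id": "vol-2", "type": "volume", "region": "eu-west-1", "encrypted": False,
     "tags": {"data_class": "pii"}},
    {"id": "bkt-1", "type": "bucket", "region": "us-east-1", "public": True,
     "tags": {"data_class": "export-controlled"}},
    {"id": "vm-7", "type": "instance", "region": "us-east-1", "tags": {}},
]


# Policy rules: each returns a finding string for a non-compliant resource, else None.
def encrypted_at_rest(r):
    if r["type"] == "volume" and not r.get("encrypted", False):
        return "volume is not encrypted at rest"


def no_public_buckets(r):
    if r["type"] == "bucket" and r.get("public", False):
        return "bucket is publicly accessible"


def pii_stays_in_eu(r):
    # Stand-in for an EU data-residency requirement (illustrative only).
    if r["tags"].get("data_class") == "pii" and not r["region"].startswith("eu-"):
        return "PII-classified resource hosted outside the EU"


def export_controlled_not_public(r):
    # Stand-in for an export-control restriction (illustrative only).
    if r["tags"].get("data_class") == "export-controlled" and r.get("public", False):
        return "export-controlled data exposed publicly"


def classification_tag_present(r):
    if "data_class" not in r["tags"]:
        return "missing data_class tag, cannot apply data-handling policy"


RULES = [encrypted_at_rest, no_public_buckets, pii_stays_in_eu,
         export_controlled_not_public, classification_tag_present]


def evaluate(snapshot, rules=RULES):
    """Return the set of (resource id, rule name, message) findings for a snapshot."""
    findings = set()
    for r in snapshot:
        for rule in rules:
            msg = rule(r)
            if msg:
                findings.add((r["id"], rule.__name__, msg))
    return findings


def diff_findings(previous, current):
    """Split a run into findings new since the last run and findings now resolved."""
    return {"new": current - previous, "resolved": previous - current}


if __name__ == "__main__":
    t0 = evaluate(SNAPSHOT_T0)
    # An hour later: vol-2 was re-created encrypted and a new unencrypted vol-3 appeared.
    snapshot_t1 = [dict(r, encrypted=True) if r["id"] == "vol-2" else r for r in SNAPSHOT_T0]
    snapshot_t1.append({"id": "vol-3", "type": "volume", "region": "eu-west-1",
                        "encrypted": False, "tags": {"data_class": "pii"}})
    for kind, items in diff_findings(t0, evaluate(snapshot_t1)).items():
        print(kind, sorted(items))
```

Keeping findings as a set of (resource, rule, message) tuples is what makes the delta cheap: the scheduler stores the last result, re-evaluates on every inventory change, and pages only on `new`, which is the behaviour a yearly or monthly audit cannot give in an environment that changes hourly.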
Are we secure?
Continuous security monitoring Ongoing auditing & management
What about infrastructure and network security?
• Infrastructure and network security are critical areas for cloud-based solutions
• Enterprises have little or no influence on a provider’s implementation and controls in these areas
• A thorough review of the service provider’s policies should be completed as part of the due diligence process during contract negotiation and service sourcing
5 key ways to reduce risk
1. Understand your risk profile
2. Architect for the cloud
3. Robust identity, access management
4. Confirm legal, compliance obligations, due diligence
5. “Clear Responsibility” – CSP, Customer, Both
Cloud security: guidance for critical areas
Architecture
1. Cloud computing architectural framework
Governance
2. Governance and enterprise risk management
3. Legal issues: contracts and electronic discovery
4. Compliance and audit management
5. Information management and data security
6. Interoperability and portability
Operations
7. Traditional security, business continuity, and disaster recovery
8. Data center operations
9. Incident response
10. Application security
11. Encryption and key management
12. Identity, entitlement, and access management
13. Virtualization
Security for the cloud
http://cloudsecurityalliance.org/
https://ccsk.cloudsecurityalliance.org/
Final thoughts
Recognize the threats have changed and become ‘industrialized’
Employ comprehensive and integrated approach to enterprise security & risk management
Conduct security threat analyses for all critical applications
Design in security from the beginning: essential for public cloud usage
Be vigilant: continual compliance monitoring and audits, intrusion testing, verifiable backups…
Thank you
Whitepaper: bit.ly/hpcloudsecurity
Email: [email protected]
URL: hp.com/enterprise/security