Securing the Cloud: Masterclass 2
Lee Newcombe ([email protected])
Infrastructure Services, April 2013
Copyright © Capgemini 2012. All Rights Reserved
Managing Security in the Cloud 2
Agenda
Introduction
The Future Cloud?
The Perfect Storm – BYOD, Social Media, Big Data, Cloud
Service Management -> Service Orchestration?
Identity in the Cloud
Conclusions
The Future Cloud
Public cloud providers likely to continue to be subject to rapid amalgamation
• Terremark – bought by Verizon
• Savvis – bought by CenturyLink
• Heroku – bought by Salesforce.com
• Nimbula – bought by Oracle
Amalgamation will lead to a smaller set of major public cloud providers
• Smaller players will exist to serve niche markets (e.g. HMG)
Big outsourcing firms will continue to offer “enterprise” cloud services
• Likely to continue to struggle to justify premiums over the likes of AWS
The Future Cloud (continued)
Interoperability will remain problematic
• Niche vendors will continue to exist to enable cross-cloud operations
• Rising importance of service brokers and SIAM capabilities
“Cloud First” attitude will become standard – not just in Government
Compromises will occur. The sky will fall… but the cloud paradigm will survive.
Evolving Compliance Requirements
“The DPA requires the data controller to have a written contract … requiring that the ‘data processor is to act only on instructions from the data controller’ and ‘the data processor will comply with security obligations equivalent to those imposed on the data controller itself.’”
“Cloud customers should take care if a cloud provider offers a ‘take it or leave it’ set of terms and conditions without the opportunity for negotiation. Such contracts may not allow the cloud customer to retain sufficient control over the data in order to fulfil their data protection obligations. Cloud customers must therefore check the terms of service a cloud provider may offer to ensure that they adequately address the risks discussed in this guidance.”
Evolving Compliance Requirements
“It’s important to note that all cloud services are not created equal. Clear policies and procedures should be agreed between client and cloud provider for all security requirements, and responsibilities for operation, management and reporting should be clearly defined and understood for each requirement.”
“Without adequate segmentation, all clients of the shared infrastructure, as well as the CSP, would need to be verified as being PCI DSS compliant in order for any one client to be assured of the compliance of the environment. This will likely make compliance validation unachievable for the CSP or any of their clients.”
Assurance – new Standards
SAS70 -> SSAE16
• Requires details of the “system” – not just the controls
• Requires a written statement of assertion from management
Cloud Security Alliance Open Certification Framework (OCF)
https://cloudsecurityalliance.org/research/ocf/
AWS Changes – Evolving Security
Release: Amazon EC2 on 2013-03-11 http://aws.amazon.com/releasenotes/4286407650196705
The Perfect Storm - BYOD
Bring Your Own Device (BYOD)… or Bring Your Own Disaster?
BYOD or CYOD?
• Business-driven desire for mobile working
End point protection
• Entry point to your trusted domain
• Holds your data
• Duress?
Data Protection
• Better in the cloud?
• Encrypted on device?
• Remote wipe? Of my device?!
Mobile Device Management
The Perfect Storm - Social Media
Twitter, LinkedIn, Facebook, Google+, etc. – the “Consumer Cloud”
Reputation Management
• Damaging Tweets by employees
• Damaging comments from customers
• Hacked accounts: Burger King, BBC…
Personal vs Business
• Identity in the cloud? More later
Data exfiltration
• Are you monitoring the data your users send via these channels?
The Perfect Storm – Big Data
Big Data
How big is big? NoSQL?
Pseudonymisation… Anonymisation…
• Fine so long as the attacker knows nothing else about the target (no auxiliary data to link the records against)
• Fine so long as compute resource remains expensive and exclusive (which, with cloud, it no longer is)
CSA Big Data Working Group, Big Data Top Ten: https://downloads.cloudsecurityalliance.org/initiatives/bdwg/Big_Data_Top_Ten_v1.pdf
Big Data (continued)
Where is the data coming from?
• Trust?
• Validation?
Where are you going to put it?
• NoSQL vs RDBMS?
• Cloud or on-premise?
How are you going to control access to it?
Compliance
• How much anonymisation is enough?
ICO anonymisation code of practice: http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/~/media/documents/library/Data_Protection/Practical_application/anonymisation_code.ashx
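As an added illustration (not part of the original slides), the two “fine so long as” conditions from the Big Data slide, run against a constructed HR extract. The key value, the records and the column names are all assumptions made up for the example. The first half shows that an unkeyed hash of a low-entropy field (a date of birth) is reversible by enumerating the input space, which cheap compute makes trivial; the second shows that even a properly keyed pseudonym does not protect a target whose other attributes the attacker already knows, because the retained columns link on their own.

```python
import datetime
import hashlib
import hmac

# Assumed secret held only by the data controller (example value, not from the slides).
CONTROLLER_KEY = b"hr-extract-pseudonym-key-2013"


def pseudonymise(dob: str, key: bytes = b"") -> str:
    """Replace a date of birth with a 64-bit pseudonym.

    key=b"" reproduces the naive approach (a bare SHA-256 of the value);
    a non-empty key gives an HMAC, which cannot be recomputed without the key.
    """
    if key:
        return hmac.new(key, dob.encode(), hashlib.sha256).hexdigest()[:16]
    return hashlib.sha256(dob.encode()).hexdigest()[:16]


def all_dates(first_year: int = 1940, last_year: int = 2000):
    """Every ISO date in the range: roughly 22,000 candidates, i.e. the whole input space."""
    day = datetime.date(first_year, 1, 1)
    while day.year <= last_year:
        yield day.isoformat()
        day += datetime.timedelta(days=1)


def reverse_unkeyed(pseudonym: str):
    """Recover a date of birth from its unkeyed pseudonym by enumerating all dates.

    This is the 'compute is cheap' failure: with a small input space the hash is just
    a lookup table. Run against a keyed pseudonym the same loop finds nothing.
    """
    for dob in all_dates():
        if pseudonymise(dob) == pseudonym:
            return dob
    return None


# Constructed sample extract (not real data). The pseudonym column is keyed, so it
# cannot be reversed; the columns kept for the analysts are the problem instead.
RECORDS = [
    {"id": pseudonymise("1970-03-02", CONTROLLER_KEY), "postcode": "SE1", "age_band": "40-49", "salary_band": "D"},
    {"id": pseudonymise("1985-11-20", CONTROLLER_KEY), "postcode": "SE1", "age_band": "20-29", "salary_band": "B"},
    {"id": pseudonymise("1968-07-09", CONTROLLER_KEY), "postcode": "M1", "age_band": "40-49", "salary_band": "C"},
    {"id": pseudonymise("1966-01-30", CONTROLLER_KEY), "postcode": "M1", "age_band": "40-49", "salary_band": "E"},
]


def link_by_quasi_identifiers(records, postcode: str, age_band: str):
    """Re-identification by linkage: an attacker who already knows where the target
    lives and roughly how old they are filters on those columns. One surviving row
    means the 'anonymised' salary band is the target's; several rows mean the
    target is still hidden in a crowd of that size."""
    return [r for r in records if r["postcode"] == postcode and r["age_band"] == age_band]


if __name__ == "__main__":
    naive = pseudonymise("1970-03-02")
    print("unkeyed pseudonym", naive, "->", reverse_unkeyed(naive))
    keyed = pseudonymise("1970-03-02", CONTROLLER_KEY)
    print("keyed pseudonym  ", keyed, "->", reverse_unkeyed(keyed))
    print("rows for SE1/40-49:", link_by_quasi_identifiers(RECORDS, "SE1", "40-49"))
    print("rows for M1/40-49: ", link_by_quasi_identifiers(RECORDS, "M1", "40-49"))
```

The keyed pseudonym answers only the first attack. Whether the extract is “anonymised enough” depends on the second: how many rows survive once the attacker filters on what they already know, which is a property of the retained columns and the population, not of the hash.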
The Perfect Storm - Cloud
Cloud is the ANSWER!
But what was the question?
Putting it all together…
Big Data: social media usage, research and development modelling, device and data usage (SIEM)
• Stored and processed in the cloud, in NoSQL (not much security there either)
• Accessed from users’ personal devices
Anybody see any security issues here?
Putting it all together… to fix it
• Mobile Device Management
• DRM?
• Big Data security… see the CSA paper
• Anonymisation
• Security Architecture
Service Integration and Management - SIAM
From Systems Integrators to Service Integrators:
Service Management
• Management of infrastructure – owned or client assets
Service Integration
• Service consolidation
• Opportunity to leverage service desk and management assets
Service Aggregation
• “Service Broker”
• Enabler of Cloud propositions
Service Orchestration
• Aggregation and orchestration of many cloud-based services
SIAM and Security
Sits across the top of the cloud services
• Responsible for ensuring consistent service levels to the customer across their cloud services
• Harmonisation/orchestration of disparate SLAs
But also a good place to incorporate a central set of security capabilities:
• Security Monitoring
• Identity and Access Management
• Certificate Authority
• Service Monitoring and Management
• Security Management
• Consistent content filtering?
• Consistent network access controls?
Potentially a cloud service itself
Identity in the Cloud
Digital Identity: “a set of claims made by one digital subject about itself or another digital subject.”
– Kim Cameron’s Laws of Identity, http://www.identityblog.com/?p=354
Jericho Forum Identity Commandments: https://collaboration.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf
Physical entities can have more than one persona…
• Employee
• Husband
• Father
• Elven Wizard
• Citizen
• Customer
• Shadowy criminal mastermind
Identity in the Cloud
Identities are necessary to establish relationships
• Especially commercial relationships
• But also citizen and HMG interactions
It is not necessary for EVERY relationship I have to know EVERYTHING about all of my identities
Identity Providers
• More like Persona Providers. But IdP is the standard term…
Attribute Providers
• Is my driving licence valid?
• Is my CLAS membership valid?
• Am I really tall, dark, handsome and incredibly wealthy?
• You also need to trust your Attribute Providers.
Federated Identity Management
Cabinet Office Citizen Identity Assurance Model
“Our preferred solution suggests the use of ‘hubs’ (technical intersections) which allow identities to be authenticated by contracted private sector organisations without an individual’s data being centrally stored or privacy being breached by unnecessary data and details of the user being openly ‘shared’ with either transacting party.”
Federated Identity Management
Better for your organisation
• Establish a single identity repository and federate out across your cloud services
• Manage identity and provisioning in one place
• Easier to plug’n’play cloud services through identity re-use
• Less management overhead – federate with your trusted partners
• Caveat: the identity provider becomes the one point whose compromise affects every federated service, so it needs the strongest controls you have
Better for your customers
• Less of their data will be compromised in a single event (each service holds only the claims it needs, not a full set of credentials)
• Fewer passwords to remember
• Consider integration with the consumer cloud via OAuth, OpenID, Facebook Connect etc.
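As an added example (not part of the original slides and not any real IdP’s protocol), the claims model from the Identity section reduced to code: an identity provider holds a full persona record but issues each relying party only the claims that party is entitled to, signed and bound to that party and a short validity window; the relying party verifies the signature, the issuer, the audience and the time window before trusting any claim. The IdP name, the shared key, the persona record and the entitlement table are all assumptions made up for the example; a real IdP would sign with an asymmetric key (as SAML and OpenID Connect do) so that relying parties cannot mint assertions themselves.

```python
import base64
import hashlib
import hmac
import json

# Assumed: a symmetric key shared between the IdP and its relying parties (example only;
# with an asymmetric key the relying parties would hold only the verification half).
IDP_NAME = "idp.example"
IDP_KEY = b"idp-signing-key-example-only"

# Constructed full persona record held by the IdP. No relying party ever sees all of it.
PERSONA = {
    "subject": "user-7f3a",           # stable pseudonymous handle, not a real name
    "employer": "Example Ltd",
    "driving_licence_valid": True,    # an attribute the IdP vouches for
    "clas_member": True,
    "date_of_birth": "1970-03-02",
}

# Minimal disclosure: each relying party is entitled only to the claims its contract names.
ENTITLEMENTS = {
    "car-hire.example": ["driving_licence_valid"],
    "hmg-portal.example": ["subject", "clas_member"],
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(relying_party: str, now: int, ttl: int = 300) -> str:
    """IdP side: sign only the entitled claims, bound to one audience and a short validity window."""
    claims = {name: PERSONA[name] for name in ENTITLEMENTS[relying_party]}
    body = {"iss": IDP_NAME, "aud": relying_party, "iat": now, "exp": now + ttl, "claims": claims}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_assertion(token: str, expected_rp: str, now: int):
    """Relying-party side. Returns the claims, or None when the assertion must be rejected:
    malformed, not signed by the trusted IdP, addressed to a different relying party,
    or outside its validity window (the tampering, wrong-audience and replay cases)."""
    try:
        payload_b64, signature_b64 = token.split(".")
        payload, signature = _unb64(payload_b64), _unb64(signature_b64)
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                       # tampered, or forged without the key
    body = json.loads(payload)
    if body.get("iss") != IDP_NAME or body.get("aud") != expected_rp:
        return None                       # assertion meant for another relying party
    if not (body.get("iat", 0) <= now < body.get("exp", 0)):
        return None                       # expired, or not yet valid
    return body["claims"]


if __name__ == "__main__":
    token = issue_assertion("car-hire.example", now=1000)
    print("car hire sees:", verify_assertion(token, "car-hire.example", now=1100))
    print("replayed to HMG portal:", verify_assertion(token, "hmg-portal.example", now=1100))
    print("presented after expiry:", verify_assertion(token, "car-hire.example", now=1300))
```

The audience check is the one most often skipped in home-grown federation: without it, a token issued for the car-hire site is accepted by the HMG portal, and the “less data compromised in a single event” benefit collapses into one token that opens every door.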
Conclusions
• The Cloud market will change rapidly over the next few years
  • More accepted
  • Fewer players
• Cloud risks stay much the same
  • Same threat actors
  • Same vulnerabilities
  • Potentially greater impacts as usage increases
• The “Perfect Storm” will begin to worry end users
  • Humans don’t like to be watched
  • Anonymisation doesn’t often really work for both data controller and data subject
• Federated identity management will be the way ahead
• Getting your SIAM right is key to successful operation in the Cloud
Q&A
Securing the Cloud: More Workshops!
• Moving HR to the cloud
• Moving R&D services to the cloud
• Retiring and replacing your collaboration platform
Presenters: John Martinez, John Arnold, Lee Newcombe
The information contained in this presentation is proprietary. Rightshore® is a trademark belonging to Capgemini.
© 2012 Capgemini. All rights reserved.
www.capgemini.com
About Capgemini
With more than 120,000 people in 40 countries, Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. The Group reported 2011 global revenues of EUR 9.7 billion. Together with its clients, Capgemini creates and delivers business and technology solutions that fit their needs and drive the results they want. A deeply multicultural organization, Capgemini has developed its own way of working, the Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.