Security, Privacy and the Cloud
Connecticut Community Providers’ Association
June 20, 2014
Steven R Bulmer, VP of Professional Services
Agenda
• Introduction to Cloud Computing Models
• Top Threats
• Categorical Approach to Cloud Security
• Technology Areas of Focus
• Encryption
Definitions – Cloud Computing
Cloud Computing is:
A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications & services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model promotes availability and is composed of:
• 5 essential characteristics
• 3 service models
• 4 deployment models
- National Institute of Standards and Technology
http://csrc.nist.gov/groups/SNS/cloud-computing
Cloud Definitions Cont’d
Cloud Characteristics
1. On-demand Self-Service – User provisions their services
2. Ubiquitous Network Access – Standard network or mobile access
3. Resource Pooling – Shared resources and location independence
4. Elasticity – Capabilities scaled or released “rapidly”
5. Measured Service – Metered, monitored and billed as utility
Cloud Definitions Cont’d
Cloud Service Models
1. Software as a Service (SaaS) – User access to the application layer
2. Platform as a Service (PaaS) – User deployment using providers’ tools
3. Infrastructure as a Service (IaaS) – User access to IT infrastructure
Cloud Definitions Cont’d
Cloud Deployment Models
1. Private Cloud – Deployed for a single organization or company
2. Community Cloud – Shared by organizations with similar needs
3. Public Cloud – Cloud services available to all and shared
4. Hybrid Cloud – Two or more clouds with operational relationship
[Figure: Cloud Layers. Stack of Business Services, Application Logic, Middleware/DB and Infrastructure, showing which layers are Customer Provided and which are Cloud Provided under SaaS, PaaS and IaaS]
Top Cloud Security Threats
1. Data Breaches
2. Data Loss
3. Account or Service Traffic Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service Attacks
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities
Source: Cloud Security Alliance, cloudsecurityalliance.org
Approach to Security in the Cloud
Governance
• Assessing the Risk
• Managing and Measuring Posture and Response
Compliance
• Direct policy and technology requirements to meet regulations
Architecture
• The technical components and their inherent strengths and weaknesses
Resiliency
• The ability to withstand and/or recover from an incident
Process
• Established, regular, IT practices that ensure policy adherence
Access
• Identity and authentication
Security in the Cloud
Category: Focus Areas / Tasks / Applicability
Governance
• Focus Areas: Regulations; Data Location; eDiscovery; Evaluation
• Tasks: Risk Assessment / Analysis; Audit Controls; Audits
• Applicability: PCI 5, 6, 11; HIPAA (C) 164.308, 312, 314
Compliance
• Focus Areas: Data Location; eDiscovery; Device & Media Control
• Tasks: Policy Development; Policy Enforcement; eMail Archiving
• Applicability: PCI DSS, PA-DSS; HIPAA 160.203, 164.308; SEC Rule 17a-3,4
Architecture
• Focus Areas: Attack Surface; Isolation/Separation; Network Security
• Tasks: Systems and Application Configuration Policy
• Applicability: PCI 1, 2; PA-DSS; HIPAA 164.312
Resiliency
• Focus Areas: Availability; Data Protection; Disaster Recovery
• Tasks: Contingency Planning; Encryption; Media Management
• Applicability: PCI 3, 4; FISMA; HIPAA 164.308, 310
Process
• Focus Areas: Incident / Change Mgmt; Security Mgmt / Monitoring
• Tasks: Response Reporting; Proactive Monitoring
• Applicability: PCI 10, 11; HIPAA 164.316
Access
• Focus Areas: Identity / Authentication; Access Controls
• Tasks: Unique User ID; Access Policies; Remote Access Policy
• Applicability: PCI 7, 8, 9; HIPAA 164.308
Technical Focus
Architecture
• Provisioning Process and Capability
• Software / Network Isolation
• Multi-tenancy vs Dedicated
• Hypervisor structure
• Network structure
• Security Infrastructure
Resiliency/Availability
• Business Continuity and Disaster Recovery
• Data Integrity
Identity and Access Management
• Authentication tie-ins to customer, stand alone
Data Protection
• Backups and Recovery
• Data Location and Encryption
• Physical Security
A Few Words On Encryption
Encryption Built into Cloud Service vs Encrypting at the Source
• SaaS and PaaS:
• SSL based transfer prior to encryption in the cloud
• Read and Understand the Privacy Policy
• Cloud Storage
• Encrypt locally, then store in the cloud (e.g. Dropbox)
o Viivo, Sookasa, BoxCryptor, CloudFogger
• Use an integrated hybrid cloud storage solution
o Wuala, SpiderOak, Tresorit
• Use Appliance Based Backups & BC
o Walker/Datto
Encryption (cont’d)
Cloud Storage Features to Look For:
• Granularity: File vs Container vs Volume
• Key Management
• Administrative Features to meet your needs (e.g. compliance)
• Does it work with the service(s) you use?
• Dropbox, Box.com, Google Drive, Microsoft SkyDrive, Amazon S3
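Added example (not part of the original slides): encrypting at the source with file-level granularity and a customer-held master key, using Ruby's standard OpenSSL binding. The function names, the object layout and the sample file name are assumptions made for illustration; the products named above use their own formats.

```ruby
require 'openssl'

NONCE_LEN = 12 # 96-bit GCM nonce
TAG_LEN = 16   # 128-bit GCM authentication tag

# Returns nonce || tag || ciphertext. The object name is authenticated as
# associated data, so a blob cannot be silently moved to another name.
def seal(key, plain, name)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key          # raises ArgumentError unless the key is 32 bytes
  nonce = c.random_iv  # fresh random nonce for every message
  c.auth_data = name
  ct = (plain.empty? ? ''.b : c.update(plain)) + c.final
  nonce + c.auth_tag + ct
end

# Raises OpenSSL::Cipher::CipherError on a wrong key, wrong name or altered byte.
def unseal(key, blob, name)
  raise ArgumentError, 'truncated object' if blob.bytesize < NONCE_LEN + TAG_LEN
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, NONCE_LEN)
  d.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  d.auth_data = name
  ct = blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)
  (ct.empty? ? ''.b : d.update(ct)) + d.final
end

# Encrypt at the source: one random data key per file (file-level granularity).
# Only ciphertext and the wrapped data key are handed to the storage provider.
def encrypt_for_upload(master_key, name, data)
  data_key = OpenSSL::Random.random_bytes(32)
  { name: name, wrapped_key: seal(master_key, data_key, name), body: seal(data_key, data, name) }
end

def decrypt_after_download(master_key, obj)
  data_key = unseal(master_key, obj[:wrapped_key], obj[:name])
  unseal(data_key, obj[:body], obj[:name])
end

# Master-key rotation re-wraps the small data key; the file body is untouched.
def rewrap(old_master, new_master, obj)
  data_key = unseal(old_master, obj[:wrapped_key], obj[:name])
  obj.merge(wrapped_key: seal(new_master, data_key, obj[:name]))
end

master = OpenSSL::Random.random_bytes(32) # constructed demo key, never uploaded
obj = encrypt_for_upload(master, 'clients/intake.txt', 'constructed sample record')
puts decrypt_after_download(master, obj)
```

Losing the master key makes every stored object unrecoverable, so the key needs its own backup outside the cloud account.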
Sources
• Cloud Security Alliance: http://cloudsecurityalliance.org
• NIST Cloud Computing Definition: http://csrc.nist.gov/groups/SNS/cloud-computing
• CSA Top Nine Cloud Computing Threats White Paper: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
• HIPAA Guidelines Simplified from HHS: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
• NIST Cloud Security for Federal Agencies White Paper: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494