Transforming cloud security into an advantage
TRANSCRIPT
![Page 1: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/1.jpg)
Cloud Security: from risk to business advantage
Moshe Ferber, CCSK
![Page 2: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/2.jpg)
Cloud Security Alliance
About me:
• Moshe Ferber, 37, lives in Modiin (+2).
• Information security professional for over 15 years.
• Managed the security department for Ness Technologies.
• Founded Cloud7, an Israel-based MSSP (currently owned by Matrix).
• Shareholder at Clarisite.
• Shareholder at FortyCloud.
• Member of the board at Macshava Tova.
• Certified instructor for the Cloud Security Alliance.
![Page 3: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/3.jpg)
Agenda
• Introduction to cloud computing
• Creating trust
• Security in the development phase
• Security in the operation phase
![Page 4: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/4.jpg)
Agenda
• Introduction to cloud computing
• Evaluating your cloud solution
• Operating in the cloud
• Virtualization security
![Page 5: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/5.jpg)
Hitler and Cloud Computing
![Page 6: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/6.jpg)
What is cloud computing?
“Cloud computing is nothing more than a faddish term for the established concept of computers linked by networks.” Larry Ellison, Oracle
![Page 7: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/7.jpg)
What is cloud computing?
NIST model of cloud computing, the five essential characteristics:
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
![Page 8: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/8.jpg)
Cloud computing does not mean virtualization *
* Although they usually go hand in hand…
![Page 9: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/9.jpg)
Cloud Service Models
![Page 10: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/10.jpg)
Security impact of the SPI stack
• The lower down the stack the cloud service provider stops, the more security capabilities and management the consumer is responsible for implementing and managing.
(Figure: security responsibility shifts from the provider toward the customer as the service model moves from SaaS through PaaS to IaaS.)
![Page 11: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/11.jpg)
Cloud deployment models
• Public cloud
• Private cloud
• Community cloud
• Hybrid cloud
![Page 12: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/12.jpg)
Agenda
• Introduction to cloud computing
• Creating trust
• Operating in the cloud
• Virtualization security
![Page 13: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/13.jpg)
Security in cloud computing is a major concern
![Page 14: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/14.jpg)
But cloud providers can make it an advantage
![Page 15: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/15.jpg)
3 steps for turning security risks into a security advantage
• Creating trust
• Security in the development process
• Security in the operation process
![Page 16: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/16.jpg)
Create common trust
• Make sure that you and your customers speak the same language.
• Transparency, planning and taking risks are key success factors for this process.
• Standards are a great way of establishing common ground for discussion.
• Contracts and SLAs will define the partnership.
![Page 17: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/17.jpg)
Creating trust
• Transparent legal documents
• Know your regulation
• Define who does what
![Page 18: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/18.jpg)
Who does what?
Taken from: Ponemon Institute, Security of Cloud Computing Users study, 2013.
Research shows that many organizations do not understand the shared responsibilities between customer and provider in cloud computing.
![Page 19: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/19.jpg)
Responsibilities

| Model | Provider | Customer |
|---|---|---|
| IaaS | Infrastructure only | All guest and application security |
| PaaS | Platform security | Application security |
| SaaS | Infrastructure & application security | Contractual controls |
![Page 20: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/20.jpg)
PCI cloud guidelines
![Page 21: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/21.jpg)
Legal documents
• Adjust your contracts to reflect the nature of the cloud (this is not a software licensing agreement).
• Do not over-complicate.
• Provide a security policy statement.
• Specify how you help the customer avoid vendor lock-in and unexpected termination.
![Page 22: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/22.jpg)
Don't forget your liabilities as a provider:
• Responsible for the actions of your own providers.
• Compliance in the service.
• Answering subpoenas and e-discovery.
• Data loss / recovery.
• Conforming with the specification.
• Fixing breakdowns.
• SLA: uptime, downtime notice & POC.
• Indemnity.
Jurisdictional factors that shape these liabilities: location of services, contract jurisdiction, standard of care, applicable legislation, treaties.
![Page 23: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/23.jpg)
Know your regulations:
• ISO 27001 – adopted by the cloud industry, although it has no real reference to cloud (ISO 27017 is planned, but still a draft).
• SSAE 16 – has some level of cloud detail; verify the scope of the report.
• FIPS 140-2 – US standard for validating the cryptographic modules used to protect sensitive data.
• PCI – many resources on adapting PCI DSS to cloud environments, including the PCI cloud guidelines.
• ENISA – guide of cloud security recommendations.
• ILITA (Israel) – guidelines for outsourcing computer data, including cloud references.
![Page 24: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/24.jpg)
Security standards for cloud computing (cont.)
• CSA – responsible for CSA STAR levels 1 (self-assessment), 2 (third-party certification or attestation: ISO 27001 or SOC 2 augmented with the additional controls of the Cloud Controls Matrix, CCM) and 3 (continuous monitoring).
• FedRAMP – defines the federal policy regarding the use of cloud services within the US federal government; based on NIST guidelines.
![Page 25: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/25.jpg)
Useful tools
![Page 26: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/26.jpg)
Agenda
• Introduction to cloud computing
• Creating trust
• Security in the development phase
• Virtualization security
![Page 27: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/27.jpg)
Security in the development process
Three pillars: design to security; integrate security into the software life cycle; plan your security testing.
Practices shown on the slide:
• Threat modeling (including cloud threats)
• Access controls
• Coding standard (based on the relevant regulation)
• Code review
• SDLC checkpoint
• Cloud provider APIs
• Static analysis
• Dynamic analysis
• Vulnerability scanning
• Penetration test
![Page 28: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/28.jpg)
Design to security
• SDLC in the cloud requires us to integrate the cloud provider and consumer into the process.
• A security referent should be present on each development team.
• Threat modeling should include cloud-specific threats.
• The SDLC can be any standard in the market, as long as you remember to adjust responsibilities.

Who owns security in each SDLC stage, per service model:

| | Architecture & Design | Development | Test | Production |
|---|---|---|---|---|
| IaaS | Cloud Consumer | Cloud Consumer | Shared | Shared |
| PaaS | Shared | Cloud Consumer | Shared | Shared |
| SaaS | Shared | Cloud Provider | Cloud Provider | Cloud Provider |
![Page 29: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/29.jpg)
Identity management
Identity is the perimeter. Identity lifecycle. Access control. Authentication.
• Cloud consumers prefer to extend their existing identities to the cloud instead of creating new ones.
• Identity Providers are a growing service.
• SCIM is marked as the new standard for provisioning (replacing SPML).
• XACML is a growing standard for access management.
• Best practice separates the Policy Decision Point (PDP) from the Policy Enforcement Point (PEP).
• The challenge is to leverage the customer's current authentication mechanism.
• Identity federation is a growing market.
• SAML, OpenID and OAuth can help a SaaS provider meet customers' requirements.
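The PDP/PEP separation recommended above, as an added example that is not part of the original slides or of any product they mention: a minimal attribute-based policy engine in the style of XACML. The PDP only answers Permit or Deny for a request described by subject, resource and action attributes; the PEP sits in the request path, asks the PDP, enforces the answer and records it. The policy rules, tenant names, roles and attribute names are hypothetical.

```python
"""Policy Decision Point / Policy Enforcement Point separation (added example).

The PDP evaluates rules over request attributes and never touches the
protected operation; the PEP wraps the operation and only enforces the
PDP's answer. Rules, tenants, roles and attribute names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict     # attributes of the authenticated caller
    resource: dict    # attributes of the object being accessed
    action: str       # e.g. "read", "write", "delete"


@dataclass
class Rule:
    name: str
    effect: str       # "Permit" or "Deny"
    condition: Callable[[Request], bool]


@dataclass
class PolicyDecisionPoint:
    """First applicable rule wins (XACML 'first-applicable' combining)."""
    rules: list = field(default_factory=list)

    def decide(self, req: Request) -> str:
        for rule in self.rules:
            if rule.condition(req):
                return rule.effect
        return "Deny"   # deny by default when no rule applies


class AccessDenied(PermissionError):
    pass


class PolicyEnforcementPoint:
    """Wraps the protected operation; never decides, only enforces and logs."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit = []   # (decision, subject id, action, resource id)

    def enforce(self, req: Request, operation: Callable[[], object]):
        decision = self.pdp.decide(req)
        self.audit.append((decision, req.subject["id"], req.action, req.resource["id"]))
        if decision != "Permit":
            raise AccessDenied(f"{req.subject['id']} may not {req.action} {req.resource['id']}")
        return operation()


def same_tenant(req: Request) -> bool:
    return req.subject.get("tenant") == req.resource.get("tenant")


# Hypothetical multi-tenant policy: tenants are isolated; only owners may
# delete; members may read and write inside their own tenant.
DEFAULT_PDP = PolicyDecisionPoint(rules=[
    Rule("cross-tenant", "Deny", lambda r: not same_tenant(r)),
    Rule("owner-delete", "Permit", lambda r: r.action == "delete" and r.subject.get("role") == "owner"),
    Rule("member-rw", "Permit", lambda r: r.action in ("read", "write")),
])


def try_access(subject: dict, resource: dict, action: str, pdp=DEFAULT_PDP) -> str:
    """Run a hypothetical operation through the PEP; return "ok" or "denied"."""
    pep = PolicyEnforcementPoint(pdp)
    try:
        return pep.enforce(Request(subject, resource, action), lambda: "ok")
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    alice = {"id": "alice", "tenant": "acme", "role": "member"}
    bob = {"id": "bob", "tenant": "acme", "role": "owner"}
    mallory = {"id": "mallory", "tenant": "evil", "role": "owner"}
    doc = {"id": "doc-1", "tenant": "acme"}
    for who, act in ((alice, "read"), (alice, "delete"), (bob, "delete"), (mallory, "read")):
        print(who["id"], act, "->", try_access(who, doc, act))
```

Because the PEP holds no policy of its own, the same PDP can serve several enforcement points (API gateway, storage layer, admin console) and a policy change is made in one place; the ordering of rules matters, which is why the cross-tenant Deny comes first.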
![Page 30: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/30.jpg)
Analysis & pen test
• Dynamic and static analysis should be integrated into the SDLC.
• Penetration tests and vulnerability scans are a must in some standards and regulations, and should be done periodically.
• Scan results and pen test reports should be available to customers.
• Customers should have the ability to coordinate scans and penetration tests.
![Page 31: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/31.jpg)
Useful tools
• Vulnerability management as a service is very popular; just make sure the service is cloud-API aware.
• Code review and Web Application Firewalls can also be used as a service.
• New standards such as SAML, SCIM and XACML can assist.
![Page 32: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/32.jpg)
Chapter 4
• Introduction to cloud computing
• Creating trust
• Security in the development phase
• Security in the operation phase
![Page 33: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/33.jpg)
Security in the operation phase
• Data lifecycle management: encrypt, encrypt, encrypt; access control.
• Transparency in operations: clear policy and standards; monitoring.
• Incident management: what is an incident?; incident life cycle.
![Page 34: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/34.jpg)
Data lifecycle
• Classification
• Encryption
• Access control
• Archiving and termination
![Page 35: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/35.jpg)
Encryption of data at rest
• Level? File level, database level, volume level, storage level, application level.
• By? Proxy, infrastructure.
• Keys? Provider, customer.
![Page 36: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/36.jpg)
![Page 37: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/37.jpg)
Transparency in operations
Customers will expect:
• A clear security policy.
• A change management process.
• DR / BC procedures.
• Backup and restore procedures, and their testing.
• Notice of maintenance and service time.
• A clear information channel regarding malfunctions.
• An SLA for coordinating audits / VA / pen tests.
• Visibility into the operations.
(Embedded attachment: Amazon Web Services – Request vulnerability scan form.)
![Page 38: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/38.jpg)
Monitoring applications
• Log monitoring: not just for compliance.
• Performance monitoring: availability and more.
• Monitoring for malicious use: tie it to alerting.
• Monitoring for compromise: analytics are helpful here.
• Monitoring for policy violations: access control, authorized use.
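An added example of what "tie it to alerting" and "monitoring for policy violations" look like as code; it is not from the original slides or any product they name. The log format, field names, thresholds and the sample log lines are all constructed for the illustration. Three of the goals above become rules over one log stream: a brute-force login pattern (malicious use), a successful login or privileged action from a source that has just brute-forced (compromise, correlated with the earlier alert), and an object read across a tenant boundary (policy violation).

```python
"""Detection rules over application logs (added example, constructed data).

Log format (hypothetical): ISO-8601 timestamp followed by key=value fields.
The rules, thresholds and field names are assumptions for the illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log for the example.
SAMPLE_LOG = """\
2013-05-01T10:00:01Z tenant=acme user=alice src=203.0.113.5 event=login result=fail
2013-05-01T10:00:03Z tenant=acme user=alice src=203.0.113.5 event=login result=fail
2013-05-01T10:00:04Z tenant=acme user=alice src=203.0.113.5 event=login result=fail
2013-05-01T10:00:06Z tenant=acme user=alice src=203.0.113.5 event=login result=fail
2013-05-01T10:00:07Z tenant=acme user=alice src=203.0.113.5 event=login result=fail
2013-05-01T10:00:09Z tenant=acme user=alice src=203.0.113.5 event=login result=ok
2013-05-01T10:01:00Z tenant=acme user=bob src=198.51.100.7 event=login result=ok
2013-05-01T10:01:30Z tenant=acme user=bob src=198.51.100.7 event=object_read object=doc-9 object_tenant=globex
2013-05-01T10:02:00Z tenant=globex user=carol src=192.0.2.44 event=login result=ok
2013-05-01T10:02:10Z tenant=globex user=carol src=192.0.2.44 event=object_read object=doc-9 object_tenant=globex
2013-05-01T10:05:00Z tenant=acme user=alice src=203.0.113.5 event=api_key_create
"""

FAIL_THRESHOLD = 5                     # hypothetical tuning values
FAIL_WINDOW = timedelta(seconds=60)
PRIVILEGED = {"api_key_create", "user_delete", "role_change"}


def parse_line(line: str) -> dict:
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def detect(log_text: str) -> list:
    """Return alerts as (severity, rule, detail) tuples, in log order."""
    alerts = []
    fails = defaultdict(deque)   # src -> timestamps of recent failed logins
    suspect = set()              # sources that crossed the brute-force threshold
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        src, event = r["src"], r["event"]
        if event == "login" and r.get("result") == "fail":
            q = fails[src]
            q.append(r["ts"])
            while r["ts"] - q[0] > FAIL_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) == FAIL_THRESHOLD:          # fire once, when the threshold is crossed
                suspect.add(src)
                alerts.append(("high", "brute_force",
                               f"{len(q)} failed logins from {src} within {FAIL_WINDOW.seconds}s"))
        elif event == "login" and src in suspect:
            alerts.append(("critical", "suspected_compromise",
                           f"successful login for {r['user']} from brute-forcing source {src}"))
        elif event == "object_read" and r.get("object_tenant") != r["tenant"]:
            alerts.append(("high", "cross_tenant_access",
                           f"{r['user']}@{r['tenant']} read {r['object']} owned by {r['object_tenant']}"))
        elif event in PRIVILEGED and src in suspect:
            alerts.append(("critical", "privileged_from_suspect_source",
                           f"{event} by {r['user']} from {src}"))
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {detail}")
```

The cross-tenant rule is the one the provider owes its customers: the application must log the owning tenant of every object touched, or the violation is invisible. The compromise rules show why state carried between events matters; a stateless per-line filter cannot connect the successful login to the failures that preceded it.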
![Page 39: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/39.jpg)
Incident management
• Define together with your customers what an "incident" is.
• The nature of the cloud makes some kinds of incident more likely and others less likely.
• Consider attacks targeted at the cloud infrastructure provider and how they affect your systems.
• Legislative and regulatory regimes may have different requirements for incident management.
• Plan your containment policy for cases where the attack is focused on a specific customer.
• Provide your customer with a POC and make sure you have communication channels to reach them.
Incident life cycle: Preparation; Detection & Analysis; Containment; Eradication & Recovery.
![Page 40: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/40.jpg)
Useful tools
• COBIT / ITIL can make a good framework for building correct operations standards.
• Twitter turned out to be a great tool for information distribution.
• NIST SP 800-61 is a great start for incident management.
![Page 42: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/42.jpg)
US legal particulars
• US privacy law is made up of federal legislation and state-level regulation.
• The 4th Amendment is the basic pillar of privacy in the US, but its protection generally does not extend to data held by a third-party cloud provider.
• FISA, the Patriot Act and the Protect America Act grant the US government the right to compel a cloud provider to deliver customer data.
• US law (the Federal Rules of Civil Procedure, FRCP) requires the provider to plan for the capability to respond to legal-hold requests on documents.
![Page 43: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/43.jpg)
European legal particulars
• EU privacy law prohibits transfer of EU data outside the EU unless it will receive the same level of protection.
• US-based companies enjoyed the Safe Harbor agreement for processing EU data.
• On July 2, 2012, the Article 29 Working Party issued an opinion stating that Safe Harbor controls alone are not sufficient for cloud computing.
![Page 44: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/44.jpg)
What we secure:
• Data: make sure that data in the cloud is secured along the whole data lifecycle.
• Application: make sure the application meets the standards and risks.
• Users: make sure that the user lifecycle matches the standards and risks.
![Page 45: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/45.jpg)
Data security lifecycle

| Phase | Controls |
|---|---|
| Create | Classify; Assign rights |
| Store | Access controls; Encryption; Rights management; Content discovery |
| Use | Activity monitoring and enforcement; Rights management; Logical controls; Application security |
| Share | DLP; Encryption (SSL/HTTPS); Logical controls; Application security |
| Archive | Encryption; Asset management |
| Destroy | Crypto-shredding; Secure deletion; Content discovery |
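An added example, not from the original slides, serving both the "Encryption of data at rest: Keys? Provider / Customer" question and the Destroy phase above. It shows application-level envelope encryption with a customer-held key-encryption key (KEK): every object gets its own data-encryption key (DEK); the DEK is wrapped with the KEK before upload, so the provider stores only ciphertext plus a wrapped key it cannot open; crypto-shredding then means deleting the wrapped DEK (or the KEK) rather than every copy of the bulk data. The cipher inside is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only so the example runs on the Python standard library; a real deployment uses AES-GCM from a vetted library, and the store and client classes are hypothetical.

```python
"""Customer-held keys, envelope encryption and crypto-shredding (added example).

`encrypt`/`decrypt` are a stand-in authenticated cipher built from HMAC-SHA256
(PRF in counter mode + encrypt-then-MAC) so the example has no dependencies;
use AES-GCM from a vetted library in practice. ProviderStore and
CustomerClient are hypothetical.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc" + key).digest(),   # keystream key
            hashlib.sha256(b"mac" + key).digest())   # tag key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ProviderStore:
    """What the provider holds per object: ciphertext and a wrapped DEK. No KEK."""
    def __init__(self):
        self.objects = {}   # object_id -> (wrapped_dek or None, ciphertext)

    def put(self, object_id, wrapped_dek, ciphertext):
        self.objects[object_id] = (wrapped_dek, ciphertext)

    def get(self, object_id):
        return self.objects[object_id]

    def shred(self, object_id):
        """Crypto-shred: destroy the wrapped DEK; the bulk ciphertext may linger in backups."""
        _, ct = self.objects[object_id]
        self.objects[object_id] = (None, ct)


class CustomerClient:
    """Customer side: owns the KEK and encrypts at the application level before upload."""
    def __init__(self, store: ProviderStore, kek: bytes = None):
        self.store = store
        self.kek = kek or os.urandom(32)

    def upload(self, object_id: str, data: bytes):
        dek = os.urandom(32)                       # one DEK per object
        self.store.put(object_id, encrypt(self.kek, dek), encrypt(dek, data))

    def download(self, object_id: str) -> bytes:
        wrapped, ct = self.store.get(object_id)
        if wrapped is None:
            raise KeyError(f"{object_id}: key material destroyed, data unrecoverable")
        return decrypt(decrypt(self.kek, wrapped), ct)


def demo():
    """Returns (round_trip_ok, provider_sees_plaintext, shred_makes_unrecoverable)."""
    store = ProviderStore()
    client = CustomerClient(store)
    secret = b"cardholder record 4111 1111 1111 1111"
    client.upload("doc-1", secret)
    round_trip = client.download("doc-1") == secret
    provider_sees_plaintext = b"4111" in store.get("doc-1")[1]
    store.shred("doc-1")
    try:
        client.download("doc-1")
        shredded = False
    except KeyError:
        shredded = True
    return round_trip, provider_sees_plaintext, shredded


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is where the KEK lives: with it on the customer side the provider's "Keys?" answer becomes "never held", which is what makes shredding credible, since a deleted wrapped DEK cannot be reconstructed from backups the customer never controlled.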
![Page 46: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/46.jpg)
Identity & access management concerns
• Identity management: lifecycle management may require identity propagation and/or synchronization; identity provisioning; user profile management.
• Access management: authentication can occur on the cloud consumer side or the cloud provider side; authorization can occur on the cloud consumer side, and always occurs on the cloud provider side.
• Federation: managing relationships and policies.
• Compliance: dealing with regulations and audits.
![Page 47: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/47.jpg)
Standards
![Page 48: Transforming cloud security into an advantage](https://reader035.vdocument.in/reader035/viewer/2022062400/58729c8d1a28ab07208b4df9/html5/thumbnails/48.jpg)
SaaS/PaaS provider checklist
1. What provisioning standards do you support today?
2. Do you support SPML? What version? If so, do you have a schema?
3. Do you offer web services for automated provisioning (bulk or single)?
4. Do you offer on-the-fly (just-in-time) provisioning, whereby users are provisioned using a pre-assigned token but activated at the time of online registration?
5. What language support do you offer for clients of provisioning web services? Examples include Java, .NET, Ruby on Rails, PHP, etc.
6. Do you support provisioning via transient federation (SAML)?
7. What logging of provisioning requests is performed, and how is it protected from tampering? What reconciliation mechanisms are available?
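An added example of how a provider could answer item 7 of the checklist; it is not from the original slides or from any provider's product. Every provisioning request (create, update, delete of a user) is appended to a hash chain, so altering or removing an earlier entry is detected by verification; reconciliation replays the log into the provider's account set and compares it with the customer's source directory, reporting accounts to create, orphaned accounts to remove, and attribute drift. The user records and attribute names are hypothetical.

```python
"""Tamper-evident provisioning log and account reconciliation (added example).

Each log entry commits to the previous entry's hash, so the chain only
verifies if every entry is intact and in order. Users and attributes below
are hypothetical.
"""
import hashlib
import json


class ProvisioningLog:
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []   # dicts: prev, op, user, attrs, hash

    @staticmethod
    def _digest(prev: str, op: str, user: str, attrs: dict) -> str:
        payload = json.dumps({"prev": prev, "op": op, "user": user, "attrs": attrs},
                             sort_keys=True, separators=(",", ":"))   # canonical form
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, op: str, user: str, attrs: dict = None) -> str:
        attrs = attrs or {}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"prev": prev, "op": op, "user": user, "attrs": attrs,
                 "hash": self._digest(prev, op, user, attrs)}
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return (True, None) or (False, index of the first entry that breaks the chain)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["op"], e["user"], e["attrs"]):
                return False, i
            prev = e["hash"]
        return True, None

    def replay(self) -> dict:
        """Rebuild the account set the log implies (the provider's current view)."""
        accounts = {}
        for e in self.entries:
            if e["op"] == "delete":
                accounts.pop(e["user"], None)
            else:   # create or update merges attributes
                accounts[e["user"]] = {**accounts.get(e["user"], {}), **e["attrs"]}
        return accounts


def reconcile(source_directory: dict, provider_accounts: dict) -> dict:
    """Compare the customer's IdP view with the provider's view."""
    src, prov = set(source_directory), set(provider_accounts)
    drift = {u: (source_directory[u], provider_accounts[u])
             for u in src & prov if source_directory[u] != provider_accounts[u]}
    return {"missing_at_provider": sorted(src - prov),    # should be provisioned
            "orphaned_at_provider": sorted(prov - src),   # should be deprovisioned
            "attribute_drift": drift}


def build_sample_log() -> ProvisioningLog:
    log = ProvisioningLog()
    log.append("create", "alice", {"role": "member"})
    log.append("create", "bob", {"role": "owner"})
    log.append("update", "alice", {"role": "admin"})
    log.append("create", "carol", {"role": "member"})
    log.append("delete", "carol")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify())
    source = {"alice": {"role": "member"}, "dave": {"role": "member"}}
    print(reconcile(source, log.replay()))
    log.entries[1]["attrs"]["role"] = "admin"      # tamper with an old entry
    print("chain ok after tampering:", log.verify())
```

The chain alone does not stop a provider from rewriting its own log and recomputing every hash; for that, the customer periodically records the latest hash (or the provider publishes it to a store the customer controls), so any rewrite of history disagrees with a value already witnessed.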