TRANSCRIPT
Mike (e-mail address redacted on the page)
ElectEngr/MSEE, CISSP, SysEngr; ISSA / ISC2 / SOeC… AFCEA / NDIA… IEEE / INCOSE / et al…
What “REALLY” matters in Cloud Security?
RE: Internet of things – sensors, data, security and beyond!
Dec 9, 2013
HOW to best integrate security into the office AND the cloud?
And what is a “thing” – is that MORE we have to do???
COMPLEXITY
“easy button”
Cyber Security – Overall Status (per senior IA/Cyber VIP Mike Jacobs: the same issues as 40-50 years ago, but better in the last 10)

Area                    Status   Trending
Technology              G        We have what we NEED NOW
Business                Y        Some LSIs resist change
Policy                  Y        Legislation poor; can't be voluntary
Procedures / standards  R        NIST done well; need uniform implementation
Education               G        170+ CAEs (schools); 10,000+ / year
Leadership              G        Complexity vs CISO; C-suite complacency and inability to absorb
Awareness               G        Education starting earlier, STEM, NICE
(Status: G = green, Y = yellow, R = red)

Must all provide an enterprise-integrated cyber package – including cloud security!
What’s new in cyber, and what matters?
RFID, apps, MEMS, WSN, SCADA, PLC, ASIC, API, etc.
Sensor + WiFi = device – “things” -> systems, machines, equipment, and devices connected to the Internet and to each other
Is all this stuff secure? How much is needed?
The “Internet of Things (IoT)” is not really new… IoT requires ALL the cyber protections we already know – and still need to do!
COMPLEXITY is everywhere!
Where sensors dominate: what is a “due diligence” level of security?
Complexity of enterprise IT systems is increasing – AND so is the associated cyber security, from sensor to cloud!
Follow the DATA: where is it, who has it – how sure are you?
So what is ‘good enough’ security?
SO… what does matter in Cyber?
It’s NOT about expensive new “cyber capabilities / toys” but more about the SoS / I&I “glue” (distributed trust, resiliency, automation, profiles, etc.)
When in doubt, do the cyber BASICS well!!! An achievable 90-95% solution to MOST vulnerabilities – stabilize the environment!
CYBER is fundamentally all about TRUST and DATA
90+% of security incidents are from lack of doing the basics!
* Conduct effective Security Continuous Monitoring (SCM / SIEM) – a MUST DO!
* USE enforced cyber hygiene, enterprise access control, and reduce complexity (APLs)
* Shift from only protecting the network to the DATA security itself – an information-centric view
* Embrace your Risk Management Plan – LIVE IT!
* Have an enforceable security policy – what is allowed / not – and train to it
* KNOW your baseline – protect the business from the unknown risks as well
* Employ a due-diligence level of security – then transfer residual risks!
What’s a “simple” IA/Cyber vision / end-state look like? AND what are the “requirements”?
A cyber end-state stresses encapsulation using secure communications
AND DATA – is yours assured, with a pedigree? “4Vs” satisfied?
Cyber is ALL about TRUST, Rules/MOAs & State
IoT = things + comms
KEY C-I-A entities / touch points: things, comms, “the cloud”
[Figure: Gartner's 2013 Hype Cycle for Emerging Technologies]
Everything connected to everything? Are the comms secure?
Automation = machines in control? Is M2M secure?
Pervasive new technologies? Built secure?
“ALL” the technologies / connections need built-in security
How do we prove end-2-end security? What is a ‘due diligence’ level of cyber?
“IoT” is all about SECURE sensors, DATA and communications!
Cloud Security Factoids
Areas that will mature soon, enhancing enterprise risk management (re: Gartner):
• Consensus on what constitutes the most significant risks,
• Cloud services certification standards,
• Virtual machine governance and control (orchestration),
• Enterprise control over logging and investigation,
• Content-based control within SaaS and PaaS, and
• Cloud security gateways, security "add-ons" based in proxy services
We recommend following both the NIST and CSA cloud guidance:
https://downloads.cloudsecurityalliance.org/initiatives/guidance/csaguide.v3.0.pdf
http://csrc.nist.gov/publications/PubsSPs.html
AND an overall, enterprise, e2e risk management approach (e.g., RMF & FedRAMP)
The cloud security challenges are principally based on:
a. Trusting the vendor's security model
b. Customer inability to respond to audit findings
c. Obtaining support for investigations
d. Indirect administrator accountability
e. Proprietary implementations can't be examined
f. Loss of physical control
Cloud Security Alliance (CSA) nine critical threats:
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Shift from only protecting the network to the DATA itself! (e.g., data-centric security)
“Notional” Data Centric Architecture, iso the typical information environment (diagram; its elements are listed here):
* Layers: DATA, storage, services, apps, host / device, transport
* IA / security / cyber (e.g., defense in depth (DiD)); IA controls / inheritance
* Business logic, middleware, behavior monitoring
* FW / IDS / IPS; continuous monitoring
* Reputation-based security
* Supports quality / assured data (with pedigree / provenance)
* Data is either at rest, being processed, OR in transit
* Must account for the “four Vs”: Volume, Variety, Velocity and Veracity
* DCA security elements (OMG / DDS): DCPS, DDSI, DataReader, DataWriter, Pub / Sub; Java, mobile code, widgets, storage SW, middleware, services, ESB, etc.
* What IA/security capabilities are needed for the DATA itself? How does the DATA move about?
* Cyber must be preserved in the full data AND capabilities life-cycle
* Must accommodate BOTH in-house and cloud
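The “assured data with pedigree / provenance” point above, as an added example (this is not code from the slides or from SCIAP): a data-centric envelope in Python that binds each record to its pedigree (owner, classification, origin, creation time) with an HMAC tag under a named key ID, so a consumer can refuse altered or relabelled data whether it came back from in-house storage or from a cloud service, and can re-tag it when keys rotate. The key IDs, key material, record fields and tamper cases are constructed for the example. The block covers integrity and provenance only; an authenticated cipher (e.g., AES-GCM) under the same key ID would add the confidentiality half of “encrypt everywhere”.

```python
"""Data-centric protection: a record envelope carrying pedigree and an HMAC tag.

Added example, not from the original slides. Key IDs and key material are
constructed stand-ins for what an enterprise key-management service issues.
"""
import base64
import hashlib
import hmac
import json

# Constructed keys indexed by key ID (kid). Rotating keys is the "more key
# management" the slides accept as the price of protecting data everywhere.
KEYS = {
    "kid-2013-12": hashlib.sha256(b"example key material 2013-12").digest(),
    "kid-2014-01": hashlib.sha256(b"example key material 2014-01").digest(),
}


def _canonical(obj):
    """Deterministic JSON bytes so writer and reader tag identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, pedigree, body):
    """HMAC over pedigree AND body, so neither can be changed independently."""
    return hmac.new(key, _canonical(pedigree) + b"\n" + body, hashlib.sha256).hexdigest()


def seal(record, owner, classification, origin, kid, created, keys=KEYS):
    """Wrap a record with its pedigree (who owns it, how sensitive, where it
    came from, when) and a tag under key `kid`. The envelope is the same
    whether it then lives in-house or in the cloud."""
    body = _canonical(record)
    pedigree = {"owner": owner, "classification": classification,
                "origin": origin, "created": created, "kid": kid}
    return {"pedigree": pedigree,
            "body": base64.b64encode(body).decode(),
            "tag": _tag(keys[kid], pedigree, body)}


def verify(envelope, keys=KEYS):
    """Return (record, pedigree) if intact; raise ValueError otherwise so the
    consumer cannot act on data whose pedigree it could not confirm."""
    pedigree = envelope["pedigree"]
    key = keys.get(pedigree.get("kid"))
    if key is None:
        raise ValueError("unknown key id %r" % pedigree.get("kid"))
    body = base64.b64decode(envelope["body"])
    if not hmac.compare_digest(_tag(key, pedigree, body), envelope["tag"]):
        raise ValueError("tag mismatch: body or pedigree altered")
    return json.loads(body), pedigree


def reseal(envelope, new_kid, keys=KEYS):
    """Key rotation: verify under the old key, then re-tag under the new one."""
    record, p = verify(envelope, keys)
    return seal(record, p["owner"], p["classification"], p["origin"],
                new_kid, p["created"], keys)


def _rejected(envelope):
    """True if verify() refuses the envelope."""
    try:
        verify(envelope)
    except ValueError:
        return True
    return False


def tamper_checks():
    """Three envelopes a consumer must refuse, next to the intact original."""
    env = seal({"sensor": "pump-7", "psi": 42.5}, "ops-team", "internal",
               "scada-gw-1", "kid-2013-12", "2013-12-09T10:00:00Z")
    # 1. body changed in storage or transit, tag left as-is
    altered_body = dict(env, body=base64.b64encode(
        _canonical({"sensor": "pump-7", "psi": 0.0})).decode())
    # 2. pedigree relabelled (downgraded classification), tag left as-is
    relabelled = dict(env, pedigree=dict(env["pedigree"], classification="public"))
    # 3. tag claims a key ID the consumer does not hold
    unknown_key = dict(env, pedigree=dict(env["pedigree"], kid="kid-unknown"))
    return {
        "intact": verify(env)[0]["psi"] == 42.5,
        "body_tampered": _rejected(altered_body),
        "pedigree_tampered": _rejected(relabelled),
        "unknown_key": _rejected(unknown_key),
    }


if __name__ == "__main__":
    print(tamper_checks())
```

The tag covers the pedigree as well as the body, which is the point of a data-centric view: a downgraded classification or a swapped owner is just as much a tamper as a changed reading, and the check is the same at rest, in transit and at the point of processing.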
Cloud Security Overview
Security in the cloud is likely better than you have in-house
* Security is the SAME everywhere – ‘WHO does which’ IA controls changes
* Don’t sell cloud – offer security capabilities instead – end2end services
* Few are “all in” the cloud @ 100% – hence TWO environments to manage
* ALL must use the same cloud security standards (and QA in SLA / supports SoS too)
  http://www.sciap.org/blog1/wp-content/uploads/Cloud-Security-Standards-SEP-20131.xlsx
* Implement SCM / SIEM – integrate cloud metrics / status (& QA the SLAs)
* Service Level Agreements (SLA) are not sufficient – trust but verify (orchestration SW?)
* Encrypt everywhere – yes, more key management, but risks greatly reduced
* Data owners are always accountable for PII / privacy / compliance (& location)
* Update the Risk Management Plan (RMP) = Comms, COOP…. with cloud R&R
  http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
For more details see the paper: Cloud Security – What really matters? at http://www.sciap.org/blog1/ (under Cyber Body of Knowledge)
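The “Implement SCM / SIEM” bullet, read together with the CSA “Account Hijacking” threat and the earlier “KNOW your baseline” point, as an added example (not the slides' code and not any vendor's): SIEM-style detection logic in Python run over constructed cloud login audit events. It checks each successful login against a per-user baseline of source addresses, flags a burst of failures followed by a success, and escalates any privileged action taken shortly after a suspicious login. The event format, baseline, thresholds and sample lines are assumptions made for the example.

```python
"""Continuous-monitoring (SCM / SIEM) rules for account hijacking.

Added example, not from the original slides. The event format, thresholds
and baseline are assumptions; SAMPLE_LOG is constructed, not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events: ISO-8601 timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2013-12-09T10:00:01Z user=alice src=198.51.100.10 action=ConsoleLogin result=success
2013-12-09T10:05:00Z user=bob src=203.0.113.5 action=ConsoleLogin result=failure
2013-12-09T10:05:07Z user=bob src=203.0.113.5 action=ConsoleLogin result=failure
2013-12-09T10:05:15Z user=bob src=203.0.113.5 action=ConsoleLogin result=failure
2013-12-09T10:05:21Z user=bob src=203.0.113.5 action=ConsoleLogin result=failure
2013-12-09T10:05:30Z user=bob src=203.0.113.5 action=ConsoleLogin result=success
2013-12-09T10:06:00Z user=bob src=203.0.113.5 action=CreateAccessKey result=success
2013-12-09T11:00:00Z user=alice src=198.51.100.10 action=ConsoleLogin result=success
2013-12-09T11:02:00Z user=alice src=192.0.2.77 action=ConsoleLogin result=success
"""

# Assumed baseline: the source addresses each user normally logs in from.
BASELINE = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.22"}}
FAIL_THRESHOLD = 3            # failures inside WINDOW that make a later success suspicious
WINDOW = timedelta(minutes=5)  # sliding window for failures and for post-login actions


def parse_line(line):
    """Turn one event line into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(log_text, baseline=BASELINE):
    """Return a list of (rule, user, detail, ts) alerts in event order."""
    alerts = []
    failures = defaultdict(deque)                  # user -> recent failure timestamps
    seen = {u: set(ips) for u, ips in baseline.items()}   # copy: do not mutate BASELINE
    flagged_until = {}                             # user -> watch actions until this time

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, src, ts = ev["user"], ev["src"], ev["ts"]

        if ev["action"] != "ConsoleLogin":
            # Any other action soon after a suspicious login is escalated.
            if ts <= flagged_until.get(user, datetime.min):
                alerts.append(("action_after_suspicious_login", user, ev["action"], ts))
            continue

        recent = failures[user]
        while recent and ts - recent[0] > WINDOW:   # drop failures outside the window
            recent.popleft()
        if ev["result"] != "success":
            recent.append(ts)
            continue

        suspicious = False
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_then_success", user, src, ts))
            recent.clear()
            suspicious = True
        if src not in seen.setdefault(user, set()):
            alerts.append(("login_from_unbaselined_source", user, src, ts))
            seen[user].add(src)   # alert once per new source; an analyst decides on the baseline
            suspicious = True
        if suspicious:
            flagged_until[user] = ts + WINDOW
    return alerts


if __name__ == "__main__":
    for rule, user, detail, ts in detect(SAMPLE_LOG):
        print(ts.isoformat(), rule, user, detail)
```

The same three rules apply unchanged to the in-house directory logs and to the cloud provider's audit trail, which is what “integrate cloud metrics / status” into the SIEM amounts to in practice: one event schema, one baseline per identity, one set of rules across both environments.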