The cloud is in the details –policy and requirements inthe era of cloud computing Ben Rothke, CISSP CISA BT Global Services Senior Security Consultant
About me• Ben Rothke (too many certifications)• Senior Security Consultant – British Telecom• Frequent writer and speaker• Author - Computer Security: 20 Things Every Employee Should Know
Agenda/Key take-away thought• Agenda – Overview of the need to create specific requirements & policies for a cloud initiative• Take-away – Contractors would never start building without plans and designs; a cloud project similarly shouldn’t be started without appropriate plans and designs and requirements definition
Cloud computing-choose your definition• Definition #1 – Process you don’t full understand, manage poorly and is out of control, that you give to a cloud provider, with the hope and prayer that they can make sense of it and miraculously make it work; and be HIPAA, SoX and PCI compliant• Definition #2 – Corporate strategic decision to use service-oriented architecture and utility computing to on-demand network access to a shared pool of configurable computing resources; that support the firm’s tactical IT plans and long- term goals
Cloud challenges• Making cloud meet business requirements• integrating cloud into applications• producing documentation to deliver trust• management and reliability• planning and deployment• managing migration and scalability
Cloud security challenges• Authentication, identity management• compliance and regulatory• access control• trust management• policy• logging and accounting• privacy and data protection
CSA Top Threats1. Abuse and Nefarious Use of Cloud Computing2. Insecure Interfaces and APIs3. Malicious Insiders4. Shared Technology Issues5. Data Loss or Leakage6. Account or Service Hijacking7. Unknown Risk Profile
The $64,000 cloud question What is your security problem and howdo you expect cloud services to solve it?• Biggest mistake with cloud computing is that firms run to it without knowing why• Then they use it with no plan for deployment
Other ill-defined projects• Information Week, Computer World, etc., continuously have stories about large projects ($25 - $200 million) that fail• Why do these large Oracle, ERP, cloud, SAP projects continuously fail? – often inadequate, changing or conflicting requirements
Cloud success metricsCloud success is measured with thefollowing business questions: – does it deliver real business benefits? – was it deployed quickly and cost-effectively? – is it secure and does it provide trust? – is it reliable and easy to use? – can it be managed? – can it evolve and scale?
What is your deployment plan?• Typical cloud project is likely to be more complex than previous experience of typical IT projects may suggest• As well as project management, technical and operational aspects, there are many policy, legal and security issues which must not be neglected• By understanding and defining appropriate requirements, many of the potential traps and pitfalls can be avoided• The risks to the business and the project are reduced and those that remain are quantified at an early stage
Successful cloud deployment steps1. Requirements Analysis – Identify business, operational, commercial and security requirements2. Architecture Definition – Detailed definition of the operating model and cloud architecture3. Operations – Production of operational policies and procedures4. Security Review – Security review of the proposed system design, architecture and operations5. Integration – System piloting, integration of cloud enabled applications and testing6. Deployment – Operational deployment and production roll-out7. Post-Deployment – Management of upgrades and change processes for the production cloud
Step 1 - Requirements Analysis• First step in implementing any cloud based solution is to understand the requirements: – what’s the problem and how do you expect a cloud to solve it? – what are the business drivers? – what level of security is appropriate? – where are the system vulnerabilities? – what are the legal and regulatory compliance constraints?
Step 1 - Requirements Analysis• These requirements must be clearly identified and analyzed• Analysis of the costs and business benefits and the provision of suitable project planning schemes are integral to step 1 – If the requirements aren’t clear, do not go forward
Step 1 - Requirements Analysis – Project Planning • Project manager is essential – Some large-scale projects may need multiple managers • PM must be given the resources, responsibility and authority to successfully deliver the cloud project • Attempts to implement a cloud without PM have invariably resulted in failed projects
Step 2 - Architecture Definitions• Once the requirements are known, the next step is to produce an operating model and to design the chosen cloud architecture• At this stage, cloud enabling of end user applications is also considered, allowing parallel development
Step 2 - Architecture DefinitionsCreate set of documentation templates andchecklists to: – define how the cloud will be operated – define how trust will be passed between entities – define the cloud architecture, taking account of practical issues such as resilience, management, performance, security, scalability and current industry standards and best practices – specify what the architecture will comprise – specify how end-entity applications are to be cloud-enabled – specify how the complete cloud will be tested and supported – produce a detailed project plan
Step 2 – Cloud architecture• Public• private• hybrid• community• What is the best architecture for you?• The one that meets your specific requirements and needs
Step 3 Operations• Identify the policies, procedures, support issues and SLA• Organizational issues delineate who is responsible for the various parts of the cloud• Any security system is only as effective to the degree it is correctly operated – define the operating procedures and controls necessary to make sure that that the cloud security system remains effective
Step 4 – Security Review• With any system it is important to understand where the risks are and where the system is most vulnerable – Nothing will ever be 100% secure• At this stage, the cloud is well specified and therefore it is important that the proposed system is subjected to an independent review and risk analysis and, where appropriate, corrective action is taken
Step 4 – Security Review• The cloud is inherently unsafe and untrusted• your job is to add the controls necessary to be a safe and trusted environment
Step 4 – Security Review• Detailed lists of the threats, vulnerabilities and countermeasures – If you have an insecure infrastructure, then you will have an insecure cloud• Creation of the system security policy provides a baseline level of security controls that must be implemented during cloud deployment
Step 4 - Risk analysis & assessment• Effective risk assessment and analysis ensures you are worrying about the right things• Ultimate outcome of a risk analysis should be to see if you really can benefit from the product – Don’t worry about missing the bus
Step 4 - Risk analysis & assessment• Some companies have determined at Step 4 that they really do not want to / can’t move forward• Don’t be afraid to cancel a cloud project if there is not a business need for it, or if the security risks are too great
Step 4 – Cloud web applications• Browsers are very complicated security environments• understand how malware can thrive in a cloud environment
Step 4 - Policy• Create and maintain policies on how you will address the many cloud security issues – identify threats to the cloud environment & its contents; ensure you address current threats – metrics for monitoring – accountability – incident response – adequate training for new/transitioned staff
Step 4 – Shared responsibilities• Cloud provider – Responsible for security from the data center to the hypervisor• Client – Responsible for security for the operating system and all applications• But Saas, PaaS & IaaS will have different shared responsibility models
Step 5 Integration• Integration of all the cloud components and the building of a pilot system against which all the functional, performance and operational requirements can be tested• Integration testing of any cloud-enabled applications is also performed• DR/BCP – Enterprise cloud be available 24 x 7 x 365
Step 6 Deployment• This step involves the installation and validation of the operational cloud, followed by acceptance testing• A security review and penetration test is included to ensure that the actual implementation meets all the security requirements• Documentation is finalized and published• Acceptance testing
Step 6 Deployment• Project closure meeting and report – Customer agrees that all planned project activities have been completed, project performance information has been captured and the cloud project is properly closed – Projects have a defined duration, but without a formal project closure activity, a project can drift and never be satisfactorily concluded
Step 7 Post-deployment• All systems are subject to change and cloud is no exception – Well-designed cloud should be able to integrate new requirements without having to be re-engineered
References• Cloud Computing Risk Assessment – www.enisa.europa.eu/act/rm/files/deliverables/loud-computing-risk-assessment• Security Guidance for Critical Areas of Focus – www.cloudsecurityalliance.org/csaguide.pdf• Cloud Security Guidance – www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf• Top Threats to Cloud Computing – www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf• Cloud Security and Compliance: A Primer – www.sans.org/reading_room/analysts_program/mcafee_carbird_08_2010.pdf
Conclusion• Cloud computing is a powerful platform• But don’t attempt to roll-out an enterprise- wide cloud without a well-defined plan and adequate security requirements
Contact information• Ben Rothke, CISSP CISA• Senior Security Consultant• BT Professional Services• firstname.lastname@example.org• www.linkedin.com/in/benrothke• www.twitter.com/benrothke• www.slideshare.net/benrothke
Click on the questions tab on your screen, type in your question, name and e-mail address; then hit submit.
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.