Security considerations for the cloud
COMMON Europe Congress 2012 - Vienna
Document transcript

Slide 1
  • Security considerations for the cloud
  • 6/7/2012
  • Carol Woodbury, President, SkyView Partners, Inc.
  • www.skyviewpartners.com
  • @carolwoodbury
  • (c) SkyView Partners, Inc, 2012. All Rights Reserved.

Slide 2 (no transcribed text)
Slide 3
  Benefits:
  • Hardware
  • Support of hardware
  • Software licensing
  • Software maintenance
  However:
  • Must meet the requirements of security policy
  • Legal requirements
  • Compliance requirements

Slide 4
  • Depends on the type of data
  • www.skyviewpartners.com 6/7/2012  EU Data Protection Laws ◦ Currently being revised (c) SkyView Partners, Inc, 2012. All Rights Reserved. 5 Determines  Default access  Encryption requirements  Retention requirements  Storage requirements  Disposal method (both printed and online) While considering  Compliance requirements  Legal considerations (c) SkyView Partners, Inc, 2012. All Rights Reserved. 6(c) SkyView Partners, Inc, 2012. All Rights Reserved. 3 View slide
  • www.skyviewpartners.com 6/7/2012  Data classification requirements don’t change just because the data is now in the cloud (c) SkyView Partners, Inc, 2012. All Rights Reserved. 7  Carefully plan the security and privacy aspects of cloud computing solutions before engaging them (a cloud provider.)  Understand the public cloud computing environment offered by the cloud provider.  Ensure that a cloud computing solution satisfies organizational security and privacy requirements.  Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.  Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments. (c) SkyView Partners, Inc, 2012. All Rights Reserved. 8(c) SkyView Partners, Inc, 2012. All Rights Reserved. 4 View slide
  • www.skyviewpartners.com 6/7/2012  Encryption  Auditing (logging)  No passwords in cleartext  Access controls  Reporting  Incident response handling  What will a QSA or auditor say …? (c) SkyView Partners, Inc, 2012. All Rights Reserved. 9  Where is the data physically located  Incident response handling ◦ Do you and provider have the same definition of a breach?  Can your SLAs be fulfilled? ◦ (think disaster-recovery)  As well as compliance requirements (c) SkyView Partners, Inc, 2012. All Rights Reserved. 10(c) SkyView Partners, Inc, 2012. All Rights Reserved. 5
  • www.skyviewpartners.com 6/7/2012  Questions for providers’ security practices: ◦ Is admin (root) power limited to only those users needing it? ◦ Who/What is logged? ◦ Do administrators access systems via encrypted sessions? ◦ What is the patch management strategy? ◦ What anti-virus / anti-malware software is used? ◦ Are the servers in compliance with  PCI  SOX  HIPAA ◦ Who are you audited by and can we see the results? (c) SkyView Partners, Inc, 2012. All Rights Reserved. 11  User management: ◦ Process to integrate with HR to remove access?  What about immediate removal for terminated employees/contractors? ◦ Password composition rules? ◦ Password change rules? (c) SkyView Partners, Inc, 2012. All Rights Reserved. 12(c) SkyView Partners, Inc, 2012. All Rights Reserved. 6
  • www.skyviewpartners.com 6/7/2012  Logging: ◦ Invalid sign on attempts  Lock-out for excess attempts ◦ Reads and changes to HIPAA or PCI data ◦ Access attempts to data ◦ Retention of the logs ◦ Review of the logs  Network logging: ◦ Connections ◦ Data movement – what about DLP? (c) SkyView Partners, Inc, 2012. All Rights Reserved. 13  Because the service provider holds so much data, they may become a victim of a targeted attack  However … provider likely has ◦ Network monitoring ◦ Trained personnel to recognize and respond to the attack ◦ Knowledge / Hardware to prevent or limit the attack (c) SkyView Partners, Inc, 2012. All Rights Reserved. 14(c) SkyView Partners, Inc, 2012. All Rights Reserved. 7
  • www.skyviewpartners.com 6/7/2012  Business level objectives  Responsibilities of both parties  Business continuity/disaster recovery  Redundancy  Maintenance  Data location  Data seizure  Provider failure  Jurisdiction  Brokers and resellers http://www.ibm.com/developerworks/cloud/library/cl- rev2sla.html?ca=drs- (c) SkyView Partners, Inc, 2012. All Rights Reserved. 15  Security  Incident response  Data encryption  Transparency  Privacy  Certification  Data retention and  Performance definitions deletion  Monitoring  Hardware erasure,  Auditability destruction  Metrics  Regulatory compliance  Human interaction (c) SkyView Partners, Inc, 2012. All Rights Reserved. 16(c) SkyView Partners, Inc, 2012. All Rights Reserved. 8
  • www.skyviewpartners.com 6/7/2012  Determine your organization’s security and compliance requirements for the type of data going to the cloud  Put the appropriate SLA in place ◦ Terminology / Communication is key – make sure you agree to each others’ definitions  Monitor the results to determine if SLA is being met (c) SkyView Partners, Inc, 2012. All Rights Reserved. 17  Find your private and confidential data  Do not assume it doesn’t exist just because it’s not supposed to be a on specific server or in a specific database! (c) SkyView Partners, Inc, 2012. All Rights Reserved. 18(c) SkyView Partners, Inc, 2012. All Rights Reserved. 9
  • www.skyviewpartners.com 6/7/2012  Many organizations are realizing the benefits of “private” clouds ◦ Reduced hardware / software costs ◦ Quicker patching ◦ Consolidated security expertise  Monitoring (NOC)  Recognition and response to incidents ◦ Consolidated logging (correlated events) ◦ More layers of security (depending on the data requirements) (c) SkyView Partners, Inc, 2012. All Rights Reserved. 19  Clouds specializing in meeting compliance needs: ◦ PCI ◦ HIPAA  Significantly more expensive but consider that with public clouds you ‘get what you pay for.’ (c) SkyView Partners, Inc, 2012. All Rights Reserved. 20(c) SkyView Partners, Inc, 2012. All Rights Reserved. 10
  • www.skyviewpartners.com 6/7/2012  Service providers have been providing “cloud” services for many years ◦ Private / Specialized cloud – typically without the dynamic allocation of new resources  Security/Compliance/Legal requirements you make of them are the same as what we’ve been discussing. (c) SkyView Partners, Inc, 2012. All Rights Reserved. 21 Best practices and Certifications for Cloud Security  https://cloudsecurityalliance.org/ Guidelines on Security and Privacy in Public Cloud Computing – National Institute of Standards and Technology (NIST) SP 800-144  http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf Cloud Computing Synopsis and Recommendations - – National Institute of Standards and Technology (NIST) SP 800-146 – DRAFT  http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf Articles:  www.sans.org  www.isaca.org  Search ‘European cloud Computing Strategy’ Contact us at: info@skyviewpartners.com @carolwoodbury (c) SkyView Partners, Inc, 2012. All Rights Reserved. 22(c) SkyView Partners, Inc, 2012. All Rights Reserved. 11