Security considerations for the cloud

www.skyviewpartners.com 6/7/2012

Carol Woodbury, President
SkyView Partners, Inc.
www.skyviewpartners.com
@carolwoodbury

(c) SkyView Partners, Inc, 2012.
All Rights Reserved. 1


(c) SkyView Partners, Inc, 2012. All Rights Reserved. 1


Benefits: However:
 Hardware  Must meet
 Support of the requirements of
hardware security policy
 Software licensing  Legal requirements

 Software maintenance  Compliance
requirements


 Depends on the type of data




 EU Data Protection Laws
◦ Currently being revised


Determines
 Default access
 Encryption requirements
 Retention requirements
 Storage requirements
 Disposal method (both printed and online)

While considering
 Compliance requirements
 Legal considerations




 Data classification requirements don’t change just
because the data is now in the cloud


 Carefully plan the security and privacy aspects of cloud
computing solutions before engaging them (a cloud
provider.)
 Understand the public cloud computing environment
offered by the cloud provider.
 Ensure that a cloud computing solution satisfies
organizational security and privacy requirements.
 Ensure that the client-side computing environment meets
organizational security and privacy requirements for cloud
computing.
 Maintain accountability over the privacy and security of
data and applications implemented and deployed in public
cloud computing environments.




 Encryption
 Auditing (logging)
 No passwords in cleartext
 Access controls
 Reporting
 Incident response handling

 What will a QSA or auditor say …?


 Where is the data physically located
 Incident response handling
◦ Do you and provider have the same definition of a breach?
 Can your SLAs be fulfilled?
◦ (think disaster-recovery)

 As well as compliance requirements




 Questions for providers’ security practices:
◦ Is admin (root) power limited to only those users needing it?
◦ Who/What is logged?
◦ Do administrators access systems via encrypted sessions?
◦ What is the patch management strategy?
◦ What anti-virus / anti-malware software is used?
◦ Are the servers in compliance with
 PCI
 SOX
 HIPAA
◦ Who are you audited by and can we see the results?


 User management:
◦ Process to integrate with HR to remove access?
 What about immediate removal for terminated
employees/contractors?
◦ Password composition rules?
◦ Password change rules?




 Logging:
◦ Invalid sign on attempts
 Lock-out for excess attempts
◦ Reads and changes to HIPAA or PCI data
◦ Access attempts to data
◦ Retention of the logs
◦ Review of the logs

 Network logging:
◦ Connections
◦ Data movement – what about DLP?


 Because the service provider holds so much data, they
may become a victim of a targeted attack

 However … provider likely has
◦ Network monitoring
◦ Trained personnel to recognize and respond to the attack
◦ Knowledge / Hardware to prevent or limit the attack




 Business level objectives
 Responsibilities of both parties
 Business continuity/disaster recovery
 Redundancy
 Maintenance
 Data location
 Data seizure
 Provider failure
 Jurisdiction
 Brokers and resellers

http://www.ibm.com/developerworks/cloud/library/cl-
rev2sla.html?ca=drs-


 Security  Incident response
 Data encryption  Transparency
 Privacy  Certification
 Data retention and  Performance definitions
deletion  Monitoring
 Hardware erasure,  Auditability
destruction  Metrics
 Regulatory compliance  Human interaction

(c) SkyView Partners, Inc, 2012. All
Rights Reserved. 16



 Determine your organization’s security and compliance
requirements for the type of data going to the cloud
 Put the appropriate SLA in place
◦ Terminology / Communication is key – make sure you agree to
each others’ definitions
 Monitor the results to determine if SLA is being met


 Find your private and confidential data

 Do not assume it doesn’t exist just because it’s not
supposed to be a on specific server or in a specific
database!




 Many organizations are realizing the benefits of
“private” clouds
◦ Reduced hardware / software costs
◦ Quicker patching
◦ Consolidated security expertise
 Monitoring (NOC)
 Recognition and response to incidents
◦ Consolidated logging (correlated events)
◦ More layers of security (depending on the data requirements)


 Clouds specializing in meeting compliance needs:
◦ PCI
◦ HIPAA

 Significantly more expensive but consider that with
public clouds you ‘get what you pay for.’




 Service providers have been providing “cloud” services
for many years
◦ Private / Specialized cloud – typically without the dynamic
allocation of new resources
 Security/Compliance/Legal requirements you make of
them are the same as what we’ve been discussing.


Best practices and Certifications for Cloud Security
 https://cloudsecurityalliance.org/

Guidelines on Security and Privacy in Public Cloud Computing – National Institute of
Standards and Technology (NIST) SP 800-144
 http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

Cloud Computing Synopsis and Recommendations - – National Institute of Standards and
Technology (NIST) SP 800-146 – DRAFT
 http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf

Articles:
 www.sans.org
 www.isaca.org
 Search ‘European cloud Computing Strategy’

Contact us at: info@skyviewpartners.com
@carolwoodbury



Security considerations for the cloud

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (7)

Similar to Security considerations for the cloud

Similar to Security considerations for the cloud (20)

More from COMMON Europe

More from COMMON Europe (20)

Recently uploaded

Recently uploaded (20)

Security considerations for the cloud