Controlling Clouds: Beyond Safety

As an industry, we’ve mostly moved on from naive notions about cloud computing being inherently “safe” or “risky.” However, more sophisticated discussions require both greater nuance and greater rigor. This presentation takes attendees through frameworks for evaluating and mitigating potential issues in hybrid cloud environments, discusses key risk factors to consider, and describes some of the relevant standards and provider certifications. This is a broad and sometimes complex topic. However, it’s very manageable if individual risk factors are considered systematically and specifically. This session will give IT professionals tools and knowledge to help them make informed decisions.

Transcript of "Controlling Clouds: Beyond Safety"

1. CONTROLLING CLOUDS: BEYOND SAFETY
   Gordon Haff (@ghaff), Cloud Evangelist
   November 2013
2. ABOUT ME
   Red Hat Cloud Evangelist
   Twitter: @ghaff
   Google+: Gordon Haff
   Email: ghaff@redhat.com
   Blog: http://bitmason.blogspot.com
   Flickr: http://www.flickr.com/photos/bitmason/
   Formerly: Illuminata (industry analyst), Data General (minicomputers/Unix/NUMA/etc.), shareware developer
3. IS IT SAFE?
4. SAFETY =~ INTEGRITY, PRIVACY, CONTINUITY, SECURITY
   Credit: Jackman Chiu, cc/flickr http://www.flickr.com/photos/lewolf011/7283101824
5. BUT IN THE WORDS OF INIGO MONTOYA
6. THE REALITY (IN TWITTER SHORTHAND)
7. WHAT I’LL COVER
   What’s new
   What isn’t new
   Certifications
   The broader view—examples from the Cloud Security Alliance
8. WHAT’S NEW-ISH
   Shared responsibility model
   New (higher) levels of abstraction
   “Rules of the road” still developing
9. SHARED RESPONSIBILITY: CLOUD PROVIDER VIEW
   (Diagram) Source: Cloud Security Alliance
10. ABSTRACTIONS HIDE (BY DESIGN)
    (Diagram) The stack, top to bottom:
    APPLICATION
    APPLICATION PLATFORM (JBOSS, PHP, RUBY, ETC)
    OPERATING SYSTEM (RHEL)
    VIRTUALIZATION (RHEV)
    HARDWARE (x86)
    STORAGE (RHS)
    Shown against three columns, IaaS, PaaS and SaaS; in each column the stack is split into layers “Managed and Controlled by Customer (IT, Dev, or User)” and layers “Automated and Managed by the Public or Private Cloud Offering”. Axis labels: Increased Control / Increased Automation.
11. PERVASIVE, SELF-SERVICE, CONSUMERIZED EXPECTATIONS, SCALE
    Credit: Julie Blaustein, cc/flickr http://www.flickr.com/photos/25138992@N00/4960914218
12. BROADLY: CLOUD IS A SHIFT TO DELIVERY OF SERVICES RATHER THAN INFRASTRUCTURE
13. BUT MUCH DOESN’T CHANGE
    “If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to cloud.” (Chris Hoff)
    Credit: Michael Rosenstein, cc/flickr http://www.flickr.com/photos/michaelcr/1508784073/
14. ITIL BEST PRACTICES HIGHLY RELEVANT TO SERVICE DELIVERY THROUGH CLOUD
    ITIL Service Strategy provides guidance on generating a strategy for a major shift in service delivery
    ITIL practices can help design cloud computing as appropriate end-to-end services
15. COST/BENEFIT STILL APPLIES
    RISK = LIKELIHOOD * IMPACT
    Source: ENISA
16. EXAMPLE: COMPLIANCE CHALLENGES
17. THE NICE THING ABOUT CERTIFICATIONS IS THAT THERE ARE SO MANY OF THEM
    SAS 70: specifically created for financial auditors of service organizations (superseded in 2011 by SSAE 16, whose reports are issued as SOC 1)
    ISO/IEC 27001: information security management system standard published in 2005 (revised edition published in 2013)
    PCI DSS: for organizations processing credit card transactions
    FedRAMP: security controls framework for US Federal agencies
    HIPAA: US healthcare
18. SOC 2 AND 3
    Report can be issued on one or more Trust Services Principles: Security, Availability, Processing integrity, Confidentiality, Privacy
    Type 1: suitability of the design of controls at a point in time
    Type 2: suitability of design and operating effectiveness over a review period
    SOC 3 is a condensed public version of SOC 2
    Mostly in the US today
    See www.webtrust.org
19. CSA CLOUD CONTROLS MATRIX
    98 “control areas” in 11 categories (the CCM v1.x layout; CCM v3.0, released in September 2013, reorganizes the controls into 16 domains)
    Example: Security Architecture - Production / Non-Production Environments
    Each control mapped to areas of relevance (examples: IaaS, PaaS, SaaS, corporate governance, and supplier relationships)
    Each control mapped to relevant regulations and certifications (examples: NIST, PCI DSS)
20. 11 DOMAINS
    Compliance (CO)
    Operations Management (OM)
    Data Governance (DG)
    Risk Management (RI)
    Facility Security (FS)
    Release Management (RM)
    Human Resources (HR)
    Resiliency (RS)
    Information Security (IS)
    Security Architecture (SA)
    Legal (LG)
    Some examples…
21. COMPLIANCE
    Audit controls: limitations of third-party auditability can be a concern for public cloud users
    Regulatory mapping: can be especially important to understand where data resides
    Credit: Evan Long, cc/flickr http://www.flickr.com/photos/clover_1/1178035169/
22. DATA GOVERNANCE
    Controls to prevent data leaks in a multi-tenant environment
    Red Hat uses SELinux as part of Red Hat Enterprise Linux and OpenShift security measures
    Support for Virtual Private Clouds (VPC) on Amazon Web Services
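The SELinux point on the data-governance slide deserves a concrete illustration of what the multi-tenant control actually checks. The following is an added example, not code from the deck or from Red Hat: a Python model of the SELinux Multi-Category Security (MCS) rule that OpenShift relies on to keep tenants' data apart on a shared host. Each tenant (a gear in the 2013-era OpenShift, a project in later versions) is given its own MCS category pair such as s0:c12,c34, and the policy lets a process touch a file only when the process's clearance contains every category on the file. The tenant labels, SELinux type names and sample files in the block are constructed for illustration.

```python
"""
Added example (not from the original deck or from Red Hat): a model of the
SELinux Multi-Category Security (MCS) dominance check used to separate
tenants on a shared host.

A process may read a file only if the process's clearance (its high level)
dominates the file's level: same-or-higher sensitivity, and a category set
that is a superset of the file's categories.  Two tenants with disjoint
category pairs therefore cannot read each other's files even when they run
as the same Unix user.  All labels below are constructed; type names are
illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    sensitivity: int        # the N in sN
    categories: frozenset   # category numbers, the N in cN

    def dominates(self, other: "Level") -> bool:
        """MLS/MCS dominance: >= sensitivity and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(spec: str) -> frozenset:
    """Parse 'c12,c34' or a range such as 'c0.c1023' into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        if "." in part:                       # cLO.cHI covers every category in the range
            lo, hi = part.split(".", 1)
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """Parse 's0' or 's0:c12,c34' into a Level."""
    sens, _, cats = text.partition(":")
    if not sens.startswith("s") or not sens[1:].isdigit():
        raise ValueError(f"bad sensitivity in {text!r}")
    return Level(int(sens[1:]), parse_categories(cats))


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    low: Level    # current level; for a file, its only level
    high: Level   # clearance; equals low unless a range low-high was given


def parse_context(label: str) -> Context:
    """Parse 'user:role:type:level' or 'user:role:type:low-high'."""
    try:
        user, role, type_, rng = label.split(":", 3)
    except ValueError:
        raise ValueError(f"malformed SELinux context: {label!r}") from None
    low_txt, sep, high_txt = rng.partition("-")
    low = parse_level(low_txt)
    high = parse_level(high_txt) if sep else low
    if not high.dominates(low):
        raise ValueError(f"range high does not dominate low in {label!r}")
    return Context(user, role, type_, low, high)


def can_read(process_label: str, file_label: str) -> bool:
    """MCS read check: the process's clearance must dominate the file's level."""
    return parse_context(process_label).high.dominates(parse_context(file_label).low)


# Constructed labels: two tenants with disjoint category pairs, a shared
# image with no categories, and an unconfined admin shell with the full range.
TENANT_A_PROC = "system_u:system_r:svirt_lxc_net_t:s0:c12,c34"
TENANT_A_FILE = "system_u:object_r:svirt_sandbox_file_t:s0:c12,c34"
TENANT_B_FILE = "system_u:object_r:svirt_sandbox_file_t:s0:c56,c78"
SHARED_IMAGE = "system_u:object_r:container_share_t:s0"
ADMIN_SHELL = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"

if __name__ == "__main__":
    for proc, target in [(TENANT_A_PROC, TENANT_A_FILE),
                         (TENANT_A_PROC, TENANT_B_FILE),
                         (TENANT_A_PROC, SHARED_IMAGE),
                         (ADMIN_SHELL, TENANT_B_FILE)]:
        verdict = "allow" if can_read(proc, target) else "DENY"
        print(f"{verdict:5} {proc.split(':', 3)[3]:>16} -> {target.split(':', 3)[3]}")
```

The interesting cases are the second and third rows: tenant A's process is refused tenant B's file because c56 and c78 are not in its clearance, while a file carrying no categories (a shared read-only base image) is readable by every tenant. Note that MCS only separates tenants from each other; the unconfined admin context with the full c0.c1023 range dominates everything, which is exactly why the deck pairs this control with the audit and identity items on the neighbouring slides.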
23. INFORMATION SECURITY
    Identity and Access Control: store and manage timely identity information about every person who accesses the cloud resources and determine their level of access
    Still evolving for cloud use cases, but critical to get it right
24. SECURITY ARCHITECTURE
    Multi-factor authentication (e.g. card keys + PIN)
    Establishment and implementation of encryption policies
    Key management
    User policies for mobile devices
25. SECURITY ARCHITECTURE
    Segmentation and restricted connections in network environments
    “Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations”
    One of the reasons VPCs are interesting to many organizations
26. BUT IT’S NOT ABOUT BEING AN INHIBITOR
    Remember the cost/benefit tradeoff
    Your organization is (almost certainly) using public clouds
    A private cloud that doesn’t provide cloud agility isn’t a cloud
    Automation, streamlined process, clearly-defined policy help users and reduce risk
27. SOURCES FOR A BROADER CLOUD GOVERNANCE VIEW
    Deloitte Cloud Computing Risk Intelligence Map: http://www.isaca.org/Groups/Professional-English/cloudcomputing/GroupDocuments/Deloitte%20Risk%20Map%20for%20Cloud%20Computing.pdf
    ENISA Cloud Computing Security Risk Assessment: http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
    CSIS 20 Critical Security Controls: http://www.sans.org/critical-security-controls/guidelines.php
    Cloud Security Alliance STAR and Cloud Controls Matrix: http://www.cloudsecurityalliance.org
28. FOR A GOOD VIEW OF INFOSEC IN A DEVOPS AGE
    “The DevOps revolution is the moment that every information security practitioner has been waiting for. The death spiral can be broken, and this book shows you how.” (Joshua Corman)
29. QUESTIONS? THANK YOU.
    Gordon Haff
    ghaff@redhat.com
    Twitter: @ghaff
    Google+: Gordon Haff
    Blog: bitmason.blogspot.com