Protecting What Matters...An Enterprise Approach to Cloud Security

  • 124 views
Uploaded on

Presented at InnoTech Dallas 2014. All rights reserved.

Presented at InnoTech Dallas 2014. All rights reserved.

More in: Business , Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
124
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
4
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Protecting what matters... ... An enterprise approach to cloud security Ed Reynolds HP Fellow, CISSP, CCSK HP Enterprise Security Services
  • 2. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.2 Today’s agenda TRENDS PERSPECTIVES GUIDANCE
  • 3. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.3 Worldwide Security Trends & Implications Cyber threat 56%of organizations have been the target of a cyber attack Extended supply chain 44% of all data breach involved third-party mistakes Financial loss $8.6M average cost associated with data breach Cost of protection 8% of total IT budget spent on security Reputation damage 30% market cap reduction due to recent events Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research Key Points • Security is a board of directors concern • Security leadership is under immense pressure • Need for greater visibility of business risks and to make sound security investment choicesReactive vs. proactive 60% of enterprises spend more time and money on reactive measures vs. proactive risk mgmt
  • 4. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.4 Managing security challenges Today, security is a board-level agenda item #1 Board Identified Risk: Reputational Damage Source: EisnerAmper LLP, February 2011 - Second Annual Board of Directors Survey - 2011: Concerns About Risks Confronting Boards
  • 5. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.5 Managing Risk: Current Challenges Primary Challenges Nature & Motivation of Attacks (Fame to national enemies)1 Transformation of Enterprise IT (Delivery and consumption changes)2 Traditional DC Private Cloud Managed Cloud Public Cloud Network Storage Servers Delivery Regulatory Pressures (Increasing cost and complexity)3 A New Type of Adversary Basel III Enhanced Regulatory Environment
  • 6. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.6 HP research: Top concerns for IT executives 67% 66% 63% 54% Extremely concerned Somewhat concerned Not very concerned Data privacy and information breaches Lack of skilled resources to effectively manage security Risk associated with more consumption of apps/IT services across public, private & hybrid cloud Risk associated with more consumption of apps/IT services Source: HP 20:20 CIO Report, 2012
  • 7. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.7 Cloud services: adoption is tempered by uncertainty Security or related component is #1 concern/issue for most enterprises LOB/IT CIO Security Performance Reliability Scalability Service levels Data security & protection Compliance Auditing Cost Governance Control Availability
  • 8. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.8 CSA: Cloud Computing Top Threats for 2013 Top Threats for 2013 1.Data Breaches 2.Data Loss 3.Account or Service Hijacking 4.Insecure Interfaces and APIs 5.Denial of Service 6.Malicious Insiders 7.Abuse of Cloud Services 8.Insufficient Due Diligence 9.Shared Technology Vulnerabilities Security for the cloud http://cloudsecurityalliance.org/ 1. HP’s Rafal Los co-chaired the CSA Top Threats working group 2. HP selected by CSA as Master Training Partner in APJ (initial region)
  • 9. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.9 What do we mean by “cloud security”? • Security for the cloud? Securely use cloud (consumers) • Security from the cloud? Security-as-a-Service • Security in the cloud? Embedded security (providers) • Security across clouds? Hybrid models, interoperability 1 2 3 4
  • 10. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.10 Cloud models require different security solutions… Attack surface increases composition of two or more clouds Hybrid cloud Sold to the public, mega-scale infrastructure Public cloud Shared infrastructure for specific community Community cloud Enterprise-owned or leased Private cloud
  • 11. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.11 ... and different roles & responsibilities regarding security Cloud SaaS PaaS IaaS SaaS: Software as a Service, generally provides application, data and infrastructure security, with varying degrees of compliance PaaS: Platform as a Service, may provide some additional security functions for IDM and secure application development – security falls to app developer and customer IT operations IaaS: Infrastructure as a Service – providers generally offer basic network & infrastructure security, firewalls, some tools – but customer is generally responsible for implementation,operations, monitoring
  • 12. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.12 But what is really new about “cloud security”? Many traditional security concerns are recast as a “cloud problem”. . . • Many “cloud security incidents“ are issues with web apps and data-hosting, but at greater scale… - e.g. Phishing, downtime, data loss, weak passwords, compromised hosts running botnets, etc … • Unexpected side channels and covert channels arising from shared-resource environments in public services - Activity patterns need to be protected in addition to apps and data • Reputation fate sharing: possible blacklisting or service disruption due to “bad neighbors” - Need “mutual auditability” (providers need to audit/monitor users) • Longer trust chains: {SaaS to PaaS to IaaS} – Y.Chen, et.al, “What’s New About Cloud Computing Security?” UC Berkeley, Jan.20, 2010
  • 13. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. “It’snotaboutcloudsecurity– it’saboutsecuringyour enterprise’suseofcloud-based services” “Cloudsecuritybeginswith, andaddsto,well-defined enterprisesecurity” Perspectives
  • 14. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.14 Enterprise approach to cloud security HP Enterprise Security Services Whitepaper 1. Establish a risk-based approach 2. Design applications to run in the cloud 3. Ongoing auditing and management
  • 15. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.15 HP approach to complete information security Establish a risk-based approach Actionable Security Intelligence Moving from Reactive to Proactive Information Security & Risk Management Assess security investments and posture Transform from silos to a comprehensive view Optimize to proactively improve security posture Manage security effectively Establish a risk based approach
  • 16. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.16 HP Cloud Security Risk and Control Assessment Stage 1: Assessment Workshop Business Issues Discovery Strategic Control Plan Risk Assessment Scope Engagement with senior management Stage 2: Risk Assessment Engagement with business-level security Business Risk Assessment Asset Risk Assessment Assets Prioritized by Risk Stage 3: Controls Assessment Cloud Control Measures Consensus Assessment Prioritized Security Control Plan Engagement with operational level security Establish a risk based approach
  • 17. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.17 Are your applications & data… The path of least resistance? Design apps to run in cloud
  • 18. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.18 Secure SDLC: protect data & IP Design apps to run in cloud Attacker Software & data Hardware Network Intellectual property Customer data Business processes Trade secrets
  • 19. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.19 The National Vulnerability Database (DHS/US-CERT) • Lists >47,000 documented vulnerabilities Undiscovered/unreported (0-day) vulnerabilities are huge • 20X1 multiplier • 47,000 x 20 = estimated 940,000 vulnerabilities replicated in many products The risks Vulnerabilities (security defects) Quality issue: many more “underwater” than those reported “above the water” Greater than 80% of attacks happen at the application layer Notes: HP research and 1“Public Vulnerabilities Are Tip of the Iceberg,” CNET News, June 1, 2007 Design apps to run in cloud
  • 20. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.20 The National Vulnerability Database (DHS/US-CERT) • Lists >47,000 documented vulnerabilities Undiscovered/unreported (0-day) vulnerabilities are huge • 20X1 multiplier • 47,000 x 20 = estimated 940,000 vulnerabilities replicated in many products The risks Vulnerabilities (security defects) Quality issue: many more “underwater” than those reported “above the water” But <1% of security spend is allocated to application security !!! Notes: HP research and 1“Public Vulnerabilities Are Tip of the Iceberg,” CNET News, June 1, 2007 Design apps to run in cloud
  • 21. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.21 Designing applications to run in the cloud • Embed security in application architecture • Address new attack surfaces early in design • Encrypt “everything” by default – end-to-end • Adopt new mindset to privacy • Bounding processes around PII (e.g. PCI tokenization example) • Build in audit trails for forensics • Conduct 3rd party reviews (CATA, Pen.Test) Design apps to run in cloud
  • 22. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.22 Securing “data-in-process,” in addition to “at rest” and “in motion” Encryption advances & alternatives∗ Advances Broadcast encryption: encryption for groups and memberships Searchable symmetric encryption: securely search encrypted data Identity-based encryption: ad-hoc PKI, user chooses his own public key Predicate encryption: fine-grained PKI Homomorphic encryption: emerging techniques to compute on ciphertext * Source: CSA Guidance v3.0Chapter 11 Alternatives* Tokenization. Data sent to the public cloud is altered (tokenized) and contains a reference to the data residing in the private cloud. Data anonymization. Personally identifiable information (PII) is stripped before processing. (Watch assumptions) Utilizing cloud database controls. Using (fine-grained) access controls at database layer to provide segregation. Design apps to run in cloud
  • 23. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.23 Architecting Security into Applications Security assurance thought leadership Requirements/ architecture & design • Security requirements gap analysis • Security designed in • Dramatically reduces risk of vulnerabilities • More complete and less expensive assurance • Guides late lifecycle assurance • The best response to a greater threat Reactive Traditional Proactive Extending security assurance Higher ROI The traditional approach is backwards. It can never solve the problem by itself but works great after proactively prioritizing late life cycle assurance focus Post-release First, people found vulnerabilities, patched, and issued bulletins Integration/ penetration test • In-house, more proactive • More expensive in isolation Coding • Security code scanners • Code review • Better when design supports security Design apps to run in cloud
  • 24. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.24 Applications rationalisation Cloud-specific workload analysis Risk analysis & TCO BPA HP cloud applications transformation Level 2 transformation strategy determination (x to x) Level 1 transformation strategy determination (RE’s) App migration Cloud service types Cloud deployment models IaaS PaaS SaaS Public Private Virtual private Dedicated/hosted (retain, retire) Suitable for SaaS Suitable for preferred target/ public cloud Need modernisation analysis Not suitable for cloud Cloud suitability mapping • Replace • Re-architect • Re-factor • Re-host App migration Apps Design apps to run in cloud
  • 25. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.25 Applications modernization strategy Re-factor Re-architect Re-host Replace Application cloud strategy Codingeffort New value generation potential IaaS SaaS PaaS PaaS SOA Design apps to run in cloud
  • 26. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.26 Auditing cloud services Continuous compliance monitoring is essential to securely delivering cloud services and ensuring compliance • Cloud Services are inherently dynamic. The dynamic provisioning and de-provisioning of resources is a key part of the Cloud value proposition and business model • Automation for operations and asset management are essential in this dynamic environment • Verification of compliance with policy and legislation – such as the EU Data Protection Directive, GLBA, HIPAA, and Export compliance controls like ITAR – requires continuously running automation Yearly or monthly audits are irrelevant in an environment that changes completely on a daily or hourly basis Ongoing auditing & management
  • 27. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.27 Are we secure? Continuous security monitoring Ongoing auditing & management
  • 28. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.28 What about infrastructure and network security? • Infrastructure and network security are critical areas for cloud-based solutions • Enterprises have little or no influence on a provider’s implementation and controls in these areas • A thorough review of the service provider’s policies should be completed as part of the due diligence process during contract negotiation and service sourcing
  • 29. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.29 5 key ways to reduce risk 1. Understand your risk profile 2. Architect for the cloud 3. Robust identity, access management 4. Confirm legal, compliance obligations, due diligence 5. “Clear Responsibility” – CSP, Customer, Both
  • 30. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.30 Cloud security: guidance for critical areas Architecture 1. Cloud computing architectural framework Governance 2. Governance and enterprise risk management 3. Legal issues: contracts and electronic discovery 4. Compliance and audit management 5. Information management and data security 6. Interoperability and portability Operations 7. Traditional security, business continuity, and disaster recovery 8. Data center operations 9. Incident response 10. Application security 11. Encryption and key management 12. Identity, entitlement, and access management 13. Virtualization Security for the cloud http://cloudsecurityalliance.org/ https://ccsk.cloudsecurityalliance.org/
  • 31. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.31 Final thoughts  Recognize the threats have changed and become ‘industrialized’  Employ comprehensive and integrated approach to enterprise security & risk management  Conduct security threat analyses for all critical applications  Design in security from the beginning: essential for public cloud usage  Be vigilant: continual compliance monitoring and audits, intrusion testing, verifiable backups…
  • 32. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Thankyou Whitepaper: bit.ly/hpcloudsecurity Email: ed.reynolds@hp.com URL: hp.com/enterprise/security