Marketing, Uncertainty and Doubt: Information Security and Cloud Computing

About zSquad • Information Security Consulting Practice • Focus areas are: – Policy review/development – IT Governance – Security Architecture – Application Security – PCI, SAS 70 and ISO 27001 audit prep – 3rd party due diligence audits • Customers are financial services, insurances and state / city agencies • We also founded The Layoff Support Network (www.layoffsupportnetwork.com) 2

Agenda • Too many “cloud” offerings = confused market • Pay-as-you-go vs. always on • Cloud (in)security • Hype: Security vendors • Hype: Cloud providers • Enterprise Cloud Computing • Know your information • Minimum due diligence – questions to ask your cloud provider • If you are a cloud (or related service) provider – questions you better have answers for • If you develop, things to do • QA 3

“Cloud:” Buzzword 2.0 • Gmail and Hotmail are clouds, too • So are SalesForce.com and Google Apps • What about timesharing mainframes of old? • Or the $5/month shared web-hosting? So is the cloud concept decades old? 4

So what exactly is a “cloud”? … Massively scalable IT-enabled capabilities delivered 'as a service' to external customers using Internet technologies. -- Gartner 5

Cumulous, Stratus, Nimbus… • SaaS: SalesForce, GoogleMail, Google Apps… • Utility Computing: Amazon EC2, IBM, Unisys… • Web Services (API): Google Maps, ADP Payroll processing… • Platform As A Service: Force.com, Google App Engine, Azure • Managed Service Providers: Hosted anti- spam services • Infrastructure as a Service: Amazon, 3Tera 6

Characteristics: • Elasticity: provisioning and deprovisioning resources in real time to meet workload demands • Utility: providing resources on a 'pay-as- you-go' basis • Ubiquity: providing services available from anywhere to anywhere 7

Cloud (in)Security Characteristics • Outside customers’ physical security perimeter • Unknown (untrusted?) personnel • Unenforceable regulatory compliance • Unpredictable jurisdiction over data • Unknown disaster recovery • You may very well be locked-in • Zero support for forensics / investigations But: Trust us, we are doing the right things 8

Every RSA Conference has a buzzword This year it was "the cloud." In one way or another, vendors were pushing their answer to handling security in the cloud. Cisco unveiled a number of tools and services in the cloud April 21, even though a day later Cisco CEO John Chambers described the idea of securing a virtual cloud network as “a security nightmare.” IBM pulled the covers off a new arsenal of products designed to protect cloud computing environments as well, while McAfee CEO Dave DeWalt used his keynote to talk about using the cloud in the context of what he called “predictive security,” his vision of how McAfee will share threat intelligence in the cloud to better protect end users. eWeek.com - 4/24/2009 9

Customers Worry • 90% of cloud application users say they would be very concerned if the company at which their data were stored sold it to another party. • 80% say they would be very concerned if companies used their photos or other data in marketing campaigns. • 68% of users of at least one of the six cloud applications say they would be very concerned if companies who provided these services analyzed their information and then displayed ads to them based on their actions. Cloud Computing Gains in Currency Pew Internet and American Life Project 10

Vendors Respond: • Since 2007, Amazon has been telling us they are: ".. working with a public accounting firm to ... attain certifications such as SAS70 Type II" but these have not happened in 2+ years. 11

Vendors Respond http://googleenterprise.blogspot.com/2008/11/sas-70-type-ii-for-google-apps.html 12

Reality • March 7, 2009 from the WSJ: Google disclosed Saturday that it shared a very small number of online documents with users who weren’t authorized to see them. The privacy glitch, caused by a software bug, affected just a tiny fraction of documents — an estimated less than .05% http://blogs.wsj.com/digits/2009/03/08/1214/ • September 18, 2009 from the NY Times: A recent bug in Google Apps allowed students at several colleges to read each other's email messages and some were even able to see another student's entire inbox. The issue occurred at a small handful of colleges… http://www.nytimes.com/external/readwriteweb/2009/09/18/18readwriteweb- whoops-students-going-google-get-to-read-ea-12995.html 13

Want To Complain? http://www.google.com/accounts/TOS?hl=en 14

Amazon EC2/S3 http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960 We are not responsible for any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of, Your Content (as defined in Section 10.2), your Applications, or other data which you submit or use in connection with your account or the Services. http://aws.amazon.com/agreement/ 15

No Customer Audit Allowed http://www.v3.co.uk/v3/analysis/2246616/q-google-apps-director-security …It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant which requires on-site auditing; that is something we cannot extend to our customers. … I recommend businesses always plan for level 1 compliance. So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time. 16 http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960

Detour: SAS 70 type II • Concept: ISO 9000 certified Concrete Life Jackets • manufactured according to the documented procedures • instructions on how to complain about defects • SAS 70: Company management defines controls to be evaluated Management: We have a guard at the front door. That is the sole control we want evaluated Auditor: And he checked my ID. The control works as claimed. Here is your SAS 70 type II certification Unless you can see which controls were evaluated, SAS 70 type II reports are not meaningful 17

Can you move your enterprise to the cloud? Or, If you are a cloud vendor, how do you convince your customers to move? 18

Case Study • Business: Automatic discount at retail stores • Customer identified by Credit Card used • Currently 1 million transactions/day • PCI-certified stores have demanded PCI certification • Client stress test: 1 million transactions/hour • Amazon Extra-Large Instance • Cost: ~ $200 • They can not get PCI certified on Amazon • Any other platform is unaffordable 19

Solution Source: Kavis Technology Consulting 20

Customer: Data Classification • Some parts of the enterprise can go to the cloud • The trick is in understanding that: • All data is not created equal • Some entirely fit to be in/on a cloud • But if data is valuable enough that someone might bring out a gun, cloud is not the right place to be. • If you need PCI certification, excellent advice from AWS rep: … keep the credit card data stored on your own local servers which are available for auditing, scanning, and on-site review at any time 21

Off-premise has different security problems and requirements Understand them, and you can secure them or Make an informed decision to Stay Away 22

Customer Due Diligence • Centralization of data makes insider threats from within the cloud provider a bigger risk • Customers should perform onsite inspections of cloud provider facilities whenever possible • Customers should inspect cloud provider disaster recovery and business continuity plans. • Customers should identify physical interdependencies in provider infrastructure. • For IaaS, deploy applications in runtime in a way that is abstracted from the machine image. Backups should also be machine independent. • Understand who your provider’s competitors are. Plan for a migration http://www.cloudsecurityalliance.org/ 23

Considering a SaaS provider? • If you have the resources, do an audit yourself • If your data requires that level of assurance • If the provider allows • Ask the vendor for 3rd party audit reports • SAS 70 audit reports: better than nothing • Barely • Ask them about: • Employee background check • Secure development process • Trust, but verify 24

Multi-tenant SaaS Security Issues • Not net-new vulnerabilities • But suddenly you are hosting data on servers managed by people who don't work for you • And you are not the only user of the server • Can someone do an off-by-one attack? • By mistake? • Denial of service attack against another customer? 25

Providers: • Know what you will host • Spell out policies and procedures • Employees are background-checked? • Are they bonded? • How would you stop someone from backing up a VM and taking it home? • Be clear about what you will NOT support • It took Amazon AWS 2 years to provide an answer • Some things are still unclear • The Google / AWS disclaimers are excellent models • Unisys has ISO 27001-certified data centers. • Think before investing that much time, effort and money 26

Providers (cont.) • Cloud providers should adopt as a security baseline the most stringent requirements of any customer. • Or make clear to the customer where they stand • Providers should have robust compartmentalization of job duties and limit knowledge of customers to that which is absolutely needed to perform job duties. • Understand that you may be subject to a legal / regulatory discovery because of a customer 27

Creating Secure Software • Developers care about deadlines and meeting the requirements • If security is not in the requirements, it will not get done • If developers don't know how to code securely, it will not get done right • If at all 28

Building a SaaS offering? • Train your developers and architects • A single-day training will probably eliminate 90% future security issues • Build Security into your life-cycle • Let security people, not developers, write the security requirements • Security Code review sounds nice, but is expensive • Do an application audit before going live • Allow time for it in the project plan 29

Final Thoughts IaaS Customer Extensibility PaaS SaaS Provider Security Responsibility Where are you? What are you doing about it? 30

Questions? javed@zsquad.com http://10domains.blogspot.com http://www.zsquad.com 31

Marketing, Uncertainty and Doubt: Information Security and Cloud Computing

by jikbal on Oct 07, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 19

Statistics

Marketing, Uncertainty and Doubt: Information Security and Cloud Computing — Presentation Transcript

http://www.slideshare.net	14
http://10domains.blogspot.com	5