Core Requirements for Security In The Cloud
Bob Gourley, March 2011
Find this brief at http://crucialpointllc.com
About This Presentation
• A focus on the requirements users and CIOs are placing on cloud security
• Goal: help users who need to articulate security requirements, and help cloud providers who should anticipate those requirements
Context on Secure Cloud Computing
• New Reality: cloud-based continuous services that connect to us all, and appliance-like connected devices enabling us to interact with these services.
• Including Private Clouds, Public Clouds, Edge Clouds and a spectrum in between.
• Driven by functionality improvements, but also cost, agility and security benefits.
• Security benefits will only come with planning and work. Without planning and work, security becomes a nightmare.
Planning for Cloud Computing Security
• Cyber Security includes all steps required to ensure mission effectiveness: information confidentiality, integrity and availability.
• These are all made harder in environments that are complex and rapidly changing.
• Cloud computing introduces even more changes to this environment. Without planning, the risk will go up.
• However, if done right, with planning, Cloud Computing holds the potential of dramatically enhancing security.

“Complexity Kills: Complexity sucks the life out of users, developers and IT. Complexity makes products difficult to plan, build, test and use. Complexity introduces security challenges. Complexity causes administrator frustration.” – Ray Ozzie at ozzie.net
Security Issues with the Cloud
• Moving to the cloud gives you the chance to clean up from the past and prep for the future. So do it! But do it with awareness of the security issues.
• Security Issues:
  • Multi-Tenancy: requires secure access to, and separation of, user-allocated cloud resources
  • Availability: if you are using a cloud, it had better be there
  • Confidentiality: will you be putting all your eggs in one discoverable basket? Will you protect data in transit? Will you protect data on the processor?
  • Integrity: will you ensure your data is not changed?
Multi-Tenancy
• Multi-Tenancy: requires secure access to, and separation of, user-allocated cloud resources
  • Clouds have multiple concurrent users from disparate and possibly competitive organizations.
  • Even users from the same organization may need tight separation; for example, HR and Finance have data that must be protected from each other.
  • Development organizations may have software development efforts that could be impacted if secure boundaries are not in place.
  • The lack of secure boundaries is slowing cloud adoption and is a key missing feature of most cloud offerings.
• Issues to address:
  • Assurance of the underlying systems comprising the cloud, including assurance of their proper provisioning and segmentation
  • Secure access to, and separation of, user-allocated cloud resources, with sign-on and security provided separately from the applications hosted in the cloud
Availability
• Availability: if you are using a cloud, it had better be there
  • Assured comms
  • Assured always-up servers
  • An ability to reach users at their place of work
  • For many, an ability to reach users wherever they are
• There are tight ties to the requirements of confidentiality and integrity, but additional planning is required to ensure always-on, protected availability in the face of threats and outages.
• Make availability part of your agreement with your cloud provider. And have plans for working through outages that impact your cloud provider.
Confidentiality
• Confidentiality: will you be putting all your eggs in one discoverable basket? Will you protect data in transit? Will you protect data on the processor?
  • Strong identity management that protects and authorizes.
  • Knowledge of who in your cloud provider can access your cloud.
  • Comms security not only to and from the cloud but within the cloud and between virtual machines.
  • Accreditation of the deployment, such that one can assure your cloud is operating according to business policies and upholding regulated governance (e.g., SOX, HIPAA, FISMA).
  • Encryption of data in motion and data at rest.
  • Consider new means of storing/obfuscating stored data, such as Cleversafe.
  • Understand the type of processors that operate on your data and the mechanisms in place on the servers to ensure no tampering with or monitoring of data while it is being processed. Make this awareness a requirement. Understand how your provider watches for malicious code.
Integrity
• Integrity: will you ensure your data is not changed?
  • Of course, encryption of data at rest and data in motion (use an authenticated mode: encryption alone hides data but does not by itself detect modification).
  • Backups.
  • Smart use of checks/hashes/backups to ensure data is not tampered with.
  • Checks through repeatability: the same operation on the same data should always produce the same results.
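One way to put the "checks/hashes" and "repeatability" items into practice is a tenant-side integrity manifest: the customer computes a keyed tag over every object before upload, keeps the key and the manifest out of the provider's reach, and re-verifies on retrieval. The example below is added here and is not code from the original presentation; the object names, contents and the key are constructed for illustration, and the assumption is that the tenant, not the provider, holds MANIFEST_KEY. A keyed HMAC rather than a bare SHA-256 is used because anyone who can alter a stored object can also recompute a plain digest stored next to it.

```python
"""Tenant-side integrity manifest for objects stored in a cloud.

Added example, not from the original presentation. Assumptions: the
tenant keeps MANIFEST_KEY outside the provider's reach and stores the
manifest separately from the objects. Names and contents are constructed
sample data.
"""
import hashlib
import hmac
import json

# Constructed sample: what the tenant uploaded.
UPLOADED = {
    "finance/q1-ledger.csv": b"account,amount\n1001,250.00\n1002,-75.50\n",
    "hr/salaries.json": b'{"alice": 120000, "bob": 95000}',
}

# Assumption: a tenant-held secret the provider never sees. A plain SHA-256
# digest stored next to the object is not enough, because whoever can alter
# the object can recompute that digest; a keyed MAC cannot be forged without
# this key.
MANIFEST_KEY = b"tenant-held-secret-change-me"


def object_tag(name: str, data: bytes, key: bytes = MANIFEST_KEY) -> str:
    """HMAC-SHA256 over name, length and content, so an object cannot be
    swapped for a different valid object stored under another name."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode("utf-8"))
    mac.update(b"\0")
    mac.update(len(data).to_bytes(8, "big"))
    mac.update(data)
    return mac.hexdigest()


def build_manifest(objects: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Per-object tags plus a tag over the whole manifest, so that deleting
    an entry is detected, not only altering one."""
    entries = {name: object_tag(name, data, key) for name, data in objects.items()}
    body = json.dumps(entries, sort_keys=True).encode("utf-8")
    return {
        "entries": entries,
        "manifest_tag": hmac.new(key, body, hashlib.sha256).hexdigest(),
    }


def verify(manifest: dict, stored: dict, key: bytes = MANIFEST_KEY) -> list:
    """Return a list of problems; an empty list means every object matches."""
    problems = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["manifest_tag"]):
        problems.append("manifest tampered")
    for name, tag in manifest["entries"].items():
        if name not in stored:
            problems.append(f"missing: {name}")
        elif not hmac.compare_digest(tag, object_tag(name, stored[name], key)):
            problems.append(f"modified: {name}")
    for name in stored:
        if name not in manifest["entries"]:
            problems.append(f"unexpected: {name}")
    return problems


def demo() -> dict:
    """Run the manifest against a clean retrieval and a tampered one."""
    manifest = build_manifest(UPLOADED)
    # Retrieval 1: the provider returns exactly what was stored.
    clean = verify(manifest, dict(UPLOADED))
    # Retrieval 2: one ledger amount changed and one object missing.
    tampered = dict(UPLOADED)
    tampered["finance/q1-ledger.csv"] = tampered["finance/q1-ledger.csv"].replace(
        b"-75.50", b"-7.50"
    )
    del tampered["hr/salaries.json"]
    bad = verify(manifest, tampered)
    # Repeatability: the same operation on the same data gives the same result.
    repeatable = build_manifest(UPLOADED) == manifest
    return {"clean": clean, "bad": bad, "repeatable": repeatable}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the clean retrieval verify() returns an empty list; on the tampered one it reports the modified ledger and the missing salaries object. The manifest-level tag is what turns a silently deleted object into a reportable failure, and compare_digest is used so that tag comparison does not leak timing information.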
Concluding Thoughts
• Seek independent audit of your cloud provider and the many checks they will have in place to ensure your confidentiality, availability and integrity in the face of multi-tenancy.
• ISO 27001, SAS 70 and similar standards might not be keeping up. But they are a start, since they provide the foundation for third-party audit.
• Ask hard questions about all your requirements. What responsibility does the provider have to notify users when a requirement is not met?
• What guarantees do you have?
• If you are a user, articulate your requirements.
• If you are a provider, anticipate your users' requirements.
The Meta Requirement
The absence of unmitigatable surprise
Please help with your thoughts/input/questions
E-mail: firstname.lastname@example.org
Blog: http://ctovision.com
Twitter: http://www.twitter.com/bobgourley
Facebook, Plaxo, LinkedIn, etc.: see the blog.
Disruptive Security Tech
Bob Gourley, March 2011
Thesis of this Presentation
• Technology really matters
  – People and process are critical too, of course, but it is criminal to neglect the technical piece
Goal of this Presentation
• Tell you about technologies you might not know about yet
  – So I’m not going to talk about those great firms like ArcSight, Netwitness, Symantec.
Methodologies
• Understanding realities of Enterprise IT
• Winners of: RSA, SINET Security Challenge
• CTOVision.com Disruptive IT List: a list of exemplars in American Security (75 firms)
• Tracking R&D of big IT firms and investment from VC
The Candidates
• 3VR – Video analytics.
• Akamai – Web acceleration and content delivery across the fabric.
• AdaptivEnergy – Capture energy from vibrations.
• Appistry – Deploy apps across a grid; Computational Storage.
• ArcSight – Network and security management. Bought by HP. Still a player in demand.
• Aster Data – Specialized DBMS with built-in MapReduce for high-end analytics.
• Basis Technology – Foreign language document and media exploitation.
• Bit9 – New models dramatically enhancing security through application whitelisting.
• Bluecat Networks – Total management and optimization of all things IP.
• Brightcove – Enhancing, dramatically, how enterprises manage and disseminate video.
• Cloudshield – One of only two companies that can protect nets at line rate speeds.
• Cloudera – Providing support to open source and specialized software that makes Hadoop ready for the enterprise.
• Cleversafe – Smart way to save your data in the cloud. Clever and Safe.
• Centrifuge Systems – Fast visual analytics via multiple modes.
• Cipheroptics – Network and data encryption.
• Destineer Studios – Advanced immersive environments.
• Endeca – Next-generation information retrieval and analysis through advanced search and guided navigation.
• Endgame Systems – Cloud-based botnet and malware detection.
• EnterpriseDB – Enterprise Postgres. Leader in open source database products/services/support.
• FireEye – Botnet protection.
• FMS – Analysis.
• Forterra Systems – Distributed virtual world technologies for the enterprise.
• FortiusOne – Next generation intelligent mapping.
• Fortinet – Integration of multiple security technologies.
• ForgeRock – Full solution stack based on top quality open source software.
• Fusion-IO – Extremely fast and high capacity SSD.
• GainSpan – WiFi enablement.
• Geosemble – Map people, places, things using data from RSS feeds and tweets.
• Greenplum – Massively parallel database. High volume SQL transactions for MapReduce.
• Global Velocity – Hardware based DLP.
• Hardcore Computer – Blade server with total liquid submersion technology.
• iMove – Imaging and immersive video for wide area and geospatial surveillance.
• Infinite Power Solutions – Thin-film batteries to power RFID.
• Image Tree Corp – Figure out what is growing on the earth.
• Invincea – Device protection by wrapping the browser.
• Janya – Multilingual Semantic Analysis.
• Koolspan – High quality mobile voice encryption.
• KNO – They assert they are for education, but CTOs in enterprises everywhere should watch this one.
• Liquid Machines – Primarily Enterprise Rights Management. Key product is “Document Control 6.0”. Others in this area include IBM, EMC, Adobe. Member of SISA alliance.
• LensVector – Taking moving parts out of cameras.
• Looxie – Bluetooth camcorder. Imagine the impact on enterprise business models (and IT).
• Malden Labs – Fast/smart/modern delivery of content and apps to any device.
• MarkLogic – New, smarter ways of storing, searching, acting on and displaying information.
• MetaCarta – Geospatial data extraction and transformation.
• Network Integrity Systems – Protected Distribution Systems.
• Nexenta – OpenSolaris power and the usability of Linux. Enterprise class storage (ZFS based).
• Narus – Unified IP Management and Security. Bought by Boeing. Still a player.
• Nicira – Could be the future of network virtualization.
• Object Video – Business intelligence from video.
• Oculis Labs – Data obfuscation at the user’s screen.
• piXlogic – Image segmentation and search. Visual Search Engine.
• Perceptive Pixel – Multi-touch interaction with data visualizations.
• Permabit – Embedded high performance OEM data optimization software.
• Polychromix – Miniature analysis tools for mobile labs.
• Previstar – An Intelligent Resource and Information Management system designed to automate National Incident Management guidelines for preparedness, response and recovery.
• Proofpoint – Enhanced email security, email archiving and DLP for enterprises.
• Quantum4D – Advanced visual analysis.
• Qynergy – New battery technology.
• Rapid7 – Automating security testing including vulnerability testing.
• Recorded Future – Gain knowledge of the future by looking for events mentioned on the net.
• SenseNetworks – Dramatic use of location data to create useful information. Consumer apps provide heat maps of cities. Enterprise capabilities provide important analytics.
• StreamBase – Capture and analyze data in stream.
• Sonitus Medical – Hear from your teeth.
• SpaceCurve – A new kind of database enabling large scale analytics and effortless indexing (Gourley is on their advisory board).
• Spotfire – Enterprise analytics for business intelligence. Analytics for every user in the enterprise.
• Splunk – Dramatically enhanced IT search.
• Tableau – Great, fast, interactive visualizations.
• ThingMagic – Advanced RFID solutions.
• Thetus – Knowledge modeling and discovery.
• Touch Table – Interact with data and visualizations by hand.
• Traction Software – Enterprise hypertext collaboration.
• Triumfant – Enterprise class compliance, reporting, remediation (Gourley is on their advisory board).
• TSRI – Move legacy code to the future fast.
• Twiki – Enterprise agility platform.
• Visible Technologies – Analysis.
• Zafesoft – Discover, classify and secure enterprise data with ease of control. Prevent data leaks, including leaks by malicious insiders.
• Some capabilities under evaluation in our CTOlabs:
  • QlikView
  • Decision Lens

The IT Powerhouses
• There are so many things going on at the big companies it is hard to keep track. Also, they all are looking for innovation and frequently buy to keep the innovation flowing in. So this is a dynamic area to say the least. It is also an area very hard to sum up in a few words. But here goes:
• Adobe – Adobe Acrobat Connect and many related collaborative tools.
• Cisco – Far more than networking gear, now a collaboration powerhouse. IRIS.
• Citrix – On demand computing, including virtualization of desktops and servers.
• EMC – Growing through acquisition and internal innovation. Real powerhouse in grid computing and end to end enterprise solutions. No longer just a storage company.
• HP – Also growing through acquisition and internal R&D/innovation. End to end enterprise solutions including automation. Networking. Recently bought ArcSight.
• IBM – Continuing to modernize. Will move into the mashup space. Continuing to innovate internally and through acquisition. BigFix is a key example.
• Intel – The primary business is producing chips (silicon innovation) but they field solutions for many other parts of the ecosystem. Recently bought McAfee.
• Microsoft – Large investments in R&D. Beginning to move to open standards/open source. Win 7 will be a huge hit, with enhancements to functionality and security. Now a player in Mobile with Windows 7 for Mobile.
• Oracle – Innovating by buying the best. Stand by for disruptions by forced integrations resulting in positive forward movement. Services for open source. Currently supporting Solaris and MySQL, but many wonder about their commitment to those.
• SAP (and Business Objects and Inxight) – Business intelligence. SAP has not stopped re-inventing itself and is a SOA leader.
• Symantec – Their core business is security, but this is broadly defined as ensuring enterprise functionality.
• VMware – Virtualization leader.
• These companies are also tracked on the CTOvision.com Tech Titan List.

Some Open Source Disruptors
• Red Hat – with commercially supported Linux.
• Alfresco – Enterprise content management in an open source framework.
• Talend – Open Source ETL and data integration.
• Cloudera – Open Source around Hadoop, as well as some key licensable IP.
• ForgeRock – Full solution stack based on top quality open source software. Pure play open source.
• Nexenta – OpenSolaris power and the usability of Linux. Enterprise class storage (ZFS based).
Disruptive Security Categories
• Stopping Malware
• Hardware Based IT Security
• OS Based IT Security
• Network Based Security
• Discovering Bad Actors
Disruptive Security Exemplars
Stopping Malware
• Invincea: Winner of RSA security innovator award
• Bit9: New methods of application whitelisting
• FireEye: Botnet protection
Hardware Based IT Security
• Intel vPro: Immediately enhances manageability/security
OS Based IT Security
• Windows 7: Upgrade now and enable BitLocker
Network Based Security
• Cloudshield: DPI and action over net traffic
Discovering Bad Actors
• Endeca: Discovery and iterative examination
• Hadoop: Facebook-scale analytics
Other Hot Ones:
• RedSeal
• Cleversafe
• GlobalIDs
• Silvertail
• Veracode