Cloud Security - Made simple

Cloud SecurityCloud Security sameer paradia sameer paradia

Goals 1. Brief on Cloud Computing 2. Security Threats 2 Security Threats 3. Framework 4. Controls 4. Controlshttp://www.flickr.com/photos/tomhaymes/321292834/

Understand Cloud Cl d

Essential CharacteristicOn‐Demand Lowered requirement to forecasts Lowered requirement to forecasts Demand trends are predicted by the providerUsage‐metered Usage metered Pay‐by‐the‐realtime use Self‐service from pool of resources Resources managed by consumer Resources managed by consumer with a GUI or APIElastic Scalability Grow or shrink resources as required Grow or shrink resources as requiredUbiquitous Network The network is essential to use the service ser i e

Beyond basic..Modes of Deployment p S i Services Types Compute Storage IaaSDeployment Network Datacentre models Web 2.0 Applications Public cloud S PaaS Runtime Development tools Business Hybrid cloud Middleware Database Java Runtime Private cloud Pi t l dCommunity cloud Collaboratio ERP / CRM aS n Saa Business Enterprise Processes Applications

Security Threat Thr t

Lots of noise on....Cloud Security?...how do we simplify it how it... http://www.flickr.com/photos/purpleslog/2870445256/in/photostream/

It is same As current InfoSec practice You have to take the ha e same approach as current ISMShttp://www.flickr.com/photos/pheckaboolala/3410638119

Cloud Security• What is it? – Protection of your information in Protection of your information in cloud• Why is critical? – Your information is at central unknown place in cloud – No visibility of security measures in No visibility of security measures in Public cloud• Impact of breach on business? – Lack of Compliance k f li – Legal issue – Breach of privacy Breach of privacy http://www.flickr.com/photos/nigeljohnson73/6788941421

Threats in XaaS Threats in XaaS Models• SaaS: – Built in security functionality Built in security functionality – Least consumer extensibility – Relatively high level of integrated security• PaaS – Enable developers to build their own applications on top of the platform – M More extensible than SaaS, at the expense of customer ready features ibl h S S h f d f – Built in capabilities are less complete, but there is more flexibility to layer on additional security• IaaS – Few application‐like features, – Enormous extensibility – Less integrated security capabilities and functionality beyond protecting the infrastructure itself – Assets to be managed and secured by the cloud consumer

Security Framework Fr rk

1. Identify asset 2. Assess impact 3. Map the asset to c oud y to cloudify o ta se g of transferring to potential to potential a) Data assets on cloud cloud b) Applications on business in deployment case of breach case of breach models Security Framework 4. Evaluate 5. Evaluate the controls in Dataflow , to ata o , to each of Iaas/ understand the Paas/ Saas flow layer y depending upon asset

Cloud Controls C tr l

3 Dimensions of cloud security Business IT Assets Risk Criticality C iti lit in cloud i l d Assessment A t For achieving robust and practical security consider all 3 perspective

Types of Controls Types of Controls Governance G Operational O ti l (Strategic) (Tactical) • Risk Management • BCP/ DR• Legal & Electronic • Data centre Discovery Operations• Compliance/ Audit • Incident • Information Life Management M t cycle management • Application security• Portability and Portability and • Encryption Encryption Interoperability • Identity & Access Management Management • Virtualization

Implement Controls• Possible controls – Layered security – facilities (physical security) – network infrastructure(network t ki f t t ( t k security) – IT systems (system security) – information and applications (application security).• IaaS Cloud provider : IaaS Cloud provider : – address security controls such as physical security, environmental security, and virtualization security it d i t li ti it• SaaS – Addresses upto Application layer Addresses upto Application layer http://www.flickr.com/photos/telstar/2816038167

Summary• Consider three perspective‐ Assets, Risk management and Business criticality • Cloud as an operational model neither provide for nor prevent p p achieving compliance • Selection of control depends on the service and deployment model the service and deployment model• Control varies depending on the design, deployment, and management of the resources f h• Most of Security controls in cloud are, same as normal IT environment http://www.flickr.com/photos/isadocafe/2095153000/

Sameer Paradia – CGEIT, CISM, CISSP(sameer_m_paradia@yahoo.com)Practicing IT Security for 12+ y g y years out of 20+ y years of IT Services/ Outsourcing work experience. g p http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/

Cloud Security - Made simple

by Sameer Paradia on Apr 24, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Cloud Security - Made simple Presentation Transcript