Cloud Security Alliance Q2-2012 Atlanta Meeting


Cloud Computing, Virtualization & Data Security (and the Occasional Intersection of the Three)

Published in: Technology, News & Politics

  1. virtualization, cloud & data security and the occasional intersection of the three
      Friday, April 6, 2012
  2. Hi, I’m Taylor. @taylorbanks
      ‣ I’m a control freak.
      ‣ I do #security. I advocate for #privacy.
      ‣ I build virtual datacenters and cloud infrastructure.
      ‣ I keep my data in the cloud.
  3. "Cloud computing is about gracefully losing control while maintaining accountability even if the operational responsibility falls upon one or more third parties."
      From the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing
      Copyright © 2010 by L. Taylor Banks
  4. *These statements have not been evaluated by the CSA. This presentation is not designed to diagnose, prevent, treat or cure any cloud security problems or conditions.
  5. CloudSec
  6. Agenda
      1 Fundamentals: Cloud security doesn’t happen in a vacuum
      2 Secure Virtualization: Unique architectures present unique challenges
      3 Data in the Cloud: Public or private, understanding your data is the key to securing it
  7. Cloud May Magnify Risk
      Simply put, if you’re not securing your data effectively before moving it into the cloud, you’re in for a rude awakening when you do.
  8. I hate to disappoint you, really I do. But most of what I’m about to tell you, you should already know.
  9. Access Control
      A mechanism which enables an authority to control access to data in a given information system
  10. AAA: Authentication, Authorization, Accounting
  11. Hello, my name is: RBAC
  12. Data Considerations
      • Data classification
      • Data sensitivity
      • Data at rest
      • Data in motion
      • On-premise
      • Off-premise
  13. Categorization vs. Sensitivity
      Classification has become synonymous with ‘censored for,’ arguably to the detriment of effective categorization.
      Classification (Categorization): The purpose of classification is to protect information from being used to damage or endanger organizational security.
      Classification (Sensitivity): Simply possessing a clearance should not automatically authorize an individual to view all data classified at or below that level.
  14. From Understanding Data Classification Based on Business and Security Requirements, by Rafael Etges, CISA, CISSP, and Karen McNeil, from ISACA Journal Online
  15. Data Classification: Example Properties
      ‣ Relative importance
      ‣ Frequency of use
      ‣ Topical content
      ‣ File type
      ‣ Operating platform
      ‣ Average file size
      ‣ MAC times
      ‣ Departmental ownership
  16. RTO-based Classification
      Example data by Fred G. Moore of HorISon Information Strategies
      Attributes   | Mission-Critical | Vital   | Sensitive | Non-Critical
      RTO          | Immediate        | Seconds | Minutes   | Hours, days
      Availability | 99.999+          | 99.99   | 99.9      | <99
      Retention    | Hours            | Days    | Years     | Infinite
  17. Data at Rest vs. Data in Motion
      Both important yet distinct considerations
      Data at Rest: “On the Internet, communications security is much less important than the security of the endpoints.” - Bruce Schneier
      Data in Motion: However, anyone can read what’s going across the wire when it is sent unencrypted.
  18. CA Office of HIPAA Implementation
      Requires encryption to protect any data containing electronic protected health information (EPHI).
      ‣ DATA AT REST
        • Data at rest should be protected by one of the following:
          - Encryption, or
          - Firewalls with strict access controls that authenticate the identity of those individuals accessing _____ [system/data].
        • The use of password protection instead of encryption is not an acceptable alternative to protecting EPHI.
        • Systems that store or transmit personal information must have proper security protection, such as antivirus software, with unneeded services or ports turned off and subject to needed applications being properly configured.
  19. CA Office of HIPAA Implementation
      Requires encryption to protect any data containing electronic protected health information (EPHI).
      ‣ TRANSMISSION SECURITY
        • All emails with EPHI transmitted outside of State (or county) departments’ networks must be encrypted.
        • Any EPHI transmitted through a public network to and from vendors, customers, or entities doing business with ___ [name of the org in the State of California, or a county] must be encrypted or be transmitted through an encrypted tunnel. EPHI must be transmitted through a tunnel encrypted with ___ [specify type of encryption to be used, such as virtual private networks (VPN) or point-to-point tunnel protocols (PPTP) like Secure Shells (SSH) and secure socket layers (SSL)].
        • Transmitting EPHI through the use of web email programs is not allowed.
        • Using chat programs or peer-to-peer file sharing programs is not allowed.
        • Wireless (Wi-fi) transmissions must be encrypted using ___.
  20. On-premise vs. Off-premise
      New trust models will likely have a direct impact on the effectiveness of pre-existing security policies.
      On-premise: You need only trust those vetted, hired and managed by your organization, and according to your own security policies.
      Off-premise: Trust model now includes external entities, plus potential additional considerations around governance, regulations and compliance.
  21. Agenda
      1 Fundamentals: Cloud security doesn’t happen in a vacuum
      2 Secure Virtualization: Unique architectures present unique challenges
      3 Data in the Cloud: Public or private, understanding your data is the key to securing it
  22. Virtualization is ...a broad term with many uses
      ‣ Abstraction of the characteristics of physical compute resources from systems, users, applications
      ‣ Typically, one of:
        • Resource (virtual memory, RAID, SAN)
        • Platform (virtual machines, instances)
  23. VirtSec
      ‣ Security of virtual infrastructure and the virtual machines running therein.
      ‣ While many security considerations are the same within physical and virtual, ...
      ‣ Virtualization does introduce unique architectures & a few unique challenges
  24. Unique Challenges, you say?
      ‣ VMs are highly-mobile & often short-lived
      ‣ VM sprawl vs. VM stall
      ‣ Most orgs have poor change control & patch management systems for virtual
      ‣ Introspection mechanisms available, but not widely deployed
  25. Components of the virtual infrastructure
      1 Compute resources
      2 Network resources
      3 Storage resources
      4 Hypervisor
      5 Virtual machines
      6 Management console
      7 Networking layer
      8 Administrators
  26. Simpler is Better
      • Keep It Simple, Stupid (KISS)
      • Make Your Architecture Simpler to Secure! (MYASS)
      • More moving pieces means more time, effort and money required to implement security completely and effectively
      • Don’t let the capabilities of your platform fool you into believing you need all of them
  27. Secure Your Resources
      • Your virtual infrastructure is only as secure as the resources that comprise it!
      • Securing your compute, network and storage infrastructure is as important as securing the hypervisor and guests
  28. The Malignant OS
      • Needs to be hardened / secured just like on physical machines
      • Principles of minimization will lead to smaller, faster, more secure VMs
  29. Guest OS Hardening
      • Consider automated assessment tools, checklists and/or hardening scripts
      • nmap, Nessus, Metasploit, CANVAS
      • “15 Steps to Hardening WS2003”
      • Microsoft Baseline Security Analyzer
      • Bastille Linux
  30. VM Introspection
      Inspecting a virtual machine from the outside (typically by way of the hypervisor) for the purpose of analyzing [its behavior]
      ‣ Introspective firewalling
      ‣ Introspective malware detection
      ‣ Introspective DLP
      ‣ Traditionally, distinct products
        • Catbird, Hytrust, Juniper, Reflex Systems, Trend Micro, VMware, etc.
  31. Agenda
      1 Fundamentals: Cloud security doesn’t happen in a vacuum
      2 Secure Virtualization: Unique architectures present unique challenges
      3 Data in the Cloud: Public or private, understanding your data is the key to securing it
  32. What is “Cloud Security?”
      Without context, cloud security is undefined.
      ‣ Network security?
      ‣ Virtualization security?
      ‣ Application security?
      ‣ Governance, Risk & Compliance?
      ‣ YesPls!
        • Depends on service and deployment models
        • Determined mostly by your DATA!
  33. 4 8 15 16 23 42
      • Five characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service
      • Three service models: SaaS, PaaS, IaaS
      • Four deployment models: Public, Community, Private, Hybrid
  34. Private IaaS? Public IaaS? It matters!
      In public IaaS, the likelihood of having control over virtual infrastructure comprising ‘your cloud’ is slim.
  35. Cloud Security Fundamentals
      ‣ See: K.I.S.S. M.Y.A.S.S.
      ‣ Classify your data; consider trust models
      ‣ Understanding what your org means by ‘cloud’ is key to securing data in the cloud:
        • 5 characteristics
        • 3 service models
        • 4 deployment models
  36. Cloud Security Risks
      CSA’s Top Threats to Cloud Computing v1.0
      ‣ Abuse and Nefarious Use of Cloud Computing
      ‣ Insecure Interfaces and APIs
      ‣ Malicious Insiders
      ‣ Shared Technology Issues
      ‣ Data Loss or Leakage
      ‣ Account or Service Hijacking
      ‣ Unknown Risk Profile
  37. Mitigation
      • Encrypt locally before storing in the cloud
      • Ensure external key storage and management
      • Keep private data out of cloud
      • Build protection mechanisms directly into your resources in the cloud
      • Host private cloud
  38. Cloud Security Fundamentals
      ‣ Network, infrastructure, virtual and application security are no less important than before
      ‣ Compliance is important, but useless taken out of context (SAS 70 TII, but with which controls?)
      ‣ Compliance doesn’t fully address governance, residency or access
  39. Understand your Data
      How will your data be used, accessed and modified? How and when will it be removed? By whom?
  40. Avoiding the Data Tornado
      ( which your data is a vortex of bits across multiple jurisdictions, tossing data around like a doublewide.)
      ‣ Deep knowledge of your data
      ‣ Data flow and threat modeling
      ‣ AAA, IAM & RBAC FTW
      ‣ Effective security policies
      ‣ Tested security procedures
      ‣ Proven security controls
  41. Required Reading
      ‣ CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing
      ‣ ENISA’s Cloud Computing: Benefits, Risks and Recommendations for Information Security
      ‣ CSA’s Cloud Controls Matrix
      ‣ ENISA’s Procure Secure: A guide to monitoring of security service levels in cloud contracts
      ‣ NIST SP 800-145 Definition of Cloud Computing and 800-137 on Information Security Continuous Monitoring
  42. Taylor @ Cloud in