Cloud Security And Privacy

3,380 views

Published on

Presentation based on the book "Cloud Security and Privacy" by Tim Mather, Subra Kumaraswamy, and Shahed Latif.

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
3,380
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
Downloads
13
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Cloud Security And Privacy

  1. 1. Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance Tim Mather Subra Kumaraswamy, Sun Shahed Latif, KPMG
  2. 2. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif What We Do Not Discuss • Existing aspects of information security which are not impacted by ‘cloud computing’ • Consumer aspects of cloud computing 2
  3. 3. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif What We Do Discuss • Infrastructure Security • Network-level • Host-level • Application-level • Data Security • Identity and Access Management (IAM) • Privacy Considerations • Audit & Compliance Considerations • Security-as-a- [Cloud] Service (SaaS) • Impact on the Role of Corporate IT Where Risk Has Changed: ± 3
  4. 4. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Components of Information Security Security Management Services Management – ACL, hygiene, patching, VA, incident response Identity services – AAA, federation, provisioning Information Security – Data Encryption (transit, rest, processing), lineage, provenance, remanence Information Security – Infrastructure Application-level Host-level Network-level 4
  5. 5. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Cloud Computing: Evolution 5
  6. 6. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Cloud Pyramid of Flexibility 6
  7. 7. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Infrastructure Security – currently • Trust boundaries have moved • Specifically, customers are unsure where those trust boundaries have moved to • Established model of network tiers or zones no longer exists • Domain model does not fully replicate previous model • No viable, scalable model for host-to-host trust • Data labeling / tagging required at application- level • Data separation is logical not physical 7
  8. 8. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Infrastructure Security – going forward • Need for greater transparency regarding which party (CSP or customer) provides which security capability • Inter-relationships between systems, services, and people needs to be addressed by identity management 8
  9. 9. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Data Security – currently • Provider’s data collection efforts and monitoring of such (e.g., IPS, NBA) • Use of encryption • Point-to-multipoint data-in-transit an issue • Data-at-rest possibly not encrypted • Data being processed definitely not encrypted • Key management is a significant issue • Advocated alternative methods (e.g., obfuscation, redaction, truncation) are nonsense • Data lineage • Data provenance • Data remanence 9
  10. 10. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Data Security – going forward Large-scale multi-entity key management • Must scale past multi-enterprise to inter-cloud • Not just hundreds of thousands of systems or even millions of virtual machine images, but billions of files or objects • Must not only handle key management lifecycle (per NIST SP 800-57, Recommendation for Key Management), but also • Key recovery • Key archiving • Key hierarchies / chaining for legal entities • Fully homomorphic encryption • Potentially huge boon to cloud computing • Will increase need for better key management 10
  11. 11. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif IAM – currently • Generally speaking, poor situation today: • Federated identity widely not available • Strong authentication available only through delegation • Provisioning of user access is proprietary to provider • User profiles are limited to “administrator” and “user” • Privilege management is coarse, not granular 11
  12. 12. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif IAM – going forward • Emerging identity-as-a-service (IDaaS) needs to evolve beyond authentication • SAML, SPML and XACML (especially) need to be more fully leveraged • Increasing need for user-to-service and service-to-service authentication and authorization (OAuth) 12
  13. 13. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Privacy – currently • Transborder data issues may be exacerbated • Specifically, where are cloud computing activities occurring? • Data governance is weak • Encryption is not pervasive • Data remanence receives inadequate attention • Cusps absolve themselves of privacy concerns: ‘We don’t look at your data’ 13
  14. 14. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Privacy – going forward • Privacy laws are inconsistent across jurisdictions; need global standard • Need specific requirements for auditing (e.g., AICPA/CICA Generally Accepted Privacy Principles – GAPP) 14
  15. 15. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Audit & Compliance – currently • Effectiveness of current audit frameworks questionable (e.g., SAS 70 Type II) • CSP users need to define: • their control requirements • understand their CSP’s internal control monitor- ing processes • analyze relevant external audit reports • Issue is assurance of compliance 15
  16. 16. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Audit & Compliance – going forward • Inter-cloud (i.e., cross-CSP) solutions will demand unified compliance framework • Volume, multi-tenancy of cloud computing, demand that CSP compliance programs be more real-time and have greater coverage than most traditional compliance programs 16
  17. 17. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Security-as-a-Service – currently • Some offerings mature • E-mail filtering, archiving • Web content filtering • Some offerings still emerging • (E-mail) eDiscovery • Identity-as-a-Service (IDaaS) • Encryption, key management • Today’s security-as-a-service providers sell to CSP customers, not CSPs • None of today’s CSPs offer security-as-a- service as integrated offering 17
  18. 18. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Security-as-a-Service – going forward • Horizontal integration • Pure play SaaS providers will broaden offerings beyond e-mail + Web content filtering • Vertical integration • CSPs will offer SaaS as integrated offering • IDaaS has to scale effectively for cloud computing to truly take off • Complexity of key management screams for SaaS offering 18
  19. 19. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Impact on Role of Corporate IT – currently • Governance issue as internal IT becomes “consultants” and business analysts to business units • Delineation of responsibilities between providers and customers much more nebulous than between customers and outsourcers, collocation facilities, or ASPs • Cloud computing likely to involve much more direct business unit interaction with CSPs than with other providers previously 19
  20. 20. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Impact on Role of Corporate IT – going forward • Relationship between business units and corporate IT departments vis-à-vis CSPs will shift greater power to business units from IT • Number of functions performed today by corporate IT departments will shift to CSPs, along with corresponding job positions • Functions performed by corporate IT departments will shift from those who do (i.e., practitioners who build or operate) to those who define and manage • IT itself will become more of a commodity as practices and skills are standardized and automated 20
  21. 21. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Conclusions • Part of customers’ infrastructure security moves beyond their control • Provider’s infrastructure security may (enterprise) or may not (SMB) be less robust than customers’ expectations • Data security becomes significantly more important – yet provider capabilities are inadequate (except for simple storage which can be encrypted, and processing of non- sensitive (unregulated and unclassified) data 21
  22. 22. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Conclusions (continued) • IAM is less than adequate for enterprises – weak authentication unless delegated back to customers or federated, weak authoriza- tion, proprietary provisioning • Because of above, expect significant business unit pressure to desensitize or anonymize data; expect this to become a chokepoint • No established standards for obfuscation, redaction, or truncation 22
  23. 23. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif What’s Good about the Cloud? • A lot! Both for enterprises and SMBs – for handling of non-sensitive (unregulated and unclassified) data • Cost • Flexibility • Scalability • Speed 23
  24. 24. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Developments to Watch • VMware’s vCloud API − submitted to DMTF • Amazon’s Virtual Private Cloud − hybrid cloud that extends private cloud through “cloud bursting” • Security-as-a-Service offered by CSPs (e.g., Amazon’s Multi-Factor Authentication) • Cloud Security Alliance v2 white paper • Slow transparency and assurance from CSP (e.g., ISO 27002-based assurance) • IT governance framework that blends ITIL, ISO 27002, CObIT 24
  25. 25. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance Continue the discussion on-line at: cloudsecurityandprivacy.com 25

×