Question: how many CIOs are in the room. How many have regular (at least monthly) 1 to 1s with CEO or CFO?
Working on a project – project managers says we have a VPN tunnel for data transfer so that is enough for security
Talk about data classification. We will talk about dropbox later
Apply encryption only where needed and make sure that the key management is done properly. NIST document http://csrc.nist.gov/groups/ST/toolkit/key_management.html
Jirasek Consulting ServicesClassification: Public 1Supporting Business AgilitySecure your cloud applications by buildingsolid foundations with enterprise (security) architectureVladimir Jirasek, Managing directorJirasek Consulting Services&Research Director, Cloud Security Alliance, UK chapter
Jirasek Consulting ServicesClassification: Public 2About me• MBA (MSc) degree• 20 years experience in IT• 13 years experience in InfoSec• Worked in various companies in diversesectors• Engaged in security organisations as projectssuch as CAMM, CSA• Technical editor of a cloud security book• Present at security and IT conferences
Jirasek Consulting ServicesClassification: Public 3Agenda• Enterprise architecture crash course• Security architecture overview• Cloud security models• Governance in Cloud• Data security in Cloud• Identity and Access in Cloud
Supporting Business AgilityJirasek Consulting ServicesClassification: Public 4ENTERPRISE ARCHITECTURE
Jirasek Consulting ServicesClassification: Public 5What is Enterprise ArchitectureEnterprise architecture (EA) is theprocess of translating business visionand strategy into effective enterprisechange by creating, communicatingand improving the key requirements,principles and models that describethe enterprises future state andenable its evolution.WikipediaCommon sense to ensure everyone ina company is pulling in one direction,maximising ROI, reducing waste,increasing efficiency, effectiveness,agility, maintaining strategic focus anddelivering tactical solutions.Vladimir JirasekEnterprise architecture is about strategy, notabout engineering.Gartner
Jirasek Consulting ServicesClassification: Public 6EA is a business support functionShould be discussed here Is commonly discussed here
Jirasek Consulting ServicesClassification: Public 7EA frameworksSource: http://msdn.microsoft.com/en-us/library/bb466232.aspx
Jirasek Consulting ServicesClassification: Public 8One of the most used architectureframeworks: TOGAF
Supporting Business AgilityJirasek Consulting ServicesClassification: Public 9ENTERPRISE SECURITYARCHITECTURE
Jirasek Consulting ServicesClassification: Public 10Security model – business drives securityInformationSecuritypoliciesInputBusinessobjectivesCompliancerequirementsLaws &RegulationsBusinessimpactBusiness &informationrisksDefineDefineDefineSecuritythreatsInternationalsecuritystandardsInformationSecuritystandardsInformationSecurityguidelinesSecurityintelligenceInputLineManagementAuditorsSecuritymanagementRisk &ComplianceGovernanceProductManagementProgramManagementAssuranceSecurityServicesSecurityProfessionalsIT GRCInformInformationSecurityProcessesTechnologyPolicy frameworkSecurity managementPeopleServicesDefine securitycontrolsExecute securitycontrolsInformationSecurityMetricsobjectivesMetrics frameworkMeasure securitymaturityExternalsecuritymetricsMandate MeasuredbyInputCorrection of security processesFeedback: update business requirementsProcess framework
Jirasek Consulting ServicesClassification: Public 11Security architecture domains• Security architectwork across alldomains• Stakeholder in EA• Works with domainarchitects (dependson the size of anorganisation)
Jirasek Consulting ServicesClassification: Public 12Cloud model maps to Security modelCloud modelDirect map
Jirasek Consulting ServicesClassification: Public 13Responsibilities for areas in securitymodel compared to delivery modelsPhysical securityNetwork securityHost securityApplication sec.Data securitySIEMIdentity, AccessCryptographyBusiness continuityGRCProvider responsible Customer responsibleIaaS PaaS SaaS IaaS PaaS SaaS
Jirasek Consulting ServicesClassification: Public 14PresenttimeFutureShould data security be on CIOsagendas? Why only CIO?Not many security breachesso far. Why?Will become targeted as more enterprises rely onpublic Cloud computingMandatory reading!Cloud providerreputation/costsYour companyreputation/costs Consolidation ofCloud providersCost savings inEnterprisesPaaS/SaaSSaaSSaaS
Supporting Business AgilityJirasek Consulting ServicesClassification: Public 15CLOUD DEPLOYMENTGOVERNANCE
Jirasek Consulting ServicesClassification: Public 16Governance related to Cloud• Setting company policyfor Cloud computing• Risk based decisionwhich Cloud provider, ifany, to engage• Assigningresponsibilities forenforcing and monitoringof the policy compliance• Set corrective actions fornon-compliance
Jirasek Consulting ServicesClassification: Public 17Cloud governance::Policy• Cloud adopted typically bya) IT directors – managed relatively consistently andmostly [I|P]aaSb) Business managers – less governance; typicallySaaS• Policy should state: It is a policy of …. to managethe usage of external Cloud computing services,taking into account risks to business processes,legal and regulatory compliance when usingexternal services Cloud services. CIO isresponsible for creating and communicatingexternal Cloud computing strategy andstandards.
Jirasek Consulting ServicesClassification: Public 18Cloud standard structure• General statements– Governance requirements for Cloud– Enterprise architecture to be ready forCloud and Cloud services to plug-in(IAM, SIEM, Data architecture,Forensic)– Discovery of Cloud service use• Before Cloud project– Cloud service to comply with dataclassification– Encrypting all sensitive data in Cloud– Identity and Access management(AAA) link to Cloud service• During Cloud project– Due diligence to be performed– Do not forget “right to audit”– Know locations of PII• During Cloud project (cont)– Assess availability (SLA and DR) ofCloud provider– Assess Cloud provider security controls– Assess potential for forensicinvestigation by company’s team• Running a Cloud service– Limit use of live data for developmentand testing– Monitor cloud provider’s securitycontrols– Link Company’s SIEM with Cloudprovider and monitor for incidents• Moving out of Cloud– Data cleansing– Data portability
Jirasek Consulting ServicesClassification: Public 19Examples:I have 1TB of CSV files, now what?• Customer uses well know CRM in Cloud• SaaS designed to immerse clients into welldefined, bespoke CRM• No known data mode• Export of data in CSV.Tip: Portability is the key in SaaS applications.Think about leaving the Cloud provider upfront.How will you take your data?
Jirasek Consulting ServicesClassification: Public 20Example:Scaling up/down development• Large manufacture and service company• Requirement to support developmentneeds with seasonal demands – idealcase for [I|P]aaS• Security team approached up-front toperform review• “Live” data not uploaded to the providerbefore on-site sanitising
Supporting Business AgilityJirasek Consulting ServicesClassification: Public 21DATA SECURITY IN CLOUD
Jirasek Consulting ServicesClassification: Public 22Cloud provider: “AES-128 so itmust be secure! Trust me!”PDFSecretPDFSecret010100011010101010110101010010101010101100110101Cloud serviceuserJust because it is encrypted does notmake it secure… Look end to end.CloudServiceProvider
Jirasek Consulting ServicesClassification: Public 23However not all data in the cloudare secret!
Jirasek Consulting ServicesClassification: Public 24Sometimes too much encryption isbad though.Who holds encryption keys? Are they available?
Jirasek Consulting ServicesClassification: Public 25Data protection options in cloudmodelsInfrastructure as aServicePlatform as a Service Software as a ServiceEncryption appliance(e.g. Safe-Net ProtectV)Application encryption (customer retains keys)NetworkNetwork VPN (could extend to SaaS)Web TLS (for IaaS operated by customer)HostProvider dependent and operated host encryptionApplicationTokenisation and anonymisationDataExtend company file or objectencryptionEncrypting/tokenising reverseproxy engines (e.g. CipherCloud)SIEMExtend company SIEM Plug-in to Provider’s SIEMExtend DLP or eDRM Provider operated data/database encryption
Jirasek Consulting ServicesClassification: Public 26Example of SaaS – Use of Gmailinside and outside an organisation• SaaS web basedapplication. Other standardinterfaces – IMAP, POP3,SMTP, Web API• Data in Gmail available toanyone with properauthentication• TLS used on transport layer• Consider using CipherCloudlike product but be mindfulof traffic flows with externalcustomersSenderRecipientIntra companyRecipientProxySender
Jirasek Consulting ServicesClassification: Public 27Example of IaaS – Cloud provider offers virtualcomputing resources for Internal apps deployment• Cloud provider cantheoretically access alldata, if decryptionhappens on the virtualmachine! But would they?• Use two possible models: Local crypto operationswith remote keymanagement. ConsiderSafeNet ProtectV Remote crypto operationsover VPN – speed penaltyInternaluserAdministratorIntra companyVPNVirtual serversTravelling userKey managementData encryptedLocal encryptionoperationsData encryptedRemoteencryptionoperationsHSM
Supporting Business AgilityJirasek Consulting ServicesClassification: Public 28IDENTITY AND ACCESSMANAGEMENT IN CLOUD
Jirasek Consulting ServicesClassification: Public 29IAM is a complex domain::closer toinformation management then security!IdentitymanagementAccessmanagementFederation EntitlementsThese capabilities can be and are mixed between on-site managed by organisationsor provided as a service by Cloud providers.
Jirasek Consulting ServicesClassification: Public 30Identity management::mostlyinformation management• Principal management• Credential management• Attribute management• Group memberships• Business and IT roles• Directory• Link to HR dataProvision and de-provisionusers from cloud servicesautomatically
Jirasek Consulting ServicesClassification: Public 31Entitlements and AccessmanagementEntitlements• Managing access policies• XACML policies –(Subject, Rule, Resource)• Bespoke policies• Based on attributes orgroupsConnects subjects andresourcesAccess management• Uses identity information,entitlement policies andcontext to make accessdecisions:– Grant– Deny– Grant but limitDecision closer to resource
Jirasek Consulting ServicesClassification: Public 32Identity Federation::Let’s trust identityproviders• Not everyone wantsto have thousands ofusername/passwords• Cloud services areideal for identityfederation• SAML 2.0• OAUTH 2.0 (do notconfuse with OATH)
Jirasek Consulting ServicesClassification: Public 33Summary• Create Enterprise Architecture function with dotted line toCEO• Appoint Security Architect as part of Enterprise architecturefunction• Have a Cloud policy/standard and update risk managementclassification• Always think of exit from Cloud first!• Discover usage of Cloud services• Prepare you enterprise architecture to plug Cloud services inIAM, SIEM, Key management• Build IAM that supports changing business. Federate andFederate…• Do not fear Cloud – sophisticated form of outsourcing: usesupplier management techniques.
Jirasek Consulting ServicesClassification: Public 34Links• A Comparison of the Top Four Enterprise-Architecture Methodologies -http://msdn.microsoft.com/en-us/library/bb466232.aspx• TOGAF 9 - http://www.opengroup.org/togaf/• CipherCloud - http://www.ciphercloud.com/• Amazon AWS Security -https://aws.amazon.com/security/• Dropbox security incidents -http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/
Jirasek Consulting ServicesClassification: Public 35Contact• Vladimir Jirasek• email@example.com• www.jirasekconsulting.com• @vjirasek• About.me/Jirasek