Whose cloud is it anyway? Exploring data security, ownership and control as presented at ISSE EU 2014
Forget the geeky analysis of cloud security; risk is driven by the people involved and by the approach to adoption. Cloud security conversations often focus on technical risk from other tenants of the cloud's pooled resources, or on vulnerabilities in the application and virtualization layers. The more important conversation is about data control, ownership and identity management: the resource pooling and abstraction that make the cloud attractive also expose data to other cloud users, cloud administrators, law enforcement, intelligence agencies and a pantheon of adversaries. Organizations are adopting new technologies faster than they can secure them, and the use of unsanctioned cloud services and bring-your-own-device leaves them exposed. It is no longer a question of whether data will be compromised but of when, and of what an organization can still do to protect its data when that happens.
This discussion will tackle the complex issues around data ownership and control. If data is destiny, then too many people are in charge of your fate. We discuss how to get it back.
Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
1. Whose Cloud Is It Anyway? Exploring Data Security, Ownership and Control
David Etue, VP, Corporate Development Strategy, SafeNet, Inc.
2. Cloud and Virtualization Are Changing the Way IT is Managed and Consumed
Agile. Now. On demand. Simple. Secure?
3. Cloud Benefits Are Being Realized…
• 80% of mature cloud adopters are seeing:[1]
– Faster access to infrastructure
– Greater scalability
– Faster time to market for applications
• 50% of cloud users report benefits including:[1]
– Better application performance
– Expanded geographic reach
– Increased IT staff efficiency
[1] RightScale State of the Cloud Report 2014
6. Leading Inhibitors to Cloud Adoption
[Chart; only the source survives.] Source: 451 TheInfoPro 2013 Cloud Computing Outlook – Cloud Computing Wave 5
7. Security and Compliance Concerns With Shared Clouds
How do you maintain ownership and control of your information in a multi-tenant environment?
Data Governance: Lack of Visibility
• Can you track all of my data instances? Backups? Snapshots?
• Am I aware of government requests/discovery?
• Do you know when data is copied?
Data Compliance: Lack of Data Control
• Who is accessing my data?
• Can I illustrate compliance with internal and external mandates?
• Is there an audit trail of access to my data?
Data Protection: Risk of Breach and Data Loss
• Are all my data instances secure?
• Can I assure only authorized access to my data?
• Can I “pull the plug” on data that’s at risk of exposure or whose lifecycle has expired?
8. New Risks Driving Cloud Security Challenges
• Increased attack surface
• Privileged users
• Ability to apply security controls
• Control (or the lack thereof)
11. New Risk: Ability to Apply Security Controls
[Figure: security controls mapped onto the CSA cloud model and sized by budget. Layers: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network; Infrastructure Security.]
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
12. New Risk: Ability to Apply Security Controls
Most organizations are trying to deploy “traditional” security controls in cloud and virtual environments… but were the controls even effective then?
13. New Risk: Control (or the lack thereof)
The lower down the stack the cloud provider stops, the more security you are tactically responsible for implementing and managing yourself.
Examples, from least to most provider-managed: Amazon EC2 (IaaS), Google AppEngine (PaaS), Salesforce (SaaS).
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue. “Stack” diagram by Chris Hoff, via CSA.
14. And Not Just The Traditional “Bad Guys”
Sensitive data in the cloud is exposed to: adversaries; government discovery; cloud administrators; auditors / regulators.
15. So, Whose Cloud Is It Anyway?
Model                          Private Cloud   IaaS in Hybrid / Community / Public Cloud   PaaS/SaaS
Whose privileged users?        Customer        Provider                                    Provider
Whose infrastructure?          Customer        Provider                                    Provider
Whose VM / instance?           Customer        Customer                                    Provider
Whose application?             Customer        Customer                                    Provider
Government discovery contact?  Customer        Provider                                    Provider
16. Geographical Considerations?
• Cloud region location
• Cloud provider headquarters
US court decision with serious implications: In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, 13 Mag. 2814
See also: A Sober Look at National Security Access to Data in the Cloud, a Hogan Lovells white paper (covers US, EU, and EU member country legislation and case law)
17. Making it Your Cloud: Key Enablers to Cloud Security
• Encryption (and key management)
• Identity and access management with strong authentication
• Segmentation
• Privileged user management
• Detection and response capabilities
• System hardening
• Asset, configuration, and change management
20. Cloud Encryption Models
Service Provider Encryption with Provider Managed Keys
  Definition: encryption performed by the cloud service provider using encryption keys owned and managed by the cloud service provider.
  Also called: Server Side Encryption (SSE).
Service Provider Encryption with Customer Managed Keys
  Definition: encryption performed by the cloud service provider using encryption keys owned and managed by the customer.
  Also called: “Customer provided keys” (SSE-CPK).
Customer Managed Encryption with Customer Managed Keys
  Definition: encryption performed by the customer using encryption keys owned and managed by the customer.
  Also called: “Client side encryption” (for object storage and client-server environments).
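The three models above differ in who can read the data without the customer's cooperation. The following Go program is an added example written for this page, not code from the slides or from SafeNet: a hypothetical in-memory storage service (the `Provider` type, with `PutSSE`, `PutSSECPK`, `PutRaw` and `AdminRead`, all invented here) stores one record under each model, and `AdminRead` reports what a privileged provider user, or a legal request served on the provider alone, can recover from what the provider itself holds. The `retainKeys` flag is an assumption added to simulate an SSE-CPK provider that keeps the per-request customer key instead of discarding it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must turns a crypto setup failure into a panic: in this example it is a bug, not a runtime condition.
func must(err error) {
	if err != nil {
		panic(err)
	}
}
// randomBytes returns n random bytes for keys and nonces; a real deployment would
// take keys from an HSM or a key-management service rather than generate them here.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	must(err)
	return b
}
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	g, err := cipher.NewGCM(block)
	must(err)
	return g
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; ok is false if the key is wrong or the data was modified.
func open(key, sealed []byte) (plaintext []byte, ok bool) {
	g := aead(key)
	ns := g.NonceSize()
	if len(sealed) < ns {
		return nil, false
	}
	pt, err := g.Open(nil, sealed[:ns], sealed[ns:], nil)
	return pt, err == nil
}

// Provider is a hypothetical storage service; what it retains decides who can read the data.
type Provider struct {
	objects     map[string][]byte // bytes at rest, per object name
	providerKey []byte            // SSE: key owned and managed by the provider
	retainKeys  bool              // assumption: simulates an SSE-CPK provider that keeps customer keys
	retained    map[string][]byte // keys such a provider kept, per object name
}

// PutSSE: the provider encrypts with its own key (server-side encryption).
func (p *Provider) PutSSE(name string, data []byte) { p.objects[name] = seal(p.providerKey, data) }
// PutSSECPK: the provider encrypts with a key the customer sends per request and should then discard.
func (p *Provider) PutSSECPK(name string, customerKey, data []byte) {
	p.objects[name] = seal(customerKey, data)
	if p.retainKeys {
		p.retained[name] = append([]byte(nil), customerKey...)
	}
}
// PutRaw: the provider stores what it is given; with client-side encryption that is already ciphertext.
func (p *Provider) PutRaw(name string, data []byte) { p.objects[name] = data }

// AdminRead is what a privileged provider user, or a legal request served on the
// provider alone, can recover using only material the provider itself holds.
func (p *Provider) AdminRead(name string) ([]byte, bool) {
	obj := p.objects[name]
	if pt, ok := open(p.providerKey, obj); ok {
		return pt, true
	}
	if k, kept := p.retained[name]; kept {
		return open(k, obj)
	}
	return nil, false // opaque ciphertext: no key the provider holds opens it
}

// Demo stores one constructed record under each model and reports, per model,
// whether the provider on its own can read it back as plaintext.
func Demo(retainKeys bool) map[string]bool {
	p := &Provider{objects: map[string][]byte{}, providerKey: randomBytes(32),
		retainKeys: retainKeys, retained: map[string][]byte{}}
	customerKey := randomBytes(32)
	secret := []byte("customer record: constructed sample data")
	p.PutSSE("sse", secret)
	p.PutSSECPK("sse-cpk", customerKey, secret)
	p.PutRaw("client-side", seal(customerKey, secret)) // customer encrypts before upload
	out := map[string]bool{}
	for _, name := range []string{"sse", "sse-cpk", "client-side"} {
		_, out[name] = p.AdminRead(name)
	}
	return out
}

func main() {
	fmt.Println("honest provider, readable by provider alone:", Demo(false))
	fmt.Println("provider that retains customer keys:        ", Demo(true))
}
```

With an honest provider only the SSE object is readable by the provider alone; the SSE-CPK object is not, but only because the provider discarded the key it was handed, which is a trust assumption rather than a cryptographic guarantee, as `Demo(true)` shows. The client-side object stays opaque in both runs because the provider never received the key; the customer reads it back with the same `open` call and its own key.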
21. How Do You Apply Security Controls?
[Figure: security controls mapped onto the CSA cloud model and sized by budget. Layers: Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network; Infrastructure Security.]
Source: Control Quotient: Adaptive Strategies For Gracefully Losing Control (RSA US 2013) by Josh Corman and David Etue.
22. Need to Focus “Up The Stack”
[Figure: CSA cloud model layers (Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network; Infrastructure Security). Overlay on the lower layers: Virtualization, Software Defined Networks, and Public/Hybrid/Community Cloud force a change in how security controls are evaluated and deployed.]
23. Data Centric Security = Agility!
[Figure: CSA cloud model layers (Security Management & GRC; Identity/Entity Security; Data Security; App Sec; Host; Network; Infrastructure Security).]