Secure Cloud Hosting: Real Requirements to Protect your Data
1. Secure Cloud Hosting:
Real Requirements to Protect your Data
Chris Hinkley
Senior Security Architect
Great Wide Open – Atlanta, GA
April 2 – 3, 2014
2. Locking Down the Cloud – A Holistic View
Agenda
• The Specialization of IT
• Challenges Facing Cloud Consumers and Providers
• A To-Do List for Cloud Consumers and Providers
• The Secure Cloud is Not a Myth
• Physical Security
• Perimeter Security
• Virtual Server Security
• Supporting Security Services
• Secure Administrative Access
• Business Continuity and DR
• Compliance for Cloud
3. The Specialization of IT
• The complexity of IT has meant more specialists than generalists, each responsible for a small piece of the puzzle
• New tools and technologies have led to increased staffing levels, with specific experience in implementation and management
• Rapid change in technology means nearly continuous training for specialists
• The high cost of implementing and maintaining IT infrastructure has many companies looking for ways to offload as much as possible
4. Challenges Facing Cloud Consumers and Providers
• Consumers want to outsource both technology and compliance responsibilities
• Consumers cannot abdicate their compliance responsibility
• Providers do not adequately define the division of responsibilities between themselves and customers
• Providers often do not clearly articulate how they can help customers meet compliance requirements
• All of this can lead to confusion in the purchasing decision and create conflicts during an audit
5. A To-Do List For Cloud Consumers and Providers
• Consumers need to fully understand all of their security and compliance responsibilities
• Consumers need to effectively evaluate and understand the various cloud provider models
• Consumers need to ask for a clear definition of all services and of the division of responsibilities between themselves and their providers
• Consumers must put programs in place to ensure that their providers are meeting their responsibilities
• Providers must become transparent about their security programs and deliver adequate details about offered services
• Providers must clearly articulate the delineation of responsibilities between themselves and customers
• Providers must be clear about how their offered services can assist consumers in meeting compliance requirements
6. The Secure Cloud is Not a Myth
• Build for security, not compliance
• Follow security best practices rather than chasing compliance guidelines
• Use a common controls approach
• Deploy multiple security countermeasures using a layered approach
7. Physical Security
• Locate the data center in an area at low risk of natural disasters
• No identifying signage
• 24x7 manned security, roving patrols
• Multi-factor authentication for entry
• Comprehensive CCTV coverage
• Log all entries, monitor systems, securely store logs and video
8. Attackers need Targets
Verizon DBIR data
• 92% of breaches were perpetrated by outsiders
• 78% of initial intrusions rated as low difficulty
• Attack targeting
• Opportunistic – 75%
• Targeted – 25%
FireHost Superfecta
• 47,917,145 IPRM (IP reputation filtering) blocks in 2013
• 14,057,093 attacks blocked by the WAF, broken down into 4 categories:
• Cross-Site Request Forgery – 3,347,515
• Cross-Site Scripting – 4,904,651
• Directory Traversal – 3,269,680
• SQL Injection – 2,535,247
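Three of the four categories above are payload signatures; CSRF is different, because nothing in the payload identifies it. The classifier below is an added example, not FireHost's WAF code: it percent-decodes each request (double-encoded traversal included), applies one rule per category, and tallies the blocks the way the Superfecta breakdown does. The trusted origin, host names, signature set and the sample requests are all constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: the origin of the protected application, used for the CSRF check.
TRUSTED_ORIGIN = "https://shop.example"

# Payload signatures, matched against the URL-decoded request line and body.
# Deliberately small; a production WAF carries thousands of rules.
SIGNATURES = {
    "Cross-Site Scripting": re.compile(
        r"<\s*script\b|javascript\s*:|\bon(?:error|load|mouseover)\s*=", re.I),
    "Directory Traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd", re.I),
    "SQL Injection": re.compile(
        r"\bunion\b\s+(?:all\s+)?select\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\s+table\b", re.I),
}

def decode(s, rounds=3):
    """Percent-decode repeatedly so a double-encoded %252e%252e%252f is seen as ../"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(req):
    """Return the attack category for a request dict, or None if it looks clean."""
    text = decode(req["path"]) + "\n" + decode(req.get("body", ""))
    for category, rx in SIGNATURES.items():
        if rx.search(text):
            return category
    # CSRF is not a payload pattern: it is a state-changing request that did not
    # originate from the site itself and carries no anti-CSRF token.
    if req["method"] in ("POST", "PUT", "DELETE"):
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        source = headers.get("origin") or headers.get("referer") or ""
        has_token = "csrf_token=" in req.get("body", "")
        if not source.startswith(TRUSTED_ORIGIN) and not has_token:
            return "Cross-Site Request Forgery"
    return None

def tally(requests):
    """Count blocked requests per category."""
    counts = {}
    for req in requests:
        category = classify(req)
        if category:
            counts[category] = counts.get(category, 0) + 1
    return counts

# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/search?q=%27%20OR%20%271%27%3D%271"},
    {"method": "GET", "path": "/products?id=1%20UNION%20SELECT%20username,password%20FROM%20users"},
    {"method": "GET", "path": "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E"},
    {"method": "GET", "path": "/download?file=..%2F..%2Fetc%2Fpasswd"},
    {"method": "GET", "path": "/download?file=%252e%252e%252fetc%252fpasswd"},  # double-encoded
    {"method": "POST", "path": "/account/email",
     "headers": {"Origin": "https://evil.example"}, "body": "email=attacker@evil.example"},
    {"method": "POST", "path": "/account/email",
     "headers": {"Origin": "https://shop.example"}, "body": "csrf_token=8f3a&email=bob@shop.example"},
    {"method": "GET", "path": "/products?id=42"},
]

if __name__ == "__main__":
    for category, n in tally(SAMPLE_REQUESTS).items():
        print(f"{category}: {n}")
```

The decode loop is the part most often missed: matching signatures against the raw, still-encoded URL lets `%252e%252e%252f` walk straight past a traversal rule. The CSRF branch also shows why that category cannot be reduced to a signature: the same `email=` body is legitimate when it arrives with the site's own Origin and a token, and an attack when it does not.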
11. Perimeter Security
Public traffic passes through the following layers (diagram):
• Routers w/IP Reputation Filtering (redundant)
• DoS/DDoS Mitigation (redundant)
• Web Application Firewalls (redundant)
• Intrusion Detection
12. Virtual Server Security
Diagram: Web Servers, Application Servers, Database Servers and Load Balancers each placed in their own SECURITY ZONE, on top of:
• VMware Hypervisor (Hardened)
• Blade/SAN Architecture
• High Availability Architecture
• 20 Gbps Network (Public & Private)
• Per VM Firewall Policies
• Unlimited Security Zones
• Secure SAN Storage: Physically Isolated Secure Storage Area Network, Secure Data Deletion and Destruction, Complete Data Obfuscation
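What "per VM firewall policies" and "security zones" mean in practice is that a VM's ruleset is derived from the zone it belongs to and from a zone-to-zone flow matrix, rather than hand-written per host. The code below is an added example and not FireHost's implementation; the zone names, VM names, ports and the allowed-flow matrix are constructed to mirror the diagram above, and the rendered rule strings use an iptables-style format purely for illustration.

```python
# Zone membership: each VM belongs to exactly one zone (constructed inventory).
VM_ZONE = {
    "lb01": "lb", "lb02": "lb",
    "web01": "web", "web02": "web",
    "app01": "app",
    "db01": "db",
    "jump01": "mgmt",   # jump host on the isolated administrative network
}

# Allowed flows: (source zone, destination zone) -> permitted TCP ports.
# Anything not listed is denied. "public" is the untrusted Internet,
# "*" means any zone.
FLOWS = {
    ("public", "lb"): {443},
    ("lb", "web"): {80},
    ("web", "app"): {8080},
    ("app", "db"): {5432},
    ("mgmt", "*"): {22},
}

def zone_of(vm):
    """Unknown hosts are treated as the Internet, never as a trusted zone."""
    return VM_ZONE.get(vm, "public")

def allowed(src_zone, dst_zone, port, flows=FLOWS):
    """True if the zone matrix permits src_zone -> dst_zone on the given port."""
    for (s, d), ports in flows.items():
        if s == src_zone and d in (dst_zone, "*") and port in ports:
            return True
    return False

def check_flow(src_vm, dst_vm, port):
    return allowed(zone_of(src_vm), zone_of(dst_vm), port)

def ingress_rules(vm, flows=FLOWS):
    """Render the VM's ingress policy as iptables-style strings (illustrative format).
    Source zones are referenced as address sets so the rules stay stable as VMs
    join or leave a zone; the final rule is the default deny."""
    dst = zone_of(vm)
    rules = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for (s, d), ports in sorted(flows.items()):
        if d in (dst, "*"):
            for p in sorted(ports):
                rules.append(
                    f"-A INPUT -m set --match-set zone_{s} src -p tcp --dport {p} -j ACCEPT")
    rules.append("-A INPUT -j DROP")
    return rules

def audit(flows=FLOWS):
    """Policy check: only the load-balancer zone may accept traffic from the Internet."""
    return [f"zone {d} exposed to public on {sorted(ports)}"
            for (s, d), ports in flows.items() if s == "public" and d != "lb"]

if __name__ == "__main__":
    print("\n".join(ingress_rules("db01")))
    print("web01 -> db01:5432 allowed?", check_flow("web01", "db01", 5432))
    print("audit findings:", audit())
```

The audit function is the point of keeping the matrix as data: a reviewer can answer "can anything on the Internet reach a database server?" by inspecting one structure instead of reading every VM's rules, and a mistaken `("public", "db")` entry is caught before it is rendered.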
13. Supporting Security Services
• Data Leakage Protection
• Antimalware/Antivirus
• File Integrity Monitoring
• Vulnerability Management
• Log Management
• Patch Management
• Configuration Management
14. Protecting from the Outside In
15. Secure Administrative Access
Secure Administrative Access:
• Physically Isolated Network
• Secure Jump Hosts
• Privileged Access Management
• Full Session Recording
Secure Customer Access:
• Multi-Factor Authentication
• SSLVPN/L2LVPN Secure Access
• MPLS Termination
16. Putting It All Together
17. Putting It All Together (diagram)
Composite of the previous slides: the perimeter stack (routers with IP reputation filtering, DoS/DDoS mitigation, web application firewalls, intrusion detection), the zoned virtual servers on the hardened hypervisor with secure SAN storage, the supporting security services, and secure administrative and customer access, arranged around Isolated Customer Environments.
18. Business Continuity & DR
• Lessons (supposedly) learned from Katrina and other recent disasters
• Did we really learn? What about Sandy and Nemo?
• Location of data centers, loss of transportation, large-scale power and other critical service outages, employees worrying more about personal and family safety
• We didn't fully learn from the past
• BCDR solutions
• Focus on the business continuity part of BCDR
• Build for high availability
• Implement redundant sites with geographic load balancing
• At a minimum, replicate data to another location
Diagram: Full Infrastructure at Geographic Location 1 and Full Infrastructure at Geographic Location 2; labels: Primary Infrastructure, File/Database Backups, Regular Backups, Real-Time Replication.
19. Managing Compliance for Cloud
• Treat all data as sensitive (after all, it's just 1s and 0s to the systems)
• Develop a common controls framework (CCF) based on industry-standard frameworks, enabling efficient compliance adoption and validation reporting
• Use existing industry standards like ISO 27001 and NIST 800-53 as a baseline and add specific requirements based on your needs (PCI, HIPAA, GLBA, etc.)
• Future-proof compliance iterations by keeping your CCF updated
• Implement a continuous monitoring and audit program
20. Continuous Monitoring for Compliance
• A confusing term whose application depends on who you talk to
• What is the definition of "real-time"?
• Define the appropriate monitoring interval for each control
• Patching – within 30 days of release
• Log reviews – daily
• Malware scans – real-time alerting and reporting
• Access reviews – privileged accounts monthly, others quarterly
• Implement tools to monitor the controls at the defined interval
• Centralize all monitoring results in a secure system
• Build a dashboard to track compliance based on results
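The intervals above only become a control once something evaluates evidence against them. The following is an added example (not a product or the presenter's tooling) of that evaluation: each control has a maximum evidence age taken from the slide, a constructed evidence feed records when each system last satisfied the control, and the roll-up is what a compliance dashboard would display. The 15-minute heartbeat used to operationalize "real-time" malware alerting, the system names and the expected-coverage list are assumptions.

```python
from datetime import datetime, timedelta

# Control -> maximum allowed age of the newest evidence (intervals from the slide;
# the 15-minute heartbeat for "real-time" malware scanning is an assumption).
INTERVALS = {
    "patching": timedelta(days=30),
    "log_review": timedelta(days=1),
    "malware_scan": timedelta(minutes=15),
    "priv_access_review": timedelta(days=30),
    "user_access_review": timedelta(days=90),
}

# Which systems each control must produce evidence for (constructed inventory).
EXPECTED = {
    "patching": ["web01", "app01", "db01"],
    "log_review": ["siem"],
    "malware_scan": ["web01", "app01"],
    "priv_access_review": ["ad"],
    "user_access_review": ["ad"],
}

# Constructed evidence feed, as it would arrive from the central log/GRC system:
# (control, system, timestamp of the latest event that satisfied the control).
EVIDENCE = [
    ("patching", "web01", "2014-03-20T02:00:00"),
    ("patching", "db01", "2014-02-10T02:00:00"),
    ("log_review", "siem", "2014-04-01T09:00:00"),
    ("malware_scan", "web01", "2014-04-02T11:55:00"),
    ("malware_scan", "app01", "2014-04-02T09:10:00"),
    ("priv_access_review", "ad", "2014-03-15T00:00:00"),
    ("user_access_review", "ad", "2013-12-01T00:00:00"),
]

NOW = datetime.fromisoformat("2014-04-02T12:00:00")

def latest_evidence(evidence):
    """Newest timestamp per (control, system); older duplicates are ignored."""
    latest = {}
    for control, system, ts in evidence:
        t = datetime.fromisoformat(ts)
        key = (control, system)
        if key not in latest or t > latest[key]:
            latest[key] = t
    return latest

def evaluate(evidence, now, expected=EXPECTED, intervals=INTERVALS):
    """Status per (control, system): 'ok', 'overdue' or 'no_evidence'.
    Evaluation walks the expected list, not the evidence, so a system that
    never reports is a finding rather than a silent pass."""
    latest = latest_evidence(evidence)
    status = {}
    for control, systems in expected.items():
        for system in systems:
            key = (control, system)
            if key not in latest:
                status[key] = "no_evidence"
            elif now - latest[key] <= intervals[control]:
                status[key] = "ok"
            else:
                status[key] = "overdue"
    return status

def dashboard(status):
    """Roll up per-control counts and an overall compliance percentage."""
    per_control = {}
    for (control, _), s in status.items():
        per_control.setdefault(control, {"ok": 0, "overdue": 0, "no_evidence": 0})[s] += 1
    total = len(status)
    ok = sum(1 for s in status.values() if s == "ok")
    return {"controls": per_control,
            "compliance_pct": round(100 * ok / total, 1) if total else 0.0}

if __name__ == "__main__":
    result = evaluate(EVIDENCE, NOW)
    for key, s in sorted(result.items()):
        print(f"{key[0]:>20} {key[1]:>6}: {s}")
    print(dashboard(result))
```

Two choices matter here. The evaluation is driven by the expected-coverage list, so `app01` having no patching record shows up as `no_evidence` instead of disappearing from the report. And the interval is compared against the newest evidence only: a log review done at 09:00 yesterday is already overdue at 12:00 today under a strict "daily" definition, which is exactly the "what does real-time mean" question the slide raises and why the interval for each control has to be written down before the tooling is built.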
21. What about data sovereignty and regional
regulation?
• Ensure you understand what regulations apply to your business
• Engage with your customers to understand their requirements
• Take these regulations and customer requirements into account within your CCF
• Architect your cloud to enable data sovereignty and allow customers to select the location(s) for their servers and data
• Provide monitoring/reporting that allows customers to validate where their data is at any time
• Keep up with changes to the regulations