
Shared responsibility - a model for good cloud security


A presentation at the Jisc security conference 2019 by Andy Powell, Cloud CTO, Jisc.


  1. Shared responsibility - a model for good cloud security
     Andy Powell, Jisc
  3. Mohamed Hammady, CTO, Sky:
     "We have decided to build our data lake on Google Cloud Platform. This is a key component of our internal data factory transformation programme. One of the deliverables of this programme, which is very ambitious, is to join up all available data in a customer-centric way. This will allow us to progressively personalise every customer interaction to make it quicker and more relevant to the individual customer need."
  4. David Rogers, Head of Architecture and Security, Ministry of Justice:
     "As we started to create more and more digital services AWS became a platform for us. We started to automate the way we were delivering these services into the cloud. We started to consolidate the way we were working with the cloud, such as through our deployment pipeline and through monitoring and logging. What emerged was the use of that platform very consistently across digital services for around 19 or 20 services."
  5. Professor Neil Sebire, Chief Research Information Officer, Great Ormond Street Hospital:
     "We now have a unified API as a basis for designing, testing, and deploying the next generation of machine learning and digital services in the hospital for our young patients. This will also enable rapid and easier collaboration with our international paediatric hospital partners to share specialised tools to improve patient outcomes and experience."
     Rodrigo Barnes, CTO, Aridhia:
     "Partnering with Microsoft on the Azure API for Fast Healthcare Interoperability Resources (FHIR) allows us to scale out and accelerate our customers' use of [data]. The managed service is a great additional component [...] bringing research and innovation closer to clinical impact."
  6. Darryl West, Group CIO, HSBC:
     "HSBC is no different to most other global enterprises. We tried for many years to build data centres, to provision infrastructure, to buy products and to run it all ourselves. But we decided about 18 months ago that we ought to focus on what we are great at, which is customer experience and focusing on our customers and partnering with people like Google to do all the heavy lifting on infrastructure."
  7. Scene setting
     • Three big players in the market (yes, there are others as well!)
     • All with similar directions of travel
     • Global presence (tens or hundreds of data centres)
     • Typically organised into Regions, Availability Zones and Edge locations
     • Service portfolio that extends well beyond traditional IaaS, including big data, container platforms, serverless, database as a service, IoT, ML, AI, ...
     • All three talk about a shared responsibility model for security
  8. Threat, what threat?
     1. Data breaches
     2. Data loss
     3. Account / service compromise
     4. Insecure APIs
     5. Denial of service
     6. Insider threat
     7. Abuse of cloud services
     8. Insufficient due diligence
     9. Shared technology vulnerabilities
  9. Shared responsibility
     Security in the cloud (your responsibility):
     • Application design, identity & access management
     • Operating system, network & firewall configuration
     • Data at rest (on-prem), data at rest (in cloud), data in transit
     Security of the cloud (cloud provider's responsibility):
     • Software: compute, database, networking, storage
     • Hardware / global infrastructure: regions, availability zones, edge locations
  10. Confidentiality, Integrity, Availability
     • Confidentiality - is access to my data restricted to the people I want to see it? Controls: access control, encryption, firewalling
     • Integrity - can I tell if my data has been tampered with? Controls: encryption (note that only authenticated encryption or a separate signature/hash actually detects tampering; plain encryption alone does not), audit logs
     • Availability - can the right people get access if they need to? Controls: global scale, account/subscription configuration, DDoS protection
  11. Basic building blocks
     • Regions and availability zones
     • Virtual Private Clouds (VPCs) and subnets
     • Security groups and Network Access Control Lists (firewalls)
     • Identity and access management (at cloud platform level and at operating system level)
     • Logging of all API access
     • Encryption of data at rest (with the option to bring your own keys and use an HSM in the cloud), including for database-as-a-service options
     • Encryption of data in transit
     • DDoS protection at platform level (WAF and enhanced DDoS protection available as extras, usually bundled into an edge-based CDN)
  12. Connectivity
     • Most of your cloud usage is going to be hybrid
     • Connectivity will be critical, as will securing your data in transit
     • All the cloud providers offer dedicated private connectivity options
     • However, Janet has extremely good peering arrangements
     • For connectivity requirements up to 1.5Gbps bandwidth, just use Janet
     • For hybrid requirements, secure data in transit using a site-to-site VPN irrespective of whether you use Janet or not
  13. Infrastructure as Code
     • All the major cloud suppliers support infrastructure as code (IaC): CloudFormation, ARM Templates, Cloud Deployment Manager
     • You can also use third-party tooling such as Terraform
     • Repeatable and re-usable deployments
     • Manage your infrastructure in a code repository
     • Helps to prevent accidental deployments of insecure infrastructure
  14. Security Information and Event Management (SIEM)
     • Native SIEM tooling is emerging from the major cloud vendors (e.g. Sentinel on Azure)
     • However, your SIEM requirements are likely to be hybrid (and may be multi-cloud)
     • All the major SIEM vendors provide integration with cloud platform logging
     • Note that Jisc is partnered with Splunk in order to provide a hosted Splunk platform
  15. Auto-remediation
     • All cloud vendors now support serverless
     • Small software 'functions' run on demand, typically triggered by an API event or by a timer
     • Use this approach to auto-run remediation code
     • E.g. to automatically (and instantly) close down a security group that allows world access to SSH or RDP, or to snapshot a compromised VM prior to deletion so that it can be spun up in an isolated environment for later analysis
     • Also look at Security Orchestration, Automation and Response (SOAR) tools, e.g. Cloud Custodian
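Added worked example (editor's addition; this is not code from the slides or from Jisc) showing the two places slides 13 and 15 put the same check: a pre-deployment scan of a CloudFormation template for security groups that open SSH or RDP to the world, and a Lambda-style function that, when CloudTrail reports AuthorizeSecurityGroupIngress, revokes only the offending ranges from the live group. The template, the security-group document, the event and the FakeEC2 client are constructed here so the script runs offline; the function and variable names are assumptions, and in a real Lambda the boto3 EC2 client replaces FakeEC2.

```python
"""Added example, not from the Jisc slides: one world-open SSH/RDP check used
pre-deployment (scan a CloudFormation template, slide 13) and post-deployment
(a Lambda-style handler that revokes the offending ranges from a live security
group when CloudTrail reports AuthorizeSecurityGroupIngress, slide 15).
The template, group document, event and FakeEC2 client are constructed here
so the script runs offline; in Lambda a real boto3 client is used instead."""
import ipaddress
import json

ADMIN_PORTS = (22, 3389)  # SSH, RDP

def is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (prefix length 0); False otherwise."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False

def covers_admin_port(from_port, to_port, proto):
    """True if a TCP range (or an all-traffic '-1' rule) includes 22 or 3389."""
    if str(proto) == "-1":
        return True
    if str(proto) not in ("tcp", "6"):
        return False
    lo = 0 if from_port in (None, -1) else int(from_port)
    hi = 65535 if to_port in (None, -1) else int(to_port)
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def scan_cloudformation(template):
    """Return [(logical_id, ingress_rule)] for every world-open admin rule."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr and is_world(cidr) and covers_admin_port(
                    rule.get("FromPort"), rule.get("ToPort"), rule.get("IpProtocol")):
                findings.append((name, rule))
    return findings

def offending_permissions(group):
    """IpPermissions to revoke, trimmed to the world ranges only, so legitimate
    office CIDRs sharing the same port entry stay in place."""
    to_revoke = []
    for perm in group.get("IpPermissions", []):
        if not covers_admin_port(perm.get("FromPort"), perm.get("ToPort"),
                                 perm.get("IpProtocol")):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if is_world(r["CidrIp"])]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if is_world(r["CidrIpv6"])]
        if v4 or v6:
            revoke = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            revoke.update({k: v for k, v in (("IpRanges", v4), ("Ipv6Ranges", v6)) if v})
            to_revoke.append(revoke)
    return to_revoke

def remediate_handler(event, context=None, ec2=None):
    """Lambda entry point; `ec2` is injectable for offline tests (assumption)."""
    if ec2 is None:
        import boto3  # only needed inside Lambda
        ec2 = boto3.client("ec2")
    group_id = event["detail"]["requestParameters"]["groupId"]
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    perms = offending_permissions(group)
    if perms:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return {"group": group_id, "revoked": perms}

class FakeEC2:
    """Stand-in for the boto3 EC2 client (constructed, offline only)."""
    def __init__(self, group):
        self.group, self.revoked = group, []
    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.group]}
    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoked.append((GroupId, IpPermissions))
        return {"Return": True}

# Constructed samples: a template with one bad resource, a live group mixing a
# legitimate /24 with 0.0.0.0/0 on port 22, and the CloudTrail-shaped event.
SG = "AWS::EC2::SecurityGroup"
SAMPLE_TEMPLATE = {"Resources": {
    "WebSG": {"Type": SG, "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
    "BastionSG": {"Type": SG, "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}}}
SAMPLE_GROUP = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [],
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SAMPLE_EVENT = {"detail": {"eventName": "AuthorizeSecurityGroupIngress",
                           "requestParameters": {"groupId": "sg-0123456789abcdef0"}}}

if __name__ == "__main__":
    for name, rule in scan_cloudformation(SAMPLE_TEMPLATE):
        print(f"BLOCK DEPLOY: {name} opens {json.dumps(rule)} to the world")
    fake = FakeEC2(SAMPLE_GROUP)
    print(json.dumps(remediate_handler(SAMPLE_EVENT, ec2=fake), indent=1))
```

Two design points worth noting. The handler revokes only the 0.0.0.0/0 and ::/0 ranges and leaves the 203.0.113.0/24 entry on the same port in place, so an over-eager remediation does not lock out the people who legitimately administer the box; and the same `covers_admin_port` treats an all-traffic (`-1`) rule as open SSH/RDP, which is the case naive "port == 22" checks miss. The Lambda would be wired to an EventBridge rule matching CloudTrail's AuthorizeSecurityGroupIngress events and given an IAM role permitting only ec2:DescribeSecurityGroups and ec2:RevokeSecurityGroupIngress.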
  16. Third-party tooling
     • Our experience is that some native tooling can be limited, especially with early releases
     • Your existing security approaches can almost always be stretched into the cloud, either by buying them from the marketplace or by layering them in front of cloud services
     • For example, we often use Imperva Cloud WAF as an alternative to the native WAF solutions provided by the cloud vendors
     • We also use CloudCheckr for billing recommendations, security posture analysis and compliance status
  17. Compliance (slide content is an image not captured in this transcript)
  18. Are you well architected? (slide content is an image not captured in this transcript)
  19. Summary - 5 take-aways
     1. Understand the shared responsibility model. Where does the cloud provider's responsibility end and yours start? How does this apply to IaaS, PaaS and SaaS? How does this affect your compliance?
     2. Use the basic building blocks to create highly resilient and secure solutions, and don't forget the basics: firewalls, anti-malware and backups
     3. It's your data: secure it at rest (on-prem and in the cloud) and in transit; encryption is your friend
     4. If necessary, use existing security tooling to complement what the cloud provider gives you
     5. Defend in depth: follow best-practice guidance, including the NCSC 14 cloud security principles
  20. Arguably, AWS, Microsoft and Google are now the biggest security companies in the world.
     Questions? Andy Powell, Jisc, @andypowe11, andy.powell@jisc.ac.uk
  21. Additional reading
     • AWS Compliance Programs
     • Azure Compliance
     • Google Compliance Resource Center
     • AWS Well-Architected
     • Pillars of a great Azure architecture
     • Google Infrastructure Security Design Overview
     • Azure Security and Compliance UK OFFICIAL Blueprint
     • Standardized Architecture for UK-OFFICIAL on AWS
     • NCSC Cloud security guidance