Cloud security what to expect (introduction to cloud security)

This presentation is based on slides taken from Cloud Security Alliance CCSK training slides.

Published in: Technology

  1. Cloud Security: What to expect? Moshe Ferber, CCSK, Onlinecloudsec.com
  2. • Moshe Ferber, 37, lives in Modiin (+2).
     • Information security professional for over 15 years.
     • Managed the security department for Ness Technologies.
     • Founded 2Bsecure cloud services, Israel based MSSP (currently owned by Matrix).
     • Shareholder at Clarisite – Your customer’s eye view
     • Shareholder at FortyCloud – Make your public cloud private
     • Member of the board at Macshava Tova
     • Certified instructor for the Cloud Security Alliance
  3. Agenda:
     • Introduction to cloud computing
     • IaaS Security
  4. Agenda:
     • Introduction to cloud computing
     • IaaS Security
     • PaaS & IaaS security
     • Logical controls
  5. • Broad Network Access
     • Rapid Elasticity
     • Measured Service
     • On-Demand Self-Service
     • Resource Pooling
  7. Deployment Models:
     • Public Cloud
     • Private Cloud
     • Community
     • Hybrid Cloud
  8. • The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves.
     • Diagram labels: SaaS, IaaS, PaaS; Security Responsibility; Provider; Customer
  9. Responsibility by service model:
     • Provider: SaaS: Infrastructure & Application security; PaaS: Platform Security; IaaS: Infrastructure Only
     • Customer: SaaS: Contractual controls; PaaS: App Security; IaaS: All Guest and App security
  11. Agenda:
     • Introduction to cloud computing
     • IaaS Security
     • PaaS & PaaS Security
     • Logical Controls
  12. How IaaS Is No Different. You still have to manage the host’s security:
     • Patches
     • Configuration Management
     • Log Management
     • Host Based IDS if appropriate
     • Host Based Firewall if appropriate
     • AV if you have to
     • Crypto-key management
     • In other words, just like normal
  13. How IaaS Is Different. No Control/Visibility of the Network:
     • Flat network
     • No outbound firewalling
     • No NIDS/NIPS
     • Firewalling limited to Layer 4
     • Limited WAF options
     • Limited to no DLP options
     • Limited commercial SSL termination options
     • Only 1 IP per instance
  14. Your Provider
     What you get from the Provider:
     • Selection of Operating Systems
     • Open Source – Linux in particular
     • Most also provide access to Windows
     • IP Address
     • SAN Access
     • Basic Firewalling
     • API for provisioning and management
     What you don’t get from the Provider:
     • Multiple IPs per host (usually)
     • Layer 7 firewalling
     • NIDS/NIPS
     • Any sort of IDM
     • Patching or systems management
     • It’s all up to you!
  15. Diagram labels: Virtual Machine, Access Keys, Host (SSH) Keys, Firewall, Network Zones, Location Zones
  16. There are many different types of security credentials:
     • Username/password for logging into the web interface.
     • Access keys for REST/query (web) API.
     • X.509 certificates for SOAP (programmatic) access (like the command line interface).
     • Host keys for accessing instances.
     • Account ID for bundling and sharing images.
  17. Virtual Machine:
     • Load from secure image
     • Pre-install software packages
     • Transfer security credentials
     • Scan and harden on the fly
     • Policy across different providers
  18. Stack layers: Storage, Hardware, Hypervisor, OS, DB, Application, Users (axis labels: Complex, Simple). Taken from: www.privatecore.com
     • Storage level encryption. Relevant: IaaS, PaaS, SaaS. Control by: provider. Keys: at provider. Protect from: hardware theft.
     • OS/Volume level encryption. Relevant: IaaS. Control by: consumer. Keys: consumer. Protect from: provider, hardware.
     • DB level encryption. Relevant: IaaS, PaaS. Control by: consumer / provider. Keys: both. Protect from: provider, breaches.
  19. Stack layers: Storage, Hardware, Hypervisor, OS, DB, Application, Users (axis labels: Complex, Simple). Taken from: www.privatecore.com
     • File level encryption (IRM). Relevant: specific file types only. Control by: consumer. Keys: consumer. Protect from: any illegal access.
     • App level encryption. Relevant: IaaS, PaaS. Control by: consumer. Keys: consumer. Protect from: provider, breaches.
     • Proxy level encryption. Relevant: SaaS. Control by: consumer. Keys: consumer. Protect from: provider, breaches.
  20. Amazon CAI
  21. Moshe Ferber, CCSK. Tel. +972-52-8342313, moshe@onlinecloudsec.com
  22. • Cloud Security Alliance CCSK courseware
     • Cloud Security Alliance research
     • Jim Reavis, Cloud Security Alliance CEO
     • The NIST Definition of Cloud Computing
     • NIST Cloud Security Architecture (Draft)
     • ENISA Cloud Computing risk assessment
     • Securosis Blog and Research database
  23. • Moshe Ferber
     • http://www.linkedin.com/pub/moshe-ferber/0/58a/828
