Enterprise Strategy for Cloud Security


Security is high on the list of concerns for many organizations as they evaluate their cloud computing options. This session will examine security in the context of the various forms of cloud computing. We'll consider technical and non-technical aspects of security, and discuss several strategies for cloud computing, from both the consumer and producer perspectives.

Published in: Technology, Business


  1. Enterprise Strategy for Cloud Security
     Oracle Architect Day, May 16, 2012
     Dave Chappelle
  2. Agenda
     • Cloud Security Considerations
     • Consumer Strategies
     • Provider Strategies
  3. A Few General Considerations…
     • Multi-tenancy
       • Varying degrees of isolation (how thick are the walls?)
       • Unpredictable cohabitation (do you really know your neighbors?)
     • Isolation Barriers
       • Physical vs. logical
       • Several vs. few
     • Data (operational, metadata, log data, backups, etc.)
       • Ownership
       • Dispersal, privacy, and retention laws
     • Complexity
       • Technical: technologies, integration, domain federation
       • Business: policies, procedures, continuity
     • Auditing and Compliance
       • Capabilities and support
  4. Security Principles & Cloud
     • Least Privilege
       • Restricting administrative privileges
     • Segregation of Duties
       • Consumer privileges vs. provider privileges
     • Compartmentalization
       • Controlling resource allocation/utilization in a shared environment
     • Defense in Depth
       • Discontinuity…
  5. Defense in Depth: Layers (diagram: a stack of security layers, each with example controls)
     • Data: database security (online storage & backups), content security, information rights management
     • Application / Service: message level security, federation (SSO, identity propagation, trust, …), authentication, authorization, auditing (AAA), security assurance (coding practices)
     • Host: platform O/S, vulnerability management (patches), desktop (malware protection), …
     • Internal Network: transport layer security (encryption, identity)
     • Perimeter: firewalls, network address translation, denial of service prevention, message parsing and validation, …
     • Physical: fences, walls, guards, locks, keys, badges, …
     • Policies, Procedures, & Awareness: data classification, password strengths, code reviews, usage policies, …
     • Cross-cutting all layers: Identity & Access Management; Security Governance, Risk Management, & Compliance; Security Management & Monitoring
     (slide footer: OTN Architect Day 2011)
  6. Security Layering and Cloud Technology Integration (diagram: the defense-in-depth layers laid across two private cloud columns and a public cloud column, split between "Your Organization" and "Cloud Provider")
     • Layers: Identity & Access Management, Data, Application / Service, Host, Internal Network, Perimeter, Physical, Policies & Procedures, SGRC, Security Management & Monitoring
     • Cloud service models placed against the layers: SaaS at the data/application layers, PaaS at the application / service layer, VMs and IaaS at the host layer
     • Planning & Reconciliation spans organization and provider
  7. Control Frameworks
     • ISO/IEC 27001:5
     • NIST Recommended Security Controls for Federal Information Systems and Organizations (Pub 800-53)
     • COBIT
     • SANS 20 Critical Security Controls
     • Cloud Security Alliance Cloud Controls Matrix
  8. NIST Security Controls (control families grouped by class)
     • Technical
       • Access Control
       • Audit & Accountability
       • Identification & Authentication
       • System & Communications Protection
     • Operational
       • Awareness & Training
       • Configuration Management
       • Contingency Planning
       • Incident Response
       • Maintenance
       • Media Protection
       • Physical & Environmental Protection
       • Personnel Security
       • System & Information Integrity
     • Management
       • Security Assessment & Authorization
       • Planning
       • Risk Assessment
       • System & Services Acquisition
       • Program Management
  9. Exposure, Control, & Risk (threat categories)
     • Exposure
       • Public access to applications, services, platforms, & data
       • Administrative access
       • Data traversing unprotected networks
       • Reliance on isolation implementation(s)
     • Control (or delegation thereof)
       • Physical, managerial, operational
       • Functional and non-functional capabilities
     • Compliance
       • Search and seizure
     • Quantitative Risk = threat probability * magnitude of loss
     • Relative risk = RiskIT / RiskCloud
  10. Service & Deployment Models (diagram: exposure and control plotted against the service model and the deployment model)
     • Service Models: IaaS, PaaS, SaaS
     • Deployment Models
       • Private, internally operated & managed (dependent upon internal controls)
       • Private, partner-operated & managed
       • Private, partner-located, operated & managed
       • Remote dedicated / leased
       • Public, shared (dependent upon Cloud provider and internal compensating controls)
  11. Agenda
     • Cloud Security Considerations
     • Consumer Strategies
       o Security Governance, Risk Management, & Compliance (SGRC)
       o Usage Strategies
       o Identity & Access Management (IAM)
     • Provider Strategies
  12. SGRC Strategy
     • How will Cloud providers be assessed for risk?
     • Who will evaluate assessments and have authority to grant approvals?
     • What compliance issues are pertinent to the use of Cloud? (Compliance with all government, industry, and internal policies and regulations.)
     • Who will review issues related to compliance and have authority to grant approvals?
     • Under what circumstances might a Cloud be used without a formal assessment and compliance review?
     • What governance processes will be established/used to properly evaluate a Cloud provider for all aspects of security (including business continuity)?
     • What governance processes will be established/used to actively monitor and audit access to, and usage of, company assets in a Cloud environment?
     • …
  13. Usage Strategy
     • How the cloud will be used
       • Development & test vs. production
       • Internet access vs. private / VPN
       • Public content vs. sensitive information
       • …
  14. Public Cloud, Public Access Point (diagram: Internet users (employees and general public) and intranet users; intranet-based web apps in an internal DMZ and public-facing web apps in a cloud DMZ; business-critical systems, sensitive data and IAM in Internal IT / Private Cloud; non-critical systems and public-facing content in the Public Cloud (PaaS, IaaS); VPN between the two)
     • Cloud is used to serve up public content
     • Sensitive data and monetized transactions are handled internally
  15. Dedicated Datacenter Extension (diagram: Internet and intranet users; intranet-based web apps (DMZ); company-owned infrastructure, platforms & software and IAM in Internal IT / Private Cloud; provider-owned IaaS/PaaS running company software in a Dedicated Cloud (PaaS, IaaS); VPN between the two)
     • Cloud is used to extend the capacity of IT
     • Private access to dedicated resources
  16. Public Cloud for Commodity Computing (diagram: Internet and intranet users; custom web apps and company portals in an internal DMZ, commodity web apps in a cloud DMZ; custom-built, business-differentiating systems with IAM in Internal IT / Private Cloud; commodity applications & services with their own IAM in the Public Cloud (SaaS))
     • SaaS providers used for commodity computing needs
     • Access most often via common Internet connectivity
  17. Private Cloud, Standardization & Consolidation (diagram: Support, Sales and Finance consolidated onto an IT-managed IaaS/PaaS Private Cloud within Internal IT, with migration to a Public Cloud (XaaS))
     • Private cloud offers an efficient alternative
     • Migration to cloud based on evaluation of projects in pipeline
     • Decision on public or private based on evaluation criteria
  18. Identity and Access Management Strategy
     • How will management be accomplished without compromising existing IAM capabilities (standardized provisioning, approval, integration, audit, attestation, and analysis)?
       • Centralized
       • Distributed
       • Federated
       • Synchronized
       • Replicated
       • …
  19. Anonymous & Personalized Public Cloud (diagram: users log in to secure systems & applications holding sensitive data in Internal IT / Private Cloud, backed by AuthN, AuthZ and the credentials, roles, attributes and policies of the internal IAM; a redirect/login passes only a user id to the Public Cloud, which serves anonymous public content and personalized applications and content)
     • Nothing in the cloud performs access control
     • Identity is used for non-security purposes (personalization, etc.)
  20. Centralized IAM (diagram: users log in to and access internal applications and private clouds; AuthN, AuthZ and credentials, roles, attributes and policies live in the internal IAM; network-isolated IaaS/PaaS environments in the Public Cloud reach those services over VPN)
     • Identity management and security services are centrally deployed
     • Cloud applications access centralized security services
  21. Access Control with Vouched Identity (diagram: users log in to standalone SSO & internal applications, authenticated (AuthN) and authorized (AuthZ) by the internal IAM with its credentials, roles, attributes and policies; identity is carried to the Public Cloud via SAML or OpenID, where applications with RBAC and ABAC perform their own AuthZ against application access policies held in a cloud-side access policy management function)
     • Users are authenticated by internal authentication services
     • Identity is securely propagated to enable authorization decisions in the cloud
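The vouched-identity pattern described on this slide, where the internal identity service authenticates the user and the cloud application verifies the propagated identity before making its own RBAC decision, as an added example that is not part of the original deck. It uses an HMAC-signed JSON assertion as a stand-in for a SAML or OpenID assertion; the shared key, the issuer and audience names, the subject and roles, and the ACCESS_POLICY role map are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the internal IdP and the cloud application.
# A real SAML deployment would verify the IdP's signing certificate instead.
SHARED_KEY = b"example-shared-key-not-for-production"
CLOUD_AUDIENCE = "cloud-app.example"   # constructed audience identifier

# Application access policy managed on the cloud side (slide: RBAC / ABAC).
# Constructed: action -> set of roles allowed to perform it.
ACCESS_POLICY = {
    "view_reports": {"analyst", "manager"},
    "approve_expense": {"manager"},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, roles, now=None, ttl: int = 300) -> str:
    """Internal IdP side: the user is already authenticated internally; vouch
    for the identity and its roles in a short-lived, signed assertion."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "roles": sorted(roles), "iss": "corp-idp",
              "aud": CLOUD_AUDIENCE, "iat": now, "exp": now + ttl}
    body = b64url_encode(json.dumps(claims, separators=(",", ":"),
                                    sort_keys=True).encode())
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(sig)


def verify_assertion(token: str, now=None):
    """Cloud application side: trust no claim until the signature, audience and
    expiry have been checked. Returns the claims, or None if anything fails."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        return None          # tampered body or forged signature
    claims = json.loads(b64url_decode(body))
    if claims.get("aud") != CLOUD_AUDIENCE:
        return None          # assertion meant for a different relying party
    if claims.get("exp", 0) <= now:
        return None          # expired; stale assertions must not be replayed
    return claims


def authorize(token: str, action: str, now=None) -> bool:
    """The cloud-side AuthZ decision: propagated roles against local policy."""
    claims = verify_assertion(token, now)
    if claims is None:
        return False
    return bool(ACCESS_POLICY.get(action, set()) & set(claims["roles"]))


if __name__ == "__main__":
    token = issue_assertion("alice", ["analyst"])
    print("view_reports:", authorize(token, "view_reports"))      # True
    print("approve_expense:", authorize(token, "approve_expense"))  # False
```

The cloud application never sees a password and holds no credential store; it holds only the verification key and its own access policy, which is exactly the split the slide draws between internal AuthN and cloud-side AuthZ.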
  22. Standalone Synchronized IAM (diagram: users log in separately to standalone internal applications and to cloud-based applications; each side has its own AuthN, AuthZ and credentials, roles, attributes and policies, with the two IAM stores kept in sync)
     • Users are authenticated in multiple places
     • Identity data is synchronized across multiple locations via manual or automated processes
  23. Federated IAM (diagram: users log in internally and access cloud-based applications over HTTP or SOAP; an identity provider and security token service (STS) on the internal side and a service provider and STS on the cloud side exchange SAML tokens using WS-Trust and WS-Federation; each side keeps its own AuthN, AuthZ and credentials, roles, attributes and policies, with optional sync between the two IAM stores)
     • Federated identities may be mapped to cloud-based groups or roles
     • Synchronization becomes less critical due to abstraction
  24. Brokered Identity Management (diagram: users register with and manage their identity at a brokered identity management system run by a 3rd party identity provider, which holds credentials and attributes; they log in via OpenID to customer-facing applications in Internal IT / Private Cloud and to cloud-based applications in the Public Cloud)
     • Brokered identity management relies on a trusted 3rd party to manage identities
     • Clouds, and optionally internal IT, may elect not to manage identities at all
  25. Agenda
     • Cloud Security Considerations
     • Consumer Strategies
     • Provider Strategies
  26. Provider Strategy
     • Velocity & Scale: Standardization & Governance
       • Minimal process deviation; enables automation
       • Default secure configurations
       • Common security services
       • Processes that automate the proper behavior
     • Domain Strategy
       • Group resources together appropriately and consistently apply the proper degree of security controls
     • Multi-tenancy Strategy
       • Defines how tenants will share resources securely
     • Cohabitation Strategy
       • Which tenants “belong together”
  27. Service Model Domains (diagram: all users reach separate IaaS, PaaS and SaaS cloud domains, all under a common cloud security & management layer in the Public Cloud)
     • Group tenants by service model
     • Rationale: similar services have similar configurations and security requirements
     • Similar services share the same access patterns
  28. Network Tier Cloud Domains (diagram: Web Tier, Apps & Services, Partner Apps, Data Tier and BI / DW cloud domains, each with Dev / Test environments alongside the Production Environment Cloud, spanning private and public cloud)
     • Group tenants by network tier
     • Rationale: maintain network-level security controls using existing network infrastructure
  29. Tenant Group-Based Domains (diagram: all users reach Group 1 … Group n cloud domains under a common cloud security & management layer in the Public Cloud)
     • Each group has dedicated resources with network isolation
     • Groups may reflect common data sensitivity, compliance, SLA requirements, etc.
  30. Dedicated Access Domains (diagram: Tenant 1 … Tenant n each connect from their own private network over their own VPN to a dedicated cloud domain, under a common cloud security & management layer in the Public Cloud)
     • Tenant-based domains with VPN access
     • Share-nothing, greatest isolation, greatest cost
  31. Multi-Tenancy Strategy
     • Shared everything
     • Shared Infrastructure
       • Virtual Machines
       • O/S virtualization
     • Shared Nothing
  32. Shared Everything (diagram: Tenants A, B and C on one shared application, one shared schema, and shared security services & IAM)
     • Common SaaS model for maximum economy of scale
     • Application must provide isolation
     • Data from multiple tenants is stored in the same database tables
     • Highest (relative) risk due to least control, greatest exposure
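The shared-everything slide says the application must provide the isolation because rows from every tenant sit in the same tables. The following added example, which is not part of the original deck, shows what that looks like in a data access layer: a lookup that filters by primary key only (the defect to avoid) next to a repository that binds every read and write to the tenant established at authentication time. The table, the invoice rows and the tenant names are constructed for the example, using an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data: one table holding rows from several tenants,
# which is the "shared schema" arrangement on the slide.
SAMPLE_INVOICES = [
    (1, "tenant-a", 250.00),
    (2, "tenant-a", 99.50),
    (3, "tenant-b", 1200.00),
    (4, "tenant-c", 42.00),
]


def build_shared_db() -> sqlite3.Connection:
    """Create the shared table. tenant_id is NOT NULL so a row can never be
    orphaned outside every tenant's view."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " amount REAL NOT NULL)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_INVOICES)
    conn.commit()
    return conn


def find_invoice_unscoped(conn: sqlite3.Connection, invoice_id: int):
    """The defect: a lookup keyed only by id. In a shared schema this returns
    whichever tenant's row owns that id, so the application isolation the
    slide requires is missing."""
    return conn.execute(
        "SELECT id, tenant_id, amount FROM invoices WHERE id = ?",
        (invoice_id,)).fetchone()


class TenantRepository:
    """Hardened form: the tenant is fixed when the repository is created (from
    the authenticated session, never from request parameters) and every SQL
    statement carries a tenant_id predicate, reads and writes alike."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        if not tenant_id:
            raise ValueError("tenant context is required")
        self.conn = conn
        self.tenant_id = tenant_id

    def find_invoice(self, invoice_id: int):
        # Another tenant's id simply does not exist from this tenant's view.
        return self.conn.execute(
            "SELECT id, tenant_id, amount FROM invoices"
            " WHERE id = ? AND tenant_id = ?",
            (invoice_id, self.tenant_id)).fetchone()

    def list_invoices(self):
        return self.conn.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,)).fetchall()

    def total(self) -> float:
        (total,) = self.conn.execute(
            "SELECT COALESCE(SUM(amount), 0) FROM invoices WHERE tenant_id = ?",
            (self.tenant_id,)).fetchone()
        return total

    def update_amount(self, invoice_id: int, amount: float) -> int:
        # Writes are scoped too; the returned rowcount is 0 when the row
        # belongs to someone else, which is worth logging as a policy miss.
        cur = self.conn.execute(
            "UPDATE invoices SET amount = ?"
            " WHERE id = ? AND tenant_id = ?",
            (amount, invoice_id, self.tenant_id))
        self.conn.commit()
        return cur.rowcount


if __name__ == "__main__":
    db = build_shared_db()
    print("unscoped lookup of id 3:", find_invoice_unscoped(db, 3))
    repo = TenantRepository(db, "tenant-a")
    print("tenant-a lookup of id 3:", repo.find_invoice(3))   # None
    print("tenant-a invoices:", repo.list_invoices(), "total", repo.total())
```

The point of the repository shape is that the tenant predicate cannot be forgotten per query, because no method exists that takes a tenant from the caller; in a production system the same property is usually reinforced a layer down with database row-level security or per-tenant views, so that an application bug is not the only barrier.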
  33. Shared Infrastructure: Virtual Machines (diagram: Tenants A, B and C each in their own virtual environment with their own apps and data, separated by a hypervisor on shared infrastructure with shared security services & IAM)
     • Each tenant has their own virtual environment
     • Isolation provided by hypervisor
     • Resource contention depends on VM capability and configuration
     • Adds an additional layer and processes to run and manage
  34. Shared Infrastructure: OS Virtualization (diagram: Tenants A, B and C in Zones 1, 2 and 3 of a single operating system on shared infrastructure with shared security services & IAM)
     • Resources per zone: processes & memory, disks & filesystems, NICs & IP addresses, …
     • Controls per zone: max share of CPU, max memory usage, max network bandwidth, …
     • Each tenant has their own processing zone
     • Isolation provided by the operating system
     • Resource contention depends on zone configuration
     • No VMs to run and manage, no abstraction layer between app & OS
  35. Shared Nothing (diagram: a routing layer in front of Tenants A, B and C, each with its own application cluster, schema, IAM partition and resource pool; only the security services are shared)
     • Greatest degree of isolation, least economical
  36. Final Thoughts
     • Define and execute on a strategy
       • Codify your appetite for risk; CYA
     • Consider all aspects of security
       • Use a framework
     • Not all clouds are the same
       • Be aware of the risks as well as the rewards
     • You can delegate responsibility but you can’t delegate accountability
     • Visit us online at