Security Imperatives when selecting your vendor
Agenda
• What are the key components of Cloud Computing?
• How is vendor / solution selection done?
• What are the key criteria from a Cloud information security perspective?
• How to jump start the process of adoption of Cloud?
The reason we are talking about information security here today
Simple analogy of cloud computing and its components
Key phases of fact based solution / vendor selection
Key criteria for solution and vendor selection for cloud
Key stakeholders in cloud security and their requirements
Key cloud security criteria – Information Security, Privacy, Compliance and Legal (as grouped by source)

Forrester
• Data protection
• Identity management
• Physical and personnel security
• Availability
• Application security
• Privacy
• Business continuity and data recovery
• Logs and audit trails
• Unique compliance requirements

Cloud Security Alliance
• Governance and Enterprise Risk Management
• Legal and Electronic Discovery
• Compliance and Audit
• Information Lifecycle Management
• Portability and Interoperability
• Traditional Security, Business Continuity and Disaster Recovery
• Data Center Operations
• Incident Response, Notification and Remediation
• Application Security
• Encryption and Key Management
• Identity and Access Management
• Virtualization

Gartner
• Privileged User Access
• Regulatory Compliance
• Data Location
• Data segregation
• Recovery
• Investigative Support
• Long term viability

Others
• Policy, standards, and guidelines
• Transparency
• Personnel security
• Third party providers
• Legal
• Business Continuity
• Resource Provisioning
• Software assurance
• Records
• Network security
• Host and VM security
• Identity and access management
• Authentication
• Key management
• Cryptography
• Operational Security
Detailed questions for each area - Samples

Checklist: Personnel Security
• Are there policies and procedures for:
  • Hiring employees who will have access to or control over cloud components?
  • Pre-employment checks for personnel with privileged access?
• Are personnel security policies consistent across locations?
• Do they apply to online cloud systems and data as well as to offline systems that either stored data or that will be provisioned for online use?
• Is there a security education program, and if so, how extensive is it?
• Is personnel security frequently reviewed to determine if employees with access should continue to have access?
• Are personnel required to have and maintain security certifications?
• Does physical access to the CSP’s facility require background checks?

Checklist: Legal
• Where—in which jurisdiction—will data be stored?
• Where—in which jurisdiction—is the CSP incorporated?
• Does the CSP use third party providers who are not located in the same jurisdiction?
• Does the CSP subcontract any services or personnel?
• Does the CSP use a customer’s data in any manner that is not part of the service?
• Does the CSP have a documented procedure for responding to legal requests (such as a subpoena) for customer data?
• In the event of a subpoena, how does the CSP produce data for a single customer only, without providing data that is not covered by the subpoena?
• Is the CSP insured against losses, including remuneration for customer losses due to CSP outages or data exposure?
Detailed questions for each area - Samples

Checklist: Third Party Providers
• Are any services or functions provided by a third party?
• If any part of a cloud is subcontracted or otherwise outsourced, does the providing party comply with the same policy and standards that the CSP enforces?
• If used, are third party providers audited for compliance with the CSP’s policies and standards?
• Does the CSP security policy (or equivalent) and governance extend to all third party providers?

Checklist: Network Security
• What controls are in place to manage externally sourced and internally sourced attacks, including distributed denial of service (DDoS)?
• For customers, how is isolation managed between VMs by the hypervisor?
• For customers, how is isolation managed between VMs by network hardware and routing?
• What standards or best practices are used to implement the virtual network infrastructure?
• How are MAC spoofing, ARP poisoning, and similar attacks protected against?
• How is isolation managed between customer-accessed/routable systems and the cloud management systems and infrastructure?
• Is cloud customer processing dependent on off-cloud tenant components such as LDAP?
• Does the CSP perform periodic penetration testing against the cloud?
• If so, is penetration testing done both from outside the cloud and from inside the cloud and the cloud infrastructure?
• Does the CSP perform vulnerability testing of the cloud infrastructure, cloud management, and also customer-accessible components?
• How are identified vulnerabilities tracked and addressed?
• Is vulnerability information made available to customers?
• Does the CSP allow customers to perform vulnerability testing against the customer’s own VMs or other containers?
Why is there uncertainty when it comes to cloud adoption?