NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.
5. Your Physical Devices
Source: SANS Institute
1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls.
2. Where IaaS or PaaS is engaged, implement controls to monitor performance and review logs to ensure services remain secure.
7. #2: Know Your Software
[Diagram: several businesses and the cloud apps each uses; labels: Company 1, Company 2, Manufacturing, Company 3, Media Company, Cloud Voice]
Businesses now have many cloud apps.
1. Document known business application inventory.
2. Empowered users require extra effort to identify all known applications in use.
3. Maintain whitelist of applications.
4. Create alerts for new applications that are used outside the inventory.
5. Create an “application authorization process,” including a process to evaluate application security requirements.
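The whitelist-and-alert steps above can be scripted. The following is an added example, not code from the presentation or from NetStandard: it compares usage events (the kind a proxy, CASB or identity-provider export would produce) against a documented inventory and raises an alert for every application outside it. The inventory, the events, the field names and the bulk-transfer threshold are all constructed for the example.

```python
"""Detect cloud application usage outside the documented inventory.

Added example, not from the NetStandard deck. The inventory and the usage
events below are constructed sample data; in practice the events would come
from a proxy, CASB or identity-provider log export.
"""
from collections import defaultdict

# Constructed whitelist: the documented application inventory (control #2, step 3).
APP_INVENTORY = {
    "salesforce.com": {"owner": "sales-ops", "approved": True},
    "office365.com": {"owner": "it", "approved": True},
    "slack.com": {"owner": "it", "approved": True},
}

# Constructed usage events: one record per user/app observation.
SAMPLE_EVENTS = [
    {"user": "alice", "app": "salesforce.com", "bytes": 120_000},
    {"user": "bob", "app": "slack.com", "bytes": 8_000},
    {"user": "bob", "app": "dropbox.com", "bytes": 45_000_000},
    {"user": "carol", "app": "dropbox.com", "bytes": 900_000},
    {"user": "dave", "app": "pastebin.com", "bytes": 3_000},
]


def find_unapproved_apps(inventory, events):
    """Return {app: {"users": [...], "bytes": total}} for apps not approved in the inventory.

    This is the "alert for new applications used outside the inventory" step
    (control #2, step 4): anything not on the whitelist is a candidate for the
    application authorization process.
    """
    findings = defaultdict(lambda: {"users": set(), "bytes": 0})
    for event in events:
        app = event["app"].lower()
        entry = inventory.get(app)
        if entry is not None and entry.get("approved"):
            continue  # documented and approved: nothing to report
        findings[app]["users"].add(event["user"])
        findings[app]["bytes"] += event["bytes"]
    # Sort the user sets so output is deterministic
    return {app: {"users": sorted(f["users"]), "bytes": f["bytes"]} for app, f in findings.items()}


def alerts(inventory, events, bulk_threshold=10_000_000):
    """Render one alert line per unapproved app; large transfers get a higher severity."""
    lines = []
    for app, info in sorted(find_unapproved_apps(inventory, events).items()):
        severity = "HIGH" if info["bytes"] >= bulk_threshold else "MEDIUM"
        lines.append(f"[{severity}] unapproved app {app}: users={','.join(info['users'])} bytes={info['bytes']}")
    return lines


if __name__ == "__main__":
    for line in alerts(APP_INVENTORY, SAMPLE_EVENTS):
        print(line)
```

Apps marked `"approved": False` in the inventory are reported the same way as unknown ones, so an application that was reviewed and rejected keeps generating alerts until its use stops.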
8. #3: Secure All Devices
Build secure configurations on each of the devices (servers, desktops, laptops, mobile devices).
1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls.
2. Where Infrastructure-as-a-Service cloud services are engaged, implement standards to deploy secure configurations.
3. Coordinate with cloud provider to see if they have pre-hardened server images.
10. #4: Continuously Scan for Vulnerabilities and Remediate Them
1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls.
2. Where IaaS or PaaS is in place, implement controls to scan for vulnerabilities.
3. Coordinate scans with your cloud hoster to ensure their tools don’t highlight the scans as an attack.
11. #5: Implement Malware Defenses
1. Review the SSAE 16 to understand the cloud provider’s antimalware defense offerings.
2. Ensure your cloud agreement includes antimalware defenses.
3. Implement mitigating controls.
13. #7: Wireless Access Control
1. Cloud-based Wi-Fi controllers are emerging as part of virtual networking strategies.
2. Remote offices may receive Wi-Fi services from WAN providers.
3. Ensure security controls are enforced.
16. #8: Data Recovery Capability
1. Review the cloud provider’s controls.
2. Analyze risks.
3. Understand data backup and replication.
4. Design mitigating controls.
17. #9: Security Skill Gap Assessment and Training
• Follow same process whether in the cloud or on premise.
• Review cloud provider’s SSAE 16 controls to ensure controls you require are in place.
• If controls are missing at the cloud provider, work with them to address through SLA adjustments.
For information on the skill gap analysis, see: http://www.counciloncybersecurity.org/practice-areas/people
18. #10: Secure Network Configurations
1. Review roster of cloud-based services.
2. Secure all devices that may access cloud services.
3. Work with cloud provider to understand their security posture and mitigate risks as necessary.
19. #11: Control Network Ports, Protocols and Services
1. Review roster of cloud-based services.
2. Document required network ports, protocols and services that must be in use.
3. Review the risks and apply controls to mitigate those risks.
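Once the required ports, protocols and services are documented (step 2), the document becomes a baseline that inbound rules can be checked against. The following is an added example, not code from the presentation or from NetStandard: it audits a set of inbound rules against a documented baseline, reporting ports that are open but undocumented and admin ports opened to sources outside the approved networks, and separately lists documented services that no rule permits. The baseline, the admin-source list and the rules are constructed; the rule shape is a simplified stand-in for a cloud security-group entry, not any provider's API.

```python
"""Audit inbound firewall / security-group rules against a documented
port-protocol-service baseline (control #11, steps 2 and 3).

Added example, not from the NetStandard deck. The baseline, the admin
source list and the rules are constructed sample data; the rule shape is a
simplified stand-in for a cloud security-group entry, not any provider's API.
"""

# Constructed baseline: (protocol, port) -> the documented service that needs it.
REQUIRED_SERVICES = {
    ("tcp", 443): "https web front end",
    ("tcp", 22): "admin ssh (bastion only)",
}

# Constructed policy: administrative ports may only be opened to these sources.
ADMIN_PORTS = {("tcp", 22), ("tcp", 3389)}
ADMIN_SOURCES = {"10.0.0.0/8"}

# Constructed inbound rules to audit.
SAMPLE_RULES = [
    {"id": "r1", "proto": "tcp", "port": 443, "source": "0.0.0.0/0"},
    {"id": "r2", "proto": "tcp", "port": 22, "source": "10.0.0.0/8"},
    {"id": "r3", "proto": "tcp", "port": 22, "source": "0.0.0.0/0"},
    {"id": "r4", "proto": "tcp", "port": 3306, "source": "0.0.0.0/0"},
    {"id": "r5", "proto": "udp", "port": 161, "source": "10.0.0.0/8"},
]


def audit_rules(rules, required=REQUIRED_SERVICES):
    """Return (rule_id, finding) pairs for rules that deviate from the baseline.

    Two kinds of deviation are reported: a port/protocol the baseline does not
    document at all, and a documented admin port opened to a source outside
    the approved admin networks.
    """
    findings = []
    for rule in rules:
        key = (rule["proto"].lower(), int(rule["port"]))
        if key not in required:
            findings.append((rule["id"], f"undocumented {key[0]}/{key[1]} open from {rule['source']}"))
        elif key in ADMIN_PORTS and rule["source"] not in ADMIN_SOURCES:
            findings.append((rule["id"], f"admin service {key[0]}/{key[1]} reachable from {rule['source']}"))
    return findings


def missing_services(rules, required=REQUIRED_SERVICES):
    """Return documented services that no rule permits (the availability side of the review)."""
    opened = {(r["proto"].lower(), int(r["port"])) for r in rules}
    return sorted(service for key, service in required.items() if key not in opened)


if __name__ == "__main__":
    for rule_id, finding in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}: {finding}")
    for service in missing_services(SAMPLE_RULES):
        print(f"no rule permits required service: {service}")
```

Run against real rules, the findings list is the input to step 3: each entry is either a rule to remove, a rule to narrow to an approved source, or a service that needs to be added to the documented baseline.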
20. #12: Control Use of Privileged Accounts
1. Review roster of cloud-based services.
2. Document privileged accounts and who must have access.
3. Understand cloud provider’s controls and work with them to reduce risk. In some cases, cloud provider will maintain control.
21. #13: Boundary Defense
1. Understand the cloud application’s security.
2. Manage what can be controlled.
3. Identify gaps.
4. Review gaps with hosting provider.
5. Address residual risk.
22. #14: Maintenance, Monitoring and Analysis of Audit Logs
1. Understand the cloud application’s security.
2. Manage what can be controlled.
3. Identify gaps.
4. Review gaps with hosting provider.
5. Address residual risk.
23. Security Event and Correlation Management
[Diagram: Internet, Firewall, Intrusion Prevention, Event Correlation Engine (SIEM)]
SIEM technology aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time security monitoring, historical analysis and other support for incident investigation and compliance reporting.
[Diagram: DoS Shield detects when active attacks begin to consume large amounts of the network's bandwidth, and immediately blocks them; legitimate traffic proceeds normally. Labels: BGP Router, WAFs, Database Server, Web Server with Anti-Malware, DoS Pattern Filter]
1. Engineer how you will review/aggregate logs across all cloud environments associated with your company.
2. Work with cloud provider to understand reports and services that can be provided and/or recommended.
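The SIEM description above names three stages: normalize events from disparate sources into one schema, enrich them with context about assets, and correlate them. The following is an added example, not code from the presentation, from NetStandard or from any SIEM product: it parses a firewall log and a Linux sshd log into a common event record, attaches asset criticality, and raises an alert when one source address accumulates repeated denies or failed logins across both feeds within a time window. The log lines, the asset table, the year assumed for syslog timestamps (syslog omits it) and the threshold and window are all constructed.

```python
"""Normalize log lines from two sources into one event schema, enrich them with
asset context and correlate them, the pipeline the slide describes for SIEM.

Added example, not the deck's code and not any SIEM product's. The log lines,
the asset table, the year assumed for syslog timestamps and the correlation
thresholds are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in two different formats.
FIREWALL_LINES = [
    "2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.1.5 dport=22 proto=tcp",
    "2024-03-01T10:00:05Z fw01 ALLOW src=203.0.113.7 dst=10.0.1.5 dport=22 proto=tcp",
]
AUTH_LINES = [
    "Mar  1 10:00:07 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50222 ssh2",
    "Mar  1 10:00:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50223 ssh2",
    "Mar  1 10:00:12 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 50224 ssh2",
    "Mar  1 10:00:30 web01 sshd[2230]: Accepted publickey for deploy from 10.0.2.9 port 41000 ssh2",
]

# Constructed asset context, keyed by both address and hostname.
WEB01 = {"name": "web01", "criticality": "high", "owner": "web-team"}
ASSETS = {"10.0.1.5": WEB01, "web01": WEB01}

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+)")
AUTH_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)")


def normalize_firewall(line):
    """Map a firewall line onto the common schema; return None for unparseable lines."""
    m = FW_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": "firewall",
            "host": m["host"], "src_ip": m["src"], "dst_ip": m["dst"], "user": None,
            "outcome": "deny" if m["action"] == "DENY" else "allow"}


def normalize_auth(line, year=2024):
    """Map a syslog sshd line onto the common schema (syslog omits the year: assumed)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "auth", "host": m["host"], "src_ip": m["src"], "dst_ip": None,
            "user": m["user"], "outcome": "fail" if m["result"] == "Failed" else "success"}


def enrich(event, assets=ASSETS):
    """Attach asset criticality looked up by destination address or reporting host."""
    ctx = assets.get(event["dst_ip"]) or assets.get(event["host"]) or {}
    event["asset_criticality"] = ctx.get("criticality", "unknown")
    return event


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when one source IP accumulates >= threshold denies/failures inside `window`,
    across any mix of feeds. Returns at most one alert per offending source IP."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] in ("deny", "fail"):
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                hit = evs[i:j]
                alerts.append({"src_ip": src, "count": j - i, "start": hit[0]["ts"],
                               "hosts": sorted({e["host"] for e in hit}),
                               "sources": sorted({e["source"] for e in hit}),
                               "severity": "high" if any(e["asset_criticality"] == "high" for e in hit) else "medium"})
                break
    return alerts


def run(firewall_lines=FIREWALL_LINES, auth_lines=AUTH_LINES):
    """Full pipeline: normalize both feeds, enrich, correlate."""
    events = [normalize_firewall(l) for l in firewall_lines] + [normalize_auth(l) for l in auth_lines]
    events = [enrich(e) for e in events if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The point of the common schema is visible in `correlate`: it counts a firewall deny and an sshd failure as the same kind of evidence without knowing which feed produced either, and the asset context turns a count into a severity. For step 1 of the slide, the same approach applies per cloud environment: each provider's log export needs its own `normalize_*` function, after which enrichment and correlation are shared.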
24. #15: Control Access Based on “Need to Know”
1. Review roster of cloud applications and establish granular access controls based upon data classification matrix.
2. Work with cloud provider to understand reporting or rights review tools that may be available.
25. #16: Account Monitoring and Control
1. Review roster of cloud applications and document account monitoring and control procedures.
2. Work with cloud provider to understand reports that can be provided.
27. #17: Data Loss Prevention
1. Ensure controls are in place, including rules for encrypting data that is commonly shared outside the organization.
2. Understand the cloud provider’s offering to ensure it complies with standards. If it doesn’t, work with cloud provider to improve controls.
29. #18: Incident Response and Management
1. Review the cloud provider’s Security Incident Response Plan.
2. Contact cloud provider to discuss how customers will be engaged in incident response.
30. #19: Engineer Security
1. Review the SSAE 16 for all cloud providers.
2. Perform vendor management.
3. Understand the security of the hosted application and how it will be accessed.
31. #20: Penetration Tests and Red Team Exercises
1. Review the SSAE 16 for all cloud providers to obtain 3rd party verification of the effectiveness of the control.
2. Do not use hosters who do not have this control.
32. Next Steps
• Review your security programs and enhance them to address cloud controls.
• Review the SANS Institute’s data to look at suggested metrics and detailed process steps.
• Encourage your company leaders to engage the security team for assessment before they implement a cloud-based application.
• The cloud is here to stay; we must adapt our processes and controls.
• For a copy of the presentation, please leave your card with me.