Avoiding a mushroom cloud

How to Avoid Becoming the
Victim of a “Mushroom” Cloud
Assessing the Security Ecosystem
of Your Cloud Service Provider

Presented by Brad Bemis

© 2011 Network Computing Architects, all rights reserved

Introduction
• Rehashing the Basics
• Are You Ready for the Cloud?
• Is the Cloud Ready for You?
• Evaluating Service Providers
• Moving to the Cloud
• Contingency Planning
• Resources


Rehashing the Basics
• What is the cloud?

Essential Characteristics
• On-demand Self-service
• Broad Network Access
• Resource Pooling
• Rapid Elasticity
• Measured Service

Service Models
• Software as a Service
• Platform as a Service
• Infrastructure as a Service
• Security as a Service

Deployment Models
• Private Cloud
• Public Cloud
• Hybrid Cloud
• Community Cloud
• Vertical Cloud


• What is the cloud?
• What are the benefits?

Essential Characteristics Value Added Through
• On-demand Self-service • Focus on Core Business
• Broad Network Access • Functional Alignment
• Resource Pooling • Competitive Advantage
• Rapid Elasticity • Scales of Economy
• Measured Service • Universal Access
• Standardization
Service Models
• Software as a Service Reductions In
• Platform as a Service • Cost
• Infrastructure as a Service • Complexity
• Security as a Service • Resource Overhead
• Compliancy Issues
Deployment Models
• Private Cloud Increases In
• Public Cloud • Operational Efficiency
• Hybrid Cloud • Resource Availability
• Community Cloud • General Adaptability
• Vertical Cloud • Organizational Responsiveness


• What is the cloud? Risks
• Contractual Limitations
• Asset Management
• What are the benefits? • Loss of Control
• Limited Visibility
• What are the risks? • Portability of Assets
• Isolation Failures
• Data Leakage
Essential Characteristics Value Added Through • Data Persistence
• On-demand Self-service • Focus on Core Business • Interface Compromises
• Broad Network Access • Functional Alignment • Service Engine Compromises
• Resource Pooling • Competitive Advantage • Crypto Management Failures
• Rapid Elasticity • Scales of Economy • Software Licensing Confusion
• Measured Service • Universal Access • Configuration Conflicts
• Standardization • Economic DOS
Service Models • Network Interception
• Software as a Service Reductions In • Malicious Insiders
• Platform as a Service • Cost • Resource Exhaustion
• Infrastructure as a Service • Complexity • Poor Performance
• Security as a Service • Resource Overhead • Service Degradation
• Compliancy Issues • Outages and Downtime
Deployment Models • Jurisdictional Concerns
• Private Cloud Increases In • E-Discovery Issues
• Public Cloud • Operational Efficiency • Incident Handling Methods
• Hybrid Cloud • Resource Availability • Law Enforcement Involvement
• Community Cloud • General Adaptability • Legal/Regulatory Compliance
• Vertical Cloud • Organizational Responsiveness • Provider Failure/Service Termination


• What is the cloud? Risks
This is just • Asset Management
• What are the benefits? a partial list! • Loss of Control
• What are the risks? • Portability of Assets
• Data Leakage
Essential Characteristics Value Added Through • Data Persistence
• On-demand Self-service • Focus on Core Business • Interface Compromises
• Broad Network Access • Functional Alignment • Service Engine Compromises
• Resource Pooling • Competitive Advantage • Crypto Management Failures
• Rapid Elasticity • Scales of Economy • Software Licensing Confusion
• Measured Service • Universal Access • Configuration Conflicts
• Standardization • Economic DOS
Service Models • Network Interception
• Software as a Service Reductions In • Malicious Insiders
• Platform as a Service • Cost • Resource Exhaustion
• Infrastructure as a Service • Complexity • Poor Performance
• Security as a Service • Resource Overhead • Service Degradation
• Compliancy Issues • Outages and Downtime
Deployment Models • Jurisdictional Concerns
• Private Cloud Increases In • E-Discovery Issues
• Public Cloud • Operational Efficiency • Incident Handling Methods
• Hybrid Cloud • Resource Availability • Law Enforcement Involvement
• Community Cloud • General Adaptability • Legal/Regulatory Compliance
• Vertical Cloud • Organizational Responsiveness • Provider Failure/Service Termination


Are You Ready for the Cloud?
• Have you thought about your data?
 What data is going into the cloud?
 What is the value/sensitivity of the data?
 Who will interact with the data?
 How will the data be accessed?
 How will the data be used?


• Have you thought about your data?
 What data is going into the cloud?
 What is the value/sensitivity of the data?
 Who will interact with the data?
 How will the data be accessed?
 How will the data be used?
• Have you defined your requirements?
 Business requirements
 Technology requirements
 Compliance Requirements
 Security Requirements
 Operational Requirements


• Have you considered the risks? Risks
• Loss of Control
• Portability of Assets
• Data Leakage
• Data Persistence
• Interface Compromises
• Service Engine Compromises
• Crypto Management Failures
• Software Licensing Confusion
• Configuration Conflicts
• Economic DOS
• Network Interception
• Malicious Insiders
• Resource Exhaustion
• Poor Performance
• Service Degradation
• Outages and Downtime
• Jurisdictional Concerns
• E-Discovery Issues
• Incident Handling Methods
• Law Enforcement Involvement
• Legal/Regulatory Compliance
• Provider Failure/Service Termination


• Loss of Control

WAIT!
• Data Leakage
• Economic DOS


• Loss of Control

WAIT!
• Data Leakage

How mature is your current • Economic DOS

security program?


• Loss of Control

WAIT!
• Data Leakage

How mature is your current • Economic DOS

security program?

≠ • Incident Handling Methods


Is the Cloud Ready for You?
• Lots of things are happening!
 Increased industry recognition
 Better understanding of the issues
 New ideas and approaches daily
 CSA and others are leading the way!!!


• We still have a long road to travel though!
 Increased vigilance and accountability is a must!
 Cloud providers have a clear responsibility here!
 The market will ultimately determine what's right!


• We still have a long road to travel though!
 Increased vigilance and accountability is a must!
 Cloud providers have a clear responsibility here!
 The market will ultimately determine what's right!
• Security is STILL the #1 barrier to cloud adoption
 How do we move from barrier to enabler?
 Are there any security models that can help?



Version 3.0 Under Development



Version 3.0 Under Development

The GRC Stack
• Cloud Audit (A6)
• Cloud Controls Matrix
• Assessment Questionnaire
• Cloud Trust Protocol


Evaluating Service Providers
• For this presentation:
 It‟s not about public vs. private vs. hybrid
 It‟s not about SaaS, PaaS, IaaS
 It‟s not about the technologies involved
 It‟s not about using the cloud to “get out of jail for free”
 You can‟t afford to fall for clever marketing schemes
 Sending out a general questionnaire isn‟t going to cut it
 Especially if you‟re just filing the responses away
 You have to do your homework

IT’S ABOUT DUE DILLIGENCE!!!


• Let‟s frame the discussion in terms of risk management
• The “gap” approach to assessments is insufficient
• Many of our tools are gap based, not risk based
• Even many of our risk-based tools are highly flawed
• Applying flawed methods to unknowns is dangerous
• The real question for cloud service providers is:
“Can you provide me with an adequate
degree of protection that is consistent with
my established risk tolerance thresholds”
HOW DO WE FIND THE ANSWER?


• The true goal of a risk assessment is to help business
leaders make informed/better decisions!!!
• To meet this goal you need to assess the security
ecosystem of your cloud service provider and deliver
findings/recommendations that are:
– Clear
There’s a complication
– Concise
though… Providers are unlikely
– Meaningful to let you peek behind the
– Actionable curtain.


• The true goal of a risk assessment is to help business
leaders make informed/better decisions!!!
• To meet this goal you need to assess the security
ecosystem of your cloud service provider and deliver
findings/recommendations that are:
– Clear
There’s a complication
– Concise
though… Providers are unlikely
– Meaningful to let you peek behind the
– Actionable curtain.

How would you know
or the difference?


The Maturity Continuum
You can learn a lot about a provider just by their response to the question “What
security controls do you have in place?”

Acknowledgement Basic Contractual General 3rd Party Full ISO 27001 Cert
Of Security Issues Language In Place Assessment Done Achieved

0 5

No Understanding of Verbal Security Controls Statement SAS 70/SSAE 16
Security At All! Assurances Made Made Available Audit Performed

THIS MAY BE ALL YOU HAVE TO WORK WITH!


The Tools We’ll Use:
• First of all, there‟s this great organization called the
Cloud Security Alliance (CSA)
– You may have heard of them!
– They‟ve built a “GRC Stack” of resources
• Cloud Audit Toolset
• Cloud Controls Matrix
• Consensus Assessment Initiative Questionnaire
• Next we‟ll add in resources from NIST and ENISA
• Finally, we‟ll draw from FAIR and more from NIST
• At the end we‟ll use a scorecard for comparison


Assessment Process Flow
Inputs
Fully Qualified Service Provider’s
Business Needs Security Assertions

Description Framework Data Collection Risk Catalogue

Controls Consensus NIST 800-144/
Matrix Questions ENISA Report

Supplement as Needed Supplement as Needed
CSA
Guidance Slightly Modified
Your Reqs

NIST 800-30 FAIR

Reporting Format Risk Analysis

Fully Informed
Business Decision
Output


Business Needs (+Requirements):
• What‟s “Fully Qualified” mean in a cloud context?
– Let‟s point back to your requirements for reference:
• Why are you moving to the cloud?
• Do you understand what the cloud is?
• How you thought about the data?
• Are you ready for the cloud? Is your house in order?
– What business needs will you be satisfying?
– Where are your risk tolerance thresholds set?
– How will this align with your governance efforts?
– …and lots more!


Provider Assertions:
• Where is the provider on the maturity scale?

• What type of assertions do you have to work with?
• Did you send survey questions and get responses?
• What else do you need for the assessment?


CSA Guidance:
• Grab a copy of the Cloud Security Alliance‟s
“Security Guidance for Critical Areas of Focus in Cloud
Computing” (v 2.1)
– Describes 13 domains relevant to cloud security
– Offers a structure and advice for tackling cloud security
challenges
– Provides a level of detail that you won‟t find anywhere
else – and it‟s part of the GRC Stack!
– Should serve as an authoritative resource
• Version 3.0 in development – watch for it!


Cloud Controls Matrix:
• This is where “the rubber meets the road”
• A complete mapping of the cloud security domains as
presented by the CSA
• Includes applicability columns for SaaS, PaaS, IaaS
based services – and provider vs. tenant responsibilities
• Most importantly, it offers a direct mapping across
every major security best practice in the industry
– COBIT, HIPAA/HITECH, ISO 27001, NIST 800-53, PCI DSS 2.0, BITS,
GAPP, etc.
– Version 1.2 is out now – I added in the Jericho Forum Piece!


Consensus Questionnaire:
• Yet another component of the GRC Stack – the
questionnaire is an invaluable data gathering tool
– Directly aligned with the Controls Matrix
– Asks very cloud specific questions
– Can be used to guide the assessment effort
• Supplementation is recommended though
– Look at the BITS Shared Assessment Program
– Leverage the BITS Questionnaire (there‟s even a lite version)
– Remember, BITS is already mapped to the Controls Matrix
• Many other great resources out there…


NIST and ENISA Materials:
• The CSA materials are great, but we also need a “Risk
Catalogue” to help us go from a gap-based approach
to a risk-based one
• The CSA Guidance document is a great start, but
there‟s more information needed
• NIST 800-144 steps through a number of key issues and
places them into a risk-based context
• The ENISA Cloud Computing Assessment is an
absolutely fantastic risk resource – a „must have‟


The FAIR Assessment Method:
• Now we need to use a risk analysis process to create a
list of comparative, contextual results
• Factor Analysis of Information Risk, by Jack Jones is a
REALISTIC approach to risk assessment/analysis
• It provides a model for risk measurement that goes far
beyond the traditional “threat + vulnerability = risk”
• It takes into account things like: Loss Event Frequency,
Threat Event Frequency, Contact (opportunity), Action
(motive), Vulnerability, Threat Capability, Control
Strength, Probable Loss Magnitudes, and more…


NIST 800-30:
• Ultimately this contains a „traditional‟ (insufficient)
methodology for risk assessments
• However, it does include a few things that FAIR only
hints at (like System Characterization)
• Appendix B offers a simple reporting outline that‟s
actually quite useful when coupled with FAIR outputs
• Using this as a tool to assist in shaping the final findings
and recommendations report is invaluable
• FAIR displaces most of the methodology though
• 800-30 is due for an update – so keep an eye out


The *INFORMED* Business Decision:
• With a clear, concise, meaningful, and actionable
report in hand, business leaders can make much better
management decisions about their cloud security risks
• These business decisions may have a major influence
on the future of the organization – moving to the cloud
is no small undertaking, even at a micro level
• Keep in mind that the report will only be as good as
the quality of the information and level of effort that
went into it though


• Now granted – this is a pretty involved process


• Take what you need and do what makes sense


• Just remember how important this could be to the
future of your business


• Don‟t forget the basic due diligence/due care
mandate


mandate
• You have a duty to protect your customers, partners,
brand, etc.


mandate
• You have a duty to protect your customers, partners,
brand, etc.
• No matter how much data you collect though, it‟s
good to rate your top 2 or 3 providers against one
another – a scorecard could be helpful


Leveraging a “Score Card” Approach
• YOUR Requirements
• Choosing the Right Team
• Objective Scoring Criteria
• Clearly Defined Rating System
• ‘Tie-Breaker’ Rules Just in Case


Leveraging a “Score Card” Approach
• YOUR Requirements
• Choosing the Right Team
• Objective Scoring Criteria
• Clearly Defined Rating System
• ‘Tie-Breaker’ Rules Just in Case

Don’t Forget:
This is what you are trying to avoid!


Moving to the Cloud
• Make sure that you have a clear plan in place, that
you know what you‟re getting yourself into, and that
you‟re truly ready to make the leap


Moving to the Cloud
• Start small and build upwards/outwards; there‟s no
need to push everything into the cloud all at once –
this will keep your scope and risks more manageable!


Moving to the Cloud
• Leverage the resources available – a lot of work has
already gone into defining this space and creating
models to support it


Moving to the Cloud
• Leverage the resources available – a lot of work has
already gone into defining this space and creating
models to support it
• Don‟t let the nature of the cloud invalidate best
practices that are known to work – in many cases it‟s
just a matter of tweaking the context


Contingency Planning
• As you are getting INTO the cloud arena – think about
how you‟re going to get back OUT again if something
goes wrong


goes wrong
• Pay attention to warning signs indicating issues or
problems with your service provider – don‟t be afraid
to go elsewhere if your security needs aren‟t being met


goes wrong
• Really start thinking in terms of a „Zero Trust‟ model –
the less trust you place in service providers the better
protected you will be no matter what happens


goes wrong
• Really start thinking in terms of a „Zero Trust‟ model –
the less trust you place in service providers the better
protected you will be no matter what happens
• Update all of your business continuity, disaster
recovery, and incident response processes to reflect
your cloud relationships – BE PREPARED!


Resources
• Check out the Cloud Security Alliance web site


Resources
• Join the local CSA Chapter and participate


Resources
• Join the local CSA Chapter and participate
• And of course – ENGAGE NCA TO HELP!
NCA‟s Information Security Practice is an ISO 27001 Certified Professional Security Services Consultancy with offices in
Bellevue WA, Portland OR, and Las Gatos CA. We offer a wide range of professional security services that can be
scaled and customized to meet the business needs of any organization. Our major core competencies include:

• Program Management: Building and managing holistic information security programs.
• Governance: Incorporating security into enterprise or IT governance frameworks.
• Risk Management: Measuring and managing information security and other related risks.
• Compliance: Ensuring that all internal and external requirements are being met.
• Identity & Access Management: Managing identities and permissions for systems and users.
• Perimeter Defense & Firewall Management: Defending the borders between networks.
• Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.
• Virtualization & Cloud Security: Safeguarding the latest virtualized and cloud-based technologies.
• Event Management & Incident Response: Detecting and responding to security incidents.
• Awareness & Training: Engaging people in the process of security on a daily basis.

Through a number of strategic partnerships we can also deliver additional services in the areas of:

• Managed Services: Managing the day-to-day operational security of information systems.
• Application Security & Penetration Testing: Validating controls for business applications.
• Business Continuity & Disaster Recovery: Sustaining the business during emergencies.


Questions???
Send Additional Follow-up Questions to Brad.Bemis@NCANet.com
Or Call Us at 1-877-566-9622

Follow Me:
@SecureITExpert


About the Author:
Brad Bemis is the CISO, Security Practice Manager, and Principle Security Consultant for Network Computing
Architects (NCA) in Bellevue WA, and has over 20 years of practical experience in IT and information security. He
is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor
(CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Greenbelt; with several additional
technology-centric certifications from Cisco, Microsoft, and CompTIA.

Brad holds associate degrees in both Personnel Management and in Information Systems Technology, a Bachelors of Science in
Information Technology, and is currently pursuing a Masters of Science in Education. He has also engaged in graduate level course-work
towards a Masters of Business Administration and a Masters of Science in Clinical Psychology.

Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world; in roles
ranging from Systems Security Administrator to Chief Information Security Officer (and everything in-between). Although highly skilled
across multiple security disciplines, his main passion is information security awareness and training – evangelizing the message and
engaging others. He is also very active in the security community, including: contributions to the Cloud Security Alliance (CSA), board
positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information
Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a
number of on-line security forums, and much much more.

Additional information can be found on Brad's professional blog at www.secureitexpert.com.


Avoiding a mushroom cloud

More Related Content

What's hot

Viewers also liked

Similar to Avoiding a mushroom cloud

Recently uploaded

Avoiding a mushroom cloud