Extending Security in the Cloud

Steven Wolford, Director, Information Security, 6fusion
Chad Walter, Director, Channel Development, Network Box USA
Today’s Agenda


•   Introduction
•   IT Infrastructure Models
•   Common Cloud Security Myths
•   Cloud Security Basics
•   Cloud Security Challenges
    •   Access
    •   Protection
    •   Segregation
    •   Recovery
•   Cloud Security Best Practices
Who We Are

6fusion: 6fusion provides a utility-metered cloud platform that enables global workload distribution by turning public, private and hybrid clouds into pay-per-use billable utilities. The unique metering algorithm, Workload Allocation Cube (WAC), creates a commercial standard to quantify supply and demand for compute resources.

Network Box USA: Network Box USA provides comprehensive, fully managed perimeter internet security solutions. The Network Box Unified Threat Management (UTM) solution combines numerous applications such as firewall, intrusion prevention and detection, anti-virus, content filtering, anti-spam, anti-phishing, anti-spyware and VPN into one single, sophisticated mix of hardware and software. Network Box USA enables businesses of all sizes to secure their networks easily and cost effectively.

This is the first in a series of webinars on cloud security. We will let you shape the content of the next webinar at the end of this webinar.
IT Infrastructure Models
Cloud Security Myths


• Cloud cannot be secure
    • All Cloud models are not created equal
         - Private, Hybrid, Public
         - IaaS, PaaS, SaaS
    • All Cloud providers are not created equal
         - Look for independent audit reports
• Cloud security is new
    • The security concepts remain unchanged
    • Unfortunately many used network defenses to compensate for
      weak application security
• Cloud requires more effort or tools to be as secure
    • NIST used the existing SP 800-53 and SP 800-37 to develop FedRAMP
    • Oh by the way, Department of Homeland Security recently announced it is moving services
      to a cloud provider that has been reviewed under FedRAMP
• The only reason enterprises move to the cloud is cost
  reduction, reallocation, etc.
    • Security can also be enhanced if you incorporate the following in your migration
        - Security by Design, Active Monitoring, Incident Response Plan
A Quick Cloud Analogy

Your data happily in the cloud: Procurement, PII, Financial, Email, Payroll, HR.

An incident beyond your control occurs.

Your data no longer just in the cloud: Payroll, PII, Email, Procurement, Financial, HR.
Data Loss in Summary

Data:
• Trade Secrets
• Account Numbers
• Social Security Numbers
• Intellectual Property
• Health Records
• Other Personal Information

Can Leak:
• Stored on the network or shared drives
• Copied on removable media
• Transferred electronically

To an Outsider:
• Thieves, mobsters, other nefarious characters
• Competitors
• Regulators
• Unauthorized Internal Users
• Press/Media

Resulting in Breach:
• Company defamation
• Monetary expense per record lost
• Loss of assets
• Breach of customer trust
Top Reasons for Data Loss

• Hardware Failure: 35%
• Human Error: 28%
• Theft/Malicious Employee Action: 17%
• Software Failure: 14%
• Virus: 6%
Cloud Security Challenges

There are a number of security issues associated with cloud computing, but data security is arguably the biggest issue.

Main areas of concern specific to data security include: Access, Protection, Segregation, Recovery.
Access

Data placed in the cloud are accessed and managed by persons other than privileged users within the customer’s organization.

• What type and level of security checks are enforced on those individuals?
• How are those checks enforced?
• What policies are in place to ensure roles and privileges are enforced?
Protection

The nature of cloud computing means data can be stored at any geographical location at any given time.

• Apart from some cloud service providers, such as Amazon, which offer their customers the option of choosing between different zones in which to store their data, it is uncommon to see a cloud computing service contract where the customer is guaranteed that their data will not be transferred outside a specified region.

• Customers need to be aware that local laws may apply to data held on servers within the cloud, and that it is their responsibility to comply with data protection laws under the various jurisdictions worldwide where their data is held.
Segregation

Data in the cloud is typically stored in a shared environment whereby one customer’s data is stored alongside another customer’s data.

• While it is difficult to assure data segregation, customers should review the cloud vendor’s architecture to ensure proper data segregation is available and that data leak prevention (DLP) measures are in place.
Recovery

As with traditional IT systems, unexpected problems can and will occur with cloud computing.

• What plan is in place to recover the customer’s data in the event of a disaster, how long will data restoration take, and what is the impact on business continuity?
Cloud Security Best Practices
•   Ask where data will be kept and enquire about the details of data protection laws in
    the relevant jurisdictions.

•   Include clauses in the cloud service contract that your data always belongs to
    you, that you can reclaim your data at any time and that your data shall not be
    disclosed to any third party.

•   Make it as hard as possible to gain access to your systems and then to your data
    by implementing two-factor user authentication.

•   Ensure that data is encrypted both ways across the Internet by using, for
    example, mutual SSL. Ensure that data is encrypted when at rest, as well as
    when in motion from one location to another. You, the customer, should have
    control of key materials used for encrypting and decrypting data.

•   Develop good password policies – how they’re created, changed and protected.

•   Seek an independent security audit of the cloud vendor.
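The last two encryption points above (data encrypted at rest, and the customer rather than the provider holding the key material) are usually realised with envelope encryption. The following is an added example, not code from the webinar or from 6fusion or Network Box USA: each object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that only the customer holds, and the provider stores just the ciphertext and the wrapped DEK. The object label, key sizes and the sample payroll record are constructed for the example; AES-GCM from Go's standard library is the only primitive used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is all the provider holds: ciphertext plus the data-encryption
// key (DEK) wrapped under the customer's key-encryption key (KEK).
type StoredObject struct {
	Nonce, Ciphertext, DEKNonce, WrappedDEK []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; the object label
// is bound as associated data so one stored object cannot be swapped for another.
func seal(key []byte, label string, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, []byte(label)), nil
}

func open(key []byte, label string, nonce, ct []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// Encrypt draws a per-object AES-256 DEK, encrypts the payload with it and wraps
// the DEK under the KEK; the clear DEK never leaves this function.
func Encrypt(kek []byte, label string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, label, plaintext)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := seal(kek, label, dek)
	if err != nil {
		return nil, err
	}
	return &StoredObject{nonce, ct, dekNonce, wrapped}, nil
}

// Decrypt unwraps the DEK with the KEK, then opens the ciphertext. A wrong KEK,
// a wrong label or a tampered object fails authentication instead of decrypting.
func Decrypt(kek []byte, label string, obj *StoredObject) ([]byte, error) {
	dek, err := open(kek, label, obj.DEKNonce, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK (wrong KEK, label or tampered object): %w", err)
	}
	return open(dek, label, obj.Nonce, obj.Ciphertext)
}

// Rotate re-wraps the DEK under a new KEK without touching the ciphertext, so the
// customer can retire a key without re-encrypting every object held by the provider.
func Rotate(oldKEK, newKEK []byte, label string, obj *StoredObject) error {
	dek, err := open(oldKEK, label, obj.DEKNonce, obj.WrappedDEK)
	if err != nil {
		return err
	}
	obj.DEKNonce, obj.WrappedDEK, err = seal(newKEK, label, dek)
	return err
}

func main() {
	kek := make([]byte, 32) // in practice generated and kept in the customer's own KMS/HSM
	rand.Read(kek)
	label := "payroll/2013-02.csv" // constructed object name
	obj, err := Encrypt(kek, label, []byte("constructed sample payroll record"))
	if err != nil {
		panic(err)
	}
	_, err = Decrypt(make([]byte, 32), label, obj) // what the provider could attempt without the KEK
	fmt.Println("provider-side decrypt:", err)
	pt, _ := Decrypt(kek, label, obj)
	fmt.Printf("customer-side decrypt: %q\n", pt)
}
```

Binding the object label as associated data is what turns "encrypted at rest" into a per-object guarantee: a provider, or an attacker with provider-level access, cannot present one customer's wrapped DEK against another object's ciphertext, and key rotation on the customer side costs one small re-wrap per object rather than a bulk re-encryption.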
Where do you go from here?
Risk-based Framework

Diagram: a cycle of four phases, Identify, Establish, Govern, Assess.

Loosely based on NIST RMF
Security by DESIGN

• Understand your security philosophy
• Know all of the components for each information system
• Implement the controls that bring risk down to the level acceptable to your organization
Implement Active MONITORING

• Customers would rather hear bad news from you than from the media
• Mitigation cannot happen if you do not know adverse events are occurring
• What, How, Who
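The speaker note for this slide says monitoring intervals should follow the data content and that an automated procedure should respond to related events. The following is an added example, not code from the webinar or from either company: services are registered in sensitivity tiers that set how often they are probed and how many consecutive failures are tolerated, and when the threshold is reached a "what, how, who" event is raised for the response procedure. The tiers, service names, probe function and the constructed outage are all assumptions made for the example; a real probe would be an authenticated HTTPS health check.

```go
package main

import (
	"fmt"
	"time"
)

// Tier ties probe frequency and tolerance to the sensitivity of the data a
// service handles: the more sensitive the data, the sooner an outage is noticed.
type Tier struct {
	Name     string
	Interval time.Duration // how often the service is probed
	MaxFails int           // consecutive failed probes before an event is raised
}

// Assumed tiers for the example; an organization sets its own.
var (
	TierRestricted = Tier{"restricted", 30 * time.Second, 1} // PII, payroll, financials
	TierInternal   = Tier{"internal", 2 * time.Minute, 3}
	TierPublic     = Tier{"public", 10 * time.Minute, 5}
)

// Probe reports whether a service answered its health check. It is injected so
// the example runs offline; a real probe would be an authenticated HTTPS request.
type Probe func(service string) bool

// Event is the "what, how, who" record handed to the response procedure.
type Event struct {
	At       time.Time
	Service  string
	Tier     string
	Failures int
	Action   string
}

type Monitor struct {
	tiers     map[string]Tier
	failures  map[string]int
	lastProbe map[string]time.Time
	Events    []Event // everything raised so far, for the audit trail
}

func NewMonitor() *Monitor {
	return &Monitor{tiers: map[string]Tier{}, failures: map[string]int{}, lastProbe: map[string]time.Time{}}
}

func (m *Monitor) Register(service string, t Tier) { m.tiers[service] = t }

// Failures returns the current run of consecutive failed probes for a service.
func (m *Monitor) Failures(service string) int { return m.failures[service] }

// Check runs every probe that is due at time now and returns the events raised
// in this cycle. An event fires once, when the tier's threshold is first hit,
// and the failure counter resets on the next successful probe.
func (m *Monitor) Check(now time.Time, probe Probe) []Event {
	var raised []Event
	for svc, tier := range m.tiers {
		last, seen := m.lastProbe[svc]
		if seen && now.Sub(last) < tier.Interval {
			continue // not due yet
		}
		m.lastProbe[svc] = now
		if probe(svc) {
			m.failures[svc] = 0
			continue
		}
		m.failures[svc]++
		if m.failures[svc] == tier.MaxFails {
			ev := Event{
				At: now, Service: svc, Tier: tier.Name, Failures: m.failures[svc],
				Action: "page on-call, open incident ticket, notify data owner and affected customers",
			}
			m.Events = append(m.Events, ev)
			raised = append(raised, ev)
		}
	}
	return raised
}

func main() {
	m := NewMonitor()
	m.Register("payroll-api", TierRestricted)
	m.Register("intranet-wiki", TierInternal)
	down := map[string]bool{"payroll-api": true} // constructed outage
	probe := func(s string) bool { return !down[s] }
	start := time.Date(2013, 2, 1, 9, 0, 0, 0, time.UTC)
	for step := 0; step < 3; step++ {
		for _, ev := range m.Check(start.Add(time.Duration(step)*30*time.Second), probe) {
			fmt.Printf("%s %s (%s) failed %d probe(s): %s\n",
				ev.At.Format(time.RFC3339), ev.Service, ev.Tier, ev.Failures, ev.Action)
		}
	}
}
```

The point of the tiers is that the decision "how soon must we know" is made once, from the data classification, rather than per service by whoever happens to configure the check; the Event record is what the response team (next slide) needs in order to act without first having to reconstruct what failed.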
Develop a RESPONSE Team and Plan

• Security is not a guarantee
• Most events can be categorized with operational, technical, and legal responses planned
• Training and awareness are key
Questions?
Thank You!

Resources

FedRAMP
    http://www.gsa.gov/portal/category/102371
Cloud Security Alliance
    https://cloudsecurityalliance.org/
FFIEC (not really cloud but outsourced providers)
    http://ithandbook.ffiec.gov/it-booklets/outsourcing-technology-services/appendix-d-managed-security-service-providers.aspx
NIST (SP800-144)
    http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494

What’s next?

2nd Webinar in the Series
• Timing: Early March
• Topic: How to advance your organizational security
• Details: You tell us…

What do you want to hear about in the next webinar? Email us at marketing@6fusion.com with your ideas!


Editor's Notes

  • #18 Embrace a secure-by-design approach: IT organizations need to focus on identifying controls that address the lack of direct access to information. Taking an approach that is secure by design forms the foundation of the organization's strategy for entering the cloud and allows the organization to consistently approach security needs based on the workloads and granular data represented in their cloud efforts. This also facilitates the implementation of resiliency and audit capabilities in the cloud, allowing organizations to extend their security philosophy into the cloud.
  • #19 Implement an active monitoring solution: For organizations to address availability or instability conditions they must implement an active monitoring solution; failing to do so means relying on cues from users, which could result in damages ranging from poor customer satisfaction to loss of customers. Organizations need to decide what to monitor and at what intervals based on data content, and should implement manual or automated procedures to respond to related events.
  • #20 Develop a plan and educate the response team: A large element of security is the response to threats and how rapidly an organization can respond to threats and adverse events. Organizations should document logical responses to event classes and implement education programs to facilitate response to those conditions.