Protecting What Matters...An Enterprise Approach to Cloud Security

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Protecting what matters...
... An enterprise approach to cloud security
Ed Reynolds
HP Fellow, CISSP, CCSK
HP Enterprise Security Services

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.2
Today’s agenda
TRENDS
PERSPECTIVES
GUIDANCE

Worldwide Security Trends & Implications
Cyber threat 56%of organizations have been
the target of a cyber attack
Extended supply chain
44% of all data breach involved
third-party mistakes
Financial loss $8.6M average cost associated
with data breach
Cost of protection 8% of total IT budget
spent on security
Reputation damage 30% market cap reduction due to
recent events
Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research
Key Points
• Security is a board of
directors concern
• Security leadership is under
immense pressure
• Need for greater visibility of
business risks and to make
sound security investment
choicesReactive vs. proactive
60% of enterprises spend more time
and money on reactive measures vs.
proactive risk mgmt

Managing security challenges
Today, security is a
board-level agenda item
#1 Board Identified Risk:
Reputational Damage
Source: EisnerAmper LLP, February 2011 - Second Annual Board of Directors Survey - 2011: Concerns About Risks Confronting Boards

Managing Risk: Current Challenges
Primary Challenges
Nature & Motivation of Attacks
(Fame to national enemies)1
Transformation of Enterprise IT
(Delivery and consumption changes)2
Traditional DC Private Cloud Managed Cloud Public Cloud
Network Storage Servers
Delivery
Regulatory Pressures
(Increasing cost and complexity)3
A New Type of Adversary
Basel III
Enhanced Regulatory Environment

HP research: Top concerns for IT executives
67% 66% 63% 54%
Extremely concerned Somewhat concerned Not very concerned
Data privacy
and information
breaches
Lack of skilled
resources to effectively
manage security
Risk associated with more
consumption of apps/IT
services across public,
private & hybrid cloud
Risk associated with
more consumption of
apps/IT services
Source: HP 20:20 CIO Report, 2012

Cloud services: adoption is tempered by uncertainty
Security or related component is #1 concern/issue for most enterprises
LOB/IT CIO
Security
Performance
Reliability
Scalability
Service levels
Data security
& protection
Compliance
Auditing
Cost
Governance
Control
Availability

CSA: Cloud Computing Top Threats for 2013
Top Threats for 2013
1.Data Breaches
2.Data Loss
3.Account or Service Hijacking
4.Insecure Interfaces and APIs
5.Denial of Service
6.Malicious Insiders
7.Abuse of Cloud Services
8.Insufficient Due Diligence
9.Shared Technology Vulnerabilities
Security for
the cloud
http://cloudsecurityalliance.org/
1. HP’s Rafal Los co-chaired the CSA Top Threats working group
2. HP selected by CSA as Master Training Partner in APJ (initial region)

What do we mean by “cloud security”?
• Security for the cloud? Securely use cloud (consumers)
• Security from the cloud? Security-as-a-Service
• Security in the cloud? Embedded security (providers)
• Security across clouds? Hybrid models, interoperability
1
2
3
4

Cloud models require different security solutions…
Attack
surface
increases
composition of two
or more clouds
Hybrid cloud
Sold to the public,
mega-scale infrastructure
Public cloud
Shared infrastructure for
specific community
Community cloud
Enterprise-owned
or leased
Private cloud

... and different roles & responsibilities regarding security
Cloud
SaaS
PaaS
IaaS
SaaS: Software as a Service, generally provides
application, data and infrastructure security,
with varying degrees of compliance
PaaS: Platform as a Service, may provide some
additional security functions for IDM and secure
application development – security falls to app
developer and customer IT operations
IaaS: Infrastructure as a Service – providers generally
offer basic network & infrastructure security, firewalls,
some tools – but customer is generally responsible
for implementation,operations, monitoring

But what is really new about “cloud security”?
Many traditional security concerns are recast as a “cloud problem”. . .
• Many “cloud security incidents“ are issues with
web apps and data-hosting, but at greater scale…
- e.g. Phishing, downtime, data loss, weak passwords, compromised hosts running botnets, etc …
• Unexpected side channels and covert channels arising from shared-resource
environments in public services
- Activity patterns need to be protected in addition to apps and data
• Reputation fate sharing: possible blacklisting or service disruption due to “bad neighbors”
- Need “mutual auditability” (providers need to audit/monitor users)
• Longer trust chains: {SaaS to PaaS to IaaS}
– Y.Chen, et.al, “What’s New About Cloud Computing Security?” UC Berkeley, Jan.20, 2010

“It’snotaboutcloudsecurity–
it’saboutsecuringyour
enterprise’suseofcloud-based
services”
“Cloudsecuritybeginswith,
andaddsto,well-defined
enterprisesecurity”
Perspectives

Enterprise approach to cloud security
HP Enterprise Security Services Whitepaper
1. Establish a risk-based approach
2. Design applications to run in the cloud
3. Ongoing auditing and management

HP approach to complete information security
Establish a risk-based approach
Actionable
Security
Intelligence
Moving from Reactive to Proactive Information Security & Risk Management
Assess security investments and posture
Transform from silos to a comprehensive view
Optimize to proactively improve security posture
Manage security effectively
Establish a
risk based
approach

HP Cloud Security Risk and Control Assessment
Stage 1:
Assessment
Workshop
Business
Issues
Discovery
Strategic
Control Plan
Risk
Assessment
Scope
Engagement with senior management
Stage 2:
Risk
Assessment
Engagement with business-level security
Business
Risk
Assessment
Asset Risk
Assessment
Assets
Prioritized
by Risk
Stage 3:
Controls
Assessment
Cloud
Control
Measures
Consensus
Assessment
Prioritized
Security
Control Plan
Engagement with operational level security
Establish a
risk based
approach

Are your applications & data…
The path of least resistance?
Design apps to
run in cloud

Secure SDLC: protect data & IP Design apps to
run in cloud
Attacker
Software & data
Hardware
Network
Intellectual
property
Customer
data
Business
processes
Trade
secrets

The National Vulnerability Database (DHS/US-CERT)
• Lists >47,000 documented vulnerabilities
Undiscovered/unreported (0-day)
vulnerabilities are huge
• 20X1 multiplier
• 47,000 x 20 = estimated 940,000 vulnerabilities
replicated in many products
The risks
Vulnerabilities (security defects)
Quality issue: many more “underwater” than those reported “above the water”
Greater than 80% of attacks
happen at the application layer
Notes: HP research and 1“Public Vulnerabilities Are Tip of the Iceberg,” CNET News, June 1, 2007
Design apps to
run in cloud

The National Vulnerability Database (DHS/US-CERT)
• Lists >47,000 documented vulnerabilities
Undiscovered/unreported (0-day)
vulnerabilities are huge
• 20X1 multiplier
• 47,000 x 20 = estimated 940,000 vulnerabilities
replicated in many products
The risks
Vulnerabilities (security defects)
Quality issue: many more “underwater” than those reported “above the water”
But <1% of security spend is
allocated to application security !!!
Notes: HP research and 1“Public Vulnerabilities Are Tip of the Iceberg,” CNET News, June 1, 2007
Design apps to
run in cloud

Designing applications to run in the cloud
• Embed security in application architecture
• Address new attack surfaces early in design
• Encrypt “everything” by default – end-to-end
• Adopt new mindset to privacy
• Bounding processes around PII
(e.g. PCI tokenization example)
• Build in audit trails for forensics
• Conduct 3rd party reviews (CATA, Pen.Test)
Design apps to
run in cloud

Securing “data-in-process,” in addition to “at rest” and “in motion”
Encryption advances & alternatives∗
Advances
Broadcast encryption: encryption for
groups and memberships
Searchable symmetric encryption:
securely search encrypted data
Identity-based encryption: ad-hoc PKI,
user chooses his own public key
Predicate encryption: fine-grained PKI
Homomorphic encryption: emerging
techniques to compute on ciphertext
* Source: CSA Guidance v3.0Chapter 11
Alternatives*
Tokenization. Data sent to the public cloud
is altered (tokenized) and contains a reference
to the data residing in the private cloud.
Data anonymization. Personally identifiable
information (PII) is stripped before processing.
(Watch assumptions)
Utilizing cloud database controls. Using
(fine-grained) access controls at database
layer to provide segregation.
Design apps to
run in cloud

Architecting Security into Applications
Security assurance thought leadership
Requirements/
architecture & design
• Security requirements gap analysis
• Security designed in
• Dramatically reduces risk of vulnerabilities
• More complete and less expensive assurance
• Guides late lifecycle assurance
• The best response to a greater threat
Reactive
Traditional
Proactive
Extending security assurance
Higher ROI
The traditional approach is backwards.
It can never solve the problem by itself
but works great after proactively
prioritizing late life cycle
assurance focus
Post-release
First, people found
vulnerabilities,
patched, and issued
bulletins
Integration/
penetration test
• In-house, more proactive
• More expensive
in isolation
Coding
• Security code scanners
• Code review
• Better when design
supports security
Design apps to
run in cloud

Applications rationalisation
Cloud-specific
workload analysis
Risk analysis
& TCO
BPA
HP cloud applications transformation
Level 2 transformation strategy determination (x to x)
Level 1 transformation strategy determination (RE’s)
App
migration
Cloud
service
types
Cloud
deployment
models
IaaS PaaS SaaS
Public Private
Virtual
private
Dedicated/hosted
(retain, retire)
Suitable
for SaaS
Suitable for
preferred target/
public cloud
Need
modernisation
analysis
Not suitable
for cloud
Cloud suitability mapping
• Replace
• Re-architect
• Re-factor
• Re-host
App
migration
Apps
Design apps to
run in cloud

Applications modernization strategy
Re-factor Re-architect
Re-host Replace
Application
cloud
strategy
Codingeffort
New value generation potential
IaaS SaaS
PaaS
PaaS
SOA
Design apps to
run in cloud

Auditing cloud services
Continuous compliance monitoring is essential
to securely delivering cloud services and ensuring compliance
• Cloud Services are inherently dynamic. The dynamic provisioning and de-provisioning
of resources is a key part of the Cloud value proposition and business model
• Automation for operations and asset management are essential in this
dynamic environment
• Verification of compliance with policy and legislation – such as the EU Data Protection
Directive, GLBA, HIPAA, and Export compliance controls like ITAR –
requires continuously running automation
Yearly or monthly audits are irrelevant in an environment that changes
completely on a daily or hourly basis
Ongoing auditing
& management

Are we secure?
Continuous security monitoring Ongoing auditing
& management

What about infrastructure and network security?
• Infrastructure and network security are
critical areas for cloud-based solutions
• Enterprises have little or no influence on a
provider’s implementation and controls in
these areas
• A thorough review of the service provider’s
policies should be completed as part of the
due diligence process during contract
negotiation and service sourcing

5 key ways to reduce risk
1. Understand your risk profile
2. Architect for the cloud
3. Robust identity, access management
4. Confirm legal, compliance obligations, due diligence
5. “Clear Responsibility” – CSP, Customer, Both

Cloud security: guidance for critical areas
Architecture
1. Cloud computing architectural framework
Governance
2. Governance and enterprise risk management
3. Legal issues: contracts and electronic discovery
4. Compliance and audit management
5. Information management and data security
6. Interoperability and portability
Operations
7. Traditional security, business continuity,
and disaster recovery
8. Data center operations
9. Incident response
10. Application security
11. Encryption and key management
12. Identity, entitlement, and access management
13. Virtualization
Security for
the cloud
http://cloudsecurityalliance.org/
https://ccsk.cloudsecurityalliance.org/

Final thoughts
 Recognize the threats have changed and become
‘industrialized’
 Employ comprehensive and integrated approach to
enterprise security & risk management
 Conduct security threat analyses for all critical
applications
 Design in security from the beginning: essential
for public cloud usage
 Be vigilant: continual compliance monitoring and
audits, intrusion testing, verifiable backups…

Thankyou
Whitepaper: bit.ly/hpcloudsecurity
Email: ed.reynolds@hp.com
URL: hp.com/enterprise/security

Protecting What Matters...An Enterprise Approach to Cloud Security

More Related Content

What's hot

Viewers also liked

Similar to Protecting What Matters...An Enterprise Approach to Cloud Security

More from InnoTech

Recently uploaded

Protecting What Matters...An Enterprise Approach to Cloud Security