Cloud Security ("securing the cloud")

Booz | Allen | Hamilton

NGI-4: CloudThe Technical Foundations of Security and Interoperability

Vic WinklerJuly 2011

Washington, DC

Overview

The Technical Foundations of Security and Interoperability

This presentation is based on my book:

“Securing the Cloud: Cloud Computer Security Techniques and Tactics”

Vic Winkler (Elsevier/Syngress May 2011)

Graphics are Copywrited by Elsevier/Syngress 2011

My experiences in designing, implementing and operating the security for:

“SunGrid” (2004+), “Network.com” (2006+) and “The Sun Public Cloud” (2007+)

…And research into best practices in cloud security (2008-2011)

Previously, I:

Was a pioneer in network and systems based intrusion detection

Designed a B1 trusted Unix system

Graphics copyright Elsevier/Syngress 2011 2

Booz | Allen | HamiltonGraphics copyright Elsevier/Syngress 2011 3

A Brief, Distorted View of History

Overview

ContinuingTechnologyEvolution

More “Evolution” than “Revolution”

So,what

is“cloud”?

A Minor Problem With Words…

Most common question: Is “cloud” secure?

Booz | Allen | Hamilton 6

Booz Allen:Cloud Computing “Quick Look” Assessment

Business/Mission Technology Security

Governance &Change Management

IT Management Organization

Economics

Policy

The QLA approach analyzes the organization and its potential cloud candidate functions and applications across eight Cloud Computing Factors, providing an in-depth assessment and suitability rating for each.

Cloud: A Model for Computing,A Model for Service Delivery

• “Cloud Services" – IT model for service delivery: Expressed, delivered and consumed over the Internet or private network– Infrastructure-as-a-Service (IaaS)– Platform-as-a-Service (PaaS)– Software-as-a-Service (SaaS)

• “Cloud Computing”– IT model for computing – Environment composed of IT components

necessary to develop & deliver "cloud services”

The Services StackTwo Perspectives

What about security?

…“Confidentiality”, “Integrity” and “Availability”?

The NIST Cloud Model

Security Concerns?

• 10. Unknown Risks: Concern that cloud computing brings new classes of risks and vulnerabilities

• 9. Control over Data: User data may be comingled with data belonging to others.

• 8. Legal and Regulatory Compliance: It may be difficult (unrealistic?) to utilize public clouds when data is subject to legal restrictions or regulatory compliance

• 7. Disaster Recovery and Business Continuity: Cloud tenants and users require confidence that their operations and services will continue despite a disaster

• 6. Security Incidents: Tenants and users need to be informed and supported by a provider

• 5. Transparency: Trust in a cloud provider’s security claims entails provider transparency

• 4. Cloud Provider Viability: Since cloud providers are relatively new to the business, there are questions about provider viability and commitment

• 3. Privacy and Data concerns with public or community clouds: Data may not remain in the same system, raising multiple legal concerns

• 2. User Error: A user may inadvertently leak highly sensitive or classified information into a public cloud

• 1. Network Availability: The cloud must be available whenever you need it

Security ConcernsSensitive Data & Regulatory Compliance

Security ConcernsTransparency

Security ConcernsExample of Private Cloud Concerns

Security ConcernsTrade Offs

Cloud Services are Expressed From Cloud IT Infrastructure

Virtualization and Elastic Service Expression

Is Organizational Control Good for Security?

Scope of Control

IaaS, PaaS and SaaS: Data Ownership

Organizational Control with Private versus Public

Cloud Demands Advanced Management Capabilities(This should benefit security)

Planning for Competitive Pricing (…in other words, “cost-effective security”)

Planning for Fundamental Changes

Patterns are Key for Cloud Infrastructure

…Patterns are Key for Cloud Infrastructure

ExampleSeparate Paths, Separate Networks

Example…Separate Paths, Separate Networks

Assessment:Is it “Correct”, “Secure” and Does it Meet Requirements?

How Much Assurance?

Operationally, How Will you Know?

Security MonitoringA High-Volume Activity

Monitoring Really Wants To BeA Near-Real-Time Feedback Loop

Beyond Security MonitoringIntegrated Operational Security

ExampleSecurity Use for CMDB

Defense-in-Depth in Infrastructure

What are the BIG Lessons?

• Provider– Model T approach: Any color the customer wants …as long as it’s “black”

• Special requests undercut profits– Plan ahead: Focus on eventual operations costs and on the certainty of change to the infrastructure– Seek to automate almost everything:

• Identify procedures/processes to drive down costs• Identify and refine patterns

– Segregate information• Don’t mix infrastructure management information • …with security information • …with customer data …etc.

– Architect for completely separate paths:• (Public) (Infrastructure control) (Network device control) (Security management)• Entails a differentiated set of networks• Isolate, Isolate, Isolate• Encrypt, Encrypt, Encrypt

• Consumer– Who is the provider?– What are you really buying? Transparency, independent verification, indemnification?

Thank You

Business: Winkler_Joachim@BAH.Com

Personal: Vic@VicWinkler.Com

Phone: 703.622.7111

“Securing the Cloud: Cloud Computer Security Techniques and Tactics”

Vic Winkler (Elsevier/Syngress 2011)

Cloud Security ("securing the cloud")

Technology

WSO2Con US 2013 - Securing Cloud and Mobile: Pragmatic Enterprise Security Architecture

Securing your cloud with Xen's advanced security features

Securing a Large Project with Private Cloud Computing · Cloud Computing Security Challenges • Addressing Security via Private Cloud ... Cloud Computing Security Challenges •

Keystone Security – OpenStack Summit Atlanta 1 Keystone Security A Symantec Perspective on Securing Keystone Keith Newstadt Cloud Services Architect

SonicWall Cloud App Security...SonicWall Cloud App Security Securing cloud application usage through visibility and control SonicWall Cloud App Security is a cloud service that provides

Securing the Private Cloud - IT Best of Breedi.crn.com/.../WP_Securing_Private_Cloud_Aug2016.pdf · Securing the Private Cloud Advanced Threats Require Advanced Security. 2 WHITE

Securing Apps and Data in the Cloud and On-Premises with OneLogin and Duo Security

2018 Report The State of Securing Cloud Workloads Pages/Alcide... · Securing cloud workloads is still largely the responsibility of the corporate IT security team, but there is a

Securing and Auditing Cloud Computing Jason Alexander Chief Information Security Officer

Best Practices for Workload Security: Securing Servers in Modern Data Center and Cloud

Securing the Cloud - GSE Young Professionals IBM Security for Cloud... · Securing the Cloud Johan Van Mengsel ... Risks introduced by cloud computing Less Control Data Security Security

Securing the Cloud from The z/OS Perspective. Introduction The history of The Cloud How virtualization allows for Cloud computing The Cloud Security Exposures

Week 5: Security Unit 5: Securing Cloud Foundry

Securing Your Data in the Cloud...Securing Your Data in the Cloud 2 About ASSURSEC ASSURSEC is a growing Cybersecurity consulting firm specializing in Cloud Security, Cyber Security,

Securing a business advantage - ITSecure Kft. Security and Cloud Services 2010.pdf · securing a business advantage for your ... Introduction The cloud offers a ... • Rollbase •

Cloud Security: Securing The Invisible Thing · Cloud Security: Securing The Invisible Thing Mohammad FebriR, OSCP, CEH –Sr. Security Engineer mohammad.ramadlan@tiket.com. Agenda

Securing the Microsoft Cloud the Microsoft Cloud Page 3 Cloud security challenges Cloud computing offers both challenges and opportunities for organizations looking to harness the

SECURING YOUR NEW PUBLIC CLOUD - ITC Secure ......SECURING YOUR NEW PUBLIC CLOUD Secure Your New Public Cloud 21st Century IT Security Cloud Security Shared Responsibility Model CUSTOMERDATA

Securing Oracle ERP Cloud ERP Cloud - Oracle Help Center · Oracle ERP Cloud Securing Oracle ERP Cloud Contents Preface i 1Introduction 1 Securing Oracle ERP Cloud: Overview

Confident Cloud Journeys - Microsoft · Securing Your Cloud Journey secure sure Microsoft Cloud provides an extraordinary opportunity for organisations to enhance their existing security