Cloud Security Framework (CSF)
Please send comments & suggestions to Suren Karavettil ([email protected])
December 09th, 2010
Contributors: Suren Karavettil, Bhumip Khasnabish, Ning So, Gene Golovinsky, and Meng Yu
12/9/2010 1
IETF IPR and Copyright Statements
• This document (future Internet-Draft) is being prepared for IETF in full conformance with the provisions of BCP 78 and BCP 79
• Copyright Notice
– Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
• This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info)
Outline
• Definition
• Security Components Relationships
• Few purposes of CSF
• Cloud Resources & their Usage
• Expected Coverage Areas by CSF
• Security Layers
• Security Layers & Security Control Requirement Areas (multiple slides on this topic)
• Represent Security requirements based on OSI layers
• Information Management requirements
A Definition
• Cloud Security Framework (CSF) establishes security standards, policies, procedures and guidelines for the Cloud Service Providers (CSP). Standards would enable CSP organizations and development organizations using their service to practice safe security techniques for their applications and intra & inter CSP information exchange. The policies provide overarching guidance for the CSPs on matters affecting the security of their customer information, while procedures & guidelines document the best practices, methods and compliance requirements as appropriate to ensure that the objectives of the standards & policies are met.
Security Components Relationships
Fundamental Security Principle, CIA triad – Confidentiality, Integrity, Availability
Asset x Agent Matrix = Access Control
Threat x Vulnerability Matrix = Risk
Few Purposes for Cloud Security Framework
• Multi-tenant isolation.
• Multi-Cloud Services integrated application at different CSPs.
• Backup & Recovery of information (import/export across CSPs).
• Business Continuity & Disaster Recovery.
• Inter-Cloud Information Exchange between CSPs.
• Load balancing multi-tenant users in cloud.
• Reduce human intervention in provisioning & management.
Cloud Resources & their Usage
Expected Coverage Areas by CSF
• CSF shall be applicable to both Cloud Applications (CloudApps) and Cloud Operations (CloudOps). Some of the intended areas of requirements that may be expected to be covered by CSF are:
– Guidelines
– Procedures
– Best Practices
– Policies
– Standards
– Governance & Audit
– Regulations & Compliance
– Configuration Management
– Incident Management & Information Reporting
– Risk Management
Security Layers
• Application & Services Security
• Data Security
• Systems Security
• Network Security
• Physical Security
• Operational & Environmental Security
• Information Management
Security Layers & Security Controls Requirements – Apps & Services
• Application & Services Security Requirements Areas
– User & Resource Identification
– Authentication
– Authorization (Privileges & Roles)
– Accountability
– Multi-tenant isolation
• Few Threats
– Session Hijacking
– Input Data Validation
– Cross-Site Scripting
– Access Control Hijacking
– Cross-Site Request Forgery
– Client-Side override hijacking
Security Layers & Security Controls Requirements – Data
• Data Security Requirements Areas
– Data Integrity
– Privacy
– Multi-tenant isolation
– Cryptography
– Data Transformation (OR Mapping)
• Few Threats
– Input Data Validation
– SQL & XML Injection
– Buffer Overflow
Security Layers & Security Controls Requirements – Systems
• Systems Security Requirements Areas
– Host Intrusion (Detection)
– Servers (Web Servers, Application Servers, Database Servers)
– Directory Services
– Domain Services
– PKI
– Role Based Access
– Multi-tenant isolation
– Load balancing (Sticky)
– Cryptography
– Transport Level Security (e.g. HTTPS)
• Few Threats
– Denial of Service
– LDAP injection
– Lack of sufficient Auditing
– Parameter Tampering
Security Layers & Security Controls Requirements – Network
• Network Security Requirements Areas
– VPN
– Virus Scanning
– Load balancing (Sticky)
– DMZ
– VLAN
– Bandwidth Management
– Firewalls
– System Access logs (syslog)
– Network Intrusion (Detection & Prevention)
– Multi-tenant isolation
• Few Threats
– Man-in-the-middle attack (Lack of Transport Level Security)
– Spoofing attack
– Risk due to lack of Separation of data (logs, load, configuration, etc)
– Risk due to lack of Separation of duties
– VLAN configuration & bandwidth management across orgs and media data (video, voice, data).
Security Layers & Security Controls Requirements – Physical
• Physical Security Requirements Areas
– Access Control Card Readers
– Wired Cables
– Communication Rooms
– Wireless Networks
– Network Elements
– Power Supply
– HVAC, Fire & Cameras, Sensors
• Few Threats
– Access Control
– Risk due to lack of Separation of duties
– Risk to Business Continuity
Security Layers & Security Controls Requirements – Ops & Environment
• Operational & Environmental Security Requirements Areas
– Asset Management
– Personnel Management
– Operational Procedures
– Business Hours & Resource Access Privileges
• Few Risks
– Asset tracking, isolation
– Personnel tracking, isolation and knowledge
Security Layers & Security Controls Requirements – Management
• Information Management Requirements Areas
– Alarms & Alerts based Incident Management
– Configuration Management
    • Change Management (Virus DAT or Windows updates, software releases), Testing & Assurance, COTS Product Evaluation, etc
– Business Continuity & Disaster Recovery
    • Backup & Recovery
    • Service Level Agreements
– Governance, Audit & Risk Management
    • Policies
        – Password Management, etc
    • Access Governance
    • Logging & Auditing data
– Legal, Investigation, Regulations & Compliance
    • PCI, HIPAA, SOX
    • Privacy
    • Forensics investigation
• Few Risks
– Time sensitive alerts to management and businesses on incidents
– Lack of controls
– Security breaches
– Lack of Certifications
– Compliance
– Forensics data availability
– Intellectual Property Rights
Represent Security Requirements based on OSI Layer Mapping
coming soon…
Q&A Discussion
• Framework
• Requirements
• Next Steps
--------------------------
• Thoughts
• Questions
• Suggestions
Client-Side Security Requirements
coming soon…
Server (CloudCenter/DataCenter)-Side Security Requirements
coming soon…
Cloud Service Session Bundling Security Requirements
coming soon…
Data Duplication API Authentication & Security Requirements
coming soon…
Data De-Duplication API Authentication & Security Requirements
coming soon…
Layer-2 Virtualization & Load Balancing Security Requirements
coming soon…
Layer-3 Virtualization & Load Balancing Security Requirements
coming soon…
Information Management Requirements
coming soon…