Cloud Security Guideline v1 · 2012-10-25

Page 1

By Vorapoj Lookmaipun, CISSP, CISA, CISM, CRISC, CEH
[email protected]

Agenda

• Security Cases
• What is Cloud?
• Road Map
• Security Concerns

Page 2

Security Cases on Cloud

• Data Protection
  – Two arrested in iPad security breach (Jan 2011): two computer hackers gathered the email addresses and personal information of 120,000 Apple iPad users.
  – Epsilon breach (April 2011): Epsilon, an email marketing company (serving Best Buy, Ethan Allen, Walgreens and Target), had the email address lists of 50 clients compromised; the hackers then sent out phishing emails masquerading as the client to the client's customers.
• Data Availability
  – Hotmail (Jan 2011): 17,355 customers were impacted and temporarily lost their mail contents during mailbox load balancing between servers.
  – Amazon EC2 (web hosting) offline (April 2011): Foursquare, Reddit and Quora were among the sites that went offline.

Page 3

Security Cases on Cloud

• Denial of Service
  – Bot herders hid a master control channel in the Google cloud (October 2009): Google's App Engine was tapped to act as the master control channel, which downloaded a malicious program to infected PCs to make them part of a botnet.
• Data breach
  – Gawker news sites compromised (Dec 2010): the Gawker news sites (Gizmodo, Lifehacker, Kotaku, io9 and Jezebel) had 1.3 million passwords stolen and uploaded via a torrent file.
  – Microsoft BPOS hacked (Dec 2010): Microsoft Business Productivity Online Suite was accessed and company data was downloaded. BPOS includes Exchange Online, SharePoint Online, Office Communications Online and Office Live Meeting. Data of MS BPOS Standard customers could be downloaded by other customers of the service.

Page 4

Survey – Cloud computing

• Data breaches are the main concern for businesses moving to the cloud
• More than 40% of respondents report that their organization uses cloud computing
  – 69% SaaS
  – 47% IaaS
  – 55% PaaS

Source: The 2012 Global State of Information Security Survey by PwC

Page 5

Survey – Cloud computing

• Has the cloud improved security?
  – 54% Yes
  – 23% Believe security has "weakened"
  – 18% No change
  – 5% Don't know

Source: The 2012 Global State of Information Security Survey by PwC

Survey – Cloud computing

• What are the greatest risks to cloud computing strategies?
  – 32% Uncertain ability to enforce provider site security policies
  – 19% Inadequate training and IT auditing
  – 15% Questionable privileged access control at provider site
  – 11% Proximity of data to someone else's
  – 9% Uncertain ability to recover data

Source: The 2012 Global State of Information Security Survey by PwC

Page 6

WHAT IS CLOUD?

Page 7

What is Cloud?

Cloud Computing Economies of Scale

• NIST SP 800-145 – The NIST Definition of Cloud Computing (2011)
  "A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Page 8

What is Cloud Computing?

Composed of
– 5 Essential characteristics
– 3 Service models
– 4 Deployment models

Essential Characteristics

• 5 Essential Characteristics
  1. On-demand self service
  2. Broad network access
  3. Resource pooling
  4. Rapid elasticity
  5. Measured service

Page 9

Essential Characteristics

1. On-demand self service
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically, without requiring human interaction with each service provider.
(Rented by time period, in minutes)

Essential Characteristics

2. Broad network access
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones, tablets, laptops, and workstations).
(From any device, from anywhere)

Page 10

Essential Characteristics

3. Resource pooling
The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
(Reduces cost)

Page 11

Essential Characteristics

4. Rapid elasticity
Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
(Highly flexible and fast)

Essential Characteristics

5. Measured service
Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g. storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.

Page 12

Service Models

• 3 Service Models
  1. Infrastructure as a Service (IaaS)
  2. Platform as a Service (PaaS)
  3. Software as a Service (SaaS)

Service Models

1. Infrastructure as a Service (IaaS)
The provider supplies hardware and network connectivity. The tenant is responsible for the virtual machine and everything that runs within it.

Page 13

Service Models

2. Platform as a Service (PaaS)
The tenant supplies the application they wish to deploy, and the provider supplies all the components required to run the application.

Service Models

3. Software as a Service (SaaS)
The provider supplies the application and all the components required to run it. SaaS is designed to be a turnkey solution for the tenant.

Page 14

Cloud Service Models

[Figure: stack diagram comparing SaaS, PaaS, IaaS and Private Cloud. Layers, top to bottom: API/GUI, Application, Solution Stack, Network, Hypervisor, Virtual Machine, Compute & Storage, Facility. Legend: Tenant / Provider, marking which layers are managed by the tenant and which by the provider in each model.]

Page 15

STRUCTURE OF SERVICE MODEL

• SaaS: Google Docs, Salesforce CRM, DeskAway, Gmail
• PaaS: Force.com, App Engine, MS Azure
• IaaS: Rackspace.com, GoGrid, EC2

Deployment Models

• 4 Deployment Models
  1. Private cloud
  2. Community cloud
  3. Public cloud
  4. Hybrid cloud

Page 16

Deployment Models

1. Private cloud
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Deployment Models

2. Community cloud
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Page 17

Deployment Models

3. Public cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Deployment Models

4. Hybrid cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).

Page 18

Deployment Models

• Where the infrastructure may be located, per the definitions above:

  Model       Provider Data Center   Consumer Data Center
  Private     Yes                    Yes
  Community   Yes                    Yes
  Public      Yes                    No
  Hybrid      Yes                    Yes

ROAD MAP ON CLOUD

Page 19

Road Map on Cloud Computing

[Figure: The Virtualization Tipping Point in 2012]

Page 20

[Figure: Road Map on Cloud – 2010]

[Figure: Road Map on Cloud – 2011]

Page 21

[Figure: Hype Cycle for Cloud Computing]

[Figure: Hype Cycle for Security Tools]

Page 22

SECURITY CONCERNS ON CLOUD

Top 7 Threats to Cloud Computing (CSA)

1. Abuse and Nefarious Use of Cloud Computing (IaaS, PaaS)
2. Insecure Interfaces and APIs (IaaS, PaaS, SaaS)
3. Malicious Insiders (IaaS, PaaS, SaaS)
4. Shared Technology Issues (IaaS)
5. Data Loss or Leakage (IaaS, PaaS, SaaS)
6. Account or Service Hijacking (IaaS, PaaS, SaaS)
7. Unknown Risk Profile (IaaS, PaaS, SaaS)

Page 23

Security Concerns on Cloud

• Firewall
  – No longer rely on the on-premises firewall.
• Antimalware
  – Deploy antimalware at the hypervisor layer instead of inside each VM's OS.
• IPS/IDS
  – Implement IPS/IDS as an added security layer within the infrastructure to detect potential intrusion, misuse, or insider threat, especially at the hypervisor layer.

Security Concerns on Cloud

• Identity Management
  – Ensure all IDs meet the password management and complexity policy.
  – Passwords are stored in an encrypted format, and password transmission between systems and applications is encrypted.
  – Management has a key role in meeting compliance and regulatory requirements.

Page 24

Security Concerns on Cloud

• Access Management
  – Minimum 2-factor authentication for all applications and systems
  – Use VPN-based connections
  – If VPN access is unavailable, use a secure network protocol such as IPsec, SSH or SSL

Security Concerns on Cloud

• Logging, including
  – System logs
  – Network IPS logs
  – Identity and access logs

Page 25

Security Concerns on Cloud

• Your logging solution captures
  – Failed login attempts
  – Privileged access attempts
  – Privileged activities
  – Access attempts to sensitive data
  – Access attempts to audit trail data
  – Start and stop of services or applications
  – System shutdown or start up

Security Concerns on Cloud

• Logging
  – Each event should contain at minimum
    • User ID
    • Date and timestamp
    • Event description
    • Event source
    • Event success or failure
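The two logging slides above give a checklist but no way to verify it. As an added example (not part of the original deck), the Python below checks a stream of JSON log events against that checklist: every event must carry the five minimum fields, every required event category should appear somewhere in the stream (a category that never shows up is a collection gap, not evidence that nothing happened), and the failed-login events are run through a sliding-window detector. The field names, category values and sample log lines are constructed for this example and do not correspond to any real product's log format.

```python
"""Log-event completeness check and a simple failed-login burst detector.

Added example, not part of the original slide deck. The event schema
(user_id, timestamp, description, source, outcome) mirrors the minimum
fields on the slide; REQUIRED_CATEGORIES mirrors the list of what the
logging solution must capture. Field names and sample lines are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Minimum fields per event, taken from the slide's list.
REQUIRED_FIELDS = ("user_id", "timestamp", "description", "source", "outcome")

# Event categories the slide says must be captured, keyed by the
# constructed "category" value used in the sample lines.
REQUIRED_CATEGORIES = {
    "login_failed": "Failed login attempts",
    "privileged_access_attempt": "Privileged access attempts",
    "privileged_activity": "Privileged activities",
    "sensitive_data_access": "Access attempts to sensitive data",
    "audit_trail_access": "Access attempts to audit trail data",
    "service_lifecycle": "Start and stop of services or applications",
    "system_lifecycle": "System shutdown or start up",
}

# Constructed sample log (JSON, one event per line). The carol event is
# deliberately missing "outcome" to show the schema check firing.
SAMPLE_LOG = """\
{"user_id": "alice", "timestamp": "2012-10-25T09:00:00Z", "category": "login_failed", "description": "SSH login", "source": "vm-web-01", "outcome": "failure"}
{"user_id": "alice", "timestamp": "2012-10-25T09:01:10Z", "category": "login_failed", "description": "SSH login", "source": "vm-web-01", "outcome": "failure"}
{"user_id": "alice", "timestamp": "2012-10-25T09:02:30Z", "category": "login_failed", "description": "SSH login", "source": "vm-web-01", "outcome": "failure"}
{"user_id": "alice", "timestamp": "2012-10-25T09:03:00Z", "category": "login_success", "description": "SSH login", "source": "vm-web-01", "outcome": "success"}
{"user_id": "bob", "timestamp": "2012-10-25T09:10:00Z", "category": "privileged_activity", "description": "sudo service stop", "source": "vm-db-01", "outcome": "success"}
{"user_id": "bob", "timestamp": "2012-10-25T09:10:01Z", "category": "service_lifecycle", "description": "mysqld stopped", "source": "vm-db-01", "outcome": "success"}
{"user_id": "carol", "timestamp": "2012-10-25T10:00:00Z", "category": "login_failed", "description": "Portal login", "source": "portal"}
{"user_id": "dave", "timestamp": "2012-10-25T11:00:00Z", "category": "sensitive_data_access", "description": "Export customer table", "source": "crm", "outcome": "success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts; malformed lines are skipped but counted."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            malformed += 1
    return events, malformed


def missing_fields(event):
    """Return the minimum fields this event lacks (empty tuple if complete)."""
    return tuple(f for f in REQUIRED_FIELDS if not event.get(f))


def incomplete_events(events):
    """List (index, missing fields) for events that fail the minimum schema."""
    result = []
    for i, event in enumerate(events):
        missing = missing_fields(event)
        if missing:
            result.append((i, missing))
    return result


def category_gaps(events):
    """Required categories that never appear in the stream (sorted)."""
    seen = {e.get("category") for e in events}
    return sorted(c for c in REQUIRED_CATEGORIES if c not in seen)


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map user -> peak count of failed logins inside any sliding window.

    Events are sorted by timestamp first so out-of-order delivery cannot
    hide a burst; events lacking a usable timestamp or user are ignored.
    """
    failures = sorted(
        (datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ"), e["user_id"])
        for e in events
        if e.get("category") == "login_failed" and e.get("timestamp") and e.get("user_id")
    )
    recent = defaultdict(deque)
    flagged = {}
    for ts, user in failures:
        window_events = recent[user]
        window_events.append(ts)
        while window_events and ts - window_events[0] > window:
            window_events.popleft()
        if len(window_events) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(window_events))
    return flagged


if __name__ == "__main__":
    events, malformed = parse_events(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {malformed} malformed")
    for i, missing in incomplete_events(events):
        print(f"event {i} missing fields: {', '.join(missing)}")
    for cat in category_gaps(events):
        print(f"no '{REQUIRED_CATEGORIES[cat]}' events seen; check the collector")
    for user, n in failed_login_bursts(events).items():
        print(f"{user}: {n} failed logins within 5 minutes")
```

On the sample stream this reports the carol event as missing its outcome, three required categories (privileged access attempts, audit trail access, system start/stop) with no events at all, and alice crossing three failures within five minutes. The category-gap check is the one practitioners most often skip: a SIEM that never receives audit-trail access events will happily report zero incidents.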

Page 26

Security Concerns on Cloud

• Data Security
  – Data loss is a primary concern of IT managers across the globe.
  – Your data protection solution should address both internal and external threats.
  – Most standards require organizations to protect their data at rest (data encryption).
    • Data at Rest includes files stored on servers and removable media
    • Data in Process includes real-time transactional data, such as data processed in a database
    • Data in Transit focuses on network protocols and data passing over wired and Wi-Fi networks
    • If possible, store keys outside of your cloud environment

Security Concerns on Cloud

• Application Security
  – Create a website risk management plan that will heighten awareness and will protect valuable corporate and customer data from attackers.

Page 27

Standards and Policies

• Access Controls
• Incident Response and Management
• System and Network Configuration Backups
• Security Testing
• Data and Communications Encryption
• Password Standards
• Continuous Monitoring

Recommendations

• Get security right in the private cloud first, then extend to hybrid and public cloud
• Map workloads to the right "style" of cloud security
• Begin planning for augmenting existing security delivery mechanisms with Security as a Service options
• Separation and auditability are key issues in maintaining security
• Don't trust the infrastructure to secure the infrastructure

Page 28

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

1. Cloud Computing Architectural Framework
2. Governance and Enterprise Risk Management
3. Legal Issues: Contracts and Electronic Discovery
4. Compliance and Audit Management
5. Information Management and Data Security
6. Interoperability and Portability
7. Traditional Security, Business Continuity, and Disaster Recovery
8. Data Center Operations
9. Incident Response
10. Application Security

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

11. Encryption and Key Management
12. Identity, Entitlement, and Access Management
13. Virtualization
14. Security as a Service

Page 29

Security as a Service (SaaS) of Interest

• Identity Services and Access Management Services
• Data Loss Prevention (DLP)
• Web Security
• Email Security
• Security Assessments
• Intrusion Management, Detection, and Prevention (IDS/IPS)
• Security Information and Event Management (SIEM)
• Encryption
• Business Continuity and Disaster Recovery
• Network Security

Additional Information

• Proactively Hardening Your Cloud
  – NIST
    • http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
    • http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/
  – Cloud Security Alliance
    • https://cloudsecurityalliance.org/
    • http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
