Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Characteristics:
On-demand self-service
Broad network access
Resource pooling
Rapid elasticity
Measured service
Source: National Institute of Standards and Technology (NIST), US Dept. of Commerce, SP 800-145
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Service Models:
Software as a Service (SaaS)
Platform as a Service (PaaS)
Infrastructure as a Service (IaaS)
Deployment Models:
Private Cloud
Community Cloud
Public Cloud
Hybrid Cloud
Image Source: Wikipedia.org
Abstraction level and visibility
Assets (data and applications/processes) subject to:
Unavailability
Loss
Theft
Disclosure
Cost as a risk event
Privacy considerations
National Institute of Standards and Technology (NIST) Cybersecurity Framework: "to allow organizations – regardless of size, degree of cyber risk or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure."
Step 1: Prioritize and Scope
Step 2: Orient: identify the systems, assets, regulatory requirements and existing risk management approaches within the scope
Step 3: Create a Current Profile (which framework outcomes are achieved today)
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile (desired outcomes, informed by the assessment results)
Step 6: Determine, analyze and prioritize the gaps, and develop an Action Plan
Step 7: Implement the Action Plan
…rinse and repeat…
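To make steps 3 to 6 concrete, the following is an added example (not part of the original slides, and not NIST's own tooling): a small gap analysis between a Current Profile and a Target Profile. It assumes, hypothetically, that each profile maps a CSF subcategory identifier to an implementation tier from 1 to 4, that the organization has assigned a business-impact weight to each subcategory, and that priority is simply tier shortfall times impact. The profile values and weights are constructed for illustration.

```python
"""Added example: NIST CSF Current-vs-Target Profile gap analysis.

Assumptions (not from the slides): tiers are integers 1-4, an unassessed
subcategory in the Current Profile counts as tier 0, and priority is
(target tier - current tier) * business-impact weight.
"""
from dataclasses import dataclass

# Constructed sample profiles. Subcategory IDs follow CSF v1.x naming;
# the tier values and weights are made up for illustration.
CURRENT_PROFILE = {
    "ID.AM-1": 3,  # physical devices inventoried
    "ID.AM-2": 2,  # software platforms inventoried
    "PR.AC-1": 2,  # identities and credentials managed
    "PR.DS-1": 1,  # data at rest protected
    "DE.CM-1": 1,  # network monitored for events
    "RS.RP-1": 3,  # response plan executed during incidents
}

TARGET_PROFILE = {
    "ID.AM-1": 3,
    "ID.AM-2": 3,
    "PR.AC-1": 4,
    "PR.DS-1": 3,
    "DE.CM-1": 3,
    "RS.RP-1": 2,  # target below current: no action needed
    "RC.RP-1": 2,  # not assessed in the Current Profile at all
}

# Assumed business-impact weights: 1 = low, 3 = high.
IMPACT_WEIGHT = {
    "ID.AM-1": 1, "ID.AM-2": 1, "PR.AC-1": 3, "PR.DS-1": 3,
    "DE.CM-1": 2, "RS.RP-1": 2, "RC.RP-1": 2,
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int  # 0 means "not assessed" in the Current Profile
    target: int
    weight: int

    @property
    def score(self) -> int:
        """Prioritization heuristic (assumed): tier shortfall times impact."""
        return max(self.target - self.current, 0) * self.weight


def analyze_gaps(current: dict, target: dict, weight: dict) -> list:
    """Return the gaps between profiles, highest priority first.

    Subcategories whose current tier already meets or exceeds the target
    produce no gap; subcategories missing from the Current Profile are
    treated as unassessed (tier 0) so they surface rather than vanish.
    """
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)
        if tgt <= cur:
            continue
        gaps.append(Gap(sub, cur, tgt, weight.get(sub, 1)))
    # Sort by descending score, then by ID for a stable, reviewable order.
    return sorted(gaps, key=lambda g: (-g.score, g.subcategory))


def action_plan(gaps: list) -> list:
    """Render the prioritized gaps as action-plan lines (step 6)."""
    return [
        f"{g.subcategory}: raise tier {g.current} -> {g.target} (priority {g.score})"
        for g in gaps
    ]


if __name__ == "__main__":
    for line in action_plan(analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, IMPACT_WEIGHT)):
        print(line)
```

The point of treating an unassessed subcategory as tier 0 rather than skipping it is that an incomplete Current Profile is itself a finding: the recovery-planning item (RC.RP-1) lands in the plan with the monitoring gap instead of silently dropping out.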
Many initiatives to create certification frameworks:
Cloud Security Alliance (CSA)
European Union Agency for Network and Information Security (ENISA)
CloudWATCH Consortium
ISO/IEC standards: 27018:2014 (protection of PII in public clouds) and 27017:2015 (cloud-specific security controls)
Virtualization vendors
Defense Information Systems Agency (DISA)
Center for Internet Security (CIS)
National Information Assurance Partnership (NIAP)
American Institute of CPAs (AICPA) SOC 2 report
Country-specific initiatives:
US: Federal Risk and Authorization Management Program (FedRAMP)
UK: G-Cloud
Singapore: Multi-tier Cloud Security (MTCS)
Germany, France, Canada, Hong Kong, Australia, Israel, Turkey and Slovenia
SaaS: Software as a Service
Risk-decreasing factors:
Improved security (provider-operated baseline controls)
Application patch management
Risk-increasing factors:
Data ownership
Data disposal
Lack of visibility into software systems development life cycle (SDLC)
Identity and access management
Exit strategy
Broad (Internet-facing) exposure of applications
Ease of contracting SaaS (unsanctioned "shadow IT" subscriptions)
Lack of control of the release management process
Browser vulnerabilities
Public Cloud:
Risk-decreasing factors:
Public reputation
Risk-increasing factors:
Full sharing of the cloud (multi-tenant resource pooling)
Collateral damage (incidents affecting co-tenants or the provider affect you)
Private Cloud:
Risk-decreasing factors:
Can be built on-premises
Performance
Risk-increasing factors:
Application compatibility
Investments required
Cloud-IT skills required
Technical examples:
Multitenancy visibility
Hypervisor attacks
Application attacks
Application compatibility
Regulatory examples:
Asset ownership
Asset disposal
Asset location
Governance examples:
Physical security/access
Media management
Purchasing/contractual missteps
Support for audit/forensic evaluations
Adopt a risk control framework, then test and verify against the trust services criteria:
Security
Availability
Processing integrity
Confidentiality and privacy
Monitor the financial position and market recognition of the vendor(s)
Discuss vendor’s business continuity plans, disaster recovery plans, backup procedures and redundancy plans
Qualify and quantify your own organization’s data classifications; policies, principles and frameworks; organizational expectations for ethics and risk behavior
Detail the explicit contracts, service level agreements, communication processes, roles and responsibilities
Local law of the enterprise
Local law of the CSP
Local law where data are stored
Local law where data are processed
Prepare your internal environment
Select the cloud service model
Select the cloud deployment model
Select the cloud provider
Migrate & review continuously
Select a FRAMEWORK
Re-evaluate FRAMEWORK
Cristie Street: [email protected]
ISACA: http://www.isaca.org/cyber/pages/state-of-cybersecurity-implications-for-2016.aspx and http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/security-considerations-for-cloud-computing.aspx
Cloud Security Alliance: https://cloudsecurityalliance.org/
Homeland Security: https://ics-cert.us-cert.gov/Assessments
NIST: http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
NIST: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
HITRUST Alliance: https://hitrustalliance.net/content/uploads/2015/11/PrelimnaryDraftHPHCyberFrameworkImplementationGuide-20151110.pdf
OWASP: https://www.owasp.org/index.php/Main_Page
Stay Safe Online: http://www.staysafeonline.org/