The Data Melting Pot – Computing in the Cloud
Becky Pinkard
Manager, Security Operations Centres
Research In Motion


Notable Quotes

• January 2010, Mark Zuckerberg (Facebook founder):
– People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people. That social norm is just something that has evolved over time.

• February 2010, Michael McConnell (former US Director of National Intelligence):
– We’re not going to do what we need to do; we’re going to have a catastrophic event [and] the government’s role is going to change dramatically, and then we’re going to go to a new infrastructure.

• February 2010, Scott Borg (US Cyber Consequences Unit director):
– The greatest damage to the American economy from cyber attacks is due to massive thefts of business information.

• May 2011, Howard Stringer (CEO, Sony):
– After spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can't guarantee the security of the company's videogame network or any other Web system in the "bad new world" of cybercrime.

Agenda

Data monitoring in the cloud

Why is data classification necessary?

Understanding the importance of policy development, buy-in and roll-out prior to cloud utilisation.

What kind of data is created? Where is it being used, stored, and/or transmitted? Who is using it?

Measuring data policy compliance and reporting on usage and policy deviation.

Data Privacy & Regulations

• 1995: EU Data Protection Directive regulates processing of personal data within EU

• 1998: Data Protection Act, primary UK legislation responsible for protecting personal data

• 2000: US-EU Safe Harbour Framework enacted to assist US companies when working with data belonging to EU citizens

• 2003: California becomes the first US state to enact a data security breach notification law covering credit card, medical and health insurance data of California citizens. (As of 10/2010: 46 States with legislation; 2011: 14 States introducing legislation)

• 2006: First compliance deadline set by the Payment Card Industry for compliance to their proposed Data Security Standard (PCI/DSS)

• 2009: European Council approves a data breach notification rule for European telecom companies

• 2010: The UK Information Commissioner imposed new timelines and monetary penalty amounts (up to £500K) against future serious breaches of the 1998 DPA

• May 26, 2011: The UK ICO is issuing new rules and guidance for websites using cookies to store data on end users’ systems.

What are we dealing with here?

• What kind of data is created?
– Personal data
– Credit card data
– Proprietary or intellectual property
– Company confidential data

• Who had access to it?
• Where is it stored?
• How do we maintain/track access?
• How do we report on provider compliance?

Definitions related to Data Privacy Regulation

• Data Protection Regulator
– In the UK, this function is carried out by the Information Commissioner’s Office

• Data Controller
– An individual who by themselves or jointly decides the purposes and the manner in which any personal data are processed
– Has responsibility for ensuring that the data is maintained in compliance with the Data Protection Act

• Data Processor
– Any individual or entity who obtains, records, and/or holds data
– Any entity performing operations on the data (including deleting, removing or otherwise destroying data) and/or disclosing it to third parties.

DPA Principles

The 8 principles of the DPA provide that data must be:
1. Fairly and lawfully processed
2. Obtained only for one or more specified and lawful purposes
3. Adequate, relevant and not excessive
4. Accurate and kept up-to-date
5. Kept no longer than necessary
6. Processed in accordance with the rights of the data subject
7. Kept secure against unlawful or unauthorised processing, or accidental loss or erasure
8. Not transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/the_principles.aspx

Cloud Computing Definition

• January 2011: NIST’s most recent definition for cloud computing released (Special Publication 800-145).

• It includes:
– 5 essential characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity and Measured service
– 3 service models: Cloud Software as a Service, Platform as a Service and Infrastructure as a Service
– 4 deployment models: Private, Community, Public or Hybrid

http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

Cloud Service Model Examples

• Software as a Service
– Cloud-based software is contracted out for customer use (e.g. Salesforce.com, Zoho Office, Taleo, Google Apps)

• Platform as a Service
– The provider hosts specific business development applications on behalf of the customer (e.g. Force.com, Google App Engine)

• Infrastructure as a Service
– A corporation’s entire data centre, storage or hardware needs could be hosted by the provider (e.g. 3Tera’s AppLogic, Liquid Computing’s LiquidQ, Amazon’s EC2)

Cloud Computing & Security Risks

Gartner’s “Seven cloud-computing security risks”
1. Privileged user access – providers should utilise employee security checks and control employee access to data
2. Regulatory compliance – customer remains the data owner, but the provider must be open to audit and certification
3. Data location – providers must agree by contractual commitment & conform to location-specific storage requirements and boundaries
4. Data at rest, in motion – segregation and encryption
5. Recovery assistance – replication and restoration in the event of disaster
6. Investigative support – contractual commitment for discovery and investigations
7. Long-term viability of the provider

http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853

Compliance and Reporting

• RSA’s Spring 2010 Security Bulletin:
– In cloud computing, the virtualization layer provides:
• Increased visibility into almost every activity involved in providing application services
• Fine-grained monitoring capabilities which can dramatically improve reporting processes for cloud auditing and compliance

• From a regulatory compliance perspective, the lack of physical borders can make it difficult to comply with jurisdiction-specific privacy legislation

http://www.rsa.com/newsletter/Vantage/Spring2010/Vantage_Cloud_Control.pdf 

Colocation Concerns

• Some additional items to keep in mind: http://www.colocationprovider.org/choosingacolocationprovider.htm

1. Does the Colocation Provider have technical staff available 24/7?

2. How long has the Colocation Service Provider been in business? Are they financially profitable?

3. Network redundancy and pipe size: how many other networks does the Colocation Provider connect to? What size connections exist?

4. What kind of security does the Colocation Facility offer?

5. Does the Colocation Provider have redundant power? Do they use a standard back-up generator or a prime source type of generator for back-up power?

6. Is the A/C System in each section of the Colocation Facility redundant?

7. Does the Colocation Provider offer secure locking cabinets or just racks in a shared cage?

8. Does the Provider offer worldwide colocation capabilities?

Cloud Computing is Not the Challenge

1. It’s no longer IT security or Information Security – it’s Data Security. (The perimeter is dead!)

2. Security will never be absolute.

As far as data leakage goes, it's not 'how' it will happen – it’s 'when'. As security professionals, we can no longer worry solely about securing the data; we have to focus on what it will cost us once the data has been breached.

Whoever pays less in the end wins.

Be Careful Out There

References

• http://www.pcworld.com/article/186584/facebook_ceo_challenges_the_social_norm_of_privacy.html
• http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/#ixzz0hJVBSbq2
• http://www.infowars.com/intel-boss-mcconnell-says-u-s-would-lose-cyberwar/
• http://loadtest.story.news.yahoo.com/s/afp/20100224/pl_afp/usitcomputersecurityinternet_20100224161832
• http://www.mondaq.com/article.asp?articleid=93070
• http://www.dft.gov.uk/about/informationcharter/dataprotectionact
• http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1373688,00.html
• http://www.networkworld.com/news/2009/042309-cloud-computing-a-security-nightmare.html
• http://www.scmagazineuk.com/avoiding-the-security-pitfalls-of-cloud-computing/article/118523/
• http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf

• http://www.ico.gov.uk/~/media/documents/pressreleases/2011/ico_welcomes_new_powers_news_release_20110420.ashx