Thin Air or Solid Ground? Practical Cloud Security

Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved 1

Agenda

• Introduction: your presenter; service models
• The cloud landscape today: adoption; market for cloud security products
• Tales from the cloud (AWS & elsewhere): building a cloud security program from scratch; Dan’s top 10 (it goes up to 11!); gotchas
• Looking ahead: open APIs; CASB
• Wrap-up & discussion: helpful resources; appendices

Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.

-Sun Tzu


About Me…

Professional

• CISO at Uptake, a Chicago data analytics startup that developed a cloud-based predictive analytics platform for the IoT of global industry and infrastructure
• Started my security career in Silicon Valley in the late 90s
• Accenture, PwC & independent consulting
• Consulted for the 2004 Athens Olympics and lived in Greece
• Done security work on four continents

Personal

• Live in Oak Park, grew up in NJ (go Yankees!)
• Will write the great American novel one day
• Love to travel

Today’s Cloud Landscape


Some Stats on Cloud Adoption

• APAC will generate 2.3 zettabytes of cloud traffic by 2018*
• Consumer cloud storage traffic: 10 exabytes globally in 2016, 19 exabytes in 2018*
• Cloud data center traffic will represent 76% of total data center traffic by 2018, compared to 54% in 2013
• Globally, cloud data center traffic will reach 6.5 zettabytes per year (541 exabytes per month) by 2018, up from 1.6 zettabytes per year (137 exabytes per month) in 2013
• Non-IT C-suite executives manage 37% of IT spend decisions on cloud technology adoption*
• 55% of C-level respondents were unable to identify basic attributes of hybrid cloud
• 69% of respondents indicated hybrid cloud should be the biggest priority for their business**
• 72% plan to adopt hybrid solutions in 2015!

*Cisco Global Cloud Index 2013-2018 (2014)
**Avanade Global Study: Hybrid Cloud—From Hype to Reality (2014)

Evolving Service Models

The boundaries between SaaS, PaaS, & IaaS are blurring.

Source: Forrester, The Forrester Wave™: Enterprise Public Cloud Platforms, Q4 2014, December 29, 2014

Huge Growth in Cloud Security Vendors

• Secure email: $942m in 2015, $1b by 2017
• IdM: $860m in 2015, $1.2b by 2017
• Multifunction Identity as a Service (IDaaS) is the primary growth area
• SSO also significant
• SMB sectors are driving a lot of the growth, but large enterprises are also a factor

Tales from the cloud (AWS & elsewhere)


My experiences and recommendations


Chicken Little & the Pompous Engineer

Cloud is not all that new, or that different from security in traditional IT systems or hosting relationships, but many folks seem to lose their reason when evaluating cloud solutions and security.

[Slide graphic: a knowledge spectrum running from "Too little" to "Too much"; the target in the middle is informed risk-based decisions.]

Informed risk-based decisions
• No ‘one size fits all’
• Based on your business requirements & risk appetite
• Regulatory & geographical profile

The Shared Responsibility Concept

• AWS-specific diagram, but the concepts do apply elsewhere
• Scope is key
• 3rd party certifications should be a significant focus as you build your cloud security program
• **Avoid the “checklist mentality”**

Provider Security Certifications

Source: Forrester, The Forrester Wave™: Public Cloud Platform Service Provider’s Security (2014)

Building a cloud security program from scratch

Business Background

• SaaS predictive analytics platform
• Company ~1 year old
• Explosive growth: 60 employees when I started, now 250+
• Brought on as CISO prior to an internal IT team/CIO
• Target customers: Fortune 500
• Low risk tolerance
• Significant customer and regulatory requirements

Technology

• AWS environment w/VPCs
• DevOps/Agile environment, heavy development focus
• Limited knowledge of enterprise IT practices

Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)

What We Did First

1. Socializing security
• Charm & informal security awareness offensive
• Management by walking around

2. Establish core security program
• Risk assessments
• Control roadmap
• Create charter, governance framework
• Service providers

3. Conduct tactical remediation
• Technical risks/low-hanging fruit
• Negotiate immediate customer requirements & establish temporary policies

4. Secure infrastructure design & build
• Vendors, vendors, vendors

Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)


High Level Program


High Level Architecture

Build out security services layer/ command centers


Underlying Architecture Components

Dan’s top 10

1. Embrace the changes

2. Maintain or improve your focus on risk management
• Use CSA, NIST and other resources
• Tighten up VRM posture
• How will you maintain your asset inventory?

3. Data governance, lifecycle and provenance
• Document your data flows early and often
• Understand privacy requirements
• Call out geographical data requirements early

4. Let cloud help you
• Seize on the opportunity to refine or redo your security infrastructure
• Embrace cloud-based security solutions
• Prepare for “beta” and integration challenges

5. Partitioning & segmentation = security & portability
• Too many eggs in one cloud provider’s basket can increase risk
• Make sure that in the event your business moves away from a cloud provider, your security systems won’t hamper that

6. Plan for robust encryption & PKI
• If providing services to customers or internal LoBs, consider BYOK models
• Evaluate native solutions vs. third party
• Key management!

7. Shore up your endpoints
• What? Aren’t we talking about cloud?
• Weak link/open window for attackers

8. Get familiar with DevOps & containerization

9. 2-factor everything & use privileged access solutions
• Key management

10. Monitor billing and usage where feasible
• You can learn a great deal from AWS console logs

11. Plan on physical infrastructure and increased bandwidth. You will need it!
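Item 9 (“2-factor everything”) and the least-privilege thinking behind it are easier to verify mechanically than by eyeballing policy documents. What follows is an added example for this page, not code from the talk: a small Python audit of IAM policy documents that flags Allow-everything statements and checks whether the policy requires MFA through the IAM condition key aws:MultiFactorAuthPresent. Both policy documents are constructed for the example, and the bucket name is a placeholder.

```python
"""Audit IAM policy documents for least privilege and an MFA requirement.

Added example for this page; not code from the talk. The policies are
constructed and the bucket name is a placeholder. The condition key
aws:MultiFactorAuthPresent and the BoolIfExists operator are real IAM.
"""
import json

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed: the kind of policy a fast-moving DevOps team hands out.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# Constructed: a scoped Allow plus a Deny of everything when MFA is absent.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {MFA_KEY: "false"}}},
    ],
})


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _mfa_condition(stmt, expected):
    """True if the statement tests aws:MultiFactorAuthPresent == expected."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator in ("Bool", "BoolIfExists"):
            value = pairs.get(MFA_KEY)
            if value is not None and str(value).lower() == expected:
                return True
    return False


def audit_policy(document):
    """Return {'findings': [...], 'mfa_enforced': bool} for a policy JSON string."""
    policy = json.loads(document)
    findings = []
    unguarded_allows = []     # Allow statements not conditioned on MFA
    deny_without_mfa = False  # a wildcard Deny that fires when MFA is absent

    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        effect = stmt.get("Effect")

        if effect == "Deny" and "*" in actions and _mfa_condition(stmt, "false"):
            deny_without_mfa = True

        if effect == "Allow":
            if "*" in actions and "*" in resources:
                findings.append(f"statement {i}: Allow * on * (full admin)")
            else:
                for action in actions:
                    if action == "*" or action.endswith(":*"):
                        findings.append(
                            f"statement {i}: service-wide wildcard {action}")
            if not _mfa_condition(stmt, "true"):
                unguarded_allows.append(i)

    # MFA is enforced if every Allow is itself MFA-conditioned, or a
    # wildcard Deny shuts everything off when MFA is missing.
    mfa_enforced = deny_without_mfa or not unguarded_allows
    if not mfa_enforced:
        findings.append(
            f"statements {unguarded_allows} grant access without requiring MFA")
    return {"findings": findings, "mfa_enforced": mfa_enforced}


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(doc))
```

The Deny-when-MFA-absent statement is written with BoolIfExists rather than Bool on purpose: the key is simply missing on request paths that never went through an MFA prompt, a plain Bool test on a missing key evaluates false and the Deny would not fire, so the policy would fail open.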

Gotchas

• IT partners & DevOps personnel may not be familiar with cloud security integration requirements and vendors
• “Your security logging drove our AWS bills from $6K a month to $40K…”
• We don’t want firewall management outsourced, but we don’t know how to set up HA on the Palos…
• Why do we need <MPLS | physical infrastructure | more endpoint security | …>?
• Many traditional security vendors are “in beta” with cloud capabilities
• Shadow IT: business stakeholders can procure and deploy very quickly
• Identity governance (weak at most cloud providers; Azure is the best available)
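Item 10 of the top 10 and the logging-bill gotcha both come down to reading what AWS already records before it becomes a surprise. The following is an added example for this page, not code from the talk: Python that triages CloudTrail-style records for root account use, console logins without MFA, changes to the trail itself and access-denied errors, and separately flags a day whose spend jumps against the trailing median (the $6K to $40K kind of surprise). The records and cost figures are constructed; the field names follow CloudTrail’s JSON record format.

```python
"""Triage CloudTrail-style records and daily spend.

Added example for this page, not code from the talk. The records below are
constructed; their field names follow the CloudTrail JSON record format
(eventName, userIdentity, additionalEventData.MFAUsed, errorCode, ...).
"""
import json
from statistics import median

# Constructed JSON-lines sample: one benign MFA login, a root login without
# MFA, someone switching the trail off, a denied API call, and normal use.
SAMPLE_TRAIL = """
{"eventTime":"2015-10-12T08:02:11Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2015-10-12T08:15:42Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2015-10-12T09:01:05Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"prod-trail"}}
{"eventTime":"2015-10-12T09:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","errorCode":"Client.UnauthorizedOperation"}
{"eventTime":"2015-10-12T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10"}
"""

# CloudTrail API calls that change what the trail records.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _actor(record):
    """IAM user name when present, otherwise the identity type (e.g. Root)."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("type", "unknown")


def triage_trail(jsonl):
    """Return (eventTime, actor, sourceIP, reason) for each suspicious record."""
    findings = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        when, who, src = rec.get("eventTime"), _actor(rec), rec.get("sourceIPAddress")
        name = rec.get("eventName")
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append((when, who, src, "root account activity"))
        if name == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append((when, who, src, "console login without MFA"))
        if name in TRAIL_TAMPER_EVENTS:
            findings.append((when, who, src, f"trail changed by {name}"))
        if "errorCode" in rec:
            findings.append((when, who, src, f"{name} denied: {rec['errorCode']}"))
    return findings


# Constructed daily spend (USD) for one account; the last day is the surprise.
SAMPLE_DAILY_COST = [200.0, 210.0, 195.0, 205.0, 220.0, 198.0, 201.0, 1300.0]


def cost_spikes(daily, window=7, factor=2.0):
    """Return (day_index, cost, baseline) where cost > factor x median of the
    preceding `window` days. Median rather than mean so one earlier spike
    does not hide the next one."""
    spikes = []
    for i, cost in enumerate(daily):
        prior = daily[max(0, i - window):i]
        if len(prior) < 3:        # not enough history to judge
            continue
        baseline = median(prior)
        if cost > factor * baseline:
            spikes.append((i, cost, baseline))
    return spikes


if __name__ == "__main__":
    for finding in triage_trail(SAMPLE_TRAIL):
        print(*finding)
    print(cost_spikes(SAMPLE_DAILY_COST))
```

Run it against a real trail by feeding the decompressed CloudTrail log files’ Records array one record per line; the same four rules are a reasonable first day of detection content on a fresh AWS account.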

Looking ahead


Cloud Security Open APIs

Expedite cloud deployments: a well-known, standard API layer gives enterprise developers the ability to leverage core cloud functions quickly, expediting the pace of cloud deployments.

Foster cross-cloud innovation: with the Cloud Security Open APIs, developers have a way to write cross-cloud functions without custom-integrating with each cloud they touch.

Extend cloud services’ reach to new functionality: from the perspective of a cloud service provider (CSP), the Cloud Security Open APIs allow a much larger set of developers (than those within the CSP’s own company) to leverage the CSP’s core code base/data and deliver adjacent functionality.

Source: Cloud Security Alliance (2015)

Cloud Access Security Brokers (CASB)

“By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.”

• CASBs are on-premises, or cloud-based, security policy enforcement points placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.

• CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, SSO, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.

3 flavors of CASB: Direct to Cloud, Proxy, API
Protocols include: SAML, OAUTH, XACML, ICAP, OSSL, JSON, etc.

Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
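The proxy-mode CASB described above is, at its core, a policy decision per request that combines the app catalogue (sanctioned or not), the device posture learned at authentication, and the operation being attempted. The following is an added example for this page, not code from the talk or from any CASB vendor: a Python sketch of such an inline decision point over constructed proxy-log requests, together with the shadow-IT discovery report the same traffic yields. Hostnames, users and the catalogue are all made up; API-mode CASBs reach the same kind of verdict after the fact from the provider’s own APIs instead of inline.

```python
"""Proxy-mode CASB decision point over constructed requests.

Added example for this page; not code from the talk or any CASB vendor.
Hosts, users, the app catalogue and the requests are all made up.
"""
from collections import defaultdict

# Constructed app catalogue: host -> (app name, sanctioned?). Anything not
# listed is "uncatalogued", which is what shadow IT looks like on the wire.
APP_CATALOG = {
    "files.corpdrive.example": ("CorpDrive", True),
    "crm.corpcrm.example": ("CorpCRM", True),
    "share.randomshare.example": ("RandomShare", False),
}

UPLOAD_METHODS = {"PUT", "POST"}

# Constructed requests as the inline proxy sees them, with the device
# posture the CASB learned at authentication (managed vs. BYOD).
SAMPLE_REQUESTS = [
    {"user": "alice", "managed_device": True,  "host": "files.corpdrive.example",   "method": "PUT",  "bytes": 5_000_000},
    {"user": "bob",   "managed_device": False, "host": "files.corpdrive.example",   "method": "PUT",  "bytes": 120_000},
    {"user": "bob",   "managed_device": False, "host": "files.corpdrive.example",   "method": "GET",  "bytes": 0},
    {"user": "carol", "managed_device": True,  "host": "share.randomshare.example", "method": "PUT",  "bytes": 9_000_000},
    {"user": "dave",  "managed_device": True,  "host": "paste.unknown.example",     "method": "POST", "bytes": 800},
    {"user": "dave",  "managed_device": True,  "host": "paste.unknown.example",     "method": "GET",  "bytes": 0},
]


def decide(request):
    """Return (action, reason); the most restrictive rule wins."""
    app, sanctioned = APP_CATALOG.get(request["host"], (request["host"], None))
    upload = request["method"] in UPLOAD_METHODS
    if upload and sanctioned is False:
        return "block", f"upload to unsanctioned app {app}"
    if upload and sanctioned is None:
        return "block", f"upload to uncatalogued host {app}"
    if upload and not request["managed_device"]:
        return "block", f"upload to {app} from unmanaged device"
    if sanctioned:
        return "allow", app
    # Read-only use of a non-sanctioned service: let it through, but record
    # it so the discovery report can surface who is using what.
    return "allow-log", app


def enforce(requests):
    """Apply decide() to each request and build a shadow-IT report
    (non-sanctioned host -> sorted list of users seen touching it)."""
    decisions = []
    seen = defaultdict(set)
    for req in requests:
        action, reason = decide(req)
        decisions.append((req["user"], req["host"], req["method"], action, reason))
        _, sanctioned = APP_CATALOG.get(req["host"], (None, None))
        if sanctioned is not True:
            seen[req["host"]].add(req["user"])
    report = {host: sorted(users) for host, users in seen.items()}
    return decisions, report


if __name__ == "__main__":
    decisions, report = enforce(SAMPLE_REQUESTS)
    for row in decisions:
        print(*row)
    print("shadow IT:", report)
```

The block/allow-log split is the practical compromise most deployments land on first: blocking reads of every uncatalogued site breaks the business on day one, while blocking uploads to them is rarely contested and is where the data actually leaves.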


CASB—API Mode

Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)


CASB—Proxy Model

Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)

Wrapping up

• Follow the data
• Plan for ongoing risk management and VRM
• Learn ‘enough’ about new technologies/bring in SMEs (DevOps/containers/continuous deployment/etc.)
• Make your security posture & team more agile
• Change is the only constant
• Focus on fundamentals and beware of silver bullets

Thank you for a great [email protected]

https://www.linkedin.com/in/danfitzgerald2

Appendices


Helpful resources

Cloud Security Alliance
• Great source for controls: CCM
• Certifications
• Research publications, collaboration opportunities
https://cloudsecurityalliance.org/

AWS Security Blog
• Amazing number of white papers and implementation guidelines
• FedRAMP, HIPAA, and other compliance architectures
• Just rolled out security training classes
http://blogs.aws.amazon.com/security

Azure Security Center
• MS landing page for security information
https://azure.microsoft.com/en-us/support/trust-center/security/

NIST
• Critical infrastructure guides and framework
http://www.nist.gov/cyberframework/

NIST
• Cloud materials
http://www.nist.gov/itl/cloud/

FedRAMP
• Federal cloud computing standards
https://www.fedramp.gov/

PCI SSC Cloud Information Supplement
• Detailed list of responsibilities and configuration guidance for cloud & PCI DSS compliance
• Useful for guiding principles beyond PCI
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

ISO
• Cloud security code of practice and other guidelines in development (ISO/IEC FDIS 27017)
• Supports the STAR certifications
• Requires a license to obtain the actual standards
• Website is kind of confusing; search for cloud
http://www.iso.org

Definitions

Per NIST (SP 800-145, 2011): Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model is composed of five essential characteristics, three service models, and four deployment models.

Essential Characteristics

Per NIST (SP 800-145, 2011):

1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service

Service Models

SaaS (Software as a Service)
• Use the provider’s application
• Accessible from clients via a thin interface
• Limited user configuration settings at the application layer

PaaS (Platform as a Service)
• Deploy applications onto the cloud platform
• Consumer does not manage the underlying cloud infrastructure, including network, servers, operating systems, or storage
• Customers control deployed applications and may be able to configure some application environment settings

IaaS (Infrastructure as a Service)
• Customer control over operating systems, storage, deployed applications, and possibly select networking components

Deployment Models

Private Cloud
• Provisioned for use by a single organization
• May be owned and managed by the organization, a third party or a combination
• On-premise, hosted options

Community Cloud
• Provisioned for exclusive use by a specific community of consumers from organizations with shared concerns
• May be owned or managed by one or more organizations in the community, third parties or a combination
• On-premise, hosted options

Public Cloud
• Provisioned for use by the general public
• May be owned, managed and operated by a business, academic or governmental organization or a combination
• Hosted on the premises of the provider

Hybrid Cloud
• Combination of distinct and autonomously operated public/private and/or community clouds
• May be tied together by management layers, APIs, cloud broker solutions or other connectivity

Shadow IT

Survey respondents’ primary concerns about Shadow IT are:
• Security of corporate data in the cloud (49 percent)
• Potential compliance violations (25 percent)
• The ability to enforce policies (19 percent)
• Redundant services creating inefficiency (8 percent)

Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)

Security-Related Cloud Stats

Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)