Thin Air or Solid Ground? Practical Cloud Security
Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved 1
Agenda
Introduction
• Your presenter
• Service models
The Cloud Landscape Today
• Adoption
• Market for cloud security products
Tales from the Cloud (AWS & Elsewhere)
• Building a cloud security program from scratch
• Dan’s top 10 (it goes up to 11!)
• Gotchas
Looking Ahead
• Open APIs
• CASB
Wrap-Up & Discussion
• Helpful resources
• Appendices
Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.
-Sun Tzu
About Me…
Professional
• CISO at Uptake, a Chicago data analytics startup that developed a cloud-based predictive analytics platform for the IoT of global industry and infrastructure
• Started my security career in Silicon Valley in the late 90s
• Accenture, PwC & independent consulting
• Consulted for the 2004 Athens Olympics and lived in Greece
• Done security work on four continents
Personal
• Live in Oak Park, grew up in NJ (go Yankees!)
• Will write the great American novel one day
• Love to travel
Some Stats on Cloud Adoption
• APAC will generate 2.3 zettabytes of cloud traffic by 2018*
• Consumer cloud storage traffic: 10 exabytes globally in 2016, 19 exabytes in 2018*
• Cloud data center traffic will represent 76% of total data center traffic by 2018, compared to 54% in 2013.
• Globally, cloud data center traffic will reach 6.5 zettabytes per year (541 exabytes per month) by 2018, up from 1.6 zettabytes per year (137 exabytes per month) in 2013.
• Non-IT C-suite executives manage 37% of IT spend decisions on cloud technology adoption*
• 55% of C-level respondents unable to identify basic attributes of hybrid cloud
• 69% of respondents indicated hybrid cloud should be biggest priority for their business**
• 72% plan to adopt hybrid solutions in 2015!
* Cisco Global Cloud Index 2013-2018 (2014)
** Avanade Global Study: Hybrid Cloud—From Hype to Reality (2014)
Evolving Service Models: The Boundaries Between SaaS, PaaS, & IaaS Are Blurring
Source: Forrester, The Forrester Wave™: Enterprise Public Cloud Platforms, Q4 2014, December 29, 2014
Huge Growth in Cloud Security Vendors
• Secure Email: $942m in 2015, $1b by 2017
• IdM: $860m in 2015, $1.2b by 2017
• Multifunction Identity as a Service (IDaaS) primary growth
• SSO also significant
• SMB sectors driving a lot of growth, but large enterprises also a factor
Tales from the cloud (AWS & elsewhere)
My experiences and recommendations
Chicken Little & the Pompous Engineer
Cloud is not all that new, or that different from security in traditional IT systems or hosting relationships, but many folks seem to lose their reason when evaluating cloud solutions and security.
[Diagram: a knowledge spectrum running from “Too little” to “Too much”]
Informed risk-based decisions
• No ‘one size fits all’
• Based on your business requirements & risk appetite
• Regulatory & geographical profile
The Shared Responsibility Concept
• AWS-specific diagram, but the concepts do apply elsewhere
• Scope is key
• 3rd party certifications should be a significant focus as you build your cloud security program
• **Avoid the “checklist mentality”**
Provider Security Certifications
Source: Forrester, The Forrester Wave™: Public Cloud Platform Service Provider’s Security (2014)
Building a cloud security program from scratch
Business Background
• SaaS predictive analytics platform
• Company ~1 year old
• Explosive growth: 60 employees when I started, now 250+
• Brought on as CISO prior to internal IT team/CIO
• Target customers: Fortune 500
• Low risk tolerance
• Significant customer and regulatory requirements
Technology
• AWS environment w/ VPCs
• DevOps/Agile environment, heavy development focus
• Limited knowledge of enterprise IT practices
What We Did First
1. Socializing security
• Charm & informal security awareness offensive
• Management by walking around
2. Establish core security program
• Risk assessments
• Control roadmap
• Create charter, governance framework
• Service providers
3. Conduct tactical remediation
• Technical risks/low hanging fruit
• Negotiate immediate customer requirements & establish temporary policies
4. Secure Infrastructure Design & Build
• Vendors, vendors, vendors
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
High Level Architecture
Build out security services layer / command centers
Underlying Architecture Components
Dan’s top 10
1. Embrace the changes
2. Maintain or improve your focus on risk management
• Use CSA, NIST and other resources
• Tighten up VRM posture
• How will you maintain your asset inventory?
3. Data governance, lifecycle and provenance
• Document your data flows early and often
• Understand privacy requirements
• Call out geographical data requirements early
4. Let cloud help you
• Seize on the opportunity to refine or redo your security infrastructure
• Embrace cloud-based security solutions
• Prepare for “beta” and integration challenges
5. Partitioning & segmentation = security & portability
• Too many eggs in 1 cloud provider’s basket can increase risk
• Make sure that in the event your business moves away from a cloud provider, your security systems won’t hamper that.
6. Plan for robust encryption & PKI
• If providing services to customers or internal LoBs, consider BYOK models.
• Evaluate native solutions vs. third party
• Key management!
7. Shore up your endpoints
• What? Aren’t we talking about cloud?
• Weak link / open window for attackers
8. Get familiar with DevOps & Containerization
9. 2 factor everything & use privileged access solutions
• Key management
10. Monitor billing and usage where feasible
• You can learn a great deal from AWS console logs
11. Plan on physical infrastructure and increased bandwidth. You will need it!
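As an added example that is not part of the deck, a small Python triage over constructed CloudTrail-style records ties together items 3, 9 and 10 above: it flags console logins without MFA, root account use, and activity outside an assumed approved-region list, and counts events per region as a cheap usage signal. The field names follow CloudTrail’s record format, but the records, the ALLOWED_REGIONS list and the rule names are constructed for illustration.

```python
"""Triage constructed CloudTrail-style records for MFA, root use and region drift."""
import json
from collections import Counter

# Assumption: regions the (hypothetical) organisation has approved for workloads.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}

# Constructed sample trail in CloudTrail's {"Records": [...]} file shape; not real log data.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventName": "CreateBucket", "awsRegion": "us-west-2",
     "userIdentity": {"type": "Root"}},
]})

def parse_trail(text):
    """Accept either a CloudTrail file object ({"Records": [...]}) or a bare JSON list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data

def triage(records):
    """Return (rule, actor, detail) findings; an empty list means nothing to review."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        actor = ident.get("userName") or ident.get("type", "unknown")
        region = r.get("awsRegion", "unknown")
        event = r.get("eventName", "")
        mfa = r.get("additionalEventData", {}).get("MFAUsed")
        if event == "ConsoleLogin" and mfa != "Yes":   # item 9: 2 factor everything
            findings.append(("console-login-without-mfa", actor, region))
        if ident.get("type") == "Root":                # privileged access should go via IAM, not root
            findings.append(("root-account-activity", actor, event))
        if region not in ALLOWED_REGIONS:              # item 3: geographical data requirements
            findings.append(("activity-outside-approved-regions", actor, region))
    return findings

def usage_by_region(records):
    """Count events per region: a usage signal that often precedes a bill surprise (item 10)."""
    return Counter(r.get("awsRegion", "unknown") for r in records)

if __name__ == "__main__":
    records = parse_trail(SAMPLE_TRAIL)
    for finding in triage(records):
        print(json.dumps(finding))
    print(dict(usage_by_region(records)))
```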
Gotchas
• IT partners & DevOps personnel may not be familiar with cloud security integration requirements and vendors
• “Your security logging drove our AWS bills from $6K a month to $40k…”
• We don’t want firewall management outsourced, but we don’t know how to set up HA on the Palos…
• Why do we need <MPLS | physical infrastructure | more endpoint security> etc.?
• Many traditional security vendors are “in beta” with cloud capabilities
• Shadow IT: business stakeholders can procure and deploy very quickly
• Identity governance (weak at most cloud providers; Azure is best available)
Cloud Security Open APIs
Expedite cloud deployments
A well-known and standard API layer will give enterprise developers the ability to leverage core cloud functions quickly, thus expediting the pace of cloud deployments.
Foster cross-cloud innovations
With the Cloud Security Open APIs, developers now have a way to write cross-cloud functions without having to custom integrate with each cloud that it touches.
Extend cloud services reach to new functionality
From the perspective of a cloud service provider (CSP), the Cloud Security Open APIs will allow a much larger set of developers (than those within the CSP’s own company) to leverage the CSP’s core code base/data and deliver adjacent functionality.
Source: Cloud Security Alliance (2015)
Cloud Access Security Brokers (CASB)
"By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%."
• CASBs are on-premises or cloud-based security policy enforcement points placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
• CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, SSO, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.
3 Flavors of CASB: Direct to Cloud, Proxy, API
Protocols include: SAML, OAuth, XACML, ICAP, OSSL, JSON, etc.
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
CASB—API Mode
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
CASB—Proxy Model
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
Wrapping up
• Follow the data
• Plan for ongoing risk management and VRM
• Learn ‘enough’ about new technologies / bring in SMEs (DevOps/Containers/Continuous Deployment/Etc.)
• Make your security posture & team more agile
• Change is the only constant
• Focus on fundamentals and beware of silver bullets
Thank you for a great [email protected]
https://www.linkedin.com/in/danfitzgerald2
Helpful resources
Cloud Security Alliance
• Great source for controls (CCM)
• Certifications
• Research publications, collaboration opportunities
https://cloudsecurityalliance.org/
AWS Security Blog
• Amazing number of white papers and implementation guidelines
• FedRAMP, HIPAA, and other compliance architectures
• Just rolled out security training classes
http://blogs.aws.amazon.com/security
Azure Security Center
• MS landing page for security information
https://azure.microsoft.com/en-us/support/trust-center/security/
NIST
• Critical infrastructure guides and framework
http://www.nist.gov/cyberframework/
NIST
• Cloud materials
http://www.nist.gov/itl/cloud/
FedRAMP
• Federal cloud computing standards
https://www.fedramp.gov/
PCI SSC Cloud Information Supplement
• Detailed list of responsibilities and configuration guidance for cloud & PCI DSS compliance
• Useful for guiding principles beyond PCI
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
ISO
• Cloud security code of practice and other guidelines in development (ISO/IEC FDIS 27017)
• Support the STAR certifications
• Require license to obtain actual standards
• Website is kind of confusing; search for cloud
http://www.iso.org
Definitions
Per NIST (c2011): Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Essential Characteristics
Per NIST (c2011):
1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service
Service Models
SaaS (Software as a Service)
• Use provider’s application
• Accessible from clients via thin interface
• Limited user configuration settings (application layer)
PaaS (Platform as a Service)
• Deploy applications onto cloud platform
• Consumer does not manage underlying cloud infrastructure including network, servers, operating systems, or storage
• Customers control deployed applications and may be able to configure some application environment settings.
IaaS (Infrastructure as a Service)
• Customer control over operating systems, storage, deployed applications; and possibly select networking components.
Deployment Models
Private Cloud
• Provisioned for use by a single organization
• May be owned and managed by organization, third party or a combination
• On-premise, hosted options
Community Cloud
• Provisioned for exclusive use by a specific community of consumers from organizations with shared concerns.
• May be owned or managed by one or more organizations in community, third parties or combination.
• On-premise, hosted options
Public Cloud
• Provisioned for use by general public
• May be owned, managed and operated by a business, academic or governmental organization or combination.
• Hosted on premises of provider
Hybrid Cloud
• Combination of distinct and autonomously operated public/private and/or community clouds
• May be tied together by management layers, APIs, cloud broker solutions or other connectivity
Shadow IT
Survey respondents’ primary concerns about Shadow IT are:
• Security of corporate data in the cloud (49 percent)
• Potential compliance violations (25 percent)
• The ability to enforce policies (19 percent)
• Redundant services creating inefficiency (8 percent)
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
Security-Related Cloud Stats
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)