
Cloud Security: What you need to know

SanjayW (v1.1)

Cloud computing
Where were you when cloud computing took over?

I was.. on

Agenda
Cloud: the birth of..
Define cloud
The general fears and perceptions
Cloud security considerations
Conclusion

When did it exist?
It existed long before the term was coined. Typical cloud examples:

Hosted email (a lot of them are free)

Online applications
Office365, Salesforce.com, Skype (VoIP), social media (YouTube, Facebook, Twitter)

File storage/storage hosting
Microsoft SkyDrive, Dropbox

And.. and.. and

So this CLOUD....

Is it repackaging? Is it truly new?
Is this the future?

How does it differ, security-wise?

Hype or not?

Cloud is here to stay..

It's no longer just hype
BUT there's still a lot of work in progress

Security is still a pressing thought. Is cloud computing elusive..?

Old skool.. infrastructure- and security-wise? Fear of the unknown?

Ada udang di sebalik awan (Malay: "there's a shrimp behind the cloud", a play on the idiom for a hidden catch)

Gartner's 7 top Cloud Security Concerns/Considerations..

Privileged user access
Compliance
Data location
Data segregation
Recovery
Support
Long term factor (LTF)

Network stance
Indifferent, except:
It may be hosted outside your environment
Probably a better (quicker) scale factor
Takes away CAPEX quite a bit

It is as if you would publish to the WWW

Security on LAN is..
Physical, Network, Application, Legislation, etc.

Security Stance
It is (still) as strong as the weakest link (yet again)
It may as well ENHANCE security
Nonetheless, if it's public facing it raises a RED flag
Takes away CAPEX quite a bit

Security on LAN is..

Security on WAN is.. (still)
Physical, Network, Application, Legislation, etc.

What are the factors that make it different?

Exposure/threat vectors

Security on WAN is..

Security on Cloud is..
Physical, Network, Application, Legislation, etc.

What are the factors that make it different?

Responsibilities, threat vectors, control

Security on Cloud is..

Why?
Fear of known unknowns
Fear of new unknowns
Lack of tangibility
Lack of visibility
Transparency of operations
Legislative factors
Policy changes

To love cloud is to know cloud

Cloud computing 101..

Let's break it down

Software as a service
Platform as a service
Infrastructure as a service
Each has its own problems.. Let's analyze them

Let's break it down..

Public
Private
Community
A combination of the above (hybrid)

Cloud security bandwagon..

You inherit the benefits/problems of the internet
You inherit the benefits/problems of the provider
You inherit the benefits/problems of the respective country/laws
You inherit the benefits/problems of your neighbors (co-hosting)

Software As A Service - Problems

You do not know what they are doing
Bad software or APIs
Shared model could mean shared domain security
You cannot dictate the software code

Platform As A Service - Problems

Poorly developed middleware
May not work with your apps
May open a loophole into a good app sitting above it
The case of one size does not fit all
Flexibility may not be good here: it means room for errors

Infra As A Service - Problems

Skill sets of programmers and infra guys are unequal
Most flexible. Again, not necessarily good
Possibly inherit the {insert good/bad} from your existing network

The responsibility hierarchy

Responsibility segregation
SaaS: mostly them
PaaS: you, and moderately them
IaaS: you, and a little them

A wise man once said.. It's okay to believe, just as long as you know!

Know!...
Using {insert provider here}:
Where they are deployed
How they are deployed
Type of built-in controls
Compliance

Where are they consumed? Need for re-perimeterization

Sure, love thy neighbor, but don't necessarily trust them..

The models are the same, the application is different..

Fear not the CLOUD..

Security and Privacy Considerations

Technical Factors
Information/Data Lifecycle
Confidentiality, Integrity, Availability, Authenticity, Authorization, Authentication, and Non-Repudiation

Technical Factors
Security, DR and BCP
Since cloud is relatively new, legacy security implementation should be used:
See their network and security devices physically
See their NOC/team hierarchy
This also includes legacy DR and BCP
Legacy includes physical security
Go visit them

Technical Factors
Data center
With cloud booming come more data centers
They may have a compliance certification of some sort
But still request the possibility of an audit

Their cloud architecture and offering should be clearly defined:
Compartmentalization
Network architecture
Resource redundancy
And.. and.. and

Customer service

Technical Factors
Application security
SDLC-based apps
Hardening of prebuilt OSes
Inter-host communication policy
Credential storage
Where logs are stored should have similar quality as the actual data itself
Backdoor accounts for support?
Auditing rights
Blackbox testing evasion
Vulnerability assessment

Technical Factors
Encryption and key management
Should we encrypt?
Keep private keys out of the provider's hands where possible (use your own)
Exposure of key files: do a risk analysis in case keys cannot be separated
Ensure the encryption complies with industrial strengths and standards
Data in transit should also be encrypted

Technical Factors
Identity and access management
Proprietary solutions for provisioning, i.e. do not use defaults

Authentication
Consider federation instead of decentralized
Consider authentication means provided by the big boys like LIVE-ID, Yahoo, OpenID etc..
Use VPNs as pre-authentication
OATH compliance if you want to write your own..
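As an added illustration of the "OATH compliance if you want to write your own" point (example code, not from the original deck): a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation using only Python's standard library, checked against the test vectors published in those RFCs. The secret and timestamps are the RFC test values; the drift window and replay set are this example's own design choices, not anything the deck prescribes.

```python
import hashlib
import hmac
import struct
import time

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                 # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, now=None, step=30, digits=6, window=1, used=None):
    """Server-side check (this example's design, not from the RFCs' normative text):
    accept the current step plus/minus `window` steps of clock drift, compare in
    constant time, and refuse a counter that was already accepted (replay of a code)."""
    now = int(time.time()) if now is None else now
    for drift in range(-window, window + 1):
        counter = now // step + drift
        if used is not None and counter in used:
            continue                        # already redeemed: a replayed code is rejected
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if used is not None:
                used.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 Appendix D and RFC 6238 Appendix B (SHA-1) published values.
    print(hotp(RFC_TEST_SECRET, 0))                 # 755224
    print(totp(RFC_TEST_SECRET, 59, digits=8))      # 94287082
    print(verify_totp(RFC_TEST_SECRET, "94287082", now=59, digits=8))
```

Because the verifier recomputes the code from a secret it holds, the same routine also covers the later "protect admin interfaces, use strong authentication" point for a provider's management console, provided the secret is provisioned once over an authenticated channel.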

Technical Factors
Virtualization
Identify the type, do your research
Take advantage of quality VM platforms' security and controls

Prebuilt VMs
Identify their built-in IDS/IPS, antivirus, vulnerability management
Get compliance for Secure by Default
Protect admin users/interfaces, use strong authentication
Validate the VMs' pedigree and the integrity of the OS templates
Segment and group security boundaries, DMZ servers vs data servers

By the way, have we considered..

Legal
Risk Management
Compliance
Information Lifecycle Management
Portability and Interoperability

Conclusion
Adopt cloud technology after much research
Use credible providers
You have the right to question
Do not compromise; instead, write into the contracts what you NEED
Plan, plan, plan

Cloud security
