Cloud Security

Agenda
• Cloud security – inheritance
• Security responsibility – private vs public
• General areas of concerns
• Key security dangers to cloud computing
• Cloud Security framework / standards
• Cloud Security Implementation
• Data privacy
• Security concerns – examples & quiz

Cloud security: the grand challenge
Cloud computing shifts much of the control over data and operations from the client organization to their cloud providers, much in the same way organizations entrust part of their IT operations to outsourcing companies. Even basic tasks, such as applying patches and configuring firewalls, can become the responsibility of the cloud service provider, not the user. This means that clients must establish trust relationships with their providers and understand the risk in terms of how these providers implement, deploy, and manage security on their behalf. This trust-but-verify relationship between cloud service providers and consumers is critical because the cloud service consumer is still ultimately responsible for compliance and protection of their critical data, even if that workload has moved to the cloud.

Cloud security: inheritance
Security Guidance for Critical Areas of Focus in Cloud - https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf

Security responsibility – differences for SaaS, PaaS, IaaS
• In the Software as a Service (SaaS) model, most of the responsibility for security management lies with the cloud provider. SaaS provides a number of ways to control access to the Web portal, such as the management of user identities, application level configuration, and the ability to restrict access to specific IP address ranges or geographies.
• Platform as a Service (PaaS) allows clients to assume more responsibilities for managing the configuration and security of the middleware, database software, and application runtime environments.
• The Infrastructure as a Service (IaaS) model transfers even more control, and responsibility for security, from the cloud provider to the client. In this model, access is available to the operating system that supports virtual images, networking, and storage.

[Figure: labels 2008-2016, 2016+, BPaaS]

Security responsibility – differences between private and public cloud

Area: Data ownership
  Public: Physically cloud provider (legally you)
  Private owned: You have full control / ownership
Area: Security standards
  Public: You get what you are being offered
  Private owned: Customization is possible – responsibility on security lies with you
Area: Security exposure
  Public: Can be higher than in private cloud (in case private provider would not have knowledge or finances) but is more exposed to attacks
  Private owned: Can be higher than in public cloud but requires expertise to establish all security aspects (with particular knowledge)
Area: Governance
  Public: Lies with provider
  Private owned: Lies with provider
Area: Design flexibility
  Public: Minimum flexibility
  Private owned: Do whatever you want

Security responsibility – differences between private and public cloud - TBD
Security Guidance for Critical Areas of Focus in Cloud - https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf

Cloud security – general areas of concern
1. Governance and Enterprise Risk Management
2. Legal Issues: Contracts and Electronic Discovery
3. Compliance and Audit
4. Information Management and Data Security
5. Portability and Interoperability
6. Traditional Security, Business Continuity and Disaster Recovery
Security Guidance for Critical Areas of Focus in Cloud - https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf

Governance and Enterprise Risk Management
The ability of an organization to govern and measure enterprise risk introduced by cloud computing.
Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, responsibility to protect sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues.

Legal Issues: Contracts and Electronic Discovery
Potential legal issues when using cloud computing. Issues touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws, etc.

Compliance and Audit
Maintaining and proving compliance when using cloud computing. Issues dealing with evaluating how cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative, and otherwise) are discussed here. This domain includes some direction on proving compliance during an audit.

Information Management and Data Security
Managing data that is placed in the cloud. Items surrounding the identification and control of data in the cloud, as well as compensating controls that can be used to deal with the loss of physical control when moving data to the cloud, are discussed here. Other items, such as who is responsible for data confidentiality, integrity, and availability are mentioned.

Portability and Interoperability
The ability to move data/services from one provider to another, or bring it entirely back in-house. Together with issues surrounding interoperability between providers.

Traditional Security, Business Continuity and Disaster Recovery
How cloud computing affects the operational processes and procedures currently used to implement security, business continuity, and disaster recovery. The focus is to discuss and examine possible risks of cloud computing, in hopes of increasing dialogue and debate on the overwhelming demand for better enterprise risk management models.
Further, the section touches on helping people to identify where cloud computing may assist in diminishing certain security risks, or entails increases in other areas.

Data Center Operations
How to evaluate a provider’s data center architecture and operations. This is primarily focused on helping users identify common data center characteristics that could be detrimental to on-going services, as well as characteristics that are fundamental to long-term stability.

Incident Response, Notification and Remediation
Proper and adequate incident detection, response, notification, and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the cloud brings to your current incident-handling program.

Application Security
Securing application software that is running on or being developed in the cloud. This includes items such as whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS).

Encryption and Key Management
Identifying proper encryption usage and scalable key management. This section is not prescriptive, but is more informational in discussing why they are needed and identifying issues that arise in use, both for protecting access to resources as well as for protecting data.

Identity and Access Management
Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization’s identity into the cloud. This section provides insight into assessing an organization’s readiness to conduct cloud-based Identity, Entitlement, and Access Management (IdEA).

Virtualization
The use of virtualization technology in cloud computing.
The domain addresses items such as risks associated with multi-tenancy, VM isolation, VM co-residence, hypervisor vulnerabilities, etc. This domain focuses on the security issues surrounding system/hardware virtualization, rather than a more general survey of all forms of virtualization.

Security as a Service
Providing third party facilitated security assurance, incident management, compliance attestation, and identity and access oversight. Security as a service is the delegation of detection, remediation, and governance of security infrastructure to a trusted third party with the proper tools and expertise. Users of this service gain the benefit of dedicated expertise and cutting edge technology in the fight to secure and harden sensitive business operations.

Cloud security – general areas of concern
7. Data Center Operations
8. Incident Response, Notification and Remediation
9. Application Security
10. Encryption and Key Management
11. Identity and Access Management
12. Virtualization
13. Security as a Service
Security Guidance for Critical Areas of Focus in Cloud - https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf

Key security dangers to cloud security
• Virtualization and multitenancy
• Nonstandard and vulnerable APIs
• Internal security breaches
• Data corruption or loss
• User account and service hijacking

Listed challenges are typically addressed via a series of tools and practices – e.g.
• Host-based intrusion protection systems (HIPS)
• Network-based intrusion protection systems (NIPS)
• Security best practices

Key security dangers to cloud security
Virtualization and multitenancy
• Isolation is limited: the hypervisor extends the security risk and exposes the operating system. An attacker can compromise not only the hypervisor but can also gain access to data and internal applications.
• As mitigation, security best practices (operating system or application) are recommended – e.g. patch management, authentication, authorization, auditing

Multi-tenancy
Security Guidance for Critical Areas of Focus in Cloud - https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf

Example – security concern
Virtualization Security | By Chris Brenton - https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
The lack of an Air Gap
In a legacy network, some semblance of an air gap exists between operating systems. For example two systems connected to the same Ethernet network can only communicate with each other via the Ethernet network. If that network is disconnected or firewalled, the systems will be unable to communicate with each other. In a virtualized environment however, the hypervisor always creates a software connection between systems. There is no way to completely isolate one operating system from another, without migrating one of the operating systems to a different hardware platform. It is this persistent software connection that has led many to feel that virtualization can never be configured as securely as a legacy network.

Key security dangers to cloud security
Nonstandard and vulnerable APIs
• Cloud APIs are not standardized yet – a weak interface (API) can expose the system to intruders
• As mitigation, security (API) best practices are recommended – e.g. authentication, authorization, auditing + review the cloud provider’s security model used for the API (e.g.
API trusted chain)

Key security dangers to cloud security
Internal security breaches
• In the IT area, over 70% of security breaches are caused by internal factors / employees
• To reduce risk, consider the following:
  a) Transparency in information and internal management practices
  b) Understand the human resources requirements
  c) Have a clear level of escalation and notification of a breach

Key security dangers to cloud security
Data corruption or loss – 1/2
• Data corruption or loss is amplified since the cloud provider is the source for a company’s data, not the company itself
• As mitigation steps you might consider:
  a) Implement application systems security best practices, such as authentication, authorization, and auditing
  b) Implement strong encryption, SSL, digital signatures and certificate practices
  c) Ensure that strong disaster recovery processes exist and are tested on a periodic basis
  d) Require that the persistent medium used to store your data is erased prior to releasing it back into the pool

Key security dangers to cloud security
Data corruption or loss – 2/2
Multi-tenancy challenge
• implies use of the same resources or application by multiple consumers that may belong to the same organization or to different organizations.
• The impact of multi-tenancy is visibility of residual data or trace of operations by other user or tenant.
• implies a need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumer constituencies
• offers benefits of scaling but could present security risk
Security Guidance for Critical Areas of Focus in Cloud - https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/csaguide.v3.0.pdf

Key security dangers to cloud security
User account and service hijacking
• User account and service hijacking occurs when an attacker obtains your cloud services information and uses it to take over your cloud access
• If attackers gain access to a cloud user’s credentials, they can eavesdrop on activities and transactions, manipulate or steal data, return falsified data, and redirect clients to illegitimate sites
• To mitigate this risk, the following approaches are recommended:
  a) Implement security best practices, including human processes, such as strong passwords, two-factor authentication, and prohibiting the sharing of users’ credentials
  b) Implement application systems security best practices, such as AAA (authentication, authorization, and auditing)
  c) Implement strong encryption, SSL, digital signatures, and certificate practices
  d) Ensure that auditing and logging is being used to monitor activities

Security Framework should cover at least the following
• Flexibility and openness of cloud computing models have created a number of security concerns. Massive amounts of IT resources are shared among many users, and security processes are often hidden behind layers of abstraction. More to the point, cloud computing is often provided as a service, so control over data and operations is shifted to third-party service providers, requiring their clients to establish trust relationships with their providers and develop security solutions that take this relationship into account.
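The audit-and-logging mitigation for user account and service hijacking listed above, as an added example that is not part of the original slides: a small detector that reads login audit events and flags successful logins without a second factor, one account used from several source addresses in a short window, and repeated failures followed by a success. The log format, field names, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (format is an assumption):
# timestamp, user, source address, event, whether a second factor was used
SAMPLE_LOG = """\
2016-03-01T08:00:05Z alice 198.51.100.10 login_ok mfa=yes
2016-03-01T08:02:11Z bob 203.0.113.7 login_fail mfa=no
2016-03-01T08:02:19Z bob 203.0.113.7 login_fail mfa=no
2016-03-01T08:02:30Z bob 203.0.113.7 login_fail mfa=no
2016-03-01T08:02:41Z bob 203.0.113.7 login_ok mfa=no
2016-03-01T08:05:00Z alice 192.0.2.44 login_ok mfa=yes
2016-03-01T09:30:00Z carol 198.51.100.23 login_ok mfa=yes
2016-03-01T13:00:00Z carol 198.51.100.99 login_ok mfa=yes
"""


def parse_line(line):
    """Turn one audit line into a dict; raises ValueError on malformed input."""
    ts, user, ip, event, mfa = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "event": event,
        "mfa": mfa == "mfa=yes",
    }


def detect(events, window=timedelta(minutes=10), fail_threshold=3):
    """Return sorted (user, rule) findings.

    NO_SECOND_FACTOR   - a successful login that did not use two-factor auth
    MULTI_SOURCE       - successful logins for one account from more than one
                         source address inside `window` (shared or stolen
                         credentials both look like this)
    FAILS_THEN_SUCCESS - at least `fail_threshold` failed logins inside
                         `window` before a successful one
    """
    by_user = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        by_user[event["user"]].append(event)

    findings = set()
    for user, history in by_user.items():
        for i, event in enumerate(history):
            if event["event"] != "login_ok":
                continue
            if not event["mfa"]:
                findings.add((user, "NO_SECOND_FACTOR"))
            # Earlier events for this account that fall inside the window.
            recent = [p for p in history[:i] if event["time"] - p["time"] <= window]
            sources = {p["ip"] for p in recent if p["event"] == "login_ok"}
            sources.add(event["ip"])
            if len(sources) > 1:
                findings.add((user, "MULTI_SOURCE"))
            failures = sum(1 for p in recent if p["event"] == "login_fail")
            if failures >= fail_threshold:
                findings.add((user, "FAILS_THEN_SUCCESS"))
    return sorted(findings)


def run_sample():
    """Run the detector over the constructed sample log."""
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect(events)


if __name__ == "__main__":
    for user, rule in run_sample():
        print(f"{user}: {rule}")
```

carol logs in from two addresses several hours apart and is deliberately not flagged; the window is the tuning knob that separates normal roaming from concurrent use.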
Security and control frameworks

COBIT
Control Objectives for Information and related Technology (CobiT), the International Organization for Standardization 27002:2005 (ISO/IEC 27002:2005), and the Information Technology Infrastructure Library (ITIL) have emerged worldwide as the most respected frameworks for IT governance and compliance.
CobiT is a set of best practices (framework) for IT management created by the Information Systems, Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996. It is an internationally accepted framework for IT governance and control.

ISO 27002
The ISO 27002 standard provides guidance for the implementation of an Information Security Management System. It is exhaustive. Therefore, every organization that relies on this preferred practice should select the controls that are applicable for their information system or environment. A step-by-step manner of approaching ISO/IEC 27002:2005 is best. The best starting point is usually an assessment of the current position or situation, followed by an identification of the changes needed for ISO/IEC 27002:2005 compliance. From here, planning and implementing must be rigidly undertaken.

ISO 27017
“Provide guidance on the information security elements of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002 and indeed other ISO27k standards including ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management, as well as all the other ISO27k standards” (source: http://www.iso27001security.com/html/27017.html)

COBIT
The underlying concept of CobiT is that it looks at business information that every enterprise needs to support its business decisions.
Business information itself is again a result of IT-related resources, which CobiT defines as applications, information, infrastructure, and people. Finally, these IT-related resources are managed by IT processes to fulfill certain business information criteria (effectiveness, efficiency, confidentiality, integrity, availability, reliability, and compliance).

ISO 27017
New Controls specific for cloud
• Shared roles and responsibilities within a cloud computing environment
• Removal of cloud service customer assets
• Segregation in virtual computing environments
• Virtual machine hardening
• Administrator’s operational security
• Monitoring of cloud services
• Alignment of security management for virtual and physical networks
Source: http://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

Cloud Control Matrix
Cloud Security Alliance - https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/

Cloud Security implementation

Implementation of security
The following security measures represent general best practice implementations for cloud security. At the same time, they are not intended to be interpreted as a guarantee of success.
1. Implement and maintain a security program.
2. Build and maintain a secure cloud infrastructure.
3. Ensure confidential data protection.
4. Implement strong access and identity management.
5. Establish application and environment provisioning.
6. Implement a governance and audit management program.
7. Implement a vulnerability and intrusion management program.
8. Maintain environment testing and validation.

Cloud Security Summary

Cloud – data privacy, law
“If you look at the legislation landscape of Financial Services sector in North America, it is full of very specific requirements about how and where certain records and information must be retained. Unfortunately, there is no single set of rules to follow.”
Source: https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/entry/legal_regulations_and_compliance_on_records_management?lang=cs

Cloud – data privacy, law
There are existing security challenges, experienced in other computing environments, and there are new elements which are necessary to consider. The challenges include:
• Governance
• Data
• Architecture
• Application
• Assurance
Security is often related to compliance & local laws or regulations – typical questions are below.
1. Jurisdiction and regulatory requirements (could data be hosted in private / public / hybrid cloud?)
2. Complying with Export/Import controls (is the data center located in an approved country?)
3. Compliance of the infrastructure (does the cloud provider use standards to adhere to a GREEN compliance posture?)
4. Audit and reporting
5. Data location and segregation
6. Data footprints

Cloud – data privacy, law, policy
“SafeHarbor is the name of a policy agreement established between the United States Department of Commerce and the European Union (E.U.) in November 2000 to regulate the way that U.S. companies export and handle the personal data (such as names and addresses) of European citizens. The agreement is a policy compromise set up in response to a European directive that differed from traditional business procedures for U.S. companies dealing with the E.U”
Source: http://trade.gov/media/publications/pdf/safeharbor-selfcert2009.pdf

Cloud – Safe Harbor principles
How does an organization join?
The decision by U.S. organizations to enter the U.S.-EU Safe Harbor program is entirely voluntary. Organizations that decide to participate in the U.S.-EU Safe Harbor program must comply with the U.S.-EU Safe Harbor Framework and publicly declare that they do so.
What do the Safe Harbor principles require?
1. Notice
2. Choice
3. Onward Transfer (Transfers to Third Parties)
4. Access
5. Security
6. Data integrity
7. Enforcement
Source: http://trade.gov/media/publications/pdf/safeharbor-selfcert2009.pdf

Cloud – Safe Harbor future
Safe Harbour is being replaced by the “Privacy Shield” agreement that should address certain legal issues (from the EU perspective) (July 2016).
It’s expected that even this agreement may not be final and the European Court of Justice may / likely will terminate its validity once a real law case is presented to this institution.

ISO/IEC 27018:2014 – privacy standard
• establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
• specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
• is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.
Source: ISO

ISO/IEC 27018:2014 – privacy standard
Examples of additional controls and policies
• Rights of the customer to access and delete the data
• Not using the data for marketing and advertising
• Notification to the customer in case of a request for data disclosure
• Procedure for data restoration
• Encrypting data that is transmitted over public networks
• Specifying the minimum security controls in contracts with customers and subcontractors
• Ensuring the data reaches the destination
• Notification to the customer in case of a data breach
Source: www.adviser.com

Information security and privacy standard examples

Security examples & concerns that might affect cloud adoption

Example – security concern
“Microsoft's U.K. head admitted in June 2011 that no cloud data is safe from the Patriot Act, and the company can be forced to hand EU-stored data over to U.S. authorities.”
“While it has been suspected for some time, this is the first time Microsoft, or any other company, has given this answer. Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities.”
source: ZDLINK

Response from European parliament
“The European Commission should quickly make it clear that European businesses and citizens are under European privacy laws. European citizens and businesses need to be confident that EU institutions enforce their own laws. Keen to stress that though EU subsidiaries of U.S. parent companies are breaking European law by handing over data back to the United States under a Patriot Act request, that while these subsidiaries are operating within Europe, EU law must take precedent.
"The European Commission should urgently contact the U.S.
government and make clear that we do not accept.“
source: ZDLINK

Example – security concern & quiz
“Safe Harbour is an agreement set up 16 years ago to create a way for US businesses to transfer EU citizens’ personal data to the US even though American data protection laws are not up to the European standard. Following the revelations by Edward Snowden that US businesses were being compelled to hand over personal data under the Prism programme, Austrian law student Schrems complained to the Irish data protection commissioner - Facebook’s EU operations are head-quartered in Ireland – that his privacy rights were being violated. The Irish data protection authority (DPA) refused to act on the grounds that the social network is signed up to Safe Harbour/Harbor - a voluntary scheme whereby companies promise to protect EU personal data. Undeterred, Schrems took his case to the Irish High Court which referred it to the European Court of Justice (ECJ). The ECJ says that national DPAs cannot use Safe Harbour as a reason for not investigating suspected mishandling of data. The challenge of the matter is that although companies may respect the Safe Harbour guidelines, “United States public authorities are not themselves subject to it”.
Source: The Register (theregister.co.uk)

Quiz: How could Facebook respond to a ban on data transfer?
a. No need to worry as Facebook is US company and they don’t need to follow EU rules / law
b. Move data to EU
c. Have all EU data encrypted (on side of US servers)
d. Stop providing a service for users from EU

Example – security assurance (encryption)
“Microsoft is looking to follow its global cloud partners, Google and Yahoo, in encrypting the traffic flowing between its worldwide datacenter locations, fearing the U.S.
government's ability to tap into customer data.”
source: ZDLINK
“Though Google and other companies spend vast amounts on leasing fiber optic cables from companies in order to keep their data off the "public" Internet, the NSA and GCHQ still reportedly tap these cables at major Internet hubs around the world, including in the U.K.”
"Unless Microsoft takes immediate action to rectify this situation, any business or individual using their services to store or transmit sensitive data will have been fundamentally let down by a brand that suggested it was worthy of trust."

Example – security concern
Virtualization Security | By Chris Brenton - https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
Potential data misplacement
The above slide shows one of the potential security issues that can occur when storage resources are shared. Remember that in an IaaS environment each VM is typically stored as a single file. As storage requirements change, those files may be resized. Reducing the size of one partition and increasing the size of another creates the possibility that sectors containing deleted file information will effectively move from one VM to another. This could permit the owner of the second VM to recover file information stored as part of the first VM. Again, dedicating physical storage ensures that this issue does not surface. Another possible solution is to encrypt all file information stored to disk. If encrypted, moved sectors would be unreadable without the appropriate key(s).

Example – security concern
Virtualization Security | By Chris Brenton - https://cloudsecurityalliance.org/wp-content/uploads/2011/11/virtualization-security.pdf
Layers with virtualization
Typically when we determine which servers to virtualize, we look at performance metrics such as average server utilization. The lower the utilization level, the more likely the server will make a good candidate for virtualization.
Security also needs to be part of this equation. When we virtualize a server with no additional security controls (such as hypervisor malware control), we can potentially increase the risk to that server. This may be acceptable for low value data, or it may be completely unacceptable for extremely sensitive information. A good risk analysis will guide us either way. This is where the risk zones shown above come into our design. For example all of the virtualized servers in the “medium trust zone” will most likely require only minor security enhancements to mitigate risk to the proper level. The “high trust” zone, however, will contain servers that will most likely require additional security precautions. So by grouping our servers by risk level we not only enhance manageability but make more efficient use of our security resources.

Example – security assurance (CMS)

Additional Links and used materials
• Security for cloud computing
  http://www.cloudstandardscustomercouncil.org/security-d.htm
• IBM Security Technology Outlook: An outlook on emerging security technology trends
  ftp://public.dhe.ibm.com/software/tivoli/whitepapers/outlook_emerging_security_technology_trends.pdf
• Security Guidance - IBM Recommendations for the Implementation of Cloud Security
  http://www.redbooks.ibm.com/redpapers/pdfs/redp4614.pdf
• Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security
  http://www.redbooks.ibm.com/redpapers/pdfs/redp4528.pdf
• Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security
  www.redbooks.ibm.com/redbooks/pdfs/sg248100.pdf
• Review and summary of cloud security scenarios - From "Cloud Computing Use Cases Whitepaper" Version 3.0 (cl-rev1security-pdf)
  http://www.ibm.com/developerworks/cloud/library/cl-rev1security.html
• IBM Security Services - Security examples – scenarios and solutions (products) that might be used
  http://public.dhe.ibm.com/common/ssi/ecm/en/sec03016gben/SEC03016GBEN.PDF
• Demystifying the cloud: The new economics of cloud computing
  https://www-304.ibm.com/events/wwe/grp/grp004.nsf/vLookupPDFs/FINAL--Demystifying%20Cloud--Defining%20a%20Path%20Forward/$file/FINAL--Demystifying%20Cloud--Defining%20a%20Path%20Forward.pdf
• IBM Cloud Security
  ftp://ftp.software.ibm.com/software/th/downloads/03_Virtualization_Cloud_Security_How_to_de-risk_Security_in_a_Cloud_Virtual_environment.pdf
• Cloud Security: Who do you trust?
  http://www.ibm.com/ibm/files/I581626T50867W87/IBM_Cloud_Security_Who_do_you_trust_LR.pdf
• Cloud Security Alliance - general
  https://cloudsecurityalliance.org/
  https://cloudsecurityalliance.org/education/white-papers-and-educational-material/white-papers/
• Security Considerations for Private vs. Public Clouds
  https://downloads.cloudsecurityalliance.org/assets/research/collaborative/Security-Considerations-for-Private-vs-Public-Clouds.pdf
• Security Guidance for Critical Areas of Focus in Cloud Computing V3.0
  http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
• Building multi-tenancy applications with IBM middleware
  https://www6.software.ibm.com/developerworks/offers/techbriefings/cc4d-replays/session2_dcarew.pdf

BACKUP SLIDES

Security risks associated with cloud computing that must be adequately addressed
• Loss of governance.
• Responsibility ambiguity.
• Isolation failure.
• Vendor lock‐in.
• Compliance and legal risks.
• Handling of security incidents.
• Management interface vulnerability.
• Data protection.
• Malicious behavior of insiders.
• Business failure of the provider.
• Service unavailability.
• Insecure or incomplete data deletion
Source and detailed description: http://www.cloudstandardscustomercouncil.org/security-d.htm

Security challenges and questions in a nutshell

Governance
Achieving and maintaining governance and compliance in cloud environments brings new challenges to many organizations. (This paper should not be seen as legal advice or guidance specific to any one organization.) Things you might need to consider include:

Jurisdiction and regulatory requirements
• Can data be accessed and stored at rest within regulatory constraints?
• Are development, test and operational clouds managing data within the required jurisdictions, including backups?

Complying with Export/Import controls
• When applying encryption software to data in the cloud, are these controls permitted in a particular country/jurisdiction?
• Can you legally operate with the security mechanisms being applied?

Compliance of the infrastructure
• Are you buying into a cloud architecture/infrastructure/service which is not compliant?

Audit and reporting
• Can you provide the required evidence and reports to show compliance to regulations such as PCI and SOX?
• Can you satisfy legal requirements for information when operating in the cloud?

Other key issues include:

Data location and segregation
• Where does the data reside? How do you know?
• What happens when investigations require access to servers and possibly other people’s data?

Data footprints
• How do you ensure that the data is where you need it when you need it, yet not left behind?
• How is it deleted?
• Can the application code be exposed in the cloud?

Backup and recovery
• How can you retrieve data when you need it?
• Can you ensure that the backup is maintained securely, in geographically separated locations?

Administration
• How can you control the increased access administrators have working in a virtualized model?
• Can privileged access be appropriately controlled in cloud environments?

Data
Cloud places data in new and different places, not just the user data but also the application (source) code. Who has access, and what is left behind when you scale down a service?

Looking at the underlying architecture and infrastructure, some of the considerations include:

Protection
• How do you protect against attack when you have a standard infrastructure and the same vulnerability exists in many places across that infrastructure?

Hypervisor vulnerabilities
• How can you protect the hypervisor (a key component for cloud infrastructures), which interacts with and manages multiple environments in the cloud? The hypervisor is a potential target for gaining access to more systems and hosted images.

Multi-tenant environments
• How do you ensure that systems and applications are appropriately and sufficiently isolated and protected against malicious server-to-server communication?

Security policies
• How do you ensure that security policies are accurately and fully implemented across the cloud architectures you are using and buying into?

Identity Management
• How do you control passwords and access tokens in the cloud?
• How do you federate identity in the cloud?
• How can you prevent user IDs / passwords from being passed and exposed in the cloud unnecessarily, increasing risk?

Architecture
Standardized infrastructure and applications; increased commoditization leading to more opportunity to exploit a single vulnerability many times.

Applications
There has been a significant increase in web application vulnerabilities, so much so that these vulnerabilities make up more than half of the disclosed vulnerabilities over the past 4 years.

Software Vulnerabilities
• How do you check and manage vulnerabilities in applications?
• How do you secure applications in the cloud that are increasingly targeted due to the large user population?

Patch management
• How do you secure applications where patches are not available?
• How do you ensure images are patched and up to date when deployed in the cloud?

Application devices
• How do you manage the new access devices using their own new application software?
• How do you ensure they are not introducing a new set of vulnerabilities and ways to exploit your data?

Operational oversight
• When logs no longer just cover your own environment, do you need to retrieve and analyze audit logs from diverse systems potentially containing information with multiple customers?

Audit and assurance
• What level of assurance and how many providers will you need to deal with?
• Do you need to have an audit of every cloud service provider?

Investigating an incident
• How much experience does your provider have of audit and investigation in a shared environment?
• How much experience do they have of conducting investigations without impacting service or data confidentiality?

Experience of new cloud providers
• What will the security of data be if the cloud providers are no longer in business?
• Has business continuity been considered for this eventuality?

Assurance
Challenges exist for testing and assuring the infrastructure, especially when there is no easy way for data centre visits or penetration (pen) tests.