
Cloud Security

Cloud Security. John Spaid, CISA, CISM, CISSP Central OK ISACA Chapter, 2 May 2014. Agenda. Cloud basics Primary security concerns Control objectives overview Control Technologies. Cloud Basics.


Presentation Transcript


  1. Cloud Security John Spaid, CISA, CISM, CISSP Central OK ISACA Chapter, 2 May 2014

  2. Agenda • Cloud basics • Primary security concerns • Control objectives overview • Control Technologies

  3. Cloud Basics

  4. The NIST Definition of Cloud Computing (National Institute of Standards and Technology) lists five essential characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service.

  5. Cloud Service Models. Four columns: Conventional IT, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS). Each column shows the same stack of layers, top to bottom: Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Network.

  6. Cloud Service Models
      Service Model | Target Users | Examples
      SaaS | Business & End Users | Salesforce, Office 365, Dropbox
      PaaS | IT Developers | Google App Engine
      IaaS | IT Infrastructure & Operations | Azure, VMware, Amazon

  7. Cloud Deployment Models

  8. Primary Security Concerns

  9. Risk • Unavailability • Loss • Theft • Disclosure

  10. Availability

  11. Visibility. The same stack diagram as slide 5, with columns for Conventional IT, Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), and layers Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Network.

  12. Visibility

  13. Risks by Cloud Service Model

  14. IaaS Risks • Physical Security • Trans-border Requirements • Multi-tenancy & Isolation Failure • Disaster Recovery Plan & Backup • Data Disposal

  15. PaaS Risks • Application Mapping • SOA-related Vulnerabilities • Application Disposal

  16. SaaS Risks • Data Ownership • Data Disposal • Identity & Access Management • Exit Strategy • Ease to Contract

  17. Risks by Cloud Deployment Model

  18. Public Cloud Risks • Multi-tenancy • Collateral Damage (meme caption: "WE SAVED THE CITY WITH NO COLLATERAL DAMAGE" SAID NO SUPERHERO EVER)

  19. Community Cloud Risks • Sharing the Cloud

  20. Private Cloud Risks • Upfront costs • Application compatibility • Skillset requirements

  21. Hybrid Cloud Risks • Cloud inter-dependency • Public & Private cloud risks

  22. Control Objectives Overview Cloud Security Assessment Toolkit

  23. Cloud Security Alliance: Cloud Controls Matrix • Latest version released in September 2013 • Available at CSA website • Free

  24. CSA’s CCM: Controls Addressed
      • AICPA TS Map
      • AICPA Trust Service Criteria (SOC 2 Report)
      • BITS Shared Assessments AUP v5.0
      • BITS Shared Assessments SIG v6.0
      • BSI Germany
      • CCM V1.X
      • COBIT 4.1
      • CSA Enterprise Architecture / Trust Cloud Initiative
      • CSA Guidance V3.0
      • ENISA IAF
      • FedRAMP Security Controls (Final Release, Jan 2012), LOW IMPACT LEVEL
      • FedRAMP Security Controls (Final Release, Jan 2012), MODERATE IMPACT LEVEL
      • GAPP (Aug 2009)
      • HIPAA / HITECH Act
      • ISO/IEC 27001:2005
      • Jericho Forum
      • NERC CIP
      • NIST SP800-53 R3
      • NZISM
      • PCI DSS v2.0

  25. Control Technologies

  26. IaaS Control Technologies • Hypervisor Proxy • Whole-Disk Encryption • Logical Firewall Automation • Compliance/Vulnerability Scan Automation • Log Monitoring & Backup • Vendor Selection • Technology – Application Compatibility • Compliance Requirements

  27. PaaS Control Technologies • Cloud Security Gateway • Automated Code Vulnerability Scans NONE SHALL PASS

  28. SaaS Control Technologies • Cloud Security Gateway • Identity Federation • Data Backup • Proper configuration of CSP-provided controls

  29. Cloud Identity & Access Management

  30. By 2020, 60% of all digital identities interacting with enterprises will come from external identity providers through a competitive marketplace, up from less than 10% today. Gartner Predicts 2014: Identity and Access Management

  31. By year-end 2020, 80% of user access will be shaped by new mobile and non-PC architectures that service all identity types regardless of origin. Gartner Predicts 2014: Identity and Access Management

  32. RBAC to ABAC • Traditional access has been role-based • Market forces will push toward attribute-based access control

  33. Cloud Identity Management Technologies • Security Assertion Markup Language (SAML) • Principal (user) • Identity Provider (IdP) • Service Provider (SP)

  34. Summary
      • Cloud services have risks based on:
        • Service Model
        • Deployment Model
      • Visibility into risk is key for cloud
      • The Cloud Security Alliance’s Cloud Control Matrix maps controls to regulations
      • Cloud identity management is a high-risk category for enterprises
      • SAML is a protocol that enables enterprises to control user identity & access control

  35. John Spaid
