Cloud Computing - Security Steven C. Markey, MSIS, PMP, CISSP, CIPP, CISM, CISA, STS-EV, CCSK Principal, nControl, LLC Adjunct Professor, Philadelphia University
Cloud Security Risk & Cloud Security Guidance SPI Security Offerings Identity & Access Mgmt (IAM) Explained Public Key Infrastructure (PKI) Explained Virtualization Security Explained Securing Your Public Cloud Secure Cloud Options Service-Level Agreements (SLAs)
Risk & Cloud • The Cloud is Perceived as Risky Business • Lack of Control • Immature Vendors/Technologies • Hacks, Outages, Natural Disasters….Oh My! Source: Youtube
Risk & Cloud • Things to Look for in a Cloud Provider • Industry Experience • Process Alignment • Business Model/Technical Strategy
Industry Experience • Industry Vertical • Jurisdictional Mandates • Business Ecosystem • Scalability
Process Alignment • Change/Configuration Management • Incident Response • BCM/DR • Litigation Support • Right to Audit
Business Model/Technical Strategy • Platform • Geographic/Demographic Market • Core Competency • Pricing
Security Guidance • CSA Guide v2.1 • ENISA Cloud Computing Risk Assessment • NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing
Cloud Security Alliance (CSA) Guide • CSA Guide v2.1 Domains • Governance & Enterprise Risk • Legal and Electronic Discovery • Information Lifecycle Management • Portability & Interoperability • Traditional Security, BCM/DR • Data Center Operations • Incident Response • Application Security • Encryption & Key Management • Identity and Access Management • Virtualization
ENISA Risk Assessment • ENISA Information Assurance Requirements • Personnel Security • Supply-Chain Assurance • Operational Security • Identity and Access Management • Asset Management • Data and Service Portability • Business Continuity Management • Physical Security • Environmental Controls • Legal Requirements
NIST SP 800-144 • NIST SP 800-144 Domains • Governance • Compliance • Trust • Architecture • Identity and Access Management • Software Isolation • Data Protection • Availability • Incident Response
SaaS Security • IAM • Built As Needed/Requested • Federated • 3rd Party SFA/2FA/MFA • PKI • Built As Needed/Requested • Database/Table/Field-Level
PaaS Security • IAM • Built Into Application • Federated • OpenID • OAuth • SAML • WS-Trust • REST • Active Directory Federation Services (ADFS) • Windows Identity Foundation (WIF) • Windows Security Token Service (STS) • 3rd Party SFA/2FA/MFA • Google Has Native Offering (Probably Reselling)
PaaS Security • PKI • General • SSL/TLS Support • Force.com • Spring ‘11 • Encryption and Key Management • Windows/SQL Azure • Crypto Services • Transparent Data Encryption (TDE) • Cryptographic Service Providers (CSPs)
IaaS Security • PKI • General • Supported, Build It And They Will Come • Storage • Encrypt First, Then Upload
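The "Encrypt First, Then Upload" rule for IaaS object storage, as an added example in Go (not code from the slides or from any provider's SDK): the client seals each object with AES-256-GCM under a key it keeps off-cloud and binds the object name as associated data, so only ciphertext reaches the provider and a blob copied to another object name will not decrypt. The key, the object name and the sample record are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts plaintext with AES-256-GCM under a key the client keeps
// off-cloud. objectName is bound as associated data, so a blob copied to a
// different object key in the bucket will not decrypt under the new name.
// Output layout: 12-byte nonce || ciphertext || 16-byte GCM tag.
func Seal(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to dst (the nonce slice here).
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. Any modified byte, or a blob presented under another
// object name, fails the tag check and yields an error instead of plaintext.
func Open(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob shorter than nonce plus tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("decrypt %q: %w", objectName, err)
	}
	return pt, nil
}

// newGCM enforces AES-256 (32-byte key) and returns the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo key and record; in practice the key comes from an
	// on-premises KMS or HSM, never from the provider's storage account.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	name := "customers/42.json"
	record := []byte(`{"id":42,"ssn":"000-00-0000"}`) // constructed sample
	blob, err := Seal(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %s: %d bytes of ciphertext\n", name, len(blob))
	// Renaming the object (by the provider or by whoever copies it)
	// does not let it decrypt as a different customer's record.
	if _, err := Open(key, "customers/43.json", blob); err != nil {
		fmt.Println("rename rejected:", err)
	}
	pt, err := Open(key, name, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("download ok:", string(pt))
}
```

The nonce is random per object and stored with the blob; under one key that is safe for far more objects than a bucket will hold, but rotating the key per bucket or per tenant keeps the nonce space comfortable and limits what one leaked key exposes.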
IAM Explained • IAM Technologies • Kerberos • RADIUS • SSO • Federated
IAM Explained • IAM Technologies • Kerberos • Created at MIT • Internal Network Authentication • Implementations • Linux • Windows/Active Directory
IAM Explained • IAM Technologies • Kerberos (Continued)
IAM Explained • IAM Technologies • RADIUS • Remote Authentication Dial-In User Service • External Network Authentication, Authorization & Accounting (AAA) • VPN • WLANs (802.1X/EAP) • Implementations • Linux • OpenRADIUS • FreeRADIUS • Microsoft • Forefront TMG • Internet Authentication Service (IAS), succeeded by Network Policy Server (NPS)
IAM Explained • IAM Technologies • SSO • Single Sign-On • Allows User to Gain Access to Multiple Systems/Apps With One Authentication • Reduces Password Fatigue (and Concentrates Risk in the One Credential) • Implementations • Externally • OTP: One-Time Password • Smart Card • Internally • Kerberos • LDAP: Lightweight Directory Access Protocol • Windows Integrated Authentication (Kerberos or NTLM Against Active Directory)
IAM Explained • IAM Technologies • Federated • OpenID • OAuth • SAML • WS-Trust • REST • ADFS • WIF • STS
IAM Technologies • Federated • OAuth • Authorization Only • Through Tokens
PKI Explained • Crypto Terms • Encryption • Takes input data and a secret key and outputs ciphertext that reveals nothing about the input to anyone without the key. • Hashing • Takes input data of any length and outputs a fixed-size digest; for a secure hash it is computationally infeasible to find two inputs with the same digest, so the digest stands in for the data. • Symmetric Key • Same key to encrypt/decrypt data – both parties must already share the secret (known receiver) • Asymmetric Key • Different keys to encrypt/decrypt data – the public key can be handed to anyone (unknown receiver)
PKI Explained • Crypto Examples • Symmetric Key • Deployment: IPSec (AH, ESP), Database, Tape, DRM • Asymmetric Key • Deployment: HTTPS (HTTP & SSL/TLS), WLAN, IPSec (IKE), S/MIME, SSH, SFTP • Hash Functions • MD5, SHA-1, SHA-2 (MD5 and SHA-1 are collision-broken; use SHA-2 for anything new) • HMAC: a keyed message authentication code built on a hash, e.g. HMAC-SHA256 • Encryption • Symmetric Algorithms: AES, Twofish, Serpent, DES (56-bit key, obsolete), Triple DES (TDES) • Asymmetric Algorithms: Diffie-Hellman, RSA, ECC, DSA, El Gamal
PKI Explained • PKI: 50,000 Feet • Asymmetric Key Pairs & Hash Functions • Public & Private Key • Leverages a Symmetric Algorithm for the Plaintext (hybrid: the public key only wraps a symmetric session key) • Architecture • Confidentiality: Sender encrypts with the receiver's Public key, Receiver decrypts with their Private key • Authenticity: Sender signs with their own Private key, Receiver verifies with the sender's Public key • Analogy • Sender: Cipher, then USPS; Receiver: USPS, then Cipher
PKI Explained Ciphertext
PKI Explained • Digital Signature • Digital Certificate • X.509
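The "50,000 feet" private/public flow and the Digital Signature, Digital Certificate and X.509 slides, worked through as an added example in Go using only the standard library (not code from the slides): a self-signed CA issues an X.509 leaf certificate, the signer hashes a message with SHA-256 and signs the digest with the leaf's private key, and the relying party first verifies the certificate chain and validity period, then checks the signature under the public key the certificate carries. Names, serial numbers and the message are constructed; P-256 ECDSA is used instead of RSA purely for speed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is a key pair plus the X.509 certificate binding its public half
// to a name. Only the certificate is ever shared; the key stays local.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewCA creates a self-signed root: the CA vouches for its own public key.
func NewCA(name string, now time.Time) (*Identity, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, nil)
}

// Issue has the CA sign a one-year leaf certificate for name.
func (ca *Identity) Issue(name string, serial int64, now time.Time) (*Identity, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    now,
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca)
}

// issue generates a fresh P-256 key pair and signs tmpl with signer's private
// key, or with the new key itself when signer is nil (self-signed).
func issue(tmpl *x509.Certificate, signer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	parent, signKey := tmpl, key
	if signer != nil {
		parent, signKey = signer.Cert, signer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// Sign hashes msg with SHA-256 and signs the digest with the private key
// (the "sender: private" half of the architecture).
func (id *Identity) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
}

// VerifySigned is the relying party's side: the certificate must chain to the
// trusted root and be valid at now, then the signature must verify under the
// public key that certificate carries ("receiver: public").
func VerifySigned(root, cert *x509.Certificate, msg, sig []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match message")
	}
	return nil
}

func main() {
	now := time.Now()
	ca, _ := NewCA("Example Root CA", now) // constructed names
	alice, _ := ca.Issue("alice@example.test", 2, now)
	msg := []byte("constructed message: approve transfer 100")
	sig, _ := alice.Sign(msg)
	fmt.Println("genuine:", VerifySigned(ca.Cert, alice.Cert, msg, sig, now))
	fmt.Println("tampered:", VerifySigned(ca.Cert, alice.Cert, []byte("approve transfer 1000"), sig, now))
}
```

The order matters: checking the signature before the chain would let anyone present a certificate for "alice" issued by a CA of their own choosing, which is exactly the case the rogue-issuer check below rejects.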
Securing Your Public Cloud • AWS – Virtual Firewall Source: Amazon
Securing Your Public Cloud Source: VPN-Cubed