
Security, Privacy and the Cloud

Security, Privacy and the Cloud. Connecticut Community Providers’ Association June 20, 2014 Steven R Bulmer, VP of Professional Services. Agenda. Introduction to Cloud Computing Models Top Threats Categorical Approach to Cloud Security Technology Areas of Focus Encryption.



Presentation Transcript


  1. Security, Privacy and the Cloud
  Connecticut Community Providers’ Association, June 20, 2014
  Steven R Bulmer, VP of Professional Services

  2. Agenda
  • Introduction to Cloud Computing Models
  • Top Threats
  • Categorical Approach to Cloud Security
  • Technology Areas of Focus
  • Encryption

  3. Definitions – Cloud Computing
  • Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications & services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
  • This cloud model promotes availability and is composed of:
    • 5 essential characteristics
    • 3 service models
    • 4 deployment models
  • Source: National Institute of Standards and Technology, http://csrc.nist.gov/groups/SNS/cloud-computing

  4. Cloud Definitions Cont’d – Cloud Characteristics
  • On-demand Self-Service – User provisions their own services
  • Ubiquitous Network Access – Standard network or mobile access
  • Resource Pooling – Shared resources and location independence
  • Elasticity – Capabilities scaled up or released “rapidly”
  • Measured Service – Metered, monitored and billed as a utility

  5. Cloud Definitions Cont’d – Cloud Service Models
  • Software as a Service (SaaS) – User access to the application layer
  • Platform as a Service (PaaS) – User deployment using the provider’s tools
  • Infrastructure as a Service (IaaS) – User access to IT infrastructure

  6. Cloud Definitions Cont’d – Cloud Deployment Models
  • Private Cloud – Deployed for a single organization or company
  • Community Cloud – Shared by organizations with similar needs
  • Public Cloud – Cloud services available to all and shared
  • Hybrid Cloud – Two or more clouds with an operational relationship

  7. Cloud Layers (diagram): the layers Business Services, Application Logic, Middleware/DB and Infrastructure are stacked against the SaaS, PaaS and IaaS service models, with each layer marked as either Customer Provided or Cloud Provided.

  8. Top Cloud Security Threats
  • Data Breaches
  • Data Loss
  • Account or Service Traffic Hijacking
  • Insecure Interfaces and APIs
  • Denial of Service Attacks
  • Malicious Insiders
  • Abuse of Cloud Services
  • Insufficient Due Diligence
  • Shared Technology Vulnerabilities
  Source: Cloud Security Alliance, cloudsecurityalliance.org

  9. Approach to Security in the Cloud
  • Governance – Assessing the risk; managing and measuring posture and response
  • Compliance – Direct policy and technology requirements to meet regulations
  • Architecture – The technical components and their inherent strengths and weaknesses
  • Resiliency – The ability to withstand and/or recover from an incident
  • Process – Established, regular IT practices that ensure policy adherence
  • Access – Identity and authentication

  10. Security in the Cloud

  11. Technical Focus
  • Architecture
    • Provisioning process and capability
    • Software / network isolation
    • Multi-tenancy vs dedicated
    • Hypervisor structure
    • Network structure
    • Security infrastructure
  • Resiliency/Availability
    • Business continuity and disaster recovery
    • Data integrity
  • Identity and Access Management
    • Authentication tie-ins to the customer, or stand-alone
  • Data Protection
    • Backups and recovery
    • Data location and encryption
  • Physical Security

  12. A Few Words On Encryption
  • Encryption built into the cloud service vs encrypting at the source
  • SaaS and PaaS:
    • SSL-based transfer prior to encryption in the cloud
    • Read and understand the privacy policy
  • Cloud Storage:
    • Encrypt locally, then store in the cloud (e.g. Dropbox): Viivo, Sookasa, BoxCryptor, CloudFogger
    • Use an integrated hybrid cloud storage solution: Wuala, SpiderOak, Tresorit
    • Use appliance-based backups & business continuity: Walker/Datto

  13. Encryption (cont’d) – Cloud storage features to look for:
  • Granularity: file vs container vs volume
  • Key management
  • Administrative features to meet your needs (e.g. compliance)
  • Does it work with the service(s) you use? Dropbox, Box.com, Google Drive, Microsoft SkyDrive, Amazon S3
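Slides 12 and 13 recommend encrypting locally before storing in the cloud, and looking for file-level granularity and key management. The Go program below is an added example, not from the presentation or from any of the products named, of what that looks like for one file: an AES-256-GCM key generated and kept on the client, the file's cloud path bound into the ciphertext as associated data, and the provider receiving only the encrypted blob. The path and record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps the user's locally held AES-256 key; the key never leaves the client.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts one file with AES-256-GCM before upload. The cloud path is bound
// in as associated data, so a blob renamed or moved on the provider side no longer
// decrypts. Output layout: nonce || ciphertext || tag.
func sealFile(key []byte, path string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// openFile reverses sealFile after download; tampering, a wrong key or a wrong path
// yields an authentication error instead of garbage plaintext.
func openFile(key []byte, path string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated blob")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], []byte(path))
}

func main() {
	key := make([]byte, 32)
	_, _ = rand.Read(key) // key is generated on the client and never uploaded
	blob, _ := sealFile(key, "clients/intake.pdf", []byte("constructed sample record"))
	pt, err := openFile(key, "clients/intake.pdf", blob) // the provider only ever stores blob
	fmt.Println(string(pt), err)
}
```

Because the path is authenticated, a backup tool can detect a blob that was swapped between paths on the provider side, which is the kind of file-level granularity slide 13 asks about.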

  14. Sources
  • Cloud Security Alliance: http://cloudsecurityalliance.org
  • NIST Cloud Computing Definition: http://csrc.nist.gov/groups/SNS/cloud-computing
  • CSA Top Nine Cloud Computing Threats White Paper: https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
  • HIPAA Guidelines Simplified from HHS: http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
  • NIST Cloud Security for Federal Agencies White Paper: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494

  15. Thank You. 860.678.3530 | TheWalkerGroup.com | info@thewalkergroup.com
