Security, Privacy and the Cloud
Connecticut Community Providers’ Association
June 20, 2014
Steven R Bulmer, VP of Professional Services
Agenda
• Introduction to Cloud Computing Models
• Top Threats
• Categorical Approach to Cloud Security
• Technology Areas of Focus
• Encryption
Definitions – Cloud Computing
• Cloud Computing is:
  • A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications & services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• This cloud model promotes availability and is composed of:
  • 5 essential characteristics
  • 3 service models
  • 4 deployment models
• Source: National Institute of Standards and Technology, http://csrc.nist.gov/groups/SNS/cloud-computing
Cloud Definitions Cont’d
• Cloud Characteristics
  • On-demand Self-Service – The user provisions their own services
  • Ubiquitous Network Access – Standard network or mobile access
  • Resource Pooling – Shared resources and location independence
  • Elasticity – Capabilities scaled up or released “rapidly”
  • Measured Service – Metered, monitored and billed as a utility
Cloud Definitions Cont’d
• Cloud Service Models
  • Software as a Service (SaaS) – User access to the application layer
  • Platform as a Service (PaaS) – User deployment using the provider’s tools
  • Infrastructure as a Service (IaaS) – User access to IT infrastructure
Cloud Definitions Cont’d
• Cloud Deployment Models
  • Private Cloud – Deployed for a single organization or company
  • Community Cloud – Shared by organizations with similar needs
  • Public Cloud – Cloud services available to all and shared
  • Hybrid Cloud – Two or more clouds with an operational relationship
Cloud Layers (diagram)
• Layers, top to bottom: Business Services, Application Logic, Middleware/DB, Infrastructure
• Service models mapped against the layers: SaaS, PaaS, IaaS
• Each layer is marked as either Customer Provided or Cloud Provided
Top Cloud Security Threats
• Data Breaches
• Data Loss
• Account or Service Traffic Hijacking
• Insecure Interfaces and APIs
• Denial of Service Attacks
• Malicious Insiders
• Abuse of Cloud Services
• Insufficient Due Diligence
• Shared Technology Vulnerabilities
Source: Cloud Security Alliance, cloudsecurityalliance.org
Approach to Security in the Cloud
• Governance
  • Assessing the Risk
  • Managing and Measuring Posture and Response
• Compliance
  • Direct policy and technology requirements to meet regulations
• Architecture
  • The technical components and their inherent strengths and weaknesses
• Resiliency
  • The ability to withstand and/or recover from an incident
• Process
  • Established, regular IT practices that ensure policy adherence
• Access
  • Identity and authentication
Technical Focus
• Architecture
  • Provisioning Process and Capability
  • Software / Network Isolation
  • Multi-tenancy vs Dedicated
  • Hypervisor structure
  • Network structure
  • Security Infrastructure
• Resiliency/Availability
  • Business Continuity and Disaster Recovery
  • Data Integrity
• Identity and Access Management
  • Authentication tie-ins to the customer, or stand-alone
• Data Protection
  • Backups and Recovery
  • Data Location and Encryption
  • Physical Security
A Few Words On Encryption
• Encryption Built into the Cloud Service vs Encrypting at the Source
• SaaS and PaaS:
  • SSL-based transfer prior to encryption in the cloud
  • Read and Understand the Privacy Policy
• Cloud Storage
  • Encrypt locally, then store in the cloud (e.g. DropBox)
    • Viivo, Sookasa, BoxCryptor, CloudFogger
  • Use an integrated hybrid cloud storage solution
    • Wuala, SpiderOak, Tresorit
  • Use Appliance-Based Backups & BC (Business Continuity)
    • Walker/Datto
Encryption (cont’d)
• Cloud Storage features to look for:
  • Granularity: File vs Container vs Volume
  • Key Management
  • Administrative features to meet your needs (e.g. compliance)
  • Does it work with the service(s) you use?
    • Dropbox, Box.com, Google Drive, Microsoft SkyDrive, Amazon S3
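As an added example (not from the slides, and not the code of any product named on them), here is the “encrypt locally, then store in the cloud” pattern from the two encryption slides written in Go with only the standard library. The hypothetical LocalVault type generates the AES-256 key on the customer’s side and seals each file separately (file-level granularity), binding the object name as associated data, so the provider only ever holds blobs it can neither read nor silently swap between names; Seal and Open are what an upload and download path would call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// LocalVault is a hypothetical helper (not from the slides): the AES-256 key
// is generated and kept on the customer's side; the provider only sees blobs.
type LocalVault struct{ gcm cipher.AEAD }

// NewLocalVault generates the key on the client; it is never uploaded.
func NewLocalVault() (*LocalVault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &LocalVault{gcm: gcm}, nil
}

// Seal encrypts one file (file-level granularity) before upload. The object
// name is bound as associated data, so a blob copied under another name by
// someone with storage-side access will not decrypt.
func (v *LocalVault) Seal(objectName string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || GCM tag
	return v.gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob fetched back from the cloud, verifying its tag.
func (v *LocalVault) Open(objectName string, blob []byte) ([]byte, error) {
	if len(blob) < v.gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:v.gcm.NonceSize()], blob[v.gcm.NonceSize():]
	return v.gcm.Open(nil, nonce, ct, []byte(objectName))
}
```

Key management is the part the slides ask you to look for in a product: this block keeps the key in memory only, and a real deployment must decide where that key lives and how it is backed up, since losing it loses every blob.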
Sources
• Cloud Security Alliance – http://cloudsecurityalliance.org
• NIST Cloud Computing Definition – http://csrc.nist.gov/groups/SNS/cloud-computing
• CSA Top Nine Cloud Computing Threats White Paper – https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
• HIPAA Guidelines Simplified from HHS – http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
• NIST Cloud Security for Federal Agencies White Paper – http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
Thank You. 860.678.3530 | TheWalkerGroup.com | info@thewalkergroup.com