Securing the Cloud: Masterclass 1 Lee Newcombe (lee.newcombe@capgemini.com) Infrastructure Services April 2013
Agenda
• Introduction
• Establishing a common point of view
• Cloud Threats – who may attack your services?
• Cloud Risks. And Benefits?
• An approach to secure adoption of cloud services
• Conclusions
Introduction
• Capgemini’s lead on Cloud Security since 2009
• Named contributor to versions 2 and 3 of the Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing
• Member of the Editorial Board of the Springer Journal of Cloud Computing
• Member of the Program Committee for the CLOSER academic conference
• Author of numerous articles: Computer Weekly, SC Magazine, Data Centre Solutions, Computing…
• Regular speaker, e.g. CloudCamp, Cloud Circle Forum, sponsored Breakfast Briefings etc.
• Sole industry security SME on the HMG Data Centre Consolidation Strategy project – which gave rise to the G-Cloud
• Extensive shared services background – e.g. security lead for the Police National Database (PND) from inception to operation
Cloud Computing – NIST
Cloud Computing: “…a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction…”
csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
Essential Characteristics of Cloud Computing
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity; and
• Measured service.
Service Models
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g. web-based e-mail), or a program interface…
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider…
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications…
NIST Deployment Models and Jericho Cloud Cube
The Jericho Forum® Cloud Cube Model represents an alternative way of describing deployment models.
http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
A little about you…
Are you currently using cloud-based services within your organisation?
Are you currently using cloud-based services for production? IaaS? PaaS? SaaS? A combination of the above?
How many of you have tried the cloud but reverted to a more traditional approach?
National Security Letters (NSL) – Microsoft
However… Judge Susan Illston of the US District Court in San Francisco found that the “gag order” provision of the NSL law violates the First Amendment protections on freedom of speech.
https://www.eff.org/document/nsl-ruling-march-14-2013
http://www.microsoft.com/about/corporatecitizenship/en-us/reporting/transparency/
CSA “Notorious Nine”
http://www.cloudsecurityalliance.org/topthreats/
Cloud Risks
• Compliance
• Multi-tenancy
• Assurance
• Supply chain – cloud, on cloud, on cloud, on…
• Lock-in
• Standard Terms and Conditions
PCI-DSS (Payment Card Industry – Data Security Standard)
Penalties
$25 for each account reissued
$5 for each account monitored but not reissued
Severity of fine will depend upon Acquirer / Merchant progress, co-operation, number of accounts at risk, and what sensitive data has been stored, i.e. CSC, Track 2.
Failure by an Acquirer to comply with the ‘Acquirer Responsibilities’ defined in the Rules can incur a further $25k per day until compliant.
The assessments for Wrongful Disclosure and Failure to Secure Data are up to USD 100,000 per violation.
The assessments for Retention of Prohibited Data (mag stripe, CVC 2) are up to USD 100,000 per violation.
http://ask.barclaycard.co.uk/business/allfaqs/1_fraud_security/fines_2
“A sports apparel retailer is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa. … Visa is not the only card company to go after Genesco and its banks. MasterCard did as well. The two companies combined imposed $15.6 million in fines and assessments, but Genesco has so far only sued Visa.”
http://www.wired.com/threatlevel/2013/03/genesco-sues-visa
Compliance Process Include stamp of approval from Legal here…
Cloud Benefits?
• Cost-effective datacentre security
• Improved resilience
• More efficient security patching
• Improved security expertise, including application-specific expertise, at the centre
• Cloud data storage and sharing vs removable media
• Encourages adoption of Jericho principles
Security Architecture
“The fundamental security organization of a system, embodied in its components, their relationships to each other and the environment, and the security principles governing its design and evolution”
Adapted from: ISO/IEC 42010:2007
Modelling Different Delivery Responsibilities
The delivery responsibilities for the security services shift from the consumer to the provider as you move from IaaS to SaaS. The interfaces between consumer and provider present a risk of gaps in capability and of poor, missing or mistaken communication between the two parties.
Conclusions
• All delivery models are unique. Cloud computing models have unique security challenges. So do other delivery models, including on-premise and traditional outsourcing.
• Cloud is an evolution, not a revolution.
• The threat actors remain mostly the same, cloud or on-premise.
• The risks remain mostly the same, whether your applications are hosted on-premise or on-cloud; however:
  • increased sharing of resources due to multi-tenancy introduces new attack surfaces
  • assurance difficulties can cause compliance issues (data residency, data deletion, segregation etc.)
Conclusions
• The security architecture approach can help to enable cloud adoption:
  • Architecture methodologies help to enforce consistency across an enterprise, no matter the IT delivery model.
  • Architecture methodologies help to identify the security services required from a Provider.
  • Architecture helps to identify areas of overlap or interface (or confusion or omission) between Provider and Consumer.
  • Architecture helps to inform service procurement.
Securing the Cloud: Workshops!
Security preparation: Getting ready for cloud adoption
Security planning: Architecting for cloud services
Security in practice: Operating in the cloud
John Arnold, Lee Newcombe, John Martinez