How to Gain Comfort in Losing Control to the Cloud. Randolph Barr, CSO - Qualys, Inc. SourceBoston, 23 April 2010. At a Glance: NIST Definition; Cloud Challenge; Cloud Concern; Added Security Concerns; Security Transition; Is Cloud ready for you; Available Resources; Where to start.
How to Gain Comfort in Losing Control to the Cloud
Randolph Barr, CSO - Qualys, Inc
SourceBoston, 23 April 2010

At a Glance
• NIST Definition
• Cloud Challenge
• Cloud Concern
• Added Security Concerns
• Security Transition
• Is Cloud ready for you
• Available Resources
• Where to start
NIST Definition of Cloud Computing
• http://csrc.nist.gov/groups/SNS/cloud-computing/
“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.” -- Information Week http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319
Cloud Security Incident
“In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”
• Makeshift Data Center
• Perimeter Security
• Incident Response
• Product Security
• Features
• Interpretation
• Sold as a premium feature
• Attackers are ignoring the front door
• Current Anti-Virus solutions are not working
• Patching sometimes is not enough
• You might be playing in the big leagues
• http://googleblog.blogspot.com/2010/01/new-approach-to-china.html
• http://www.qualys.com/aurora
Added Security Concerns
• Business units bypass IT and Security
• Individuals using cloud services
• How can IT / Security get in front of decisions to use the cloud?
• Must do a better job managing risk
Cloud Security Shift
• Customer Options
• Security is a business enabler
• Raise cloud user comfort
• Provide transparency
• Collaboration
• Focus on business and not security
• Business disabler
• Cloud Provider knows how to implement security
• Not transparent
Security Transition
• Lessons Learned
• Customer Concerns
• Security Questionnaires
• Responses to questions varied
• Increase in questionnaires
• Requests for evidence
Critical Challenges for Cloud Security
• Staffing / Resources
• Security Budgets
• Questionnaires
• Follow-up Reviews
• Customer Reviews
• External and Internal Reviews
• Regulatory Compliance
• Reduce Confusion
• Security Program
Enterprise CIO Strategies — IT Security Needs to be Aligned
• Link Business and IT strategies and plans
• Deliver projects and enable business growth
• Cloud Computing
• Web 2.0
• Virtualization
(February 2010)
Is Cloud Ready for You
• Determine the business need
• Will the Cloud Provider be around?
• What data will be stored?
• Where will it be stored?
• What are your classification and control requirements for that data?
Is Cloud Ready for You
• What controls does the provider implement?
• Who is responsible for security?
• Are there third party validations?
• Right to Audit
• Process for removing data
• Incident Response
• How often do you need to review?
Resources Available to Cloud Users
• Cloud Security Alliance
• CSA Guide (guides your approach with internal legal / business units); also gives recommendations for users and providers
• Top Threats to Cloud Security (underwritten by HP)
• ENISA
• Security Benefits and Risks of Cloud
• Makes recommendations on the risks and on how to maximize the benefits
Resources Available to Cloud Users
• Shared Assessments
• Target Data Tracker
• Self Information Gathering (SIG) – Level I, Level II
• AUP
• Business Continuity Questions, Privacy Questions, Other tools
• Jericho Forum
• Cloud Cube Model
• Self-Assessment
What Will Be Stored
• Know your provider
• Ask them what data is required to be stored
• Verify with your internal business team
Where Will it be Stored
• Request their locations
• Validate that all locations are accounted for
• Request that they describe the types of controls in place
How to Verify
• Target your questionnaire
• Questions should clearly identify whether they concern internal or production environments
• "No" and "N/A" answers should have the comments section completed
Assessment
• www.jerichoforum.org/SAS_Guide.pdf
Other Options
• Security Questionnaires
• On-site Review
• ISO 27002
• SAS-70 Type II
• ISAE 3402
• SysTrust
• PCI
• Third Party Penetration Test
• Emerging Cloud Certifications / Assessments
Moving Forward
• Provider security maturing
• Continuous Assessment
• Transparency
• Vendor Cooperation
• Collaboration
• Community
Available to Cloud Users
• Qualys
  http://www.qualys.com/products/qg_suite/malware_detection/
  http://www.qualys.com/aurora
• Cloud Security Alliance
  http://www.cloudsecurityalliance.org/
• Jericho Forum
  http://www.opengroup.org/jericho/
• Shared Assessments
  http://www.sharedassessments.org/
• ISAE 3402
  http://www.ifac.org/MediaCenter/?q=node/view/687
Thank you
rbarr@qualys.com