Cloud Computing


Presentation Transcript

Slide 1

Cloud Computing: Critical Areas of Focus To Manage Risk
Tom Witwicki, CIPP, INFOSEC
Jan 13, 2010

Slide 2

Requiring careful consideration of the risks to be managed (acknowledgement: Cloud Security Alliance):
- Cloud Architecture and Delivery Models
- Risk Management
- Legal
- Compliance and Audit
- Information Lifecycle Management
- Portability and Interoperability
- Incident Response
- Business Continuity
- Data Center Operations
- Encryption and Key Management
- Identity and Access Management
- Storage
- Virtualization

Slide 3

Control Disconnect: the principles for managing risk still apply, but the game has changed.
- Enterprise: Security Policy; Control Requirements; Controls Compliance/Auditing
- Cloud Vendor: Control Design and Implementation; Control Monitoring

Slide 4

Characteristics of Cloud Computing
- Abstraction of Infrastructure: opaque from the application's point of view; high levels of virtualization (OS, file systems)
- Democratization of Resources: pooled assets (shared or dedicated)
- Services Oriented Architecture: focus on delivery of services, not on management
- Elasticity/Dynamism: rapidly expand or contract resource usage
- Utility Consumption Model: "all-you-can-eat" but "pay-by-the-bite"

Slide 5

Service Delivery Models
- SaaS (Software as a Service): least extensibility and the greatest amount of security responsibility taken on by the cloud provider
- PaaS (Platform as a Service): lies somewhere in the middle, with extensibility and security features which must be used by the customer
- IaaS (Infrastructure as a Service): greatest extensibility and the least amount of security responsibility taken on by the cloud provider
- Classify the service to determine the security responsibilities of the customer

Slide 6

Deployment Modalities
- Private: single-tenant operating environment; on or off premises; "trusted" consumers
- Public: single- or multi-tenant environment; infrastructure owned and managed by the service provider; consumers considered "untrusted"
- Managed: single- or multi-tenant; infrastructure on premises, managed and controlled by the service provider; consumers trusted or untrusted
- Hybrid: combination of public and private offerings; application portability; data exchange across distinct cloud offerings

Slide 7

Cloud Reference Model: SaaS, PaaS, IaaS

Slide 8

Mapping the Cloud to the Security Model
- SaaS: SDLC, application firewalls; data classification, DLP, audit logging, encryption
- PaaS: configuration and patch management, penetration testing
- IaaS: firewall rules, QoS, anti-DDoS; multi-level security, certificates and key management; HIDS/HIPS, log management, encryption; data center security, redundancy, DR

Slide 9


Slide 10

Risk Management Issues
- Ability of the customer organization to assess risk
- Limited value of certifications (e.g. SAS 70, ISO 27001)
- Many cloud service providers accept no responsibility for the data stored (no risk transference)
- Customer has no view of provider practices governed by regulation or statute
- Access and identity management, segregation of duties
- Lack of clarity on data controls: data backup and recovery, offsite storage, virtual provisioning (where is the data?), data removal

Slide 11

Risk Management Guidance
- In-depth due diligence before executing contractual terms and the SLA
- Consider building a Private or Hybrid Cloud that provides the appropriate level of controls
- Comprehensive due diligence before using a Public Cloud for mission-critical segments of the business
- Request documentation on how the service is assessed for risk and audited for control weaknesses, and whether results are available to customers
- Listing of all 3rd-party providers
- What controls and statutes govern the site, and how compliance is achieved

Slide 12

Legal Compliance Liabilities
- Organizations are custodians of the personal data entrusted to them (in-cloud or off-cloud)
- State (data breach), Federal (FTC Act), international (EU Data Protection) scope
- Mandates that the organization impose appropriate security measures on its service providers (HIPAA, GLBA, MA 201 CMR 17.00, PCI)
- The company surrenders most controls over data in the cloud
- The contract may be a "click wrap" agreement which is not negotiated
- Data encryption requirements!!!

Slide 13

Legal: Location Determination
- Understand in which country its data will be hosted (local laws have jurisdiction) – EU data transfer agreements
- Contractually restrict the service provider from subcontracting
- May need to guard against data commingling
- Technical/logistical limits to most of the above
Ensuring Privacy Protection
- Align with Privacy Notices
- Data not used for secondary purposes
- Not disclosed to 3rd parties
- Comply with individual opt-in/opt-out choices
- Disclosure of security breach
- May not be mature enough for regulated data!

Slide 14

Legal: Responding to Litigation Requests
- Identify compliance with e-discovery provisions – routinely excluded in cloud service contracts
- 3rd-party subpoena request notification
Monitoring
- Ability to conduct compliance monitoring and testing for vulnerabilities
Termination
- Must recover the data or ensure its destruction

Slide 15

EPIC – Electronic Privacy Information Center
- March 09 – filed a complaint with the FTC
- Urged an investigation into Cloud Computing Services such as Google Docs
- Determine the adequacy of privacy and security safeguards
Computer experts sent a letter to the Google CEO
- Uphold privacy promises
- HTTPS is not the default security setting
- Forces users to "opt in" for security

Slide 16

Audit: Data Classification is a must
- Identify and isolate the data which needs the most stringent controls (based on impact assessment)
- Match controls to data classification (not all data is created equal): Protected (regulated); Confidential (need to know); Public (approval to make public)
- Recommended control: encrypt all regulated data, in transit and at rest
- Network segregation sometimes practical

Slide 17

Portability and Interoperability: what happens when the cloud provider isn't adequate?
- Unacceptable cost increase
- Provider leaves the business; one or more cloud services terminated
- Service quality degraded
- Onus is on the customer to have portability as a design objective

Slide 18

Portability and Interoperability
- SaaS: ensure easy access to data in a format that is documented; keep regular backups outside the cloud; consider best-of-breed providers whose competitors have the ability to migrate data
- IaaS: application deployment on top of the virtual machine image; backups kept in a cloud-independent format (e.g. independent of the machine image); copies of backups moved out of the cloud regularly
- PaaS: application development architecture used to create an abstraction layer; also data backups off-cloud

Slide 19

Business Continuity
- Obtain specific written commitments from the provider on recovery objectives
- Understand your data and its recovery objectives (RTO, RPO)
- Identify interdependencies in the provider's infrastructure: site risk (earthquake, flood, airport); infrastructure risk (redundancy of utilities, communication lines)
- Onsite assessments
- Integrate the provider's DR plans into your organization's BCP

Slide 20

Data Center Operations: you have neighbors! Who are they?
- Potential to consume an excessive amount of resources, which impacts your performance? Providers seek to maximize resource usage
- For IaaS and PaaS: understand the provider's patch management practices (notification, rollbacks, testing)
- Compartmentalization of resources (data mixing) and segregation of duties
- Logging practices (what, and for how long?)
- Test the customer service function regularly
- Indicator of operational quality – presence of staging facilities for both provider and customer

Slide 21

Incident Response
- Cloud Computing community incident database: malware infection, data breach, man-in-the-middle disclosure, user impersonation
- Detection: application firewalls, proxies and logging tools are key; there is no standard application-level logging framework
- Notification: requires a registry of application owners by interface; application shutdown is usually the first action taken – is it the appropriate remediation?
- Provider and customers need a defined process to collaborate on decisions
- Criminal investigation – evidence capture?

Slide 22

Application Security
- What security controls should the application provide over and above the inherent cloud controls?
- How should an enterprise SDLC change to accommodate cloud computing?
- Issues: multi-tenant environment; lack of direct control over the environment; access to data by the cloud vendor; managing application "secret keys" which identify valid accounts

Slide 23

Application Security: IaaS model
- The virtual image should undergo security verification and hardening
- Conform to enterprise trusted host baselines
- Alternative: use a trusted 3rd party for the virtual image
- Inter-host communication: assume an untrusted network; authentication and encryption
- Codify trust with the SLA: security metrics, security testing
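As an added illustration of checking a virtual image against an enterprise trusted host baseline (example code written for this page, not from the deck or from CSA guidance): a small Python check that compares a constructed image manifest against a constructed baseline of required settings, forbidden services and pinned file digests. The baseline keys, the manifest layout and the two sample images are assumptions.

```python
import hashlib

# Constructed "trusted host baseline" (hypothetical values, not a real enterprise standard).
BASELINE = {
    "required_settings": {
        "sshd:PermitRootLogin": "no",
        "sshd:PasswordAuthentication": "no",
        "fs:/tmp:noexec": "yes",
    },
    "forbidden_services": {"telnet", "rsh"},
    # Files whose content must match the hardened reference exactly.
    "pinned_files": {
        "/etc/ssh/sshd_config": hashlib.sha256(
            b"PermitRootLogin no\nPasswordAuthentication no\n").hexdigest(),
    },
}

# Constructed manifests of two candidate VM images, in the shape an image-inspection
# tool might emit (assumed layout): effective settings, enabled services, file contents.
GOOD_IMAGE = {
    "settings": {"sshd:PermitRootLogin": "no", "sshd:PasswordAuthentication": "no",
                 "fs:/tmp:noexec": "yes"},
    "enabled_services": ["sshd", "cron"],
    "files": {"/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n"},
}
BAD_IMAGE = {
    "settings": {"sshd:PermitRootLogin": "yes", "sshd:PasswordAuthentication": "no",
                 "fs:/tmp:noexec": "yes"},
    "enabled_services": ["sshd", "telnet"],
    "files": {"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n"},
}


def check_image(manifest, baseline):
    """Return a list of baseline deviations; an empty list means the image conforms."""
    findings = []
    for key, want in baseline["required_settings"].items():
        got = manifest["settings"].get(key)
        if got != want:
            findings.append(f"setting {key}: expected {want!r}, found {got!r}")
    for svc in sorted(set(manifest["enabled_services"]) & baseline["forbidden_services"]):
        findings.append(f"forbidden service enabled: {svc}")
    for path, digest in baseline["pinned_files"].items():
        content = manifest["files"].get(path)
        if content is None:
            findings.append(f"pinned file missing: {path}")
        elif hashlib.sha256(content).hexdigest() != digest:
            findings.append(f"pinned file drifted from baseline: {path}")
    return findings
```

A real pipeline would run the same comparison against a manifest extracted from the image itself and refuse to promote an image whose findings list is not empty.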

Slide 24

Application Security: PaaS model
- Enterprise Service Bus (ESB): asynchronous messaging, message routing
- Where multi-tenanted, the ESB will be shared
- Segmenting based on classifications is not available
- Securing messages is the responsibility of the application

Slide 25

Application Security: SaaS model
- SDLC: verify/audit the maturity of the vendor's SDLC
- Custom code extensions
- Data exchange via APIs

Slide 26

Encryption and Key Management
- Encryption for confidentiality and integrity: data at rest (IaaS, PaaS, SaaS); data in transit (within the provider's network); on backup media
- Key Management: Secur