Losing Control to the Cloud
How to Gain Comfort in Using the Cloud
by Jason Falciola, GCIH, GAWN, Technical Account Manager, Northeast
October 20th 2010
Uploaded by rochester-security-summit
Agenda
What Perspective does Qualys bring to this discussion?
− Security & Compliance Software as a Service (SaaS) provider since 1999
− Continuously expanding platform to address evolving challenges
Rapid Market and Technology Changes
The Security & Compliance Conundrum
Cloud Definition
Cloud Questions
Reliance on Existing Frameworks
Tackling the Cloud
Moving Forward
Q&A
COMPANY CONFIDENTIAL 1!
[Diagram: Private Clouds; SaaS, PaaS, IaaS; Internet]
Technology and Market Trends
Cloud Computing: a disruptive technology
Accelerated industry consolidation
Moving toward thin clients and a data center centric model
Security moving into the infrastructure and toward cloud services
[Diagram: QualysGuard Service]
Survey Says… (Information Week)
“In our February 2010 survey of 518 business technology pros, security concerns again led the list of reasons not to use cloud services, while on the roster of drivers, 77% cited cost savings.”
-- Information Week
http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=224202319
Survey Says… (Gartner)
Key Findings:
• Sixty percent (60%) more survey respondents are willing to use software as a service (SaaS) for sensitive data than are willing to use traditional outsourcing.
• The questionnaire is the most common form of external party risk assessment, with half of the questionnaires based on industry-standard frameworks and the other half being organizationally unique.
Recommendations:
• Develop internal expertise on external risk assessment, and on the contractual clauses that address security, privacy, regulatory compliance, continuity and disaster recovery.
• Take an organized approach to SaaS and public cloud purchases, and build a team and processes to work with the business to address all security, compliance, integration and contractual needs so that a decision can be made on whether a potential seller can meet those requirements.
-- Gartner, “Assessment Practices for Cloud, SaaS and Partner Risks”, April 2010
http://www.gartner.com/DisplayDocument?doc_cd=175916
Security & Compliance Conundrum: Having to address the New and Old Challenges
New and multiplying attack vectors
Authentication still an unresolved issue
Security & compliance silos, fragmented tools & data
Lack of enterprise/agency wide visibility and policy enforcement
[Diagram: Private Clouds; SaaS, PaaS/IaaS; Regulations, Industry Standards, Internal Policies: PCI, HIPAA, SOX, FISMA, NERC, FFIEC]
What is the Cloud? Definition
Definition:
“The cloud is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
– NIST Information Technology Laboratory
What is the Cloud? Essentials
Five Essential Characteristics:
1. On-demand, self-service – Ability to unilaterally provision computing capabilities
2. Broad network access – Available over the network and accessed through standard mechanisms that support heterogeneous thin or thick client platforms
3. Resource pooling – Resources are pooled to serve multiple consumers using a multi-tenant model (location independence)
4. Rapid elasticity – Capabilities can be rapidly and elastically provisioned
5. Measured service – Resource usage can be monitored, controlled and reported
What is the Cloud? Service Models
Three Service Models
1. Software as a Service (SaaS) – Managed application/service where customers consume application resources as needed, without impact to internal computing resources. Security is provided by the cloud vendor.
2. Platform as a Service (PaaS) – Developers build and manage their own custom applications on top of a platform provided by the cloud vendor. Application and data security are managed by the cloud customer.
3. Infrastructure as a Service (IaaS) – The cloud vendor provides storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The cloud vendor protects the infrastructure, but operating systems, applications, and content are managed and secured by the cloud consumer.
Key Takeaway – The lower down the stack the cloud service provider stops, the more security capabilities and management the enterprise is responsible for.
What is the Cloud? Deployment Models
Four Deployment Models
1. Public: Made available to the general public or a large industry group and owned by an organization selling cloud services.
2. Private: Operated solely for a single organization or a group of organizations isolated among peers. May be managed by the organization or a third party and may exist on-premise or off-premise.
3. Community: Shared by several organizations and supports a specific community that has shared concerns. May be managed by the organization or a third party and may exist on-premise or off-premise.
4. Hybrid: Composed of two or more clouds (Private, Community, or Public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
What is the Cloud? Visual Definition
Cloud Questions: Critical Challenges for Security Professionals
New technology combined with un-proven vendors / service providers
Innovative technology in the hands of the users
Data leaving the perimeter
Growing number of third parties requiring connectivity
Control validation changes to trust
Transparency limited to what you know
Challenging to report risk back to the business
Audit Activities and Costs
[Diagram: Security Program; Questionnaires, On-Site Review, Third Party; Security Budgets; Staffing/Resources; Reduce Confusion]
Up to 5 man days of work to complete
Hotel
Transportation
Any corrective actions
Hidden costs (e.g., required pen test, out of office work, regulatory)
What would the average cost be?
Multiple Reviews
[Diagram: one Cloud User reviewing SaaS SP 1, IaaS SP, SaaS SP 2, PaaS SP, SaaS SP 3, SaaS SP 4]
No standard
Scalability
After the fact
Custom reviews
S-P-I Framework
[Diagram: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service), spanning from “You build security in” to “You ‘RFP’ security in”]
Source: http://www.cloudsecurityalliance.org
Existing Frameworks in Use
Security Questionnaires
On-Site Review
ISO 27002
SAS-70 Type II
SysTrust
PCI
Third Party Penetration Test
Available Resources for Cloud Users – NIST & ENISA
NIST
− Cloud Definition
− SCAP – Security Content Automation Protocol: http://scap.nist.gov
− Continuous Monitoring
ENISA
− Report: “Cloud Computing: Benefits, Risks and Recommendations for Information Security”
− http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
Available Resources (cont’d) – Cloud Security Alliance (CSA)
Cloud Security Alliance
− CSA Guide
− Research Papers
Initiatives in Progress/Released
− CSA Guidance V2.1 – Released Dec 2009: http://cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf
− CSA Top Threats Research – Released March 2010
− CSA Cloud Controls Matrix – Released April 2010
− Trusted Cloud Initiative – Release Q4 2010
− CSA Cloud Metrics Working Group
− Consensus Assessment Initiative
Available Resources (cont’d) – CSA Guidance Research
Guidance > 100k downloads: cloudsecurityalliance.org/guidance
[Diagram: guidance domains grouped under “Governing the Cloud” and “Operating in the Cloud”]
Governance and Enterprise Risk Management
Legal and Electronic Discovery
Compliance and Audit
Information Lifecycle Management
Portability and Interoperability
Security, Business Continuity, and Disaster Recovery
Data Center Operations
Incident Response, Notification, Remediation
Application Security
Encryption and Key Management
Identity and Access Management
Virtualization
Cloud Architecture
Available Resources (cont’d) – CSA Cloud Controls Matrix Tool
Controls derived from guidance
Rated as applicable to S-P-I, customer vs. provider role
Mapped to ISO 27001, COBIT, PCI, HIPAA
Helps bridge the gap for IT & IT auditors between existing controls and cloud controls
www.cloudsecurityalliance.org/cm.html
Available Resources (cont’d) – CAMM, Shared Assessments
Common Assurance Maturity Model (CAMM)
Shared Assessments
− Target Data Tracker
− Self Information Gathering (SIG) – Level I, Level II
− AUP – Agreed Upon Procedures
− Business Continuity Questions, Privacy Questions, Other tools
− Mapped to ISO 27002:2005, COBIT 4.0 / 4.1, PCI 1.1 / 1.2, FFIEC
Available Resources (cont’d) – Jericho Forum Cloud Cube Model
Available Resources (cont’d) – Jericho Forum Self-Assessment
Proprietary, Blended Approach
[Diagram: PCI, COBIT, ISO 27001, CAMM, ENISA, CSA combined]
Recommendation: Use a Proprietary, Blended Approach
One size does not fit all
Same if not stronger controls
Reliance on periodic audits
Moving Forward
Collaborative effort amongst associations required
Joint Paper with CSA, CloudAudit/A6, ISACA, and ISF
Hope to include NIST, PCI and BITS
Cloud Users will continue to use available resources for assessments
Assessing Cloud Security: References
Cloud Audit / A6 (Automated Audit, Assertion, Assessment, and Assurance API) – Now a project of CSA
− http://www.cloudaudit.org
Cloud Security Alliance – CSA
− http://www.cloudsecurityalliance.org/
Common Assurance Maturity Model
− http://common-assurance.com/
Jericho Forum
− http://www.opengroup.org/jericho/
Shared Assessments
− http://www.sharedassessments.org/
Qualys
− http://www.qualys.com/efficient_ciso – Strategies for the Efficient CISO
− http://www.qualys.com/products/qg_suite/malware_detection/ – Free Tool
− http://www.qualys.com/aurora – Research by iSec Partners
QualysGuard Freemium Services: More than just “free” services – leverage the cloud
www.qualys.com/stopmalware
www.ssllabs.com
https://browsercheck.qualys.com
Other Freemium services in the making:
Malware Research Portal
HoneyNet Research Portal
Automated Generation of IDS Signatures
https://community.qualys.com/docs/DOC-1351
Thank You – Q&A
Jason Falciola, GCIH, GAWN jfalciola AT qualys.com
+1 973-464-5659
http://www.qualys.com