Secure Cloud Hosting: Real Requirements to Protect your Data
Chris Hinkley Senior Security Architect
Great Wide Open – Atlanta, GA
April 2 – 3, 2014
Locking Down the Cloud – A Holistic View
Agenda
• The Specialization of IT
• Challenges Facing Cloud Consumers and Providers
• A To-Do List for Cloud Consumers and Providers
• The Secure Cloud is Not a Myth
• Physical Security
• Perimeter Security
• Virtual Server Security
• Supporting Security Services
• Secure Administrative Access
• Business Continuity and DR
• Compliance for Cloud
The Specialization of IT
• The complexity of IT has meant more specialists than generalists, each responsible for a small piece of the puzzle
• New tools and technologies have led to increased staffing levels, with specific experience in implementation and management
• Rapid change in technology means nearly continuous training for specialists
• The high cost to implement and maintain IT infrastructure has many companies looking for ways to offload as much as possible
Challenges Facing Cloud Consumers and Providers
• Consumers want to outsource both technology and compliance responsibilities
• Consumers cannot abdicate their compliance responsibility
• Providers do not adequately define the division of responsibilities between themselves and customers
• Providers often do not clearly articulate how they can help customers meet compliance requirements
• All can lead to confusion in the purchasing decision and create conflicts during an audit
A To-Do List For Cloud Consumers and Providers
• Consumers need to fully understand all of their security and compliance responsibilities
• Consumers need to effectively evaluate and understand the various cloud provider models
• Consumers need to ask for clear definition of all services, the division of their responsibilities and those of their providers
• Consumers must put programs in place to ensure that their providers are meeting their responsibilities.
• Providers must become transparent about their security programs and deliver adequate details about offered services
• Providers must clearly articulate the delineation of responsibilities between themselves and customers
• Providers must be clear about how their offered services can assist consumers in meeting compliance requirements
The Secure Cloud is Not a Myth
• Build for security not compliance
• Follow security best practices vs. chasing compliance guidelines
• Use a common controls approach
• Deploy multiple security countermeasures using a layered approach
Physical Security
• Locate data center in area at low risk to natural disasters
• No identifying signage
• 24X7 manned security, roving patrols
• Multi-factor authentication for entry
• Comprehensive CCTV coverage
• Log all entries, monitor systems, securely store logs and video
Attackers need Targets
Verizon DBR Data
• 92% of breaches were perpetrated by outsiders
• 78% of initial intrusions rated as low difficulty
• Attack targeting
  • Opportunistic – 75%
  • Targeted – 25%
FireHost Superfecta
• 47,917,145 IPRM blocks in 2013
• 14,057,093 blocked attacks via WAF, broken down into 4 categories
  • Cross-Site Request Forgery – 3,347,515
  • Cross-Site Scripting – 4,904,651
  • Directory Traversal – 3,269,680
  • SQL Injection – 2,535,247
Vulnerability Trends
(Charts not reproduced in this text version)
Source: Secunia Vulnerability Review 2014
Perimeter Security
• Public Traffic passes through layered perimeter defenses:
  • Redundant Routers w/ IP Reputation Filtering
  • Redundant DoS/DDoS Mitigation
  • Redundant Web Application Firewalls
  • Intrusion Detection
Virtual Server Security
• Security Zones: Web Servers, Application Servers, Database Servers, Load Balancers
• VMware Hypervisor (Hardened)
• Blade/SAN Architecture
• High Availability Architecture
• 20 Gbps Network (Public & Private)
• Per VM Firewall Policies
• Unlimited Security Zones
• Secure SAN Storage
  • Physically Isolated Secure Storage Area Network
  • Secure Data Deletion and Destruction
  • Complete Data Obfuscation
Supporting Security Services
• Data Leakage Protection
• Antimalware/Antivirus
• File Integrity Monitoring
• Vulnerability Management
• Log Management
• Patch Management
• Configuration Management
Protecting from the Outside In
Secure Administrative Access
• Physically Isolated Network
• Secure Jump Hosts
• Privileged Access Management
• Full Session Recording
Secure Customer Access
• Multi-Factor Authentication
• SSL VPN / L2L VPN Secure Access
• MPLS Termination
Putting It All Together
(Combined diagram, not reproduced: two Isolated Customer Environments, each built from the Perimeter Security, Virtual Server Security, Supporting Security Services and Secure Administrative/Customer Access layers shown on the preceding slides)
Business Continuity & DR
• Lessons (supposedly) learned from Katrina and other recent disasters
  • Did we really learn? What about Sandy and Nemo?
  • Location of data centers, loss of transportation, large-scale power and other critical service outages, employees worrying more about personal and family safety
  • We didn’t fully learn from the past
• BCDR Solutions
  • Focus on the business continuity part of BCDR
  • Build for high availability
  • Implement redundant sites with geographic load balancing
  • At minimum, replicate data to another location
(Diagram not reproduced: Full Infrastructure at Geographic Location 1 and Geographic Location 2; Primary Infrastructure; File/Database Backups; Regular Backups; Real-Time Replication)
Managing Compliance for Cloud
• Treat all data as sensitive (after all, it’s just 1’s and 0’s to the systems)
• Develop a common controls framework (CCF) based on industry-standard frameworks, enabling efficient compliance adoption and validation reporting
• Use existing industry standards like ISO 27001 and NIST 800-53 as a baseline and add specific requirements based on your needs (PCI, HIPAA, GLBA, etc.)
• Future proof compliance iterations by keeping your CCF updated
• Implement a continuous monitoring and audit program
Continuous Monitoring for Compliance
• Confusing term and application depending on who you talk to
• What is the definition of “real-time?”
• Define the appropriate monitoring interval for each control
  • Patching – 30 days upon release
  • Log reviews – daily
  • Malware scans – real-time alerting and reporting
  • Access reviews – privileged accounts monthly, others quarterly
• Implement tools to monitor the controls at the defined interval
• Centralize all monitoring results in a secure system
• Build dashboard to track compliance based on results
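A minimal version of the per-control interval check and the dashboard this slide proposes, as an added example that is not part of the original deck; the control names, the 15-minute agent heartbeat standing in for "real-time" malware alerting, and the evidence timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

@dataclass(frozen=True)
class Control:
    name: str
    interval: timedelta  # longest acceptable gap between two pieces of evidence

# Intervals taken from the slides; the 15-minute agent heartbeat used to
# approximate the "real-time" malware control is an assumption of this example.
CONTROLS = [
    Control("patching", timedelta(days=30)),
    Control("log_review", timedelta(days=1)),
    Control("malware_scan", timedelta(minutes=15)),
    Control("access_review_privileged", timedelta(days=30)),
    Control("access_review_standard", timedelta(days=90)),
]

def control_status(control: Control, evidence: List[datetime], now: datetime) -> str:
    """Classify one control at time `now` from the timestamps of its evidence
    (completed patch cycle, signed-off log review, finished access review ...)."""
    if not evidence:
        return "NO_EVIDENCE"           # tool never reported: a monitoring gap, not a pass
    latest = max(evidence)
    if latest > now:
        return "CLOCK_SKEW"            # future-dated evidence is a collection bug
    return "OK" if now - latest <= control.interval else "OVERDUE"

def dashboard(controls: List[Control], evidence: Dict[str, List[datetime]],
              now: datetime) -> Dict[str, str]:
    """Centralised view: one status per control, the input for a compliance dashboard."""
    return {c.name: control_status(c, evidence.get(c.name, []), now) for c in controls}

# Constructed sample evidence, as a centralised monitoring system might hold it.
NOW = datetime(2014, 4, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVIDENCE = {
    "patching": [NOW - timedelta(days=12)],
    "log_review": [NOW - timedelta(days=3), NOW - timedelta(days=1, hours=6)],
    "malware_scan": [NOW - timedelta(minutes=4)],
    "access_review_privileged": [NOW - timedelta(days=45)],
    # access_review_standard: nothing collected yet
}

def sample_dashboard() -> Dict[str, str]:
    return dashboard(CONTROLS, SAMPLE_EVIDENCE, NOW)

if __name__ == "__main__":
    for name, status in sample_dashboard().items():
        print(f"{name:26s} {status}")
```

A control with no evidence is reported as a gap rather than silently passing, which is the failure mode a dashboard built only from "findings" would miss.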
What about data sovereignty and regional regulation?
• Ensure you understand what regulations apply to your business
• Engage with your customers to understand their requirements
• Take these regulations and customer requirements into account within your CCF
• Architect your cloud to enable data sovereignty and allow customers to select the location(s) for their servers and data
• Provide monitoring/reporting that allows customers to validate where their data is at any time
• Keep up with changes to the regulations
Thank You
Questions?
Chris Hinkley, Senior Security Architect
Phone: 1-877-262-3473 x8032