20 Critical Security Controls for the Cloud
John Leek, CTO NetStandard
Jun 08, 2015
How Much Security Is Enough?
Risk Types:
• Strategy
• Demand
• Market
• Implementation
• Performance
Cost Drivers:
• Price
• Service levels
• Specifications
• Policies
• Velocity
20 Security Controls for the Cloud
Source: http://www.sans.org/critical-security-controls/
#1: Know Your Physical Devices
Source: SANS Institute
1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls.
2. Where IaaS or PaaS is engaged, implement controls to monitor performance and review logs to ensure services remain secure.
Hardware: The Nightmare to Come… the Internet of Things
#2: Know Your Software
[Figure: example companies (a manufacturer, a media company, a cloud voice user), each consuming several cloud apps.]
Businesses now have many cloud apps.
1. Document known business application inventory.
2. Empowered users require extra effort to identify all known applications in use.
3. Maintain whitelist of applications.
4. Create alerts for new applications that are used outside the inventory.
5. Create an “application authorization process,” including a process to evaluate application security requirements.
#3: Secure All Devices
Build secure configurations on each of the devices (servers, desktops, laptops, mobile devices).
1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls.
2. Where Infrastructure-as-a-Service cloud services are engaged, implement standards to deploy secure configurations.
3. Coordinate with cloud provider to see if they have pre-hardened server images.
Secure Devices: Responsibility Matrix
MSP | IaaS | SaaS
Patching | Customer | Hosting Provider
Removing unnecessary services, applications and network | Customer | Hosting Provider
Configure OS user authentication, enforce password/password complexity rules | Customer | Hosting Provider, coordinated with Customer
Configure resource controls | Customer | Hosting Provider
Source: SANS Institute
#4: Continuously Scan for Vulnerabilities and Remediate Them
1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls.
2. Where IaaS or PaaS is in place, implement controls to scan for vulnerabilities.
3. Coordinate scans with your cloud hoster to ensure their tools don’t highlight the scans as an attack.
#5: Implement Malware Defenses
Source: SANS Institute
1. Review the SSAE 16 to understand the cloud provider’s antimalware defense offerings.
2. Ensure your cloud agreement includes antimalware defenses.
3. Implement mitigating controls.
#6: Implement Application Security
1. Review cloud services; understand controls placed by cloud provider (if any).
2. Review application and data risks.
3. Analyze risks.
4. Mitigate residual risks.
Source: SANS Institute
#7: Wireless Access Control
1. Cloud-based Wi-Fi controllers are emerging as part of virtual networking strategies.
2. Remote offices may receive Wi-Fi services from WAN providers.
3. Ensure security controls are enforced.
Source: Fortinet
#8: Data Recovery Capability
1. Review the cloud provider’s controls.
2. Analyze risks.
3. Understand data backup and replication.
4. Design mitigating controls.
#9: Security Skill Gap Assessment and Training
• Follow same process whether in the cloud or on premise.
• Review cloud provider’s SSAE 16 controls to ensure controls you require are in place.
• If controls are missing at the cloud provider, work with them to address through SLA adjustments.
For information on the skill gap analysis, see: http://www.counciloncybersecurity.org/practice-areas/people
Source: SANS Institute
#10: Secure Network Configurations
1. Review roster of cloud-based services.
2. Secure all devices that may access cloud services.
3. Work with cloud provider to understand their security posture and mitigate risks as necessary.
#11: Control Network Ports, Protocols and Services
Source: SANS Institute
1. Review roster of cloud-based services.
2. Document required network ports, protocols and services that must be in use.
3. Review the risks and apply controls to mitigate those risks.
#12: Control Use of Privileged Accounts
1. Review roster of cloud-based services.
2. Document privileged accounts and who must have access.
3. Understand cloud provider’s controls and work with them to reduce risk. In some cases, the cloud provider will maintain control.
#13: Boundary Defense
1. Understand the cloud application’s security.
2. Manage what can be controlled.
3. Identify gaps.
4. Review gaps with hosting provider.
5. Address residual risk.
#14: Maintenance, Monitoring and Analysis of Audit Logs
1. Understand the cloud application’s security.
2. Manage what can be controlled.
3. Identify gaps.
4. Review gaps with hosting provider.
5. Address residual risk.
Security Event and Correlation Management
[Diagram: example architecture showing the Internet, a BGP router, a DoS pattern filter, a firewall, intrusion prevention, WAFs, a web server with anti-malware, a database server, and an event correlation engine (SIEM).]
SIEM technology aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time security monitoring, historical analysis and other support for incident investigation and compliance reporting.
DoS shield detects when active attacks begin to consume large amounts of the network's bandwidth and immediately blocks them. Legitimate traffic proceeds normally.
1. Engineer how you will review/aggregate logs across all cloud environments associated with your company.
2. Work with cloud provider to understand reports and services that can be provided and/or recommended.
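Controls #2 (alert on applications used outside the inventory) and #14 (aggregate and normalize logs from disparate cloud sources) can be exercised together. The Python below is an added example, not code from the presentation or from NetStandard; the proxy lines, identity-provider events and application inventory are all constructed, and the hostnames and app names are placeholders.

```python
import json
import re

# Constructed sample records (not real logs): two disparate sources a SIEM would
# normalize, a key=value web-proxy log and JSON audit events from a SaaS identity provider.
PROXY_LOG = """\
2015-06-08T10:12:03Z user=jdoe dst=crm.example-saas.com action=CONNECT bytes=10240
2015-06-08T10:14:51Z user=asmith dst=files.unknown-share.io action=CONNECT bytes=884212
2015-06-08T10:15:07Z user=jdoe dst=mail.example-saas.com action=CONNECT bytes=3072
"""
IDP_LOG = """\
{"time": "2015-06-08T10:20:00Z", "actor": "bwong", "app": "Example CRM", "event": "login"}
{"time": "2015-06-08T10:21:13Z", "actor": "asmith", "app": "Quick Survey Tool", "event": "login"}
"""

# Application inventory (control #2): the whitelist, keyed by the identifier each
# log source reports (hostname or display name) and mapped to the inventory name.
INVENTORY = {
    "crm.example-saas.com": "Example CRM",
    "mail.example-saas.com": "Example Mail",
    "Example CRM": "Example CRM",
}

def parse_proxy(text):
    """Normalize proxy lines to (timestamp, user, app_id, source) tuples."""
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        kv = dict(re.findall(r"(\w+)=(\S+)", rest))
        yield (ts, kv["user"], kv["dst"], "proxy")

def parse_idp(text):
    """Normalize JSON audit events to the same tuple schema."""
    for line in text.splitlines():
        rec = json.loads(line)
        yield (rec["time"], rec["actor"], rec["app"], "idp")

def unsanctioned_apps(events, inventory=INVENTORY):
    """Correlate normalized events against the inventory and return
    {app_id: sorted list of users} for every app not on the whitelist."""
    hits = {}
    for _ts, user, app_id, _source in events:
        if app_id not in inventory:
            hits.setdefault(app_id, set()).add(user)
    return {app: sorted(users) for app, users in hits.items()}

if __name__ == "__main__":
    events = list(parse_proxy(PROXY_LOG)) + list(parse_idp(IDP_LOG))
    for app, users in unsanctioned_apps(events).items():
        print(f"ALERT: unsanctioned app {app!r} used by {', '.join(users)}")
```

The same normalized tuple feeds both the inventory alert and the cross-source user correlation that control #14 asks for, so one unsanctioned app seen in two different logs is reported once with every user who touched it.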
#15: Control Access Based on “Need to Know”
1. Review roster of cloud applications and establish granular access controls based upon data classification matrix.
2. Work with cloud provider to understand reporting or rights review tools that may be available.
#16: Account Monitoring and Control
1. Review roster of cloud applications and document account monitoring and control procedures.
2. Work with cloud provider to understand reports that can be provided.
#17: Data Loss Prevention
1. Ensure controls are in place, including rules for encrypting data that is commonly shared outside the organization.
2. Understand the cloud provider’s offering to ensure it complies with standards. If it doesn’t, work with cloud provider to improve controls.
#18: Incident Response and Management
[Figure: 2014 Common Attack Sources]
1. Review the cloud provider’s Security Incident Response Plan.
2. Contact cloud provider to discuss how customers will be engaged in incident response.
#19: Engineer Security
1. Review the SSAE 16 for all cloud providers.
2. Perform vendor management.
3. Understand the security of the hosted application and how it will be accessed.
#20: Penetration Tests and Red Team Exercises
1. Review the SSAE 16 for all cloud providers to obtain 3rd party verification of the effectiveness of the control.
2. Do not use hosters who do not have this control.
Next Steps
• Review your security programs and enhance them to address cloud controls.
• Review the SANS Institute’s data to look at suggested metrics and detailed process steps.
• Encourage your company leaders to engage the security team for assessment before they implement a cloud-based application.
• The cloud is here to stay; we must adapt our processes and controls.
• For a copy of the presentation, please leave your card with me.