20 Critical Security Controls for the Cloud
John Leek, CTO NetStandard

Jun 08, 2015


NetStandard CTO John Leek presents 20 Critical Security Controls for the Cloud at Interface Kansas City. This presentation is based on controls set forth by the SANS Institute. Learn more at http://www.netstandard.com.
Transcript
Page 1: 20 Security Controls for the Cloud

20 Critical Security Controls for the Cloud

John Leek, CTO NetStandard

Page 2: 20 Security Controls for the Cloud

How Much Security Is Enough?

Risk Types:

• Strategy

• Demand

• Market

• Implementation

• Performance

Cost Drivers:

• Price

• Service levels

• Specifications

• Policies

• Velocity

Page 3: 20 Security Controls for the Cloud

20 Security Controls for the Cloud
http://www.sans.org/critical-security-controls/

Page 4: 20 Security Controls for the Cloud

#1: Know Your Physical Devices

Page 5: 20 Security Controls for the Cloud

Your Physical Devices

Source: SANS Institute

1. Review the cloud provider’s SSAE 16 report to understand the controls in place and note the third-party auditor’s assessment of their effectiveness. (An SSAE 16 engagement produces a SOC 1 report, which covers controls relevant to financial reporting; for security, availability and confidentiality controls, ask the provider for its SOC 2 report.)

2. Where IaaS or PaaS is engaged, implement controls to monitor performance and review logs to ensure services remain secure.

Page 6: 20 Security Controls for the Cloud

Hardware: The Nightmare to Come… the Internet of Things

Page 7: 20 Security Controls for the Cloud

#2: Know Your Software

Diagram: Company 1; Company 2 (Manufacturing); Company 3 (Media Company); Company 1 (Cloud Voice)

Businesses now have many cloud apps.

1. Document the known business application inventory.

2. Empowered users (who can sign up for cloud applications on their own) mean extra effort is required to identify all applications in use.

3. Maintain a whitelist of applications.

4. Create alerts for new applications that are used outside the inventory.

5. Create an “application authorization process,” including a process to evaluate application security requirements.
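Step 4, alerting on applications used outside the inventory, is the one step above that can be automated directly. The following is an added example, not code from the presentation or from NetStandard: it reads a few constructed web-proxy log lines (assumed to be in Squid native access-log format), maps each host to the documented inventory, and raises an alert for every host no sanctioned application owns. The inventory, the user names and the domains are constructed for the example.

```python
"""Alert on cloud applications seen in proxy logs that are outside the documented inventory.

Added example, not from the presentation. The log lines are constructed in
Squid native access-log format (assumed to be what the proxy emits); the
inventory maps each sanctioned app to the domains it uses.
"""
import re
from collections import defaultdict

# Constructed sample proxy log lines: time, elapsed ms, client, result/status,
# bytes, method, URL, user, hierarchy, content type (Squid native format).
SAMPLE_PROXY_LOG = """\
1433764800.123 245 10.0.0.15 TCP_MISS/200 5120 GET https://app.salesforce.com/home jsmith DIRECT/203.0.113.10 text/html
1433764801.456 98 10.0.0.15 TCP_MISS/200 2048 POST https://api.dropbox.com/2/files/upload jsmith DIRECT/203.0.113.11 application/json
1433764802.789 120 10.0.0.22 TCP_MISS/200 1024 GET https://outlook.office365.com/owa/ mchen DIRECT/203.0.113.12 text/html
1433764803.012 77 10.0.0.22 TCP_MISS/200 4096 GET https://www.wetransfer.com/ mchen DIRECT/203.0.113.13 text/html
1433764804.345 310 10.0.0.31 TCP_MISS/200 8192 POST https://files.slack.com/upload rpatel DIRECT/203.0.113.14 application/json
1433764805.678 50 10.0.0.15 TCP_MISS/200 512 GET https://notsalesforce.com/login jsmith DIRECT/203.0.113.15 text/html
"""

# Documented application inventory (constructed): sanctioned app -> domains it uses.
INVENTORY = {
    "Salesforce": ("salesforce.com",),
    "Office 365": ("office365.com", "office.com"),
}

LOG_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)


def host_of(url):
    """Return the lower-cased host part of a URL, or None if it has no scheme."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else None


def sanctioned_app(host, inventory=INVENTORY):
    """Map a host to the inventory entry that owns it, or None.

    Matching is on the exact domain or a dot-delimited subdomain, so
    notsalesforce.com is NOT treated as salesforce.com.
    """
    for app, domains in inventory.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return app
    return None


def find_unsanctioned(log_text, inventory=INVENTORY):
    """Return {host: {"users": set, "hits": int}} for hosts outside the inventory."""
    unknown = defaultdict(lambda: {"users": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m.group("url"))
        if host is None or sanctioned_app(host, inventory):
            continue
        unknown[host]["users"].add(m.group("user"))
        unknown[host]["hits"] += 1
    return dict(unknown)


def alerts(log_text, inventory=INVENTORY):
    """One alert line per unsanctioned host, as input to the application authorization process."""
    return [
        f"ALERT application outside inventory: {host} used by "
        f"{', '.join(sorted(info['users']))} ({info['hits']} request(s))"
        for host, info in sorted(find_unsanctioned(log_text, inventory).items())
    ]


if __name__ == "__main__":
    for line in alerts(SAMPLE_PROXY_LOG):
        print(line)
```

The suffix match deliberately requires a dot boundary; a plain `endswith("salesforce.com")` would let a look-alike domain pass as a sanctioned application. In practice the alert feed goes to the application authorization process in step 5, and each approved host is added to the inventory so it stops alerting.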

Page 8: 20 Security Controls for the Cloud

#3: Secure All Devices

Build secure configurations on each of the devices (servers, desktops, laptops, mobile devices).

1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls.

2. Where Infrastructure-as-a-Service cloud services are engaged, implement standards to deploy secure configurations.

3. Coordinate with cloud provider to see if they have pre-hardened server images.

Page 9: 20 Security Controls for the Cloud

Secure Devices: Responsibility Matrix

Columns: MSP | IaaS | SaaS

Patching: Customer | Hosting Provider

Removing unnecessary services, applications and network: Customer | Hosting Provider

Configure OS user authentication, enforce password/password-complexity rules: Customer | Hosting Provider | Coordinated with Customer

Configure resource controls: Customer | Hosting Provider

Page 10: 20 Security Controls for the Cloud

Source: SANS Institute

#4: Continuously Scan for Vulnerabilities and Remediate Them

1. Review cloud provider’s SSAE 16 to understand controls in place and note 3rd party auditors’ assessment of the effectiveness of these controls.

2. Where IaaS or PaaS is in place, implement controls to scan for vulnerabilities.

3. Coordinate scans with your cloud hosting provider so that their monitoring tools do not flag the scans as an attack.

Page 11: 20 Security Controls for the Cloud

#5: Implement Malware Defenses

Source: SANS Institute

1. Review the SSAE 16 to understand the cloud provider’s antimalware defense offerings.

2. Ensure your cloud agreement includes antimalware defenses.

3. Implement mitigating controls.

Page 12: 20 Security Controls for the Cloud

Source: SANS Institute

#6: Implement Application Security

1. Review cloud services; understand controls placed by cloud provider (if any).

2. Review application and data risks.

3. Analyze risks.

4. Mitigate residual risks.

Page 13: 20 Security Controls for the Cloud

Source: SANS Institute

#7: Wireless Access Control

1. Cloud-based Wi-Fi controllers are emerging as part of virtual networking strategies.

2. Remote offices may receive Wi-Fi services from WAN providers.

3. Ensure security controls are enforced.

Page 14: 20 Security Controls for the Cloud

Source: Fortinet

Wireless Access Control

Page 15: 20 Security Controls for the Cloud

Wireless Access Control

Page 16: 20 Security Controls for the Cloud

#8: Data Recovery Capability

1. Review the cloud provider’s controls.

2. Analyze risks.

3. Understand data backup and replication.

4. Design mitigating controls.

Page 17: 20 Security Controls for the Cloud

#9: Security Skill Gap Assessment and Training

• Follow same process whether in the cloud or on premise.

• Review cloud provider’s SSAE 16 controls to ensure controls you require are in place.

• If controls are missing at the cloud provider, work with them to address through SLA adjustments.

For information on the skill gap analysis, see: http://www.counciloncybersecurity.org/practice-areas/people

Page 18: 20 Security Controls for the Cloud

Source: SANS Institute

#10: Secure Network Configurations

1. Review roster of cloud-based services.

2. Secure all devices that may access cloud services.

3. Work with cloud provider to understand their security posture and mitigate risks as necessary.

Page 19: 20 Security Controls for the Cloud

#11: Control Network Ports, Protocols and Services

Source: SANS Institute

1. Review roster of cloud-based services.

2. Document required network ports, protocols and services that must be in use.

3. Review the risks and apply controls to mitigate those risks.
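Once the required ports, protocols and services are documented (step 2), the useful check is to compare that roster with what a host is actually listening on. The following is an added example, not code from the presentation or from NetStandard: it parses a constructed snippet in the shape of `ss -Hltnup` output from a Linux server and reports listeners that are not on the roster, distinguishing sockets exposed on all interfaces from loopback-only ones, and roster entries that are not listening at all. The baseline, the process names and the severity labels are this example’s own assumptions.

```python
"""Compare the sockets a cloud-hosted server is listening on against the
documented roster of required ports, protocols and services.

Added example, not from the presentation. The observed input is a
constructed snippet in the shape of `ss -Hltnup` output on Linux; the
baseline is what the roster says this host must expose. Severity labels
and the "documented but not listening" rule are this example's own.
"""
import re

# Documented baseline for this host (constructed): (protocol, port) -> service.
BASELINE = {
    ("tcp", 22): "ssh (admin access, restricted by security group)",
    ("tcp", 443): "https (web front end)",
    ("tcp", 8443): "https (management API)",
    ("udp", 123): "ntp",
}

# Constructed `ss -Hltnup`-style output:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS_OUTPUT = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1200,fd=6))
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1320,fd=21))
tcp LISTEN 0 128 0.0.0.0:6379 0.0.0.0:* users:(("redis-server",pid=1410,fd=6))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=801,fd=4))
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=700,fd=16))
"""

LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

# Bind addresses that mean "every interface", IPv4 and IPv6.
ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(text):
    """Return a list of (proto, bind_addr, port, process) from ss-style lines."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # rsplit so [::]:22 parses
        sockets.append((m.group("proto"), addr, int(port), m.group("proc")))
    return sockets


def review_ports(ss_text, baseline=BASELINE):
    """Return sorted (severity, message) findings.

    HIGH:   undocumented listener reachable on all interfaces
    LOW:    undocumented listener bound to loopback or a single address
    MEDIUM: documented service that is not listening (down, or the roster is stale)
    """
    findings = []
    seen = set()
    for proto, addr, port, proc in parse_ss(ss_text):
        key = (proto, port)
        seen.add(key)
        if key in baseline:
            continue
        if addr in ALL_INTERFACES:
            findings.append(("HIGH", f"undocumented {proto}/{port} ({proc}) on all interfaces; "
                                     "block at the security group or stop the service"))
        else:
            findings.append(("LOW", f"undocumented {proto}/{port} ({proc}) bound to {addr}; "
                                    "add to the roster or remove"))
    for (proto, port), service in baseline.items():
        if (proto, port) not in seen:
            findings.append(("MEDIUM", f"documented {proto}/{port} ({service}) is not listening"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, message in review_ports(SAMPLE_SS_OUTPUT):
        print(f"{severity:6} {message}")
```

Run on the sample, this reports the Redis listener on all interfaces as HIGH, the loopback-only MySQL socket as LOW, and the documented management API port as MEDIUM because nothing is listening on it. A loopback-bound service is still worth putting on the roster; it is reachable from anything that gets code execution on the host.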

Page 20: 20 Security Controls for the Cloud

#12: Control Use of Privileged Accounts

1. Review roster of cloud-based services.

2. Document privileged accounts and who must have access.

3. Understand cloud provider’s controls and work with them to reduce risk. In some cases, cloud provider will maintain control.

Page 21: 20 Security Controls for the Cloud

#13: Boundary Defense

1. Understand the cloud application’s security.

2. Manage what can be controlled.

3. Identify gaps.

4. Review gaps with hosting provider.

5. Address residual risk.

Page 22: 20 Security Controls for the Cloud

#14: Maintenance, Monitoring and Analysis of Audit Logs

1. Understand the cloud application’s security.

2. Manage what can be controlled.

3. Identify gaps.

4. Review gaps with hosting provider.

5. Address residual risk.

Page 23: 20 Security Controls for the Cloud

Security Event and Correlation Management

Diagram: Internet → Firewall → Intrusion Prevention → Event Correlation Engine (SIEM)

SIEM TECHNOLOGY aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data. Event data is combined with contextual information about users, assets, threats and vulnerabilities. The data is normalized, so that events, data and contextual information from disparate sources can be correlated and analyzed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. The technology provides real-time security monitoring, historical analysis and other support for incident investigation and compliance reporting.

DoS Shield detects when active attacks begin to consume large amounts of the network’s bandwidth and immediately blocks them; legitimate traffic proceeds normally.

Diagram components: BGP router, WAFs, database server, web server with anti-malware, DoS pattern filter.

1. Engineer how you will review/aggregate logs across all cloud environments associated with your company.

2. Work with cloud provider to understand reports and services that can be provided and/or recommended.
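The SIEM description above turns on two operations: normalizing events from disparate sources into one schema, and correlating them. The following is an added example, not code from the presentation or from NetStandard, of both steps across two cloud environments a company might own: sshd syslog lines from an IaaS virtual machine and AWS CloudTrail-style ConsoleLogin records. All input is constructed; the 10-minute window, the “failures against two or more environments” rule, and the assumption that the VM logs in UTC (syslog carries no year or zone) are this example’s own.

```python
"""Normalize login events from two cloud environments into one schema and
correlate failed logins by source IP across them.

Added example, not from the presentation. Inputs are constructed: sshd
syslog lines from an IaaS virtual machine, and AWS CloudTrail-style
ConsoleLogin records (only eventTime, eventName, userIdentity,
sourceIPAddress and responseElements are used). The 10-minute window, the
two-environment threshold and the assumption that the VM logs in UTC are
this example's own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines from an IaaS VM (syslog has no year; 2015 is assumed).
SAMPLE_SSHD = """\
Jun  8 14:02:11 web1 sshd[1234]: Failed password for jsmith from 203.0.113.5 port 51122 ssh2
Jun  8 14:02:15 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Jun  8 14:05:40 web1 sshd[1301]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
"""

# Constructed CloudTrail-style console login records.
SAMPLE_CLOUDTRAIL = [
    {"eventTime": "2015-06-08T14:04:02Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "jsmith"},
     "sourceIPAddress": "203.0.113.5",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2015-06-08T14:06:30Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "mchen"},
     "sourceIPAddress": "198.51.100.9",
     "responseElements": {"ConsoleLogin": "Success"}},
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def normalize_sshd(text, year=2015):
    """sshd syslog lines -> common schema {ts, source, user, src_ip, outcome}."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
            "source": f"iaas-vm:{m.group('host')}",
            "user": m.group("user"),
            "src_ip": m.group("ip"),
            "outcome": "failure" if m.group("outcome") == "Failed" else "success",
        })
    return events


def normalize_cloudtrail(records):
    """CloudTrail ConsoleLogin records -> the same common schema."""
    events = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        events.append({
            "ts": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": "aws-cloudtrail",
            "user": r["userIdentity"].get("userName"),
            "src_ip": r["sourceIPAddress"],
            "outcome": r["responseElements"]["ConsoleLogin"].lower(),
        })
    return events


def correlate_failures(events, window=timedelta(minutes=10), min_sources=2):
    """Flag source IPs with failed logins against >= min_sources environments
    inside `window`; one alert per IP, anchored on the earliest qualifying failure."""
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, failures in by_ip.items():
        failures.sort(key=lambda e: e["ts"])
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            sources = {e["source"] for e in in_window}
            if len(sources) >= min_sources:
                alerts.append({"src_ip": ip, "first_seen": first["ts"],
                               "failures": len(in_window), "sources": sorted(sources),
                               "users": sorted({e["user"] for e in in_window})})
                break
    return alerts


def run_sample():
    """Aggregate both constructed sources and correlate them."""
    events = normalize_sshd(SAMPLE_SSHD) + normalize_cloudtrail(SAMPLE_CLOUDTRAIL)
    return correlate_failures(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample the single alert is for 203.0.113.5, which failed twice against the VM and once against the AWS console within two minutes; neither log on its own shows more than an ordinary handful of failures. The normalization step is where cloud log review usually breaks: timestamps must end up in one time zone before any window comparison is meaningful, which is why the sshd parser above states the UTC assumption rather than silently assuming it.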


Page 24: 20 Security Controls for the Cloud

#15: Control Access Based on “Need to Know”

1. Review roster of cloud applications and establish granular access controls based upon data classification matrix.

2. Work with cloud provider to understand reporting or rights review tools that may be available.

Page 25: 20 Security Controls for the Cloud

#16: Account Monitoring and Control

1. Review roster of cloud applications and document account monitoring and control procedures.

2. Work with cloud provider to understand reports that can be provided.
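Controls #12 (document privileged accounts and who must have access) and #16 (account monitoring and control procedures) meet in one recurring check: take the account report the cloud provider can give you and compare it with the documented roster. The following is an added example, not code from the presentation or from NetStandard. The export is a constructed CSV in the shape many SaaS admin consoles produce; the field names, the approved-admin roster, the review date and the 90-day dormancy threshold are this example’s own assumptions.

```python
"""Check a cloud application's account export against the documented roster
of who must hold privileged access, and flag accounts that need attention.

Added example, not from the presentation. The export is a constructed CSV
(username, role, last sign-in, MFA enrolled); field names, the roster, the
review date and the 90-day dormancy threshold are assumptions.
"""
import csv
import io
from datetime import date, datetime

REVIEW_DATE = date(2015, 6, 8)   # date of this review (constructed)
DORMANT_DAYS = 90                # assumed policy threshold for unused accounts

# Documented privileged-account roster for this application (constructed).
APPROVED_ADMINS = {"jsmith", "mchen"}

# Constructed account export as a cloud application's admin console might produce it.
ACCOUNT_EXPORT = """\
username,role,last_login,mfa_enrolled
jsmith,admin,2015-06-05,yes
mchen,admin,2015-06-01,no
rpatel,admin,2015-05-30,yes
svc-backup,admin,2015-01-15,no
tlee,user,2015-06-04,yes
aold,user,2014-11-20,no
"""


def review_accounts(export_text, approved=APPROVED_ADMINS, today=REVIEW_DATE):
    """Return a list of (finding, username) tuples.

    unapproved_admin:       holds the admin role but is not on the roster
    admin_without_mfa:      privileged account not enrolled in MFA
    dormant_account:        no sign-in for more than DORMANT_DAYS
    approved_admin_missing: on the roster but has no admin account (roster stale)
    """
    findings = []
    seen_admins = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        user, role = row["username"], row["role"]
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d").date()
        has_mfa = row["mfa_enrolled"].strip().lower() == "yes"
        if role == "admin":
            seen_admins.add(user)
            if user not in approved:
                findings.append(("unapproved_admin", user))
            if not has_mfa:
                findings.append(("admin_without_mfa", user))
        if (today - last_login).days > DORMANT_DAYS:
            findings.append(("dormant_account", user))
    for user in sorted(approved - seen_admins):
        findings.append(("approved_admin_missing", user))
    return findings


if __name__ == "__main__":
    for finding, user in review_accounts(ACCOUNT_EXPORT):
        print(f"{finding:24} {user}")
```

On the sample export the service account `svc-backup` trips three findings at once (unapproved admin, no MFA, dormant); that combination is the usual shape of a privileged account nobody owns any more. Where the provider retains control of the admin role, as the slide notes, the same review runs against the provider’s report instead of your own console.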

Page 27: 20 Security Controls for the Cloud

#17: Data Loss Prevention

1. Ensure controls are in place, including rules for encrypting data that is commonly shared outside the organization.

2. Understand the cloud provider’s offering to ensure it complies with standards. If it doesn’t, work with cloud provider to improve controls.
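A rule of the kind step 1 describes, “encrypt data that is commonly shared outside the organization,” needs a detector and a decision. The following is an added example, not code from the presentation or from NetStandard: a small outbound DLP check that finds payment card numbers in a message, validates them with the Luhn checksum so that order numbers and similar digit runs are not flagged, and requires encryption when a hit is addressed to a recipient outside the company. The message, the recipients, the internal domain and the encrypt-versus-allow policy are this example’s own assumptions.

```python
"""Outbound DLP rule: detect payment card numbers in a message bound for
recipients outside the organization and require encryption before release.

Added example, not from the presentation. The message, recipients and
internal domain are constructed; the "encrypt when card data leaves the
organization" rule and the 13-19 digit Luhn-validated detector are this
example's own.
"""
import re

INTERNAL_DOMAIN = "example.com"   # constructed

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# preceded or followed by another digit or hyphen.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (9 subtracted if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return candidate PANs that pass Luhn; plain digit runs such as order numbers are rejected."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan):
    """Never write the full number to a DLP log; keep the last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


def dlp_decision(message, recipients, internal_domain=INTERNAL_DOMAIN):
    """Return (action, details). Actions: 'allow', 'encrypt'."""
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    cards = find_card_numbers(message)
    details = {"external_recipients": external, "cards": [mask(c) for c in cards]}
    if cards and external:
        return "encrypt", details
    return "allow", details


# Constructed sample message: one Luhn-valid test card number and one
# 16-digit order number that must not be flagged.
SAMPLE_MESSAGE = (
    "Hi, please charge 4111 1111 1111 1111 for order 1234567890123456 "
    "and confirm by Friday."
)
SAMPLE_RECIPIENTS = ["bob@example.com", "ap@vendor.example"]

if __name__ == "__main__":
    print(dlp_decision(SAMPLE_MESSAGE, SAMPLE_RECIPIENTS))
```

Two details matter in practice: the Luhn check is what keeps the false-positive rate tolerable (a bare 16-digit regex flags every order and tracking number), and the finding itself is masked, since a DLP log that stores full card numbers is a new place for the data to leak from. Whether the cloud provider’s DLP offering does both is a concrete question to put to them under step 2.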

Page 28: 20 Security Controls for the Cloud

#18: Incident Response

Chart: 2014 Common Attack Sources

Page 29: 20 Security Controls for the Cloud

Incident Response and Management

1. Review the cloud provider’s Security Incident Response Plan.

2. Contact cloud provider to discuss how customers will be engaged in incident response.

Page 30: 20 Security Controls for the Cloud

#19: Engineer Security

1. Review the SSAE 16 for all cloud providers.

2. Perform vendor management.

3. Understand the security of the hosted application and how it will be accessed.

Page 31: 20 Security Controls for the Cloud

#20: Penetration Tests and Red Team Exercises

1. Review the SSAE 16 for all cloud providers to obtain 3rd party verification of the effectiveness of the control.

2. Do not use hosting providers that do not have this control.

Page 32: 20 Security Controls for the Cloud

Next Steps

• Review your security programs and enhance them to address cloud controls.

• Review the SANS Institute’s data to look at suggested metrics and detailed process steps.

• Encourage your company leaders to engage the security team for assessment before they implement a cloud-based application.

• The cloud is here to stay; we must adapt our processes and controls.

• For a copy of the presentation, please leave your card with me.