Cloud Security Assessment
Apr 01, 2015
2 CoE IT Leadership.- Progress report
Introduction
» Cloud computing is an approach in which infrastructure and software resources are provided over the Internet, either by an external vendor or by your internal IT department. These resources are highly scalable and competitively priced, which makes cloud services attractive to organisations that are trying to reduce IT capital expenditure and running costs while making IT service delivery more flexible.
The Cloud, a revolution on several levels…
Reasons for using Cloud Computing
Source: Flying Blind in the Cloud, Ponemon Institute, April 2010
Benefits and risks
Adopting cloud computing brings organisations significant benefits, but also challenges in building trust and confidence in cloud services:
Benefits
• significantly lower application service costs, currently as low as $20/month for entry-level web applications;
• dramatically reduced capital expenditure, with services charged for mainly by use;
• improved service agility, so that requirements for IT services can be met much more quickly;
• improved productivity through cost-effective business-wide collaboration applications; and
• new opportunities for exploiting and sharing information in support of business model innovation.
Risks
• concern over maintaining data privacy and security;
• unproven service level agreements; and
• the difficulty of integrating existing applications and data.
Atos Sphere™
Advisory Services
» SAP Regression Testing (SaaS)
» Product Lifecycle Management (PLM) on Demand
» Data Management on Demand (PaaS)
» Atos in a box Workplace (DaaS)
» Infrastructure Services (IaaS)
» Atos Worldline (BPaaS)
Atos Sphere™ Security and Compliance
» Opportunity Assessment
» Awareness Workshop
» Security and Compliance Business Case
» Pilot Project
» Governance
» Business Innovation
» Transition
Cloud services, as a mix of consumer commodities and enterprise applications, have to meet customer needs for confidentiality and for compliance with legal directives. This package provides:
» a set of core security principles to assure users and customers of a trustworthy cloud computing environment;
» an increased level of security to support sensitive enterprise applications and data in a cloud environment; and
» customer-adopted best-practice rules for dealing with the lack of visibility into where data is stored, where it is processed and where applications run.
Legal Recommendations
» European Commission
» Data Protection Directive (Article 29)
» Customer notification of data security breaches
» eCommerce Directive (Articles 12-15)
» Minimum data protection standards and privacy certification schemes common across all states
» Country-local directives
» Germany: TKG, Datenschutzgesetz
» Areas of attention
1. Data security, protection and transfer
2. Law enforcement access
3. Confidentiality and non-disclosure
4. Intellectual property
5. Risk allocation and limitation of liability
6. Change of control
Business issues
Security Benefits: security and the benefits of scale
» All security measures are cheaper when implemented at large scale.
» The same investment in security buys better protection for all kinds of defensive measures, e.g.
» Filtering
» Patch management
» Hardening of virtual machines and hypervisors
» Multiple locations
» Edge networks
» Timeliness of response to incidents, threat management
» Standardised interface for managed security services (an open and readily available market)
» Dynamic reallocation of filtering, traffic shaping, authentication, encryption, etc.
» Audit and evidence gathering (less downtime for forensic analysis, lower log storage cost)
» More timely, effective and efficient updates and defaults
» Benefits of resource concentration: despite the risk it introduces, concentration makes security cheaper
Protection of sensitive information in the Cloud
» Only a few organizations have taken proactive steps to protect sensitive information
Source: Flying Blind in the Cloud, Ponemon Institute, April 2010
Security Risks
Top risks
» Loss of Governance
» Lock-In
» Isolation Failure
» Compliance Risk
» Management interface compromise
» Data protection
» Insecure or incomplete data deletion
» Malicious insider
Security Risks by category
Policy and organisational
• Lock-in
• Loss of governance
• Compliance challenges
• No evidence of provider compliance
• Provider does not permit audits
• Loss of business reputation due to co-tenant activities
• Cloud service termination or failure
• Cloud provider acquisition
• Supply chain failure
Legal
• Subpoena and e-discovery
• Changing jurisdiction
• Data protection
• Licensing
Technical
• Resource exhaustion (over/under-provisioning)
• Isolation failure
• Provider malicious insider (abuse of high privileges)
• Management interface compromise
• Intercepting data in transfer
• Data leakage on upload/download and intra-cloud
• Insecure or ineffective deletion of data
• Distributed denial of service attack (DDoS)
• Economic denial of service (EDoS)
• Loss of encryption keys
• Undertaking malicious probes and scans
• Compromise of service engine
• Conflicts between customers' hardening procedures
Not cloud specific
• Network breaks
• Modifying network traffic
• Privilege escalation
• Social engineering attacks
• Loss or compromise of operational and security logs
• Backup lost
• Unauthorised access to premises
• Theft of computer equipment
• Natural disaster
Areas of vulnerability (cloud relevant)
» AAA vulnerabilities
» User de-/provisioning
» Remote access to management interface
» Hypervisor vulnerabilities
» Lack of resource and reputation isolation
» Communication encryption vulnerabilities
» Weak encryption of archives and of data in transit
» Impossibility of processing data in encrypted form
» Poor key management
» Key generation: weak random number generation
» Lack of standard technology and solutions
» No source escrow agreement
» Inaccurate modelling of resource usage
» No control over the vulnerability assessment process
» Co-residence checks might be performed
» Lack of forensic readiness
» Sensitive media sanitisation
» Synchronising responsibilities or contractual obligations external to the cloud
» Cross-cloud applications create hidden dependencies
» SLA clauses with conflicting promises to different stakeholders
» SLA clauses containing excessive business risk
» Audit or certification not available to the customer
» Certification schemes not adapted to cloud infrastructure
» Inadequate resource provisioning and investment in infrastructure
» No policies for resource capping (quotas)
» Storage of data in multiple jurisdictions and lack of transparency
» Lack of information on jurisdictions
» Lack of completeness and transparency in terms of use
Research Recommendations
Categories
» Building trust in the cloud
» Effects of different forms of breach reporting on security
» End-to-end data confidentiality in the cloud and beyond
» Higher-assurance clouds, virtual private clouds, etc.
» Data protection in large-scale cross-organisational systems
» Forensics and evidence-gathering mechanisms
» Incident handling, monitoring and traceability
» International differences in relevant regulations, including data protection and privacy
» Large-scale computer engineering
» Resource isolation mechanisms (data, processing, logs, etc.)
» Interoperability between cloud providers
» Resilience of cloud computing: how can cloud improve resilience?
Compliance and Certifications
Standards
• ISO 20000 (IT service management)
• ISO 27002 (IT security controls; the certifiable ISMS standard is ISO 27001)
• SOX (Sarbanes-Oxley)
• TBC
Certification methods
• COBIT (Control Objectives for Information and related Technology)
• CMMI (Capability Maturity Model Integration)
• ITIL (IT Infrastructure Library)
Our Approach
Cloud Security Assessment
Cloud security services
» Cloud Security Assessment
» Certification Services (ISMS, BS 25999, ...)
» Data Loss Prevention
» Identity Management
» Perimeter protection
» Built-in security controls in Atos Sphere services
Customer benefits and business outcomes
• Knowledge of what your digital security weaknesses really are
• Knowledge of the legislative and regulatory requirements you really face
• Clarity on your cost v risk balance
[fig 2 (Check Security Controls): matrix of the assessed security controls plotted by cost (low to high) against security benefit (low to high), with priority marked high, medium or low. Controls plotted: Third Party Security, Classification Guideline, Responsibilities, Awareness, Changes, Logging/Archiving, Server Policy, Secure Media Handling, Security Incident Management, Business Continuity, Firewall Ruleset, Clean Desk, Definition of Security Requirements, Legislation.]
Interviews
• Interviews with CIO/CISO/sysadmins
• Document the findings using the Cloud Security Maturity Assessment Tool
Vulnerability Assessment
• Assess the technical vulnerabilities using scanning tools
Analysis
• Analysis of feedback
• Defining the security controls that do not meet the required maturity level
• Risk modelling using the Cloud Security Assessment Tool
Reporting
• Draft report and roadmap writing
Workshop
• Business Risks v Costs workshop
Final Report
• Finalisation of the report and delivery of the report and roadmap