Cloud Security Assessment

Apr 01, 2015

Transcript

Page 1: Cloud Security Assessment. 2 CoE IT Leadership.- Progress report Introduction »Cloud computing is an approach in which infrastructure and software resources.

Cloud Security Assessment

Page 2:

2 CoE IT Leadership.- Progress report

Introduction

» Cloud computing is an approach in which infrastructure and software resources are provided by an external vendor or by your internal IT department over the Internet. These resources are highly scalable and at competitive costs, which make Cloud services highly attractive in a business environment in which organisations are trying to reduce their IT capital expenditure and costs and improve the flexibility of their IT services delivery.

The Cloud, a revolution on several levels…

Page 3:

Reasons for using Cloud Computing

Source: Flying Blind in the Cloud, Ponemon Institute, April 2010

Introduction

Page 4:

Benefits and risks

Adopting Cloud computing can bring significant benefits and challenges for organisations in building trust and confidence in Cloud Computing services, including:

Benefits

• significantly lower application service costs – currently as low as $20/month for entry level web applications;

• dramatically reduced capital expenditure funding, with services charged for mainly by use;

• improved service agility, where requirements for IT services can be much more quickly met;

• improved productivity through cost-effective business-wide collaboration applications; and

• new opportunities for exploiting and sharing information, in support of business model innovation.

Risks

• concern over maintaining data privacy and security;

• unproven service level agreements;

• the difficulty of integration of existing applications and data.

Introduction

Page 5:

Atos Sphere

» Advisory Services
» SAP Regression Testing (SaaS)
» Product Lifecycle Mgmt. (PLM) on Demand
» Data Mgmt. on demand (PaaS)
» Atos in a box Workplace (DaaS)
» Infra-structure Services (IaaS)
» Atos Worldline (BPaaS)

Introduction

Atos Sphere™ Security and Compliance

» Opportunity Assessment
» Awareness Workshop
» Security and Compliance
» Business Case
» Pilot Project
» Governance
» Business Innovation
» Transition

Page 6:

Cloud Services, as a mix of consumer commodities and enterprise applications, have to meet customer needs for confidentiality and compliance with legal directives. This package provides:

» A set of core security principles to assure users and customers of a trustworthy cloud computing environment

» An increased level of security to support sensitive enterprise applications and data in a cloud environment

» Customer-adopted best practice rules for handling the fact that the location of data, processing and applications is not known

Introduction

Page 7:

Legal Recommendations

» European Commission
  » Data Protection Directive (Article 29)
  » Customer notification of data security breaches
  » eCommerce Directive (Articles 12-15)
  » Minimum data protection standards and privacy certification schemes common across all states

» Country local directives
  » Germany: TKG, Datenschutzgesetz

» Areas of attention
  1. Data Security, Protection and Transfer
  2. Law Enforcement Access
  3. Confidentiality and non-disclosure
  4. Intellectual property
  5. Risk allocation and limitation of liability
  6. Change of control

Business issues

Page 8:

Security Benefits

Security and the benefits of scale

» All security measures are cheaper when implemented on a large scale

» The same amount of investment in security buys better protection for all kinds of defensive measures, e.g.
  » Filtering
  » Patch management
  » Hardening of virtual machines and hypervisors

» Multiple locations

» Edge networks

» Timeliness of response to incidents, threat management

» Standardized interface for managed security services (open and readily available market)

» Dynamic reallocation of filtering, traffic shaping, authentication, encryption, etc.

» Audit and evidence gathering (less downtime for forensic analysis, lower log storage cost)

» More timely, effective and efficient updates and defaults

» Benefits of resource concentration: besides the risk it brings, security is cheaper

Business issues

Page 9:

Protection of sensitive information in the Cloud

» Only a few organizations have taken proactive steps to protect sensitive information

Source: Flying Blind in the Cloud, Ponemon Institute, April 2010

Business issues

Page 10:

Security Risks

Top Risks

» Loss of Governance

» Lock-In

» Isolation Failure

» Compliance Risk

» Management interface compromise

» Data protection

» Insecure or incomplete data deletion

» Malicious insider

Business issues

Page 11:

Security Risks by category

Policy and Organizational

• Lock-in
• Loss of governance
• Compliance challenges
• No evidence for provider compliance
• Provider does not permit audits
• Loss of business reputation due to co-tenant activities
• Cloud service termination or failure
• Cloud provider acquisition
• Supply chain failure

Legal

• Subpoena and e-discovery
• Changing jurisdiction
• Data protection
• Licensing

Technical

• Resource exhaustion (over/under provisioning)
• Isolation failure
• Provider malicious insider – abuse of high privileges
• Management interface compromise
• Intercepting data in transfer
• Data leakage on upload / intra-cloud
• Insecure and inefficient deletion of data
• Distributed denial of service attack (DDoS)
• Economic denial of service (EDoS)
• Loss of encryption keys
• Undertaking malicious probes and scans
• Compromise of the service engine
• Conflicts between customers' hardening procedures

Not Cloud specific

• Network breaks
• Modifying network traffic
• Privilege escalation
• Social engineering attacks
• Loss or compromise of operation and security logs
• Backup lost
• Unauthorized access to premises
• Theft of computer equipment
• Natural disaster

Business issues

Page 12:

Areas of Vulnerabilities (Cloud relevant)

» AAA
» User de/provisioning
» Remote access to management interface
» Hypervisor
» Resource & reputation isolation
» Communication encryption
» Weak encryption of archives and data in transit
» Impossibility to process encrypted data
» Poor key management
» Key generation and random number generation
» Lack of standard technology and solutions
» No source escrow agreement
» Inaccurate modeling of resource usage
» No control on vulnerability assessment process
» Co-residence checks might be performed
» Lack of forensic readiness
» Sensitive media sanitization
» Synchronizing responsibilities or contractual obligations external to cloud
» Cross-cloud applications create hidden dependencies
» SLA clauses with conflicting promises to different stakeholders
» SLA clauses containing excessive business risk
» Audit or certification not available for the customer
» Certification schemes not adapted to cloud infrastructure
» Inadequate resource provisioning and investments in infrastructure
» No policies for resource capping (quotas)
» Storage of data in multiple jurisdictions and lack of transparency
» Lack of information on jurisdictions
» Lack of completeness and transparency in terms of use

Business issues

Page 13:

Research Recommendations

Categories

» Building trust in the cloud
» Effects of different forms of breach reporting on security
» End-to-end data confidentiality in the cloud and beyond
» Higher assurance clouds, virtual private clouds etc.
» Data protection in large scale cross-organizational systems
» Forensics and evidence gathering mechanisms
» Incident handling, monitoring and traceability
» International differences in relevant regulations including data protection and privacy
» Large scale computer engineering
» Resource isolation mechanisms – data, processing, logs, etc.
» Interoperability between cloud providers
» Resilience of cloud computing: how can cloud improve resilience?

Business issues

Page 14:

Compliance and Certifications

Standards

• ISO 20000 (IT service management)
• ISO 27002 (IT security)
• SOX
• TBC

Certification methods

• CobiT (Control Objectives for Information and related Technology)
• CMMI (Capability Maturity Model Integration)
• ITIL (IT Infrastructure Library)

Business issues

Page 15:

Our Approach

Cloud Security services

» Cloud Security Assessment
» Certification Services (ISMS, BS25999, ...)
» Data Loss Prevention
» Identity Management
» Perimeter protection
» Built-in Security controls at Atosphere Services

Page 16:

Customer benefits and business outcomes

• Customer benefits

• Knowledge of what your digital security weaknesses really are

• Knowledge of the legislative and regulatory requirements you really face

• Clarity on your cost v risk balance

Our Approach

Cloud Security Assessment

Page 17:

Fig 2: cost vs. security benefit matrix. Axes: High Costs / Low Costs and High Security Benefit / Low Security Benefit. Priority: High, Medium, Low. Controls plotted: Third Party Security, Classification Guideline, Responsibilities, Awareness, Changes, Logging/Archiving, Server Policy, Secure Media Handling, Security Incident Management, Business Continuity, Firewall Ruleset, Clean Desk, Definition of security requirements, Legislation, Check Security Controls.

Our Approach

Cloud Security Assessment

Page 18:

Interviews

• Interviews with CIO/CISO/Sysadmins
• Document the findings using the Cloud Security Maturity Assessment Tool

Vulnerability Assessment

• Assess the technical vulnerabilities using scanning tools

Analysis

• Analysis of feedback
• Defining security controls that do not meet the required maturity level
• Risk modeling using the Cloud Security Assessment Tool

Reporting

• Draft report and roadmap writing

Workshop

• Business Risks v Costs Workshop

Final Report

• Finalization of report and delivery of report and roadmap
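The analysis and workshop steps above (controls that miss their required maturity level, then a business-risk versus cost prioritisation as in fig 2) can be carried out on a small findings register. The following is an added example, not the deck's own Cloud Security Assessment Tool or any Atos code. It assumes a 0–5 maturity scale, a required level per control, and a two-by-two reading of the cost/benefit matrix (high benefit with low cost is High priority, low benefit with high cost is Low, everything else Medium); the control names come from fig 2, while the maturity levels, costs and benefits are constructed sample data.

```python
"""Maturity-gap analysis and cost/benefit prioritisation of assessment findings.

Added example; the scale, the priority rule and the sample data are assumptions,
not the deck's tool. Control names are taken from fig 2 of the deck.
"""
from dataclasses import dataclass

MATURITY_LEVELS = range(0, 6)          # assumed 0..5 maturity scale
PRIORITY_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Finding:
    control: str
    current: int    # observed maturity level (0..5)
    required: int   # maturity level the organisation requires (0..5)
    cost: str       # implementation cost: "high" or "low"
    benefit: str    # security benefit: "high" or "low"

    def __post_init__(self) -> None:
        # Reject malformed register entries early rather than mis-prioritising them.
        if self.current not in MATURITY_LEVELS or self.required not in MATURITY_LEVELS:
            raise ValueError(f"{self.control}: maturity levels must be 0..5")
        if self.cost not in ("high", "low") or self.benefit not in ("high", "low"):
            raise ValueError(f"{self.control}: cost and benefit must be 'high' or 'low'")


def gap(f: Finding) -> int:
    """Maturity shortfall; 0 means the control already meets the required level."""
    return max(0, f.required - f.current)


def priority(f: Finding) -> str:
    """Assumed reading of the fig 2 matrix: cheap and effective first, costly and weak last."""
    if f.benefit == "high" and f.cost == "low":
        return "High"
    if f.benefit == "low" and f.cost == "high":
        return "Low"
    return "Medium"


def roadmap(findings):
    """Controls that miss their required level, ordered by priority (High first),
    then by size of the gap (largest first), then by name for a stable report."""
    open_gaps = [f for f in findings if gap(f) > 0]
    open_gaps.sort(key=lambda f: (PRIORITY_ORDER[priority(f)], -gap(f), f.control))
    return [(f.control, priority(f), gap(f)) for f in open_gaps]


# Constructed sample register; levels, costs and benefits are illustrative only.
SAMPLE_FINDINGS = [
    Finding("Firewall Ruleset", current=2, required=4, cost="low", benefit="high"),
    Finding("Logging/Archiving", current=1, required=4, cost="high", benefit="high"),
    Finding("Clean Desk", current=3, required=3, cost="low", benefit="low"),   # already compliant
    Finding("Business Continuity", current=1, required=3, cost="high", benefit="low"),
    Finding("Awareness", current=2, required=3, cost="low", benefit="high"),
    Finding("Security Incident Management", current=0, required=3, cost="low", benefit="high"),
]

if __name__ == "__main__":
    for control, prio, shortfall in roadmap(SAMPLE_FINDINGS):
        print(f"{prio:<6} gap={shortfall} {control}")
```

Controls that already meet their required level (Clean Desk in the sample) drop out of the roadmap, so the report lists only work that is actually outstanding; the explicit validation in `__post_init__` keeps a mistyped register entry from silently landing in the wrong quadrant.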

Our Approach

Cloud Security Assessment
