
Controlling Clouds: Beyond Safety

Aug 29, 2014


Technology

ghaff

As an industry, we’ve mostly moved on from naive notions about cloud computing being inherently “safe” or “risky.” However, more sophisticated discussions require both greater nuance and greater rigor. This presentation takes attendees through frameworks for evaluating and mitigating potential issues in hybrid cloud environments, discusses key risk factors to consider, and describes some of the relevant standards and provider certifications. This is a broad and sometimes complex topic. However, it’s very manageable if individual risk factors are considered systematically and specifically. This session will give IT professionals tools and knowledge to help them make informed decisions.
Transcript
Page 1: Controlling Clouds: Beyond Safety

CONTROLLING CLOUDS: BEYOND SAFETY

GORDON HAFF (@ghaff), CLOUD EVANGELIST

NOVEMBER 2013

Page 2: Controlling Clouds: Beyond Safety

ABOUT ME

Red Hat Cloud Evangelist

Twitter: @ghaff

Google+: Gordon Haff

Email: [email protected]

Blog: http://bitmason.blogspot.com

Flickr: http://www.flickr.com/photos/bitmason/

Formerly: Illuminata (industry analyst), Data General (minicomputers/Unix/NUMA/etc.), shareware developer

Page 3: Controlling Clouds: Beyond Safety

IS IT SAFE?

Page 4: Controlling Clouds: Beyond Safety

Credit: Jackman Chiu, cc/flickr http://www.flickr.com/photos/lewolf011/7283101824

SAFETY =~

INTEGRITY

PRIVACY

CONTINUITY

SECURITY

Page 5: Controlling Clouds: Beyond Safety

BUT IN THE WORDS OF INIGO MONTOYA

Page 6: Controlling Clouds: Beyond Safety

THE REALITY (IN TWITTER SHORTHAND)

Page 7: Controlling Clouds: Beyond Safety

WHAT I’LL COVER

What’s new

What isn’t new

Certifications

The broader view—examples from the Cloud Security Alliance

Page 8: Controlling Clouds: Beyond Safety

WHAT’S NEW-ISH

Shared responsibility model

New (higher) levels of abstraction

“Rules of the road” still developing

Page 9: Controlling Clouds: Beyond Safety

SHARED RESPONSIBILITY: CLOUD PROVIDER VIEW

Source: Cloud Security Alliance

Page 10: Controlling Clouds: Beyond Safety

ABSTRACTIONS HIDE (BY DESIGN)

[Figure: layered stack, bottom to top: Storage (RHS), Hardware (x86), Virtualization (RHEV), Operating System (RHEL), Application Platform (JBoss, PHP, Ruby, etc.), Application. The lower layers are automated and managed by the public or private cloud offering; the upper layers are managed and controlled by the customer (IT, Dev, or User). Columns IaaS, PaaS, SaaS; axes labelled Increased Control and Increased Automation.]

Page 11: Controlling Clouds: Beyond Safety

PERVASIVE SELF-SERVICE

CONSUMERIZED EXPECTATIONS

SCALE

Credit: Julie Blaustein, cc/flickr http://www.flickr.com/photos/25138992@N00/4960914218

Page 12: Controlling Clouds: Beyond Safety

BROADLY: CLOUD IS SHIFT TO DELIVERY OF SERVICES RATHER THAN INFRASTRUCTURE

Page 13: Controlling Clouds: Beyond Safety

BUT MUCH DOESN’T CHANGE

If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to cloud.

Chris Hoff

Credit: Michael Rosenstein, cc/flickr http://www.flickr.com/photos/michaelcr/1508784073/

Page 14: Controlling Clouds: Beyond Safety

ITIL BEST PRACTICES HIGHLY RELEVANT TO SERVICE DELIVERY THROUGH CLOUD

ITIL Service Strategy provides guidance on generating a strategy for a major shift in service delivery

ITIL practices can help design cloud computing as appropriate end-to-end services

Page 15: Controlling Clouds: Beyond Safety

COST/BENEFIT STILL APPLIES

RISK = LIKELIHOOD * IMPACT

Source: ENISA

Page 16: Controlling Clouds: Beyond Safety

EXAMPLE: COMPLIANCE CHALLENGES

Page 17: Controlling Clouds: Beyond Safety

THE NICE THING ABOUT CERTIFICATIONS IS THAT THERE ARE SO MANY OF THEM

SAS 70: specifically created for financial auditors of service organizations

ISO/IEC 27001: information security management system standard published in 2005

PCI DSS: for organizations processing credit card transactions

FedRAMP Security Controls: framework for US Federal agencies

HIPAA: US healthcare

Page 18: Controlling Clouds: Beyond Safety

SOC 2 AND 3

Report can be issued on one or more Trust Services Principles: Security, Availability, Processing integrity, Confidentiality, Privacy

Type 1: Suitability of design

Type 2: Suitability of design and effectiveness

SOC 3 is a condensed public version of SOC 2

Mostly in the US today

See www.webtrust.org

Page 19: Controlling Clouds: Beyond Safety

CSA CLOUD CONTROLS MATRIX

98 “control areas” in 11 categories. Example: Security Architecture - Production / Non-Production Environments

Each mapped to areas of relevance. Examples: IaaS, PaaS, SaaS, corporate governance, and supplier relationships

Each mapped to relevant regulations and certifications

Examples: NIST, PCI DSS

Page 20: Controlling Clouds: Beyond Safety

11 DOMAINS

Compliance (CO)

Data Governance (DG)

Facility Security (FS)

Human Resources (HR)

Information Security (IS)

Legal (LG)

Operations Management (OM)

Risk Management (RI)

Release Management (RM)

Resiliency (RS)

Security Architecture (SA)

Some examples…

Page 21: Controlling Clouds: Beyond Safety

COMPLIANCE

Audit controls: limitations of third-party auditability can be a concern for public cloud users

Regulatory mapping: can be especially important to understand where data resides

Credit: Evan Long, cc/flickr http://www.flickr.com/photos/clover_1/1178035169/

Page 22: Controlling Clouds: Beyond Safety

DATA GOVERNANCE

Controls to prevent data leaks in a multi-tenant environment

Red Hat uses SELinux as part of Red Hat Enterprise Linux and OpenShift security measures

Support for Virtual Private Clouds (VPC) on Amazon Web Services

Page 23: Controlling Clouds: Beyond Safety

INFORMATION SECURITY

Identity and Access Control

Store and manage timely identity information about every person who accesses the cloud resources and determine their level of access

Still evolving for cloud use cases, but critical to get it right

Page 24: Controlling Clouds: Beyond Safety

SECURITY ARCHITECTURE

Multi-factor authentication (e.g., card keys + PIN)

Establishment and implementation of encryption policies

Key management

User policies for mobile devices

Page 25: Controlling Clouds: Beyond Safety

SECURITY ARCHITECTURE

Segmentation and restricted connections in network environments

“Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations”

One of the reasons VPCs are interesting to many organizations
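As an added worked example (not from the presentation, and not Red Hat or CSA code), the Python below applies three of the deck's frameworks to a constructed hybrid-cloud risk register: the page-15 formula RISK = LIKELIHOOD * IMPACT, the page-10 shared responsibility split by delivery model, and the page-20 Cloud Controls Matrix domain codes. The risk factors, their 1..5 scales, and the layer-to-model assignment (provider manages storage, hardware and virtualization under IaaS, everything up to the application platform under PaaS, and the whole stack under SaaS) are assumptions constructed to illustrate the method, as are all function names.

```python
from dataclasses import dataclass

# Stack layers from the page-10 diagram, bottom to top.
LAYERS = ["storage", "hardware", "virtualization",
          "operating_system", "application_platform", "application"]

# Assumed split (a conventional reading of the diagram): the boundary of what
# the provider automates moves up the stack from IaaS to PaaS to SaaS.
PROVIDER_MANAGED = {
    "IaaS": set(LAYERS[:3]),
    "PaaS": set(LAYERS[:5]),
    "SaaS": set(LAYERS),
}


def customer_controls(model, layer):
    """True when the customer, not the provider, manages `layer` under `model`."""
    if model not in PROVIDER_MANAGED:
        raise ValueError(f"unknown delivery model: {model}")
    if layer not in LAYERS:
        raise ValueError(f"unknown layer: {layer}")
    return layer not in PROVIDER_MANAGED[model]


@dataclass(frozen=True)
class RiskFactor:
    name: str
    domain: str      # CSA CCM domain code from page 20, e.g. "DG"
    layer: str       # stack layer where the mitigating control lives
    likelihood: int  # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int      # 1 (negligible) .. 5 (severe); scale is an assumption

    def __post_init__(self):
        # Reject out-of-range scores so a bad register entry fails loudly.
        for field in ("likelihood", "impact"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be 1..5, got {value}")
        if self.layer not in LAYERS:
            raise ValueError(f"unknown layer: {self.layer}")

    def score(self):
        # Page 15: RISK = LIKELIHOOD * IMPACT
        return self.likelihood * self.impact


def rank(register, model):
    """(score, name, owner, domain) rows, highest risk first, ties by name.
    `owner` is who must run the mitigating control under the shared
    responsibility split for `model`."""
    rows = []
    for rf in register:
        owner = "customer" if customer_controls(model, rf.layer) else "provider"
        rows.append((rf.score(), rf.name, owner, rf.domain))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def customer_owned(register, model):
    """Ranked rows the customer cannot delegate to the provider under `model`."""
    return [row for row in rank(register, model) if row[2] == "customer"]


def domain_totals(register):
    """Total score per CCM domain: which domain carries the most risk."""
    totals = {}
    for rf in register:
        totals[rf.domain] = totals.get(rf.domain, 0) + rf.score()
    return totals


# Constructed sample register (names, layers and scores are illustrative).
SAMPLE_REGISTER = [
    RiskFactor("tenant data leak across VMs", "DG", "virtualization", 2, 5),
    RiskFactor("stale identities retain access", "IS", "application", 4, 4),
    RiskFactor("data stored in non-compliant region", "CO", "storage", 3, 4),
    RiskFactor("unpatched guest OS", "SA", "operating_system", 4, 3),
    RiskFactor("weak single-factor admin login", "SA", "application", 3, 5),
]

if __name__ == "__main__":
    for model in PROVIDER_MANAGED:
        print(f"--- {model}: customer-owned risks ---")
        for score, name, owner, domain in customer_owned(SAMPLE_REGISTER, model):
            print(f"{score:3d}  {domain}  {name}")
    print("per-domain totals:", domain_totals(SAMPLE_REGISTER))
```

Running it shows the deck's "much doesn't change" point in numbers: the scores of the register do not move when you switch from IaaS to PaaS to SaaS, only the list of risks the customer must mitigate itself shrinks, which is exactly what a shared responsibility review has to make explicit before a provider certification is treated as covering a given risk.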

Page 26: Controlling Clouds: Beyond Safety

BUT IT’S NOT ABOUT BEING AN INHIBITOR

Remember the cost/benefit tradeoff

Your organization is (almost certainly) using public clouds

A private cloud that doesn’t provide cloud agility isn’t a cloud

Automation, streamlined process, clearly-defined policy help users and reduce risk

Page 27: Controlling Clouds: Beyond Safety

SOURCES FOR A BROADER CLOUD GOVERNANCE VIEW

Deloitte Cloud Computing Risk Intelligence Map

Cloud Computing Security Risk Assessment

CSIS 20 Critical Security Controls

Cloud Security Alliance STAR and Cloud Controls Matrix

Links:

http://www.isaca.org/Groups/Professional-English/cloud-computing/GroupDocuments/Deloitte%20Risk%20Map%20for%20Cloud%20Computing.pdf

http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

http://www.cloudsecurityalliance.org

http://www.sans.org/critical-security-controls/guidelines.php

Page 28: Controlling Clouds: Beyond Safety

FOR A GOOD VIEW OF INFOSEC IN A DEVOPS AGE

The DevOps revolution is the moment that every information security practitioner has been waiting for. The death spiral can be broken, and this book shows you how.

JOSHUA CORMAN

Page 29: Controlling Clouds: Beyond Safety

QUESTIONS?

THANK YOU.

Gordon Haff

Email: [email protected]

Twitter: @ghaff

Google+: Gordon Haff

Blog: bitmason.blogspot.com