CONTROLLING CLOUDS: BEYOND SAFETY
GORDON HAFF (@ghaff), CLOUD EVANGELIST
NOVEMBER 2013
Aug 29, 2014
ABOUT ME
Red Hat Cloud Evangelist
Twitter: @ghaff
Google+: Gordon Haff
Email: [email protected]
Blog: http://bitmason.blogspot.com
Flickr: http://www.flickr.com/photos/bitmason/
Formerly: Illuminata (industry analyst), Data General (minicomputers/Unix/NUMA/etc.), shareware developer
IS IT SAFE?
Credit: Jackman Chiu, cc/flickr http://www.flickr.com/photos/lewolf011/7283101824
SAFETY =~
INTEGRITY
PRIVACY
CONTINUITY
SECURITY
BUT IN THE WORDS OF INIGO MONTOYA
THE REALITY (IN TWITTER SHORTHAND)
WHAT I’LL COVER
What’s new
What isn’t new
Certifications
The broader view: examples from the Cloud Security Alliance
WHAT’S NEW-ISH
Shared responsibility model
New (higher) levels of abstraction
“Rules of the road” still developing
SHARED RESPONSIBILITY: CLOUD PROVIDER VIEW
Source: Cloud Security Alliance
ABSTRACTIONS HIDE (BY DESIGN)
STORAGE (RHS)
HARDWARE (x86)
VIRTUALIZATION (RHEV)
OPERATING SYSTEM (RHEL)
APPLICATION PLATFORM (JBOSS, PHP, RUBY, ETC)
APPLICATION
Automated and Managed by the Public or Private Cloud Offering
Managed and Controlled by Customer (IT, Dev, or User)
IaaS PaaS SaaS
Increased Control
Increased Automation
PERVASIVE SELF-SERVICE
CONSUMERIZED EXPECTATIONS
SCALE
Credit: Julie Blaustein, cc/flickr http://www.flickr.com/photos/25138992@N00/4960914218
BROADLY: CLOUD IS SHIFT TO DELIVERY OF SERVICES RATHER THAN INFRASTRUCTURE
BUT MUCH DOESN’T CHANGE
If your security practices suck in the physical realm, you’ll be delighted by the surprising lack of change when you move to cloud.
Chris Hoff
Credit: Michael Rosenstein, cc/flickr http://www.flickr.com/photos/michaelcr/1508784073/
ITIL BEST PRACTICES HIGHLY RELEVANT TO SERVICE DELIVERY THROUGH CLOUD
ITIL Service Strategy provides guidance on generating a strategy for a major shift in service delivery
ITIL practices can help design cloud computing as appropriate end-to-end services
COST/BENEFIT STILL APPLIES
RISK = LIKELIHOOD * IMPACT
Source: ENISA
EXAMPLE: COMPLIANCE CHALLENGES
THE NICE THING ABOUT CERTIFICATIONS IS THAT THERE ARE SO MANY OF THEM
SAS 70
Specifically created for financial auditors of service organizations
ISO/IEC 27001
Information security management system standard published in 2005
PCI DSS
For organizations processing credit card transactions
FedRAMP Security Controls
Framework for US Federal agencies
HIPAA
US healthcare
SOC 2 AND 3
Report can be issued on one or more Trust Services Principles:
Security, Availability, Processing integrity, Confidentiality, Privacy
Type 1: Suitability of design
Type 2: Suitability of design and effectiveness
SOC 3 is a condensed public version of SOC 2
Mostly in the US today
See www.webtrust.org
CSA CLOUD CONTROLS MATRIX
98 “control areas” in 11 categories
Example: Security Architecture - Production / Non-Production Environments
Each mapped to areas of relevance
Examples: IaaS, PaaS, SaaS, corporate governance, and supplier relationships
Each mapped to relevant regulations and certifications
Examples: NIST, PCI DSS
11 DOMAINS
Compliance (CO)
Data Governance (DG)
Facility Security (FS)
Human Resources (HR)
Information Security (IS)
Legal (LG)
Operations Management (OM)
Risk Management (RI)
Release Management (RM)
Resiliency (RS)
Security Architecture (SA)
Some examples…
COMPLIANCE
Audit controls
Limitations of third-party auditability can be a concern for public cloud users
Regulatory mapping
Can be especially important to understand where data resides
Credit: Evan Long, cc/flickr http://www.flickr.com/photos/clover_1/1178035169/
DATA GOVERNANCE
Controls to prevent data leaks in a multi-tenant environment
Red Hat uses SELinux as part of Red Hat Enterprise Linux and OpenShift security measures
Support for Virtual Private Clouds (VPC) on Amazon Web Services
INFORMATION SECURITY
Identity and Access Control
Store and manage timely identity information about every person who accesses the cloud resources and determine their level of access
Still evolving for cloud use cases, but critical to get it right
SECURITY ARCHITECTURE
Multi-factor authentication
Card keys + PIN
Establishment and implementation of encryption policies
Key management
User policies for mobile devices
SECURITY ARCHITECTURE
Segmentation and restricted connections in network environments
“Networks shared with external entities shall have a documented plan detailing the compensating controls used to separate network traffic between organizations”
One of the reasons VPCs are interesting to many organizations
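The control quoted above asks for two things that can be checked mechanically: that a shared network does not allow traffic between organizations, and that any exception is tied to a documented compensating control. The following Python audit is an added example, not code from the slides, from Red Hat, or from the Cloud Security Alliance; the tenant address plan, the rule format, the control identifier "CC-017" and the sample rules are all constructed assumptions for illustration.

```python
"""Audit a set of network allow-rules for cross-tenant reachability.

Added example (not from the original slides). Models the CSA control:
traffic between organizations sharing a network must be separated, and
any cross-tenant allow-rule must reference a documented compensating
control. Tenant names, CIDRs and rule format are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Hypothetical tenant address plan (constructed for this example).
TENANT_NETS = {
    "tenant-a": ip_network("10.1.0.0/16"),
    "tenant-b": ip_network("10.2.0.0/16"),
    "shared-services": ip_network("10.250.0.0/24"),
}
SHARED = "shared-services"   # reachable by every tenant by design


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    action: str                    # "allow" or "deny"
    compensating_control: str = "" # documented control id, empty if none


def tenants_for(cidr: str) -> set:
    """Return the tenants whose address space overlaps the given CIDR."""
    net = ip_network(cidr)
    return {name for name, tnet in TENANT_NETS.items() if net.overlaps(tnet)}


def audit(rules):
    """Return (rule name, status, tenant pairs) for every allow-rule that
    lets one tenant reach another.  Status is "violation" when no
    compensating control is documented, else "documented-exception".
    Traffic to/from shared-services is treated as intended and ignored."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        pairs = {
            tuple(sorted((s, d)))
            for s in tenants_for(r.src)
            for d in tenants_for(r.dst)
            if s != d and SHARED not in (s, d)
        }
        if not pairs:
            continue
        status = "documented-exception" if r.compensating_control else "violation"
        findings.append((r.name, status, sorted(pairs)))
    return findings


# Constructed sample rule set, roughly what a security-group export looks like.
SAMPLE_RULES = [
    Rule("a-internal", "10.1.0.0/16", "10.1.0.0/16", "allow"),
    Rule("a-to-shared", "10.1.0.0/16", "10.250.0.0/24", "allow"),
    Rule("any-to-any", "0.0.0.0/0", "0.0.0.0/0", "allow"),        # the bad one
    Rule("a-to-b-vpn", "10.1.5.0/24", "10.2.7.0/24", "allow",
         compensating_control="CC-017"),                           # hypothetical id
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    for name, status, pairs in audit(SAMPLE_RULES):
        print(f"{name}: {status} {pairs}")
```

Only "any-to-any" is reported as a violation; "a-to-b-vpn" is reported as a documented exception because it carries a control reference, which is exactly the "documented plan" the CSA wording requires. Extending this to a real VPC means replacing the constructed rule list with an export of the actual security groups and the address plan with the real tenant allocations.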
BUT IT’S NOT ABOUT BEING AN INHIBITOR
Remember the cost/benefit tradeoff
Your organization is (almost certainly) using public clouds
A private cloud that doesn’t provide cloud agility isn’t a cloud
Automation, streamlined process, clearly-defined policy help users and reduce risk
SOURCES FOR A BROADER CLOUD GOVERNANCE VIEW
Deloitte Cloud Computing Risk Intelligence Map
Cloud Computing Security Risk Assessment
CSIS 20 Critical Security Controls
Cloud Security Alliance STAR and Cloud Controls Matrix
Links:
http://www.isaca.org/Groups/Professional-English/cloud-computing/GroupDocuments/Deloitte%20Risk%20Map%20for%20Cloud%20Computing.pdf
http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment
http://www.cloudsecurityalliance.org
http://www.sans.org/critical-security-controls/guidelines.php
FOR A GOOD VIEW OF INFOSEC IN A DEVOPS AGE
The DevOps revolution is the moment that every information security practitioner has been waiting for. The death spiral can be broken, and this book shows you how.
JOSHUA CORMAN
QUESTIONS?
THANK YOU.
Gordon Haff
[email protected]
Twitter: @ghaff
Google+: Gordon Haff
Blog: bitmason.blogspot.com