Jirasek Consulting Services | Classification: Public | Supporting Business Agility

Slide 1: Secure your cloud applications by building solid foundations with enterprise (security) architecture
Vladimir Jirasek, Managing director, Jirasek Consulting Services
Research Director, Cloud Security Alliance, UK chapter

Slide 2: About me
- MBA (MSc) degree
- 20 years experience in IT
- 13 years experience in InfoSec
- Worked in various companies in diverse sectors
- Engaged in security organisations and projects such as CAMM, CSA
- Technical editor of a cloud security book
- Present at security and IT conferences

Slide 3: Agenda
- Enterprise architecture crash course
- Security architecture overview
- Cloud security models
- Governance in Cloud
- Data security in Cloud
- Identity and Access in Cloud

Slide 4: ENTERPRISE ARCHITECTURE

Slide 5: What is Enterprise Architecture
"Enterprise architecture (EA) is the process of translating business vision and strategy into effective enterprise change by creating, communicating and improving the key requirements, principles and models that describe the enterprise's future state and enable its evolution." (Wikipedia)
"Common sense to ensure everyone in a company is pulling in one direction, maximising ROI, reducing waste, increasing efficiency, effectiveness, agility, maintaining strategic focus and delivering tactical solutions." (Vladimir Jirasek)
"Enterprise architecture is about strategy, not about engineering." (Gartner)

Slide 6: EA is a business support function
(Diagram contrasting where EA "should be discussed" with where it "is commonly discussed" in the organisation.)

Slide 7: EA frameworks
Source: http://msdn.microsoft.com/en-us/library/bb466232.aspx

Slide 8: One of the most used architecture frameworks: TOGAF

Slide 9: ENTERPRISE SECURITY ARCHITECTURE

Slide 10: Security model: business drives security
(Diagram of the security model; labels recovered from the slide, grouped by the box they belong to:)
- Inputs: business objectives, compliance requirements, laws and regulations, business impact, business and information risks, security threats, international security standards, security intelligence
- Policy framework (defined from those inputs): information security policies, information security standards, information security guidelines
- Security management (line management, auditors, risk and compliance, governance, product management, program management, assurance, security services, security professionals, IT GRC); arrow labels: input, inform, mandate
- Process framework: information security processes across people, technology and services; define security controls; execute security controls
- Metrics framework: information security metrics objectives, external security metrics; measure security maturity; arrow label: measured by
- Feedback: correction of security processes; update business requirements

Slide 11: Security architecture domains
- Security architect works across all domains
- Stakeholder in EA
- Works with domain architects (depends on the size of an organisation)

Slide 12: Cloud model maps to Security model
(Diagram: the Cloud model shown as a direct map onto the security model.)

Slide 13: Responsibilities for areas in security model compared to delivery models
(Table. Rows: Physical security, Network security, Host security, Application security, Data security, SIEM, Identity, Access, Cryptography, Business continuity, GRC. Columns: Provider responsible and Customer responsible, each split into IaaS, PaaS, SaaS.)

Slide 14: Present time vs. future
- Should data security be on CIOs' agendas? Why only the CIO?
- Not many security breaches so far. Why?
- Will become targeted as more enterprises rely on public Cloud computing
- Mandatory reading!
(Diagram labels: Present time, Future, Cloud provider reputation/costs, Your company reputation/costs, Consolidation of Cloud providers, Cost savings in enterprises, PaaS/SaaS, SaaS, SaaS.)

Slide 15: CLOUD DEPLOYMENT GOVERNANCE

Slide 16: Governance related to Cloud
- Setting company policy for Cloud computing
- Risk-based decision on which Cloud provider, if any, to engage
- Assigning responsibilities for enforcing and monitoring of the policy compliance
- Set corrective actions for non-compliance

Slide 17: Cloud governance :: Policy
Cloud adopted typically by:
a) IT directors: managed relatively consistently and mostly [I|P]aaS
b) Business managers: less governance; typically SaaS
Policy should state: "It is a policy of [company] to manage the usage of external Cloud computing services, taking into account risks to business processes, legal and regulatory compliance when using external Cloud services. CIO is responsible for creating and communicating external Cloud computing strategy and standards."

Slide 18: Cloud standard structure
General statements:
- Governance requirements for Cloud
- Enterprise architecture to be ready for Cloud and Cloud services to plug in (IAM, SIEM, Data architecture, Forensic)
- Discovery of Cloud service use
Before Cloud project:
- Cloud service to comply with data classification
- Encrypting all sensitive data in Cloud
- Identity and Access management (AAA) link to Cloud service
During Cloud project:
- Due diligence to be performed
- Do not forget right to audit
- Know locations of PII
- Assess availability (SLA and DR) of Cloud provider
- Assess Cloud provider security controls
- Assess potential for forensic investigation by company's team
Running a Cloud service:
- Limit use of live data for development and testing
- Monitor cloud provider's security controls
- Link company's SIEM with Cloud provider and monitor for incidents
Moving out of Cloud:
- Data cleansing
- Data portability

Slide 19: Examples: I have 1TB of CSV files, now what?
- Customer uses a well-known CRM in Cloud
- SaaS designed to immerse clients into a well-defined, bespoke CRM
- No known data model
- Export of data in CSV
Tip: Portability is the key in SaaS applications. Think about leaving the Cloud provider upfront. How will you take your data?

Slide 20: Example: Scaling up/down development
- Large manufacturing and service company
- Requirement to support development needs with seasonal demands: ideal case for [I|P]aaS
- Security team approached up-front to perform review
- Live data not uploaded to the provider before on-site sanitising

Slide 21: DATA SECURITY IN CLOUD

Slide 22: Cloud provider: "AES-128, so it must be secure! Trust me!"
(Diagram: a "Secret" PDF at the Cloud service user, an encrypted bit stream in transit, and the same "Secret" PDF readable at the Cloud Service Provider.)
Just because it is encrypted does not make it secure. Look end to end.

Slide 23: However, not all data in the cloud are secret!

Slide 24: Sometimes too much encryption is bad though.
Who holds encryption keys? Are they available?

Slide 25: Data protection options in cloud models
(Table with columns Infrastructure as a Service, Platform as a Service, Software as a Service and rows Network, Host, Application, Data, SIEM. Options shown on the slide:)
- Encryption appliance (e.g. SafeNet ProtectV)
- Application encryption (customer retains keys)
- Network: Network VPN (could extend to SaaS); Web TLS (for IaaS operated by customer)
- Host: Provider dependent and operated host encryption
- Application: Tokenisation and anonymisation
- Data: Extend company file or object encryption; Encrypting/tokenising reverse proxy engines (e.g. CipherCloud)
- SIEM: Extend company SIEM; Plug-in to provider's SIEM
- Extend DLP or eDRM
- Provider operated data/database encryption

Slide 26: Example of SaaS: Use of Gmail inside and outside an organisation
- SaaS web-based application. Other standard interfaces: IMAP, POP3, SMTP, Web API
- Data in Gmail available to anyone with proper authentication
- TLS used on transport layer
- Consider using a CipherCloud-like product, but be mindful of traffic flows with external customers
(Diagram labels: Sender, Recipient, Intra company, Proxy.)

Slide 27: Example of IaaS
- Cloud provider offers virtual computing resources for internal apps deployment
- Cloud provider can theoretically access all data, if decryption happens on the virtual machine! But would they?
- Use two possible models:
  - Local crypto operations with remote key management. Consider SafeNet ProtectV
  - Remote crypto operations over VPN (speed penalty)
(Diagram labels: Internal user, Administrator, Travelling user, Intra company, VPN, Virtual servers, Key management, HSM, Data encrypted, Local encryption operations, Remote encryption operations.)
Slide 28: IDENTITY AND ACCESS MANAGEMENT IN CLOUD

Slide 29: IAM is a complex domain :: closer to information management than security!
- Identity management
- Access management
- Federation
- Entitlements
These capabilities can be and are mixed between on-site, managed by organisations, or provided as a service by Cloud providers.

Slide 30: Identity management :: mostly information management
- Principal management
- Credential management
- Attribute management
- Group memberships
- Business and IT roles
- Directory
- Link to HR data
- Provision and de-provision users from cloud services automatically

Slide 31: Entitlements and Access management
Entitlements:
- Managing access policies
- XACML policies (Subject, Rule, Resource)
- Bespoke policies
- Based on attributes or groups
- Connects subjects and resources
Access management:
- Uses identity information, entitlement policies and context to make access decisions: Grant; Deny; Grant but limit
- Decision closer to resource
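As an added example (not from the slides), the access-management decision of slide 31 written out as a small policy decision point: rules in the XACML-style Subject/Rule/Resource shape, combined deny-overrides into one of Grant, Deny or Grant but limit, using identity attributes and request context. The group name, attribute keys, resource name and sample rules are constructed; the enforcement point sitting at the resource is assumed to treat anything but a grant as a deny.

```python
from dataclasses import dataclass, field
from typing import Callable

GRANT, DENY, GRANT_LIMITED, NOT_APPLICABLE = "grant", "deny", "grant-but-limit", "not-applicable"

@dataclass(frozen=True)
class Request:
    """Identity attributes from the directory, the resource/action, and context."""
    subject: dict                                # constructed, e.g. {"groups": ["finance"]}
    resource: str
    action: str
    context: dict = field(default_factory=dict)  # constructed, e.g. {"network": "intra-company"}

@dataclass(frozen=True)
class Rule:
    """One entitlement in XACML-style Subject/Rule/Resource shape: coverage and effect."""
    resource: str
    action: str
    condition: Callable[[Request], bool]         # the subject / context test
    effect: str
    obligation: str = ""                         # the limit that comes with GRANT_LIMITED

def evaluate(rules, request):
    """Deny-overrides combining: a matching DENY wins outright, a limited grant beats a
    plain grant and collects its obligations, and no match at all is NOT_APPLICABLE."""
    decision, obligations = NOT_APPLICABLE, []
    for rule in rules:
        if (rule.resource, rule.action) != (request.resource, request.action) or not rule.condition(request):
            continue
        if rule.effect == DENY:
            return DENY, []
        if rule.effect == GRANT_LIMITED:
            decision, obligations = GRANT_LIMITED, obligations + [rule.obligation]
        elif decision == NOT_APPLICABLE:
            decision = GRANT
    return decision, obligations

def in_finance(r):
    return "finance" in r.subject.get("groups", [])

# Constructed sample policy: finance staff may read the payroll report, but from
# outside the corporate network (the travelling user) the grant is limited.
PAYROLL_RULES = [
    Rule("payroll-report", "read", lambda r: not in_finance(r), DENY),
    Rule("payroll-report", "read", in_finance, GRANT),
    Rule("payroll-report", "read",
         lambda r: in_finance(r) and r.context.get("network") != "intra-company",
         GRANT_LIMITED, "view only, no export"),
]
```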
Slide 32: Identity Federation :: Let's trust identity providers
- Not everyone wants to have thousands of usernames/passwords
- Cloud services are ideal for identity federation
- SAML 2.0
- OAuth 2.0 (do not confuse with OATH)

Slide 33: Summary
- Create Enterprise Architecture function with dotted line to CEO
- Appoint Security Architect as part of Enterprise architecture function
- Have a Cloud policy/standard and update risk management classification
- Always think of exit from Cloud first!
- Discover usage of Cloud services
- Prepare your enterprise architecture to plug Cloud services in: IAM, SIEM, Key management
- Build IAM that supports changing business. Federate and federate
- Do not fear Cloud: a sophisticated form of outsourcing; use supplier management techniques

Slide 34: Links
- A Comparison of the Top Four Enterprise-Architecture Methodologies - http://msdn.microsoft.com/en-us/library/bb466232.aspx
- TOGAF 9 - http://www.opengroup.org/togaf/
- CipherCloud - http://www.ciphercloud.com/
- Amazon AWS Security - https://aws.amazon.com/security/
- Dropbox security incidents - http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/

Slide 35: Contact
Vladimir Jirasek
[email protected]
www.jirasekconsulting.com
@vjirasek
About.me/Jirasek