Security, Privacy and the Cloud. Connecticut Community Providers’ Association, June 20, 2014. Steven R Bulmer, VP of Professional Services

Feb 23, 2016

Transcript
Page 1: Security, Privacy and the Cloud

Security, Privacy and the Cloud
Connecticut Community Providers’ Association
June 20, 2014

Steven R Bulmer, VP of Professional Services

Page 2: Security, Privacy and the Cloud

Agenda

• Introduction to Cloud Computing Models

• Top Threats

• Categorical Approach to Cloud Security

• Technology Areas of Focus

• Encryption

Page 3: Security, Privacy and the Cloud


Definitions – Cloud Computing

Cloud Computing is:

A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications & services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model promotes availability and is composed of:

• 5 essential characteristics

• 3 service models

• 4 deployment models

- National Institute of Standards and Technology, http://csrc.nist.gov/groups/SNS/cloud-computing

Page 4: Security, Privacy and the Cloud


Cloud Definitions Cont’d

Cloud Characteristics

1. On-demand Self-Service – User provisions their services

2. Ubiquitous Network Access – Standard network or mobile access

3. Resource Pooling – Shared resources and location independence

4. Elasticity – Capabilities scaled or released “rapidly”

5. Measured Service – Metered, monitored and billed as utility

Page 5: Security, Privacy and the Cloud


Cloud Definitions Cont’d

Cloud Service Models

1. Software as a Service (SaaS) – User access to the application layer

2. Platform as a Service (PaaS) – User deployment using the provider’s tools

3. Infrastructure as a Service (IaaS) – User access to IT infrastructure

Page 6: Security, Privacy and the Cloud


Cloud Definitions Cont’d

Cloud Deployment Models

1. Private Cloud – Deployed for a single organization or company

2. Community Cloud – Shared by organizations with similar needs

3. Public Cloud – Cloud services available to all and shared

4. Hybrid Cloud – Two or more clouds with operational relationship

Page 7: Security, Privacy and the Cloud

Cloud Layers

[Figure: stacked-layer diagram. Layers from top to bottom: Business Services, Application Logic, Middleware/DB, Infrastructure. Each layer is marked either Customer Provided or Cloud Provided, and the boundary between the two moves down the stack across the three service models: SaaS (most layers cloud provided), PaaS, IaaS (fewest layers cloud provided).]

Page 8: Security, Privacy and the Cloud

Top Cloud Security Threats

1. Data Breaches

2. Data Loss

3. Account or Service Traffic Hijacking

4. Insecure Interfaces and APIs

5. Denial of Service Attacks

6. Malicious Insiders

7. Abuse of Cloud Services

8. Insufficient Due Diligence

9. Shared Technology Vulnerabilities

Source: Cloud Security Alliance

cloudsecurityalliance.org

Page 9: Security, Privacy and the Cloud


Approach to Security in the Cloud

Governance

• Assessing the Risk

• Managing and Measuring Posture and Response

Compliance

• Direct policy and technology requirements to meet regulations

Architecture

• The technical components and their inherent strengths and weaknesses

Resiliency

• The ability to withstand and/or recover from an incident

Process

• Established, regular, IT practices that ensure policy adherence

Access

• Identity and authentication

Page 10: Security, Privacy and the Cloud

Security in the Cloud

Columns: Category, Focus Areas, Tasks, Applicability (PCI numbers are PCI DSS requirement numbers; HIPAA numbers are 45 CFR Part 160/164 sections)

Governance
• Focus Areas: Regulations, Data Location, eDiscovery, Evaluation
• Tasks: Risk Assessment / Analysis, Audit Controls, Audits
• Applicability: PCI 5, 6, 11; HIPAA (C) 164.308, 312, 314

Compliance
• Focus Areas: Data Location, eDiscovery, Device & Media Control
• Tasks: Policy Development, Policy Enforcement, eMail Archiving
• Applicability: PCI DSS, PA-DSS; HIPAA 160.203, 164.308; SEC Rule 17a-3, 17a-4

Architecture
• Focus Areas: Attack Surface, Isolation/Separation, Network Security
• Tasks: Systems and Application Configuration Policy
• Applicability: PCI 1, 2; PA-DSS; HIPAA 164.312

Resiliency
• Focus Areas: Availability, Data Protection, Disaster Recovery
• Tasks: Contingency Planning, Encryption, Media Management
• Applicability: PCI 3, 4; FISMA; HIPAA 164.308, 310

Process
• Focus Areas: Incident / Change Mgmt, Security Mgmt / Monitoring
• Tasks: Response Reporting, Proactive Monitoring
• Applicability: PCI 10, 11; HIPAA 164.316

Access
• Focus Areas: Identity / Authentication, Access Controls
• Tasks: Unique User ID, Access Policies, Remote Access Policy
• Applicability: PCI 7, 8, 9; HIPAA 164.308

Page 11: Security, Privacy and the Cloud


Technical Focus

Architecture

• Provisioning Process and Capability

• Software / Network Isolation

• Multi-tenancy vs Dedicated

• Hypervisor structure

• Network structure

• Security Infrastructure

Resiliency/Availability

• Business Continuity and Disaster Recovery

• Data Integrity

Identity and Access Management

• Authentication tie-ins to the customer’s own identity system vs stand-alone provider accounts

Data Protection

• Backups and Recovery

• Data Location and Encryption

• Physical Security

Page 12: Security, Privacy and the Cloud


A Few Words On Encryption

Encryption Built into the Cloud Service vs Encrypting at the Source

• SaaS and PaaS:

• SSL/TLS protects the transfer; encryption at rest then happens on the provider’s side, so the provider holds the keys

• Read and understand the Privacy Policy

• Cloud Storage

• Encrypt locally, then store in the cloud (e.g. Dropbox)

o Viivo, Sookasa, Boxcryptor, CloudFogger

• Use an integrated hybrid cloud storage solution (client-side encryption built into the service)

o Wuala, SpiderOak, Tresorit

• Use appliance-based backups and business continuity (BC)

o Walker/Datto

Page 13: Security, Privacy and the Cloud


Encryption (cont’d)

Cloud Storage features to Look for:

• Granularity: File vs Container vs Volume

• Key Management

• Administrative Features to meet your needs (e.g. compliance)

• Does it work with the service(s) you use?

• Dropbox, Box.com, Google Drive, Microsoft SkyDrive, Amazon S3
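The slide contrasting encryption built into the service (provider holds the keys) with encrypting at the source, and the granularity and key-management points above, can be made concrete. The Go program below is an added example written for this page; it is not code from the talk or from any of the products named, and it uses only the Go standard library. It performs client-side envelope encryption before upload: each file gets its own random AES-256-GCM data key (file-level granularity), that key is wrapped under a master key that only the customer holds, and only the ciphertext and the wrapped key are handed to the provider. The object name is bound as associated data so a stored object cannot be renamed or swapped undetected, and RotateMasterKey shows that rotating the master key re-wraps a 32-byte key rather than re-encrypting the data. The master key, object name and sample record are constructed for the demo; in practice the master key would come from a KDF or a KMS/HSM under the customer’s control.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Blob is everything the storage provider receives; no plaintext or bare key leaves the client.
type Blob struct {
	Name       string // object name; bound into the AAD so stored blobs cannot be swapped or renamed
	WrappedKey []byte // nonce || AES-256-GCM(masterKey, dataKey)
	Ciphertext []byte // nonce || AES-256-GCM(dataKey, plaintext)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under a fresh random nonce; open reverses it and fails on a wrong key, altered ciphertext or altered AAD.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, fmt.Errorf("sealed data too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptForCloud is "encrypt locally, then store": a random per-file data key encrypts the body; the customer-held master key wraps that key.
func EncryptForCloud(masterKey []byte, name string, plaintext []byte) (*Blob, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	wk, err := seal(masterKey, dataKey, []byte("file-key:"+name)) // AAD ties the wrapped key to its object
	if err != nil {
		return nil, err
	}
	return &Blob{Name: name, WrappedKey: wk, Ciphertext: ct}, nil
}

// DecryptFromCloud unwraps the data key with the master key, then decrypts the body.
func DecryptFromCloud(masterKey []byte, b *Blob) ([]byte, error) {
	dataKey, err := open(masterKey, b.WrappedKey, []byte("file-key:"+b.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, b.Ciphertext, []byte(b.Name))
}

// RotateMasterKey re-wraps the data key under a new master key without downloading or re-encrypting the stored body.
func RotateMasterKey(oldMaster, newMaster []byte, b *Blob) error {
	dataKey, err := open(oldMaster, b.WrappedKey, []byte("file-key:"+b.Name))
	if err != nil {
		return err
	}
	wk, err := seal(newMaster, dataKey, []byte("file-key:"+b.Name))
	if err != nil {
		return err
	}
	b.WrappedKey = wk
	return nil
}

func main() {
	master := sha256.Sum256([]byte("demo-master-key-do-not-use")) // constructed; use a KDF or a customer-controlled KMS/HSM in practice
	blob, err := EncryptForCloud(master[:], "patient-notes.txt", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	blob.Ciphertext[len(blob.Ciphertext)-1] ^= 0x01 // simulate the provider altering the stored object
	_, err = DecryptFromCloud(master[:], blob)
	fmt.Println("tampered object rejected:", err != nil)
}
```

Run it with `go run`. A byte flipped in the stored ciphertext, a renamed object or a wrong master key all fail inside aead.Open before any plaintext is returned; that property holds regardless of whatever at-rest encryption the provider applies on its side, which is the point of encrypting at the source.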

Page 14: Security, Privacy and the Cloud


Sources

Cloud Security Alliance
http://cloudsecurityalliance.org

NIST Cloud Computing Definition
http://csrc.nist.gov/groups/SNS/cloud-computing

CSA Top Nine Cloud Computing Threats White Paper
https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf

HIPAA Guidelines Simplified from HHS
http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf

NIST Cloud Security for Federal Agencies White Paper
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494

Page 15: Security, Privacy and the Cloud


860.678.3530 | TheWalkerGroup.com | [email protected]

Thank You.