Page 1:
Cloud Security Alliance
The Cloud Computing Threat Vector
Jim Reavis, Executive Director
September 2009

Page 2:
About the Cloud Security Alliance
• Global, not-for-profit organization
• Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on...
• We believe Cloud Computing has a robust future, we want to make it better
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
Copyright © 2009 Cloud Security Alliance www.cloudsecurityalliance.org

Page 3:
Getting Involved
• Individual Membership (free)
  • Subject matter experts for research
  • Interested in learning about the topic
  • Administrative & organizational help
• Corporate Members
  • Help fund outreach, events
  • Participate in Solution Provider Advisory Council
• Affiliated Organizations (free)
  • Joint projects in the community interest

Page 4:
Members
• Over 4,000 members
• Broad Geographical Distribution
• Active Working Groups
  • Editorial
  • Educational Outreach
  • Architecture
  • Governance, Risk Mgt, Compliance, Business Continuity
  • Legal & E-Discovery
  • Portability, Interoperability and Application Security
  • Identity and Access Mgt, Encryption & Key Mgt
  • Data Center Operations and Incident Response
  • Information Lifecycle Management & Storage
  • Virtualization and Technology Compartmentalization
• New Working Groups
  • Healthcare
  • Cloud Threat Analysis
  • Government
  • Financial Services

Page 5:
Project Roadmap
• April 2009: Security Guidance for Critical Areas of Focus for Cloud Computing – Version 1
• October 2009: Security Guidance for Critical Areas of Focus for Cloud Computing – Version 2
• October 2009: Top Ten Cloud Threats (monthly)
• November 2009: Provider & Customer Checklists
• December 2009: eHealth Guidance
• December 2009: Cloud Threat Whitepaper
• Global CSA Executive Summits
  • Q1 2010 – Europe
  • Q1 or Q2 2010 – US

Page 6:
What is Cloud Computing?
• Not “One Cloud”: Nuanced definition critical to understanding risks & mitigation
• Working definition: Cloud describes the evolutionary development of many existing technologies and approaches to computing that separates application and information resources from the underlying infrastructure and mechanisms used to deliver them. This separation of resources from infrastructure combined with a utility-like, elastic allocation model creates a compelling model for Internet scale computing.

Page 7:
Defining the Cloud
• On demand usage of compute and storage
• 5 principal characteristics (abstraction, sharing, SOA, elasticity, consumption/allocation)
• 3 delivery models
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
• 4 deployment models: Public, Private, Hybrid, Community

Page 8:
S-P-I Model
(diagram: the three delivery models stacked, SaaS at the top and IaaS at the bottom; toward SaaS you “RFP” security in, toward IaaS you build security in)
• SaaS – Software as a Service: you “RFP” security in
• PaaS – Platform as a Service
• IaaS – Infrastructure as a Service: you build security in

Page 9:
Key Challenges
• We aren’t moving to the cloud... We are reinventing within the cloud
• Confluence of technology and economic innovation
• Disrupting technology and business relationships
• Pressure on traditional organizational boundaries
• “Gold Rush” mentality, backing into 20 year platform choice
• Challenges traditional thinking
  • How do we build standards?
  • How do we create architectures?
  • What is the ecosystem required to manage, operate, assess and audit cloud systems?

Page 10:
Lots of Governance Issues
• Cloud Provider going out of business
• Provider not achieving SLAs
• Provider having poor business continuity planning
• Data Centers in countries with unfriendly laws
• Proprietary lock-in with technology, data formats
• Mistakes made by internal IT security – several orders of magnitude more serious

Page 11:
Thinking about Threats
• Technology
  • Unvetted innovations within the S-P-I stack
  • Well known cloud architectures
• Business
  • How cloud dynamism is leveraged by customers/providers
  • E.g. provisioning, elasticity, load management
• Old threats reinvented: “must defend against the accumulation of all vulnerabilities ever recorded”, Dan Geer-ism
• Malware in the cloud, for the cloud
• Lots of blackbox testing

Page 12:
Evolving Threats 1/2
• Unprotected APIs / Insecure Service Oriented Architecture
• Hypervisor Attacks
• L1/L2 Attacks (Cache Scraping)
• Trojaned AMI Images
• VMDK / VHD Repurposing
• Key Scraping
• Infrastructure DDoS

Page 13:
Evolving Threats 2/2
• Web application (mgt interface!)
  • XSRF
  • XSS
  • SQL Injection
• Data leakage
• Poor account provisioning
• Cloud provider insider abuse
• Financial DDoS
• “Click Fraud”
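The slide names XSRF, XSS and SQL injection against the management interface but does not show what they look like in code. The following is an added example, not from the CSA deck, of one tenant-scoped management action in its vulnerable and hardened forms: a lookup that splices the tenant value into SQL text beside one that binds it as a parameter, and a state-changing action guarded by a per-session anti-XSRF token. The instances table, tenant names, session id and form contents are constructed for the example; XSS is not covered here (its mitigation lives in output encoding, not in the data layer).

```python
import hmac
import secrets
import sqlite3


def make_db():
    # Constructed sample data: a management interface's "instances" table
    # holding two tenants' virtual machines. Names are made up for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE instances (id INTEGER PRIMARY KEY, tenant TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO instances (tenant, name) VALUES (?, ?)",
        [("acme", "web-1"), ("acme", "db-1"), ("globex", "batch-7")],
    )
    conn.commit()
    return conn


def list_instances_vulnerable(conn, tenant):
    # Vulnerable form: the tenant value becomes part of the SQL text, so the
    # database parses caller-controlled characters as query syntax and the
    # tenant boundary of the management interface is lost.
    sql = "SELECT name FROM instances WHERE tenant = '%s'" % tenant
    return [row[0] for row in conn.execute(sql)]


def list_instances_hardened(conn, tenant):
    # Hardened form: the value is bound as a parameter. The query structure is
    # fixed before any user data is seen, so no input can widen the WHERE clause.
    rows = conn.execute("SELECT name FROM instances WHERE tenant = ?", (tenant,))
    return [row[0] for row in rows]


def issue_csrf_token(session_key, session_id):
    # Per-session anti-XSRF token: HMAC of the session id under a server-side
    # key. A page on another origin cannot read it, so a cross-site form post
    # to the management interface arrives without a valid token.
    return hmac.new(session_key, session_id.encode(), "sha256").hexdigest()


def terminate_instance(conn, session_key, session_id, tenant, form):
    """State-changing management action guarded by the XSRF token and bound SQL.

    `form` is the submitted POST body as a dict (constructed for this example).
    Returns a short status string so the outcome can be checked programmatically.
    """
    expected = issue_csrf_token(session_key, session_id).encode()
    submitted = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(expected, submitted):
        return "rejected: missing or invalid XSRF token"
    cur = conn.execute(
        "DELETE FROM instances WHERE tenant = ? AND name = ?",
        (tenant, form.get("name", "")),
    )
    conn.commit()
    return "deleted" if cur.rowcount == 1 else "no such instance for this tenant"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # classic tautology; enough to show the difference
    print("vulnerable:", list_instances_vulnerable(db, probe))   # every tenant's rows
    print("hardened  :", list_instances_hardened(db, probe))     # []
    key = secrets.token_bytes(32)
    token = issue_csrf_token(key, "session-123")
    print(terminate_instance(db, key, "session-123", "acme", {"name": "web-1"}))
    print(terminate_instance(db, key, "session-123", "acme", {"name": "web-1", "csrf_token": token}))
```

The two lookups differ in one line; the hardened query never lets the caller's string reach the SQL parser. The token check uses a constant-time comparison and is evaluated before any state changes, which is the order a management interface needs.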

Page 14:
CSA Guidance Domains
1. Understand Cloud Architecture
Governing in the Cloud
2. Governance & Risk Mgt
3. Legal
4. Electronic Discovery
5. Compliance & Audit
6. Information Lifecycle Mgt
7. Portability & Interoperability
Operating in the Cloud
8. Traditional, BCM, DR
9. Data Center Operations
10. Incident Response
11. Application Security
12. Encryption & Key Mgt
13. Identity & Access Mgt
14. Storage
15. Virtualisation

Page 15:
Governance & ERM
• A portion of cloud cost savings must be invested into provider scrutiny
• Third party transparency of cloud provider
• Financial viability of cloud provider
• Alignment of key performance indicators
• Increased frequency of 3rd party risk assessments

Page 16:
Legal
• Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets.
• Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer
• Gain a clear expectation of the cloud provider’s response to legal requests for information.
• Secondary uses of data
• Cross-border data transfers

Page 17:
Electronic Discovery
• Cloud Computing challenges the presumption that organizations have control over the data they are legally responsible for.
• Cloud providers must assure that their information security systems are capable of preserving data as authentic and reliable: metadata, logfiles, etc.
• Mutual understanding of roles and responsibilities: litigation hold, discovery searches, expert testimony, etc.

Page 18:
Compliance & Audit
• Classify data and systems to understand compliance requirements
• Understand data locations, copies
• Maintain a right to audit on demand
• Need uniformity in comprehensive certification scoping to beef up SAS 70 II, ISO 2700X

Page 19:
Information Lifecycle Mgt
• Understand the logical segregation of information and the protective controls implemented
• Understand the privacy restrictions inherent in data entrusted to your company, and how they affect the legality of using a cloud provider.
• Data retention assurance is easy; data destruction may be very difficult.
• Recovering true cost of a breach: penalties vs risk transference

Page 20:
Portability & Interoperability
• Understand and implement layers of abstraction
  • For Software as a Service (SaaS), perform regular data extractions and backups to a usable format
  • For Infrastructure as a Service (IaaS), deploy applications in runtime in a way that is abstracted from the machine image.
  • For Platform as a Service (PaaS), careful application development techniques and thoughtful architecture should be followed to minimize potential lock-in for the customer: “loose coupling” using SOA principles
• Understand who the competitors are to your cloud providers and what their capabilities are to assist in migration.
• Advocate open standards.

Page 21:
Traditional, BCM/DR
• Greatest concern is insider threat
• Cloud providers should adopt as a security baseline the most stringent requirements of any customer.
• Compartmentalization of job duties and limit knowledge of customers.
• Onsite inspections of cloud provider facilities whenever possible.
• Inspect cloud provider disaster recovery and business continuity plans.
• Identify physical interdependencies in provider infrastructure.

Page 22:
Data Center Operations
• Compartmentalization of systems, networks, management, provisioning and personnel.
• Know cloud provider’s other clients to assess their impact on you
• Understand how resource sharing occurs within your cloud provider to understand impact during your business fluctuations.
• For IaaS and PaaS, the cloud provider’s patch management policies and procedures have significant impact
• Cloud provider’s technology architecture may use new and unproven methods for failover. Customer’s own BCP plans should address impacts and limitations of Cloud computing.
• Test cloud provider’s customer service function regularly to determine their level of mastery in supporting the services.

Page 23:
Incident Response
• Any data classified as private for the purpose of data breach regulations should always be encrypted to reduce the consequences of a breach incident.
• Cloud providers need application layer logging frameworks to provide granular narrowing of incidents to a specific customer.
• Cloud providers should construct a registry of application owners by application interface (URL, SOA service, etc.).
• Cloud providers and customers need defined collaboration for incident response.
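The second and third bullets describe two artefacts a provider needs before it can tell a customer "this incident touched you and only you": request logs that carry a tenant id, and a registry mapping application interfaces to owners. The following added example (not CSA's code) ties them together. The JSON log lines, tenant names, URL prefixes, SOA service name and owner addresses are constructed for the example; the narrowing logic filters failing requests to an incident window, groups them by tenant, and resolves the owners to notify by longest-prefix match.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed registry of application owners keyed by application interface:
# URL path prefixes and SOA service names (hypothetical teams and addresses).
OWNER_REGISTRY = {
    "/api/billing/": "billing-team@example.test",
    "/api/": "platform-team@example.test",
    "svc:OrderService": "orders-team@example.test",
}

# Constructed application-layer log, one JSON object per line. The platform
# stamps each request with the tenant it resolved, which is what lets an
# incident be narrowed to one customer instead of "everything on this host".
SAMPLE_LOG = """\
{"ts": "2009-09-14T10:00:01Z", "tenant": "acme", "iface": "/api/billing/invoice", "status": 500, "msg": "upstream timeout"}
{"ts": "2009-09-14T10:00:05Z", "tenant": "acme", "iface": "/api/billing/invoice", "status": 500, "msg": "upstream timeout"}
{"ts": "2009-09-14T10:00:09Z", "tenant": "globex", "iface": "svc:OrderService", "status": 503, "msg": "queue full"}
{"ts": "2009-09-14T10:00:12Z", "tenant": "globex", "iface": "/api/instances", "status": 200, "msg": "ok"}
{"ts": "2009-09-14T11:30:00Z", "tenant": "initech", "iface": "/api/instances", "status": 500, "msg": "nil dereference"}
"""


def parse_ts(value):
    # Log timestamps are UTC with a trailing Z; make them timezone-aware.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        entries.append(rec)
    return entries


def owner_for(iface, registry=OWNER_REGISTRY):
    # SOA services match exactly; URLs match the longest registered prefix, so
    # "/api/billing/invoice" resolves to the billing owner, not the generic "/api/".
    if iface in registry:
        return registry[iface]
    best = None
    for prefix, owner in registry.items():
        if iface.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, owner)
    return best[1] if best else "unregistered"


def narrow_incident(entries, start, end, min_status=500):
    """Group failing requests in [start, end) by tenant and attach owners to notify."""
    per_tenant = defaultdict(lambda: {"events": 0, "interfaces": set(), "owners": set()})
    for rec in entries:
        if not (start <= rec["ts"] < end) or rec["status"] < min_status:
            continue
        slot = per_tenant[rec["tenant"]]
        slot["events"] += 1
        slot["interfaces"].add(rec["iface"])
        slot["owners"].add(owner_for(rec["iface"]))
    # Freeze the sets so the report is stable and easy to serialise.
    return {
        tenant: {"events": v["events"], "interfaces": sorted(v["interfaces"]), "owners": sorted(v["owners"])}
        for tenant, v in per_tenant.items()
    }


if __name__ == "__main__":
    window = (parse_ts("2009-09-14T10:00:00Z"), parse_ts("2009-09-14T10:01:00Z"))
    print(json.dumps(narrow_incident(parse_log(SAMPLE_LOG), *window), indent=2))
```

Run as a script it reports two affected tenants for the one-minute window; the later initech failure falls outside it and is not attributed, which is the point of narrowing by time and tenant rather than by host.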

Page 24:
Application Security
• Importance of secure software development lifecycle magnified
• IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications.
• For IaaS, need trusted virtual machine images.
• Apply best practices available to harden DMZ host systems to virtual machines.
• Securing inter-host communications must be the rule; there can be no assumption of a secure channel between hosts
• Understand how malicious actors are likely to adapt their attack techniques to cloud platforms

Page 25:
Encryption & Key Mgt
• From a risk management perspective, unencrypted data existent in the cloud may be considered “lost” by the customer.
• Application providers who are not controlling backend systems should assure that data is encrypted when being stored on the backend.
• Use encryption to separate data holding from data usage.
• Segregate the key management from the cloud provider hosting the data, creating a chain of separation.
• When stipulating standard encryption in contract language
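The "chain of separation" bullets describe envelope encryption with key management held away from the provider that hosts the data. This added example (not from the deck) models the two parties in plain Python: a KeyService that holds the master key and wraps per-object data keys, and a StorageProvider that only ever receives ciphertext plus a wrapped key, so neither party alone can read the record. The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC so that the block runs on the standard library alone; a real deployment would use AES-GCM from a vetted library, and the class names, key lengths and record contents are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32
WRAPPED_LEN = NONCE_LEN + KEY_LEN + TAG_LEN   # size of a sealed 32-byte data key


def _subkeys(key):
    # Domain-separated encryption and MAC keys derived from one 32-byte key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # Counter mode with HMAC-SHA256 as the PRF (assumption: stdlib-only stand-in
    # for AES-CTR). The separation-of-duties pattern below does not depend on it.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key, plaintext):
    # Encrypt-then-MAC; output layout is nonce || ciphertext || tag.
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyService:
    """Holds keys (a customer-run KMS or HSM, hypothetical). It never receives data."""

    def __init__(self):
        self._master = secrets.token_bytes(KEY_LEN)

    def new_data_key(self):
        # Plaintext data key for the caller, wrapped copy to store beside the object.
        dek = secrets.token_bytes(KEY_LEN)
        return dek, seal(self._master, dek)

    def unwrap(self, wrapped):
        return open_sealed(self._master, wrapped)


class StorageProvider:
    """Hosts the data. It receives only ciphertext and wrapped keys."""

    def __init__(self):
        self.objects = {}

    def put(self, name, blob):
        self.objects[name] = blob

    def get(self, name):
        return self.objects[name]


def customer_store(kms, store, name, plaintext):
    # The plaintext data key exists only inside this call, on the customer side.
    dek, wrapped = kms.new_data_key()
    store.put(name, wrapped + seal(dek, plaintext))


def customer_fetch(kms, store, name):
    blob = store.get(name)
    dek = kms.unwrap(blob[:WRAPPED_LEN])
    return open_sealed(dek, blob[WRAPPED_LEN:])


def provider_sees_plaintext(store, name, plaintext):
    # Everything the storage provider can inspect on its own is the stored bytes.
    return plaintext in store.get(name)


if __name__ == "__main__":
    kms, store = KeyService(), StorageProvider()
    record = b"customer record: card ending 4242 (constructed)"
    customer_store(kms, store, "rec-1", record)
    print("round trip ok   :", customer_fetch(kms, store, "rec-1") == record)
    print("provider can read:", provider_sees_plaintext(store, "rec-1", record))
```

Compromise of the storage provider yields wrapped keys and ciphertext; compromise of the key service yields keys but no data. Reading a record requires both, which is the separation the slide asks for, and the MAC check means a modified object is rejected rather than decrypted to garbage.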

Page 26:
Identity & Access Mgt
• Must have a robust federated identity management architecture and strategy internal to the organization.
• Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF federation
• Validate that the cloud provider supports strong authentication, either natively or via delegation, and supports robust password policies that meet and exceed internal policies.
• Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
• Consider implementing Single Sign-on (SSO) for internal applications, and leveraging this architecture for cloud applications.
• Using cloud-based “Identity as a Service” providers may be a useful tool for abstracting and managing complexities such as differing versions of SAML, etc.

Page 27:
Storage
• Understand the storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries.
• Ascertain if knowing storage geographical location is possible.
• Understand the cloud provider’s data search capabilities.
• Understand cloud provider storage retirement processes.
• Understand circumstances under which storage can be seized by a third party or government entity.
• Understand how encryption is managed on multi-tenant storage.
• Can the cloud provider support long term archiving, will the data be available several years later?

Page 28:
Virtualization
• Virtualized operating systems should be augmented by third party security technology.
• The simplicity of invoking new machine instances from a VM platform creates a risk that insecure machine images can be created. Secure by default configuration needs to be assured by following or exceeding available industry baselines.
• Virtualization also contains many security advantages such as creating isolated environments and better defined memory space, which can minimize application instability and simplify recovery.
• Need granular monitoring of traffic crossing VM backplanes
• Provisioning, administrative access and control of virtualized operating systems is crucial
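The Application Security slide asks for trusted virtual machine images and this one for secure-by-default configuration measured against an industry baseline. The following added example (not CSA's code) shows one launch-time gate that serves both: an HMAC-signed catalogue of approved image digests, a digest check on the image about to boot, and a diff of the instance configuration against a baseline. The baseline keys, catalogue entry, image bytes and signing key are constructed for the example; a production catalogue would carry a public-key signature rather than a shared HMAC key.

```python
import hashlib
import hmac
import json

# Constructed secure-by-default baseline. The setting names are illustrative;
# a real baseline would come from the industry documents the slide refers to.
BASELINE = {
    "ssh_password_auth": False,
    "ssh_root_login": False,
    "default_credentials_present": False,
    "auto_security_updates": True,
    "listening_services": ["sshd"],   # anything beyond this set needs justification
}


def image_digest(image_bytes):
    return "sha256:" + hashlib.sha256(image_bytes).hexdigest()


def _canonical(obj):
    # Stable serialisation so the signature does not depend on key order.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_catalog(signing_key, catalog):
    # The image-review team publishes approved digests under a signature, so the
    # launch path detects a tampered catalogue as well as an unapproved image.
    return hmac.new(signing_key, _canonical(catalog), hashlib.sha256).hexdigest()


def baseline_violations(config):
    problems = []
    for key, wanted in BASELINE.items():
        if key == "listening_services":
            extra = sorted(set(config.get(key, [])) - set(wanted))
            if extra:
                problems.append("unexpected listening services: " + ", ".join(extra))
        elif config.get(key) != wanted:
            problems.append("%s must be %r (is %r)" % (key, wanted, config.get(key)))
    return problems


def launch_decision(signing_key, catalog, signature, image_bytes, config):
    """Return (allowed, reasons). Both the image and its configuration must pass."""
    if not hmac.compare_digest(sign_catalog(signing_key, catalog), signature):
        return False, ["approved-image catalogue signature invalid"]
    reasons = []
    digest = image_digest(image_bytes)
    if digest not in catalog:
        reasons.append("image %s... is not in the approved catalogue" % digest[:19])
    reasons.extend(baseline_violations(config))
    return (not reasons), reasons


if __name__ == "__main__":
    key = b"review-team-signing-key (constructed)"
    good_image = b"constructed-base-image-v1"
    catalog = {image_digest(good_image): "base-linux-2009.09"}
    sig = sign_catalog(key, catalog)
    good_cfg = dict(BASELINE)
    bad_cfg = dict(BASELINE, ssh_password_auth=True, listening_services=["sshd", "telnetd"])
    print(launch_decision(key, catalog, sig, good_image, good_cfg))
    print(launch_decision(key, catalog, sig, good_image + b"-modified", good_cfg))
    print(launch_decision(key, catalog, sig, good_image, bad_cfg))
```

The gate refuses for three independent reasons (catalogue tampering, an image whose digest is not approved, configuration drifting from the baseline) and reports all configuration findings at once, so an image builder can fix them in a single pass instead of discovering them one launch at a time.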

Page 29:
Lots of work to do
• New cloud providers
  • Easy to bypass IT
  • Need agile view of systems
• Need executive involvement
• Need standards
• Need to learn from past mistakes

Page 30:
Contact
• www.cloudsecurityalliance.org
• info@cloudsecurityalliance.org
• Twitter: @cloudsa, #csaguide
• LinkedIn: www.linkedin.com/groups?gid=1864210

Page 31:
Thank You!
www.cloudsecurityalliance.org

