Cloud Security Alliance
Slide 1: Cloud Security Alliance
The Cloud Computing Threat Vector
Jim Reavis, Executive Director
September 2009

Slide 2: About the Cloud Security Alliance
- Global, not-for-profit organization
- Inclusive membership, supporting a broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, and on and on…
- We believe Cloud Computing has a robust future; we want to make it better
- “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

Slide 3: Getting Involved
- Individual Membership (free)
  - Subject matter experts for research
  - Interested in learning about the topic
  - Administrative & organizational help
- Corporate Members
  - Help fund outreach, events
  - Participate in Solution Provider Advisory Council
- Affiliated Organizations (free)
  - Joint projects in the community interest

Slide 4: Members
- Over 4,000 members
- Broad geographical distribution
- Active Working Groups
  - Editorial
  - Educational Outreach
  - Architecture
  - Governance, Risk Mgt, Compliance, Business Continuity
  - Legal & E-Discovery
  - Portability, Interoperability and Application Security
  - Identity and Access Mgt, Encryption & Key Mgt
  - Data Center Operations and Incident Response
  - Information Lifecycle Management & Storage
  - Virtualization and Technology Compartmentalization
- New Working Groups
  - Healthcare
  - Cloud Threat Analysis
  - Government
  - Financial Services

Slide 5: Project Roadmap
- April 2009: Security Guidance for Critical Areas of Focus for Cloud Computing – Version 1
- October 2009: Security Guidance for Critical Areas of Focus for Cloud Computing – Version 2
- October 2009: Top Ten Cloud Threats (monthly)
- November 2009: Provider & Customer Checklists
- December 2009: eHealth Guidance
- December 2009: Cloud Threat Whitepaper
- Global CSA Executive Summits
  - Q1 2010 – Europe
  - Q1 or Q2 2010 – US
Slide 6: What is Cloud Computing?
- Not “One Cloud”: a nuanced definition is critical to understanding risks & mitigation
- Working definition: Cloud describes the evolutionary development of many existing technologies and approaches to computing that separates application and information resources from the underlying infrastructure and mechanisms used to deliver them. This separation of resources from infrastructure, combined with a utility-like, elastic allocation model, creates a compelling model for Internet-scale computing.

Slide 7: Defining the Cloud
- On-demand usage of compute and storage
- 5 principal characteristics (abstraction, sharing, SOA, elasticity, consumption/allocation)
- 3 delivery models
  - Infrastructure as a Service (IaaS)
  - Platform as a Service (PaaS)
  - Software as a Service (SaaS)
- 4 deployment models: Public, Private, Hybrid, Community

Slide 8: S-P-I Model
- IaaS (Infrastructure as a Service)
- PaaS (Platform as a Service)
- SaaS (Software as a Service)
- The stack runs from IaaS up to SaaS: at the IaaS end you build security in; at the SaaS end you “RFP” security in (you can only specify it contractually)
Slide 9: Key Challenges
- We aren’t moving to the cloud, we are reinventing within the cloud
- Confluence of technology and economic innovation
- Disrupting technology and business relationships
- Pressure on traditional organizational boundaries
- “Gold Rush” mentality, backing into a 20-year platform choice
- Challenges traditional thinking
  - How do we build standards?
  - How do we create architectures?
  - What is the ecosystem required to manage, operate, assess and audit cloud systems?

Slide 10: Lots of Governance Issues
- Cloud provider going out of business
- Provider not achieving SLAs
- Provider having poor business continuity planning
- Data centers in countries with unfriendly laws
- Proprietary lock-in with technology, data formats
- Mistakes made by internal IT security become several orders of magnitude more serious

Slide 11: Thinking about Threats
- Technology
  - Unvetted innovations within the S-P-I stack
  - Well-known cloud architectures
- Business
  - How cloud dynamism is leveraged by customers/providers, e.g. provisioning, elasticity, load management
- Old threats reinvented: “must defend against the accumulation of all vulnerabilities ever recorded” (Dan Geer-ism)
- Malware in the cloud, for the cloud
- Lots of blackbox testing
Slide 12: Evolving Threats 1/2
- Unprotected APIs / insecure Service Oriented Architecture
- Hypervisor attacks
- L1/L2 cache attacks (cache scraping)
- Trojaned AMI images
- VMDK / VHD repurposing
- Key scraping
- Infrastructure DDoS

Slide 13: Evolving Threats 2/2
- Web application (the management interface!)
  - XSRF
  - XSS
  - SQL Injection
- Data leakage
- Poor account provisioning
- Cloud provider insider abuse
- Financial DDoS
- “Click fraud”
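The three web-layer threats slide 13 lists against a cloud management interface, shown as a vulnerable handler beside its hardened form. This is an added illustration, not code from the CSA deck; the in-memory SQLite table of tenant instances, the tenant names, and the session/form shapes are constructed for the example. The vulnerable forms concatenate the tenant into SQL, render instance names unescaped, and accept a state-changing POST with no anti-XSRF token; the hardened forms use a parameterised query, HTML-escape output, and compare a per-session token in constant time.

```python
"""Cloud management-interface handler: vulnerable vs hardened (added example)."""
import hmac
import html
import secrets
import sqlite3


def make_db():
    # Constructed sample data: instances belonging to two hypothetical tenants.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE instances (id TEXT, tenant TEXT, name TEXT)")
    db.executemany("INSERT INTO instances VALUES (?, ?, ?)", [
        ("i-001", "acme", "web-1"),
        ("i-002", "acme", "db-1"),
        ("i-003", "globex", "<script>alert(1)</script>"),  # hostile instance name
    ])
    return db


# --- SQL injection: listing the caller's own instances ---------------------

def list_instances_vulnerable(db, tenant):
    # String concatenation: the tenant value becomes part of the query text.
    sql = "SELECT id, name FROM instances WHERE tenant = '" + tenant + "'"
    return db.execute(sql).fetchall()


def list_instances_hardened(db, tenant):
    # Parameterised query: the value can never alter the query structure.
    return db.execute(
        "SELECT id, name FROM instances WHERE tenant = ?", (tenant,)
    ).fetchall()


# --- XSS: rendering instance names in the console --------------------------

def render_vulnerable(rows):
    return "".join(f"<li>{name}</li>" for _, name in rows)


def render_hardened(rows):
    return "".join(f"<li>{html.escape(name)}</li>" for _, name in rows)


# --- XSRF: a state-changing action (terminate instance) --------------------

def new_session():
    # Assumed session model: the server stores a random anti-XSRF token per session.
    return {"tenant": "acme", "csrf": secrets.token_hex(16)}


def terminate_vulnerable(db, session, form):
    # Any site the victim visits can submit this form riding on the victim's cookie.
    cur = db.execute("DELETE FROM instances WHERE id = ? AND tenant = ?",
                     (form["id"], session["tenant"]))
    return cur.rowcount


def terminate_hardened(db, session, form):
    # Reject requests that do not carry the session's token (constant-time compare).
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 0
    cur = db.execute("DELETE FROM instances WHERE id = ? AND tenant = ?",
                     (form["id"], session["tenant"]))
    return cur.rowcount


def demo():
    """Run each attack against both forms; returns the observed outcomes."""
    db = make_db()
    payload = "acme' OR '1'='1"  # closes the quote and widens the WHERE clause
    results = {
        "sqli_vulnerable_rows": len(list_instances_vulnerable(db, payload)),  # every tenant's rows
        "sqli_hardened_rows": len(list_instances_hardened(db, payload)),      # no such tenant
    }
    globex = list_instances_hardened(db, "globex")
    results["xss_vulnerable"] = render_vulnerable(globex)
    results["xss_hardened"] = render_hardened(globex)
    session = new_session()
    forged = {"id": "i-001"}  # cross-site form: attacker cannot know the token
    results["xsrf_vulnerable_deleted"] = terminate_vulnerable(db, session, forged)
    results["xsrf_hardened_deleted"] = terminate_hardened(db, session, {"id": "i-002"})
    legit = {"id": "i-002", "csrf": session["csrf"]}
    results["legit_deleted"] = terminate_hardened(db, session, legit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Both terminate handlers scope the DELETE by the session's tenant, so the token check is the only thing separating them; that is the point of the slide's warning about the management interface: the same account, cookie and tenant isolation are in play, and a forged request is indistinguishable from a real one without it.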
Slide 14: CSA Guidance Domains
- Governing in the Cloud
  - Governance & Risk Mgt
  - Legal
  - Electronic Discovery
  - Compliance & Audit
  - Information Lifecycle Mgt
  - Portability & Interoperability
- Operating in the Cloud
  - Traditional, BCM, DR
  - Data Center Operations
  - Incident Response
  - Application Security
  - Encryption & Key Mgt
  - Identity & Access Mgt
  - Storage
  - Virtualization
- Understand Cloud Architecture

Slide 15: Governance & ERM
- A portion of cloud cost savings must be invested into provider scrutiny
- Third-party transparency of the cloud provider
- Financial viability of the cloud provider
- Alignment of key performance indicators
- Increased frequency of third-party risk assessments

Slide 16: Legal
- Plan for both an expected and an unexpected termination of the relationship and an orderly return of your assets.
- Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer.
- Gain a clear expectation of the cloud provider’s response to legal requests for information.
- Secondary uses of data
- Cross-border data transfers

Slide 17: Electronic Discovery
- Cloud Computing challenges the presumption that organizations have control over the data they are legally responsible for.
- Cloud providers must assure that their information security systems are capable of preserving data as authentic and reliable: metadata, log files, etc.
- Mutual understanding of roles and responsibilities: litigation hold, discovery searches, expert testimony, etc.

Slide 18: Compliance & Audit
- Classify data and systems to understand compliance requirements
- Understand data locations and copies
- Maintain a right to audit on demand
- Need uniformity in comprehensive certification scoping to beef up SAS 70 Type II, ISO 2700X

Slide 19: Information Lifecycle Mgt
- Understand the logical segregation of information and the protective controls implemented
- Understand the privacy restrictions inherent in data entrusted to your company, and how they affect the legality of using a cloud provider.
- Data retention assurance is easy; data destruction may be very difficult.
- Recovering the true cost of a breach: penalties vs. risk transference

Slide 20: Portability & Interoperability
- Understand and implement layers of abstraction
- For Software as a Service (SaaS), perform regular data extractions and backups to a usable format
- For Infrastructure as a Service (IaaS), deploy applications at runtime in a way that is abstracted from the machine image.
- For Platform as a Service (PaaS), careful application development techniques and thoughtful architecture should be followed to minimize potential lock-in for the customer: “loose coupling” using SOA principles
- Understand who the competitors to your cloud providers are and what their capabilities are to assist in migration.
- Advocate open standards.
Slide 21: Traditional, BCM/DR
- Greatest concern is insider threat
- Cloud providers should adopt as a security baseline the most stringent requirements of any customer.
- Compartmentalization of job duties and limiting knowledge of customers.
- Onsite inspections of cloud provider facilities whenever possible.
- Inspect cloud provider disaster recovery and business continuity plans.
- Identify physical interdependencies in provider infrastructure.

Slide 22: Data Center Operations
- Compartmentalization of systems, networks, management, provisioning and personnel.
- Know the cloud provider’s other clients to assess their impact on you
- Understand how resource sharing occurs within your cloud provider to understand the impact during your business fluctuations.
- For IaaS and PaaS, the cloud provider’s patch management policies and procedures have significant impact
- The cloud provider’s technology architecture may use new and unproven methods for failover. The customer’s own BCP plans should address the impacts and limitations of Cloud computing.
- Test the cloud provider’s customer service function regularly to determine their level of mastery in supporting the services.

Slide 23: Incident Response
- Any data classified as private for the purpose of data breach regulations should always be encrypted to reduce the consequences of a breach incident.
- Cloud providers need application-layer logging frameworks to provide granular narrowing of incidents to a specific customer.
- Cloud providers should construct a registry of application owners by application interface (URL, SOA service, etc.).
- Cloud providers and customers need defined collaboration for incident response.
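What the second and third bullets of slide 23 buy you in practice, as an added example that is not part of the CSA deck: application-layer log events that carry a tenant field, plus a registry of application owners keyed by interface URL, let a provider narrow a burst of failures to one customer and one responsible team. The log format, the tenant names, the interface paths and the owner registry are all constructed for the example. Events with no tenant field are kept in a separate bucket rather than silently dropped, because an unattributable event is exactly the gap the slide warns about; an interface missing from the registry is reported as UNREGISTERED for the same reason.

```python
"""Tenant-scoped incident triage over application-layer logs (added example)."""
import json
from collections import Counter

# Hypothetical registry of application owners keyed by application interface (URL).
APP_OWNERS = {
    "/api/v1/instances": "compute-team",
    "/api/v1/keys": "iam-team",
}

# Constructed sample log: one JSON object per line, as an application-layer
# logging framework that tags every event with the tenant would emit.
SAMPLE_LOG = """\
{"ts":"2009-09-01T10:00:01Z","tenant":"acme","iface":"/api/v1/keys","src":"203.0.113.7","status":401}
{"ts":"2009-09-01T10:00:02Z","tenant":"acme","iface":"/api/v1/keys","src":"203.0.113.7","status":401}
{"ts":"2009-09-01T10:00:03Z","tenant":"acme","iface":"/api/v1/instances","src":"198.51.100.2","status":200}
{"ts":"2009-09-01T10:00:04Z","tenant":"acme","iface":"/api/v1/keys","src":"203.0.113.7","status":401}
{"ts":"2009-09-01T10:00:05Z","tenant":"globex","iface":"/api/v1/instances","src":"198.51.100.9","status":403}
{"ts":"2009-09-01T10:00:06Z","tenant":"acme","iface":"/api/v1/keys","src":"203.0.113.7","status":401}
{"ts":"2009-09-01T10:00:07Z","iface":"/api/v1/instances","src":"192.0.2.44","status":403}
{"ts":"2009-09-01T10:00:08Z","tenant":"acme","iface":"/admin/legacy","src":"203.0.113.7","status":500}
{"ts":"2009-09-01T10:00:09Z","tenant":"acme","iface":"/admin/legacy","src":"203.0.113.7","status":500}
{"ts":"2009-09-01T10:00:10Z","iface":"/api/v1/instances","src":"192.0.2.44","status":403}
{"ts":"2009-09-01T10:00:11Z","tenant":"acme","iface":"/admin/legacy","src":"203.0.113.7","status":500}
{"ts":"2009-09-01T10:00:12Z","tenant":"globex","iface":"/api/v1/keys","src":"198.51.100.9","status":200}
"""


def parse_events(log_text):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def triage(log_text, threshold=3):
    """Group failed requests by (tenant, interface) and raise incidents.

    Returns (incidents, unattributed): incidents is a list of dicts for every
    (tenant, interface) pair with at least `threshold` failures, resolved to
    the owning team; unattributed counts failures whose event carried no
    tenant field and therefore cannot be narrowed to a customer.
    """
    failures = Counter()
    unattributed = Counter()
    for ev in parse_events(log_text):
        if ev.get("status", 0) < 400:
            continue  # only 4xx/5xx are of interest here
        tenant = ev.get("tenant")
        if tenant is None:
            unattributed[ev["iface"]] += 1
            continue
        failures[(tenant, ev["iface"])] += 1

    incidents = []
    for (tenant, iface), n in sorted(failures.items()):
        if n >= threshold:
            incidents.append({
                "tenant": tenant,
                "iface": iface,
                "count": n,
                "owner": APP_OWNERS.get(iface, "UNREGISTERED"),
            })
    return incidents, dict(unattributed)


if __name__ == "__main__":
    found, missing = triage(SAMPLE_LOG)
    for inc in found:
        print(f"{inc['tenant']:8} {inc['iface']:20} x{inc['count']}  -> {inc['owner']}")
    print("unattributed failures:", missing)
```

On the constructed log this yields two incidents for tenant acme (one routed to iam-team, one on an interface nobody has registered) and two failures on the instances API that cannot be attributed to any customer; the latter two are the events the provider's logging framework should never have emitted without a tenant tag.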
Slide 24: Application Security
- The importance of a secure software development lifecycle is magnified
- IaaS, PaaS and SaaS create differing trust boundaries for the software development lifecycle, which must be accounted for during the development, testing and production deployment of applications.
- For IaaS, you need trusted virtual machine images. Apply the best practices available for hardening DMZ host systems to virtual machines.
- Securing inter-host communications must be the rule; there can be no assumption of a secure channel between hosts.
- Understand how malicious actors are likely to adapt their attack techniques to cloud platforms

Slide 25: Encryption & Key Mgt
- From a risk management perspective, unencrypted data existing in the cloud may be considered “lost” by the customer.
- Application providers who do not control backend systems should assure that data is encrypted when stored on the backend.
- Use encryption to separate data holding from data usage.
- Segregate key management from the cloud provider hosting the data, creating a chain of separation.
- When stipulating standard encryption in contract language
Slide 26: Identity & Access Mgt
- Must have a robust federated identity management architecture and strategy internal to the organization.
- Insist upon standards enabling federation: primarily SAML, WS-Federation and Liberty ID-FF
- Validate that the cloud provider supports strong authentication, either natively or via delegation, and supports robust password policies that meet and exceed internal policies.
- Understand that the current state of granular application authorization on the part of cloud providers is non-existent or proprietary.
- Consider implementing Single Sign-On (SSO) for internal applications, and leveraging this architecture for cloud applications.
- Using cloud-based “Identity as a Service” providers may be a useful tool for abstracting and managing complexities such as differing versions of SAML, etc.

Slide 27: Storage
- Understand the storage architecture and abstraction layers to verify that the storage subsystem does not span domain trust boundaries.
- Ascertain whether knowing the storage’s geographical location is possible.
- Understand the cloud provider’s data search capabilities.
- Understand the cloud provider’s storage retirement processes.
- Understand the circumstances under which storage can be seized by a third party or government entity.
- Understand how encryption is managed on multi-tenant storage.
- Can the cloud provider support long-term archiving? Will the data be available several years later?

Slide 28: Virtualization
- Virtualized operating systems should be augmented by third-party security technology.
- The simplicity of invoking new machine instances from a VM platform creates a risk that insecure machine images can be created. Secure-by-default configuration needs to be assured by following or exceeding available industry baselines.
- Virtualization also brings many security advantages, such as creating isolated environments and a better-defined memory space, which can minimize application instability and simplify recovery.
- Need granular monitoring of traffic crossing VM backplanes
- Provisioning, administrative access and control of virtualized operating systems is crucial
Slide 29: Lots of work to do
- New cloud providers
- Easy to bypass IT
- Need an agile view of systems
- Need executive involvement
- Need standards
- Need to learn from past mistakes

Slide 30: Contact
- www.cloudsecurityalliance.org
- info@cloudsecurityalliance.org
- Twitter: @cloudsa, #csaguide
- LinkedIn: www.linkedin.com/groups?gid=1864210

Slide 31: Thank You!