SanjayW (v1.1)
Cloud computing
Where were you when cloud computing took over?
I was..
on
Agenda
The birth of cloud
Define cloud
The general fears and perceptions
Cloud security considerations
Conclusion
When did it exist?
It existed long before the term was coined. Typical cloud examples:
Hosted email (a lot of it free)
Online applications: Office365, Salesforce.com, Skype (VoIP)
Social media (YouTube, Facebook, Twitter)
And so on, and so on
Hype or not?
Network stance
Indifferent, except that:
It may be hosted outside your environment
Probably a better (quicker) scale factor
Takes away CAPEX quite a bit
Security stance
It is (still) only as strong as the weakest link (yet again)
It may well ENHANCE security
Nonetheless, if it is public facing, that raises a RED flag
Why the fears?
Fear of known unknowns
Fear of new unknowns
Lack of tangibility
Lack of visibility
Transparency of operations
Responsibility segregation (who secures what):
SaaS: mostly them
PaaS: you, and moderately them
IaaS: you, and a little them
A wise man once said.. It is okay to believe, just as long as you know!
Know!...
When using {insert provider here}, know:
Where they are deployed
How they are deployed
The type of built-in controls
Compliance
Technical Factors
Information/Data LifeCycle
Confidentiality, Integrity, Availability, Authenticity, Authorization, Authentication, and Non-Repudiation
Technical Factors
Security, DR and BCP
Cloud is relatively new, so apply the legacy (traditional) security assessment practices to it:
See their network and security devices physically
See their NOC and team hierarchy
This also includes legacy DR and BCP
Legacy includes physical security: go visit them
Technical Factors
Data center
With cloud booming come more data centers; they may hold a certification of compliance of some sort
But still request the possibility of an audit
Customer service
Technical Factors
Application security
SDLC-based apps
Hardening of prebuilt OSes
Inter-host communication policy
Credential storage
Where logs are stored should be protected to the same standard as the data itself
Backdoor accounts for support?
Auditing rights
Black-box testing, evasion
Vulnerability assessment
Technical Factors
Encryption and key management
Should we encrypt?
Keep private keys out of the provider's hands where possible (use your own)
Where keys cannot be separated from the provider, do a risk analysis of key-file exposure
Ensure the encryption meets industrial-strength standards
Data in transit should also be encrypted
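An added example (not from the original deck) of what "keep private keys out, use your own" looks like in practice: envelope encryption in Go using only the standard library. The customer holds the key-encryption key (KEK); each object gets a fresh data-encryption key (DEK), the data is encrypted under the DEK with AES-256-GCM, the DEK is wrapped under the KEK, and only the wrapped DEK plus ciphertext are handed to the provider. GCM authenticates as well as encrypts, so a tampered record, the wrong KEK or a swapped object ID is rejected rather than silently decrypted to garbage. The names StoredObject, Encrypt, Decrypt and the sample record are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is the record handed to the provider. The DEK is present only
// in wrapped form; the KEK never leaves the customer, so the provider alone
// cannot read the data. (Hypothetical structure for this example.)
type StoredObject struct {
	WrapNonce  []byte // nonce used when wrapping the DEK under the KEK
	WrappedDEK []byte // DEK encrypted with AES-256-GCM under the KEK
	Nonce      []byte // nonce used for the data ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext of the data, tag included
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce; aad is
// authenticated but not encrypted and must be supplied again to open.
func seal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, aad)
}

// Encrypt generates a one-off 256-bit DEK for this object, encrypts the data
// with it, then wraps the DEK under the customer-held KEK. objectID is bound
// as associated data so one record cannot be swapped for another.
func Encrypt(kek, plaintext, objectID []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, objectID)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, objectID)
	if err != nil {
		return nil, err
	}
	return &StoredObject{WrapNonce: wrapNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK and opens the data. Any change to the
// record, the wrong KEK or the wrong objectID fails authentication.
func Decrypt(kek []byte, obj *StoredObject, objectID []byte) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, objectID)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK, wrong object ID or tampered record")
	}
	pt, err := open(dek, obj.Nonce, obj.Ciphertext, objectID)
	if err != nil {
		return nil, errors.New("data ciphertext failed authentication")
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // in practice generated and held in the customer's own HSM/KMS
	io.ReadFull(rand.Reader, kek)
	id := []byte("obj-42") // constructed sample object ID
	obj, _ := Encrypt(kek, []byte("customer record 42"), id)
	pt, err := Decrypt(kek, obj, id)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	obj.Ciphertext[0] ^= 0x01
	_, err = Decrypt(kek, obj, id)
	fmt.Println("after tampering:", err)
}
```

The per-object DEK means the KEK is only ever used to wrap 32-byte keys, so rotating the KEK is a matter of re-wrapping DEKs rather than re-encrypting every object, and the provider's copy of a record is useless without the KEK the customer keeps.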
Technical Factors
Identity and access management
Proprietary solutions for provisioning, i.e. do not use the defaults
Authentication
Consider federation instead of decentralized authentication
Consider the authentication means provided by the big players like LIVE-ID, Yahoo, OpenID, etc.
Use VPNs as pre-authentication
OATH compliance if you want to write your own
Technical Factors
Virtualization
Identify the type, do your research
Take advantage of the security and controls of quality VM platforms
Prebuilt VMs:
Identify their built-in IDS/IPS, antivirus and vulnerability management
Get a compliance statement for Secure by Default
Protect admin users and interfaces; use strong authentication
Validate the VMs' pedigree and the integrity of the OS templates
Segment and group security boundaries, e.g. DMZ servers vs. data servers
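"Validate the VMs' pedigree and the integrity of the OS templates" is two separate checks: that the template list came from the publisher you trust, and that the bytes you are about to boot are the ones they listed. As an added example not from the original deck, the Go code below does both with a signed manifest: the publisher hashes each golden image with SHA-256 and signs the manifest with an Ed25519 key; the consumer pins the publisher's public key, verifies the manifest signature, then compares the template's hash. An attacker who modifies an image cannot fix up the manifest, because they cannot re-sign it. The Manifest type, function names and the constructed image bytes are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a template name to the hex SHA-256 of its image bytes.
type Manifest map[string]string

// Canonical renders the manifest as sorted "name hash" lines so that the
// same set of entries always signs, and verifies, identically.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

func hashImage(image []byte) string {
	sum := sha256.Sum256(image)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is what the template publisher runs over its golden images.
func BuildManifest(images map[string][]byte) Manifest {
	m := Manifest{}
	for name, img := range images {
		m[name] = hashImage(img)
	}
	return m
}

// NewPublisherKeys generates the publisher's Ed25519 signing key pair; the
// public half is what the consumer pins.
func NewPublisherKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyTemplate is the check to run before a template is ever booted: first
// the manifest signature (pedigree: it came from the pinned publisher), then
// the image hash (integrity: the bytes are the ones the publisher listed).
func VerifyTemplate(pub ed25519.PublicKey, m Manifest, sig []byte, name string, image []byte) error {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return errors.New("manifest signature invalid: not from the pinned publisher, or manifest altered")
	}
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("template %q is not listed in the signed manifest", name)
	}
	if got := hashImage(image); got != want {
		return fmt.Errorf("template %q hash mismatch: manifest %s, image %s", name, want, got)
	}
	return nil
}

func main() {
	// Constructed stand-ins for real image files.
	images := map[string][]byte{
		"web-dmz-base": []byte("constructed image bytes: hardened web tier"),
		"db-base":      []byte("constructed image bytes: hardened database tier"),
	}
	pub, priv := NewPublisherKeys()
	m := BuildManifest(images)
	sig := SignManifest(priv, m)
	fmt.Println("clean image:", VerifyTemplate(pub, m, sig, "web-dmz-base", images["web-dmz-base"]))
	tampered := append(append([]byte(nil), images["web-dmz-base"]...), []byte("; extra bytes")...)
	fmt.Println("tampered image:", VerifyTemplate(pub, m, sig, "web-dmz-base", tampered))
}
```

The order matters: checking the signature before trusting any hash in the manifest is what turns a plain checksum (which an attacker who controls the download can regenerate) into a pedigree check.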
Conclusion
Adopt cloud technology after much research
Use credible providers
You have the right to question
Do not compromise; instead write into the contracts what you NEED
Plan, plan, plan
Cloud security