Cloud Security Alliance - PowerPoint PPT Presentation


Slides: 32
Provided by: jrea7


Transcript and Presenter's Notes

Title: Cloud Security Alliance

Cloud Security Alliance
  • The Cloud Computing Threat Vector
  • Jim Reavis, Executive Director
  • September 2009

About the Cloud Security Alliance
  • Global, not-for-profit organization
  • Inclusive membership, supporting a broad spectrum
    of subject matter expertise: cloud experts,
    security, legal, compliance, virtualization, and
    on and on
  • We believe Cloud Computing has a robust future;
    we want to make it better
  • To promote the use of best practices for
    providing security assurance within Cloud
    Computing, and provide education on the uses of
    Cloud Computing to help secure all other forms of

Getting Involved
  • Individual Membership (free)
  • Subject matter experts for research
  • Interested in learning about the topic
  • Administrative organizational help
  • Corporate Members
  • Help fund outreach, events
  • Participate in Solution Provider Advisory Council
  • Affiliated Organizations (free)
  • Joint projects in the community interest

  • Over 4,000 members
  • Broad Geographical Distribution
  • Active Working Groups
  • Editorial
  • Educational Outreach
  • Architecture
  • Governance, Risk Mgt, Compliance, Business
  • Legal & E-Discovery
  • Portability, Interoperability and Application
  • Identity and Access Mgt, Encryption & Key Mgt
  • Data Center Operations and Incident Response
  • Information Lifecycle Management & Storage
  • Virtualization and Technology Compartmentalization
  • New Working Groups
  • Healthcare
  • Cloud Threat Analysis
  • Government
  • Financial Services

Project Roadmap
  • April 2009 Security Guidance for Critical Areas
    of Focus for Cloud Computing Version 1
  • October 2009 Security Guidance for Critical
    Areas of Focus for Cloud Computing Version 2
  • October 2009 Top Ten Cloud Threats (monthly)
  • November 2009 Provider Customer Checklists
  • December 2009 eHealth Guidance
  • December 2009 Cloud Threat Whitepaper
  • Global CSA Executive Summits
  • Q1 2010 Europe
  • Q1 or Q2 2010 - US

What is Cloud Computing?
  • Not One Cloud: nuanced definition critical to
    understanding risks & mitigation
  • Working definition
  • Cloud describes the evolutionary development of
    many existing technologies and approaches to
    computing that separates application and
    information resources from the underlying
    infrastructure and mechanisms used to deliver
    them. This separation of resources from
    infrastructure combined with a utility-like,
    elastic allocation model creates a compelling
    model for Internet scale computing.

Defining the Cloud
  • On demand usage of compute and storage
  • 5 principal characteristics (abstraction,
    sharing, SOA, elasticity, consumption/allocation)
  • 3 delivery models
  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)
  • 4 deployment models Public, Private, Hybrid,

S-P-I Model
  • You RFP security in
  • SaaS: Software as a Service
  • You build security in
  • PaaS: Platform as a Service
  • IaaS: Infrastructure as a Service

Key Challenges
  • We aren't moving to the cloud... We are
    reinventing within the cloud
  • Confluence of technology and economic innovation
  • Disrupting technology and business relationships
  • Pressure on traditional organizational boundaries
  • Gold Rush mentality, backing into 20 year
    platform choice
  • Challenges traditional thinking
  • How do we build standards?
  • How do we create architectures?
  • What is the ecosystem required to manage,
    operate, assess and audit cloud systems?

Lots of Governance Issues
  • Cloud Provider going out of business
  • Provider not achieving SLAs
  • Provider having poor business continuity planning
  • Data Centers in countries with unfriendly laws
  • Proprietary lock-in with technology, data formats
  • Mistakes made by internal IT security several
    orders of magnitude more serious

Thinking about Threats
  • Technology
  • Unvetted innovations within the S-P-I stack
  • Well known cloud architectures
  • Business
  • How cloud dynamism is leveraged by
  • E.g. provisioning, elasticity, load management
  • Old threats reinvented: must defend against the
    accumulation of all vulnerabilities ever
    recorded (Dan Geer-ism)
  • Malware in the cloud, for the cloud
  • Lots of blackbox testing

Evolving Threats 1/2
  • Unprotected APIs / Insecure Service Oriented
  • Hypervisor Attacks
  • L1/L2 Attacks (Cache Scraping)
  • Trojaned AMI Images
  • VMDK / VHD Repurposing
  • Key Scraping
  • Infrastructure DDoS

Evolving Threats 2/2
  • Web application (mgt interface!)
  • XSRF
  • XSS
  • SQL Injection
  • Data leakage
  • Poor account provisioning
  • Cloud provider insider abuse
  • Financial DDoS
  • "Click Fraud"

CSA Guidance Domains
  • Understand Cloud Architecture
  • Governing in the Cloud
  • Governance & Risk Mgt
  • Legal
  • Electronic Discovery
  • Compliance & Audit
  • Information Lifecycle Mgt
  • Portability & Interoperability
  • Operating in the Cloud
  • Traditional, BCM, DR
  • Data Center Operations
  • Incident Response
  • Application Security
  • Encryption & Key Mgt
  • Identity & Access Mgt
  • Storage
  • Virtualisation

Governance & ERM
  • A portion of cloud cost savings must be invested
    into provider scrutiny
  • Third party transparency of cloud provider
  • Financial viability of cloud provider.
  • Alignment of key performance indicators
  • Increased frequency of 3rd party risk assessments

Legal
  • Plan for both an expected and unexpected
    termination of the relationship and an orderly
    return of your assets.
  • Find conflicts between the laws the cloud
    provider must comply with and those governing the
    cloud customer
  • Gain a clear expectation of the cloud provider's
    response to legal requests for information.
  • Secondary uses of data
  • Cross-border data transfers

Electronic Discovery
  • Cloud Computing challenges the presumption that
    organizations have control over the data they are
    legally responsible for.
  • Cloud providers must assure their information
    security systems are capable of preserving data as
    authentic and reliable (metadata, log files, etc.).
  • Mutual understanding of roles and
    responsibilities: litigation hold, discovery
    searches, expert testimony, etc.

Compliance & Audit
  • Classify data and systems to understand
    compliance requirements
  • Understand data locations, copies
  • Maintain a right to audit on demand
  • Need uniformity in comprehensive certification
    scoping to beef up SAS 70 II, ISO 2700X

Information Lifecycle Mgt
  • Understand the logical segregation of information
    and protective controls implemented
  • Understand the privacy restrictions inherent in
    data entrusted to your company, how it impacts
    legality of using cloud provider.
  • Data retention assurance easy, data destruction
    may be very difficult.
  • Recovering true cost of a breach: penalties vs.
    risk transference

Portability & Interoperability
  • Understand and implement layers of abstraction
  • For Software as a Service (SaaS), perform regular
    data extractions and backups to a usable format
  • For Infrastructure as a Service (IaaS), deploy
    applications in runtime in a way that is
    abstracted from the machine image.
  • For Platform as a Service (PaaS), careful
    application development techniques and thoughtful
    architecture should be followed to minimize
    potential lock-in for the customer. Loose
    coupling using SOA principles.
  • Understand who the competitors are to your cloud
    providers and what their capabilities are to
    assist in migration.
  • Advocate open standards.

Traditional, BCM/DR
  • Greatest concern is insider threat
  • Cloud providers should adopt as a security
    baseline the most stringent requirements of any
  • Compartmentalize job duties and limit
    knowledge of customers.
  • Onsite inspections of cloud provider facilities
    whenever possible.
  • Inspect cloud provider disaster recovery and
    business continuity plans.
  • Identify physical interdependencies in provider

Data Center Operations
  • Compartmentalization of systems, networks,
    management, provisioning and personnel.
  • Know the cloud provider's other clients to assess
    their impact on you
  • Understand how resource sharing occurs within
    your cloud provider to understand impact during
    your business fluctuations.
  • For IaaS and PaaS, the cloud provider's patch
    management policies and procedures have
    significant impact
  • The cloud provider's technology architecture may use
    new and unproven methods for failover.
    The customer's own BCP plans should address impacts
    and limitations of Cloud computing.
  • Test the cloud provider's customer service function
    regularly to determine their level of mastery in
    supporting the services.

Incident Response
  • Any data classified as private for the purpose of
    data breach regulations should always be
    encrypted to reduce the consequences of a breach
  • Cloud providers need application layer logging
    frameworks to provide granular narrowing of
    incidents to a specific customer.
  • Cloud providers should construct a registry of
    application owners by application interface (URL,
    SOA service, etc.).
  • Cloud providers and customers need defined
    collaboration for incident response.
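
An added illustration of the two provider-side bullets above (not part of the original slides): a registry that maps each application interface to its owner, used to narrow application-layer log events to a specific customer. The hostnames, customers, contacts and log fields are constructed assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Owner:
    customer: str  # tenant that owns the application
    contact: str   # incident-response contact for that tenant

# Constructed registry of application owners by interface (URL prefix or SOA service).
URL_OWNERS = {
    ("apps.cloud.example", "/acme/billing"): Owner("acme", "ir@acme.example"),
    ("apps.cloud.example", "/acme"): Owner("acme", "soc@acme.example"),
    ("apps.cloud.example", "/globex"): Owner("globex", "security@globex.example"),
}
SERVICE_OWNERS = {"InventoryService": Owner("globex", "security@globex.example")}

def owner_for_url(url):
    """Longest-prefix match of a URL against the registry; None if unowned."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path or "/"
    best = None
    for (reg_host, prefix), owner in URL_OWNERS.items():
        # Match whole path segments only, so /acme does not claim /acme-test.
        if reg_host == host and (path == prefix or path.startswith(prefix + "/")):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, owner)
    return best[1] if best else None

# Constructed application-layer log events (not from any real system).
EVENTS = [
    {"ts": "2009-09-01T10:00:01Z", "iface": "https://apps.cloud.example/acme/billing/invoice?id=7", "status": 500},
    {"ts": "2009-09-01T10:00:02Z", "iface": "https://apps.cloud.example/globex/orders", "status": 200},
    {"ts": "2009-09-01T10:00:03Z", "iface": "https://apps.cloud.example/acme-test/login", "status": 500},
    {"ts": "2009-09-01T10:00:04Z", "iface": "soa:InventoryService", "status": 500},
]

def scope_incident(events, is_suspicious):
    """Group suspicious events by owning customer; unowned interfaces stay visible."""
    scoped = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        iface = ev["iface"]
        owner = SERVICE_OWNERS.get(iface[4:]) if iface.startswith("soa:") else owner_for_url(iface)
        key = owner.customer if owner else "UNREGISTERED"
        entry = scoped.setdefault(key, {"contact": owner.contact if owner else None, "events": []})
        entry["events"].append(ev["ts"])
    return scoped
```

Events that land under `UNREGISTERED` point at interfaces with no recorded owner, which is the gap the registry is meant to close before an incident occurs.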

Application Security
  • Importance of secure software development
    lifecycle magnified
  • IaaS, PaaS and SaaS create differing trust
    boundaries for the software development
    lifecycle, which must be accounted for during the
    development, testing and production deployment of
  • For IaaS, need trusted virtual machine images.
  • Apply best practices available to harden DMZ host
    systems to virtual machines.
  • Securing inter-host communications must be the
    rule, there can be no assumption of a secure
    channel between hosts
  • Understand how malicious actors are likely to
    adapt their attack techniques to cloud platforms

Encryption & Key Mgt
  • From a risk management perspective, unencrypted
    data existent in the cloud may be considered
    lost by the customer.
  • Application providers who are not controlling
    backend systems should assure that data is
    encrypted when being stored on the backend.
  • Use encryption to separate data holding from data
  • Segregate the key management from the cloud
    provider hosting the data, creating a chain of
  • When stipulating standard encryption in contract

Identity & Access Mgt
  • Must have a robust federated identity management
    architecture and strategy internal to the
  • Insist upon standards enabling federation:
    primarily SAML, WS-Federation and Liberty ID-FF
  • Validate that the cloud provider either supports
    strong authentication natively or via delegation
    and supports robust password policies that meet
    and exceed internal policies.
  • Understand that the current state of granular
    application authorization on the part of cloud
    providers is non-existent or proprietary.
  • Consider implementing Single Sign-on (SSO) for
    internal applications, and leveraging this
    architecture for cloud applications.
  • Using cloud-based Identity as a Service
    providers may be a useful tool for abstracting
    and managing complexities such as differing
    versions of SAML, etc.

Storage
  • Understand the storage architecture and
    abstraction layers to verify that the storage
    subsystem does not span domain trust boundaries.
  • Ascertain if knowing storage geographical
    location is possible.
  • Understand the cloud provider's data search
  • Understand cloud provider storage retirement
  • Understand circumstances under which storage can
    be seized by a third party or government entity.
  • Understand how encryption is managed on
    multi-tenant storage.
  • Can the cloud provider support long term
    archiving, will the data be available several
    years later?

Virtualization
  • Virtualized operating systems should be augmented
    by third party security technology.
  • The simplicity of invoking new machine instances
    from a VM platform creates a risk that insecure
    machine images can be created. Secure by default
    configuration needs to be assured by following or
    exceeding available industry baselines.
  • Virtualization also contains many security
    advantages such as creating isolated environments
    and better defined memory space, which can
    minimize application instability and simplify
  • Need granular monitoring of traffic crossing VM
  • Provisioning, administrative access and control
    of virtualized operating systems is crucial

Lots of work to do
  • New cloud providers
  • Easy to bypass IT
  • Need agile view of systems
  • Need executive involvement
  • Need standards
  • Need to learn from past mistakes

  • Twitter @cloudsa, csaguide
  • LinkedIn

Thank You!