
Cloud Security

Sameer Paradia

Goals

1. Brief on Cloud Computing
2. Security Threats
3. Framework
4. Controls

http://www.flickr.com/photos/tomhaymes/3212 92834/

Understand

Cloud

Essential Characteristic
On Demand
  Lowered requirement to forecasts
  Demand trends are predicted by the provider
Usage metered
  Pay by the real time use
Self service from pool of resources
  Resources managed by consumer with a GUI or API
Elastic Scalability
  Grow or shrink resources as required
Ubiquitous Network
  The network is essential to use the service

Beyond basic..

Modes of
Deployment models
Public cloud
Hybrid cloud
Private cloud
Community cloud

Deployment Services
Types
IaaS: Compute, Network, Storage, Datacentre
PaaS: Web 2.0 Applications Runtime, Business Middleware, Database, Development tools, Java Runtime
SaaS: Collaboration, Business Processes, ERP/CRM, Enterprise Applications

Security

Threat

Lots of noise on....

Cloud Security?
...how do we simplify it...

http://www.flickr.com/photos/purpleslog/2870445256/in/photostream/

It is

same
As current InfoSec practice
You have to take the same approach as current ISMS
http://www.flickr.com/photos/pheckaboolala/341063811 9

Cloud
What is it?

Security

Protection of your information in cloud

Why is it critical?
Your information is at a central, unknown place in cloud
No visibility of security measures in Public cloud

Impact of breach on business?
Lack of Compliance
Legal issue
Breach of privacy
http://www.flickr.com/photos/nigeljohnson73/6788941421

Threats in XaaS Models


SaaS:
Built in security functionality
Least consumer extensibility
Relatively high level of integrated security

PaaS
Enable developers to build their own applications on top of the platform
More extensible than SaaS, at the expense of customer ready features
Built in capabilities are less complete, but there is more flexibility to layer on additional security

IaaS
Few application like features
Enormous extensibility
Less integrated security capabilities and functionality beyond protecting the infrastructure itself
Assets to be managed and secured by the cloud consumer

Security

Framework

1. Identify asset to cloudify
   a) Data
   b) Applications

2. Assess impact of transferring assets on cloud on business in case of breach

3. Map the asset to potential cloud deployment models

Security

Framework
4. Evaluate controls in each of IaaS/PaaS/SaaS layer depending upon asset

5. Evaluate the Data flow, to understand the flow

Cloud

Controls

3 Dimensions of cloud security

Business Criticality

IT Assets in cloud

Risk Assessment

To achieve robust and practical security, consider all 3 perspectives

Types of Controls

Governance (Strategic)
  Risk Management
  Legal & Electronic Discovery
  Compliance/Audit
  Information Life cycle management
  Portability and Interoperability

Operational (Tactical)
  BCP/DR
  Datacentre Operations
  Incident Management
  Application security
  Encryption
  Identity & Access Management
  Virtualization

Implement

Controls

Possible controls
Layered security
  facilities (physical security)
  network infrastructure (network security)
  IT systems (system security)
  information and applications (application security)

IaaS Cloud provider:
  address security controls such as physical security, environmental security, and virtualization security

SaaS
  Addresses up to Application layer
http://www.flickr.com/photos/telstar/2816038167

Summary
Consider three perspectives: Assets, Risk management and Business criticality
Cloud as an operational model neither provides for nor prevents achieving compliance
Selection of control depends on the service and deployment model
Control varies depending on the design, deployment, and management of the resources
Most of the security controls in cloud are the same as in a normal IT environment
http://www.flickr.com/photos/isadocafe/2095153000/

Sameer Paradia CGEIT, CISM, CISSP (sameer_m_paradia@yahoo.com)
Practicing IT Security for 12+ years out of 20+ years of IT Services/Outsourcing work experience.

http://www.flickr.com/photos/forgetmeknottphotography/7003899183/sizes/l/in/photostream/
