
Cloud Computing

Critical Areas of Focus To Manage Risk


Tom Witwicki CIPP INFOSEC Jan 13, 2010
1/13/2010 Tom Witwicki CIPP 1

Needing careful consideration of the risks to be managed:

  Cloud Architecture and Delivery Models
  Risk Management
  Legal
  Compliance and Audit
  Information Lifecycle Management
  Portability and Interoperability
  Incident Response
  Business Continuity
  Data Center Operations
  Encryption and Key Management
  Identity and Access Management
  Storage
  Virtualization

Acknowledgement: Cloud Security Alliance
3/11/2012 Tom Witwicki CIPP 2

Control Disconnect
The rules for managing risk still apply, but the game has changed.

(diagram: the enterprise side holds Security Policy, Control Requirements, Controls and Compliance/Auditing; the cloud vendor side holds Control Design & Implementation and Control Monitoring)


Characteristics of Cloud Computing

Abstraction of Infrastructure
  Opaque from the application's perspective
  High levels of virtualization (OS, file systems)

Democratization of Resources
  Pooled resources (shared, dedicated)

Services Oriented Architecture
  Focus on delivery of services, not management

Elasticity/Dynamism
  Rapidly expand or contract resource utilization

Utility Consumption Model
  All-you-can-eat but pay-by-the-bite

Service Delivery Models

SaaS (Software as a Service)
  Least extensibility and the greatest amount of security responsibility taken on by the cloud provider

PaaS (Platform as a Service)
  Lies somewhere in the middle, with extensibility and security features which must be leveraged by the customer

IaaS (Infrastructure as a Service)
  Greatest extensibility and the least amount of security responsibility taken on by the cloud provider

Classify the service to determine the security responsibilities of the customer


Deployment Modalities

Private
  Single-tenant operating environment
  On or off premises
  Trusted consumers

Public
  Single or multi-tenant environment
  Infrastructure owned and managed by the service provider
  Consumers considered untrusted

Managed
  Single or multi-tenant
  Infrastructure on premises, managed and controlled by the service provider
  Consumers trusted or untrusted

Hybrid
  Combination of public and private offerings
  Application portability
  Information exchange across disparate cloud offerings


Cloud Reference Model

(diagram showing the SaaS, PaaS and IaaS layers)

Mapping the Cloud to the Security Model

(diagram mapping security controls onto the SaaS, PaaS and IaaS layers; the controls shown are:)
  SDLC, application firewalls, data classification, DLP, audit logging, encryption
  Configuration and patch management, penetration testing
  Firewall rules, QoS, anti-DDoS, multi-level security, certificates and key management, HIDS/HIPS, log management, encryption, data center security, redundancy, DR

Risk Management
Issues
  Ability of the user organization to assess risk
  Limited usefulness of certifications (e.g. SAS 70, ISO 27001)
  Many cloud service providers accept no responsibility for data stored (no risk transference)
  User has no view of provider procedures governed by regulation or statute
  Access and identity management, segregation of duties
  Lack of clarity on data controls
    Data backup and recovery, offsite storage, virtual provisioning (where is the data?), data removal

Risk Management
Guidance
  In-depth due diligence prior to executing contractual terms and the SLA
  Examine creating a Private or Hybrid Cloud that provides the appropriate level of controls
  Comprehensive due diligence before using a Public Cloud for mission-critical components of the business
  Request documentation on how the service is assessed for risk and audited for control weaknesses, and whether the results are available to customers
  Listing of all 3rd-party providers
  What regulations and statutes govern the site, and how compliance is achieved

Legal
Compliance Liabilities
  Organizations are custodians of the personal data entrusted to them (in-cloud or off-cloud)
  State (data breach), Federal (FTC Act) and international (EU Data Protection) scope
  Mandates that the organization impose appropriate security measures on its service providers (HIPAA, GLBA, MA 201 CMR 17.00, PCI)
  Company relinquishes most controls over data in the cloud
  Contract may be in the form of a click-wrap agreement which is not negotiated
  Data encryption requirements!!!

Legal
Location diligence
  Understand in which country its data will be hosted (local laws have jurisdiction)
  EU data transfer provisions
  Contractually limit the service provider's ability to subcontract
  May want to ensure against data commingling
  Technical/logistical limits to all of the above

Ensuring Privacy Protection
  Align with privacy notices
  Data not used for secondary purposes
  Not disclosed to 3rd parties
  Comply with individual opt-in/opt-out choices
  Disclosure of security breach
  May not be mature enough for regulated information!

Legal
Responding to litigation requests
  Identify compliance with e-discovery provisions; routinely not included in cloud service contracts
  3rd-party subpoena request notification

Monitoring
  Ability to conduct compliance monitoring and testing for vulnerabilities

Termination
  Must retrieve the data or ensure its destruction

EPIC (Electronic Privacy Information Center)

  March 09: filed a complaint with the FTC
    Urged investigation into cloud computing services such as Google Docs
    Determine adequacy of privacy and security safeguards

  Computer researchers sent a letter to the Google CEO
    Uphold privacy promises
    HTTPS not the default security setting
    Forces users to opt-in for security

Audit
Data Classification a must
  Identify and segregate the data which needs the most stringent controls (based on impact assessment)
  Match controls to data classification (not all data is created equal)
    Protected (regulated)
    Confidential (need to know)
    Public (approval to make public)

Recommended control: encrypt all regulated data
  In transit and at rest
  Network segregation seldom feasible

Portability and Interoperability

What happens when the cloud provider isn't good enough?
  Unacceptable cost increase
  Provider goes out of business
  One or more cloud services discontinued
  Service quality degraded
  Onus on the customer to have portability as a design goal

Portability and Interoperability

SaaS
  Ensure easy access to data in a format that is documented
  Keep regular backups outside the cloud
  Consider best-of-breed providers whose competitors have the capability to migrate data

IaaS
  Application deployment on top of the virtual machine image
  Backups kept in a cloud-independent format (e.g. independent of the machine image)
  Copies of backups moved out of the cloud regularly

PaaS
  Application development architecture employed to create an abstraction layer
  Also data backups off-cloud

Business Continuity
  Obtain specific written commitments from the provider on recovery objectives
  Understand your data and its recovery objectives (RTO, RPO)
  Identify interdependencies in the provider's infrastructure
    Site risk (earthquake, flood, airport)
    Infrastructure risk (redundancy of utilities, communication lines)
  Onsite inspections
  Integrate provider DR plans into your organization's BCP

Data Center Operations

You have neighbors! Who are they?
  Potential to consume an inordinate amount of resources, which impacts your performance?
  Providers seek to maximize resource utilization

For IaaS and PaaS
  Understand the provider's patch management policies (notification, rollbacks, testing)
  Compartmentalization of resources (data mixing) and segregation of duties
  Logging practices (what, how long?)
  Test the customer service function regularly
  Indicator for operational quality: presence of staging facilities for both provider and customer

Incident Response
Cloud Computing Community incident database:
  Malware infection
  Data breach
  Man-in-the-middle discovery
  User impersonation

Detection
  Application firewalls, proxies and logging tools are key; there is no standard application-level logging framework

Notification
  Requires a registry of application owners by interface

Application shutdown is normally the first act taken
  Appropriate remediation?
  Provider and customers need a defined process to collaborate on decisions

Criminal investigation
  Evidence capture?

Application Security
What security controls must the application provide over and above the inherent cloud controls? How must an enterprise SDLC change to accommodate cloud computing?
Issues:
  Multi-tenant environment
  Lack of direct control over the environment
  Access to data by the cloud vendor
  Managing application secret keys which identify valid accounts
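One defensive way to handle the last issue above, application secret keys that identify valid accounts, added here as an example rather than anything from the slides or the CSA guidance: the service stores only a SHA-256 of each key, compares in constant time, and supports expiry and revocation so de-provisioning an account actually cuts off its key. Go standard library only; the KeyRegistry type, the "<id>.<secret>" key format and the account name are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// keyRecord is what the service persists. It never holds the secret itself,
// only its SHA-256, so a copied key table does not yield usable keys.
type keyRecord struct {
	account string
	hash    [32]byte
	expires time.Time
	revoked bool
}

// KeyRegistry (hypothetical) maps a key's public id to its record.
type KeyRegistry struct {
	byID map[string]*keyRecord
}

func NewKeyRegistry() *KeyRegistry { return &KeyRegistry{byID: map[string]*keyRecord{}} }

// Issue mints a key "<id>.<secret>" for account, valid for ttl from now. The id
// is a random label that is safe to log and index; the secret is 32 random
// bytes, returned once to the caller and never stored in clear.
func (r *KeyRegistry) Issue(account string, ttl time.Duration, now time.Time) (string, error) {
	idb, sec := make([]byte, 8), make([]byte, 32)
	if _, err := rand.Read(idb); err != nil {
		return "", err
	}
	if _, err := rand.Read(sec); err != nil {
		return "", err
	}
	id := base64.RawURLEncoding.EncodeToString(idb)
	secret := base64.RawURLEncoding.EncodeToString(sec)
	r.byID[id] = &keyRecord{account: account, hash: sha256.Sum256([]byte(secret)), expires: now.Add(ttl)}
	return id + "." + secret, nil
}

// Verify returns the account a presented key identifies. The hash comparison
// is constant-time, so response timing does not reveal how many bytes matched.
func (r *KeyRegistry) Verify(presented string, now time.Time) (string, error) {
	parts := strings.SplitN(presented, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed key")
	}
	rec, ok := r.byID[parts[0]]
	if !ok {
		return "", errors.New("unknown key id")
	}
	h := sha256.Sum256([]byte(parts[1]))
	if subtle.ConstantTimeCompare(h[:], rec.hash[:]) != 1 {
		return "", errors.New("secret does not match")
	}
	if rec.revoked {
		return "", errors.New("key revoked")
	}
	if now.After(rec.expires) {
		return "", errors.New("key expired")
	}
	return rec.account, nil
}

// Revoke invalidates a key by its public id (for example when the account is
// de-provisioned). The record is kept so that later use is logged as revoked
// rather than as an unknown key.
func (r *KeyRegistry) Revoke(id string) bool {
	rec, ok := r.byID[id]
	if ok {
		rec.revoked = true
	}
	return ok
}

func main() {
	reg := NewKeyRegistry()
	now := time.Now()
	key, _ := reg.Issue("acct-42", time.Hour, now) // constructed sample account
	acct, err := reg.Verify(key, now)
	fmt.Println(acct, err)
}
```

A plain SHA-256 is enough here because the secret is 32 bytes of CSPRNG output, not a human-chosen password; a slow password hash would add cost without adding security. The public id part of the key is what should appear in request logs and in the notification registry the Incident Response slide calls for, never the secret.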


Application Security: IaaS model

Virtual image
  Should undergo security verification and hardening
  Conform to enterprise trusted host baselines
  Alternative: use a trusted 3rd party for the virtual image

Inter-host communication
  Assume an untrusted network
  Authentication and encryption

Codify trust with the SLA
  Security measures
  Security testing

Application Security: PaaS model

Enterprise Service Bus (ESB)
  Asynchronous messaging
  Message routing
  Where multi-tenanted, the ESB will be shared
  Segmenting based on classifications not available
  Securing messages is the responsibility of the application

Application Security: SaaS model

SDLC
  Verify/audit the maturity of the vendor's SDLC
  Custom code extensions
  Data exchange via APIs

Encryption and Key Management

Encryption for Confidentiality and Integrity
  Data at rest (IaaS, PaaS, SaaS)
  Data in transit (within the provider's network)
  On backup media

Key Management
  Secure key stores
  Access to key stores
  Key backup and recoverability
  OASIS Key Management Interoperability Protocol (KMIP): emerging standard

Encryption and Key Management: Recommendations

  Assure that regulated and/or sensitive customer data is encrypted in transit over the cloud provider's internal network, in addition to being encrypted at rest
  Segregate the key management from the cloud provider hosting the data, creating a chain of separation
    Protects both when compelled by legal mandate
  Contractual assurance that encryption adheres to industry or government standards
  Understand how cloud providers provide role management and separation of duties (key management)
  In IaaS environments, understand how sensitive information and key material otherwise protected by traditional encryption may be exposed during usage
    E.g. virtual machine swap files and other temporary data storage locations may also need to be encrypted

Encryption and Key Management: Recommendations continued

If the cloud provider must perform key management
  The provider has defined processes for a key management lifecycle: how keys are generated, used, stored, backed up, recovered, rotated, and deleted

Key sets should be unique per customer
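As an added illustration, not from the slides or the CSA guidance, of the encryption recommendations taken together (regulated data encrypted at rest, key management segregated from the provider that hosts the data, keys unique per customer, and a generate/use/rotate/delete lifecycle): envelope encryption in Go using only the standard library. The customer keeps the key-encryption keys (KEKs); the provider stores only ciphertext plus a data-encryption key (DEK) wrapped under a KEK it never holds. The CustomerKeyStore type, the EnvelopeRecord layout and the sample tenant data are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// gcmFor returns an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce prepended to the
// output; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if ciphertext, nonce or aad were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// CustomerKeyStore (hypothetical) is the key management kept with the customer,
// outside the provider. It holds only versioned KEKs.
type CustomerKeyStore struct {
	current int
	keks    map[int][]byte
}

func NewCustomerKeyStore() (*CustomerKeyStore, error) {
	ks := &CustomerKeyStore{keks: map[int][]byte{}}
	return ks, ks.Rotate()
}

// Rotate generates a new KEK version; older versions remain until retired.
func (ks *CustomerKeyStore) Rotate() error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	ks.current++
	ks.keks[ks.current] = kek
	return nil
}

// Retire deletes a KEK version; anything still wrapped under it is unreadable.
func (ks *CustomerKeyStore) Retire(version int) { delete(ks.keks, version) }

// EnvelopeRecord is what the provider stores. The tenant id is bound into both
// layers as AAD, so a record cannot be re-labelled for another tenant.
type EnvelopeRecord struct {
	Tenant     string
	KEKVersion int
	WrappedDEK []byte // per-record DEK sealed under the customer's KEK
	Ciphertext []byte // data sealed under the DEK
}

func Encrypt(ks *CustomerKeyStore, tenant string, plaintext []byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(tenant)
	ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(ks.keks[ks.current], dek, aad)
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{Tenant: tenant, KEKVersion: ks.current, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// unwrap recovers the DEK; it fails once the record's KEK version is retired.
func unwrap(ks *CustomerKeyStore, rec *EnvelopeRecord) ([]byte, error) {
	kek, ok := ks.keks[rec.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d retired", rec.KEKVersion)
	}
	return open(kek, rec.WrappedDEK, []byte(rec.Tenant))
}

func Decrypt(ks *CustomerKeyStore, rec *EnvelopeRecord) ([]byte, error) {
	dek, err := unwrap(ks, rec)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, []byte(rec.Tenant))
}

// Rewrap moves rec to the current KEK. Only the small wrapped DEK is
// re-encrypted; the bulk ciphertext at the provider is untouched.
func Rewrap(ks *CustomerKeyStore, rec *EnvelopeRecord) error {
	dek, err := unwrap(ks, rec)
	if err != nil {
		return err
	}
	wrapped, err := seal(ks.keks[ks.current], dek, []byte(rec.Tenant))
	if err != nil {
		return err
	}
	rec.WrappedDEK, rec.KEKVersion = wrapped, ks.current
	return nil
}

func main() {
	ks, _ := NewCustomerKeyStore()
	rec, _ := Encrypt(ks, "tenant-a", []byte("constructed sample: patient record 17"))
	_ = ks.Rotate()
	_ = Rewrap(ks, rec)
	ks.Retire(1)
	pt, err := Decrypt(ks, rec)
	fmt.Printf("KEK v%d: %q err=%v\n", rec.KEKVersion, pt, err)
}
```

Because the KEK lives only in the customer's store, a legal demand served on the provider yields wrapped keys and ciphertext, which is the "chain of separation" the recommendation describes; a per-tenant AAD and a fresh DEK per record give each customer its own key set without sharing material across tenants. Rotation and retirement are cheap (rewrap the DEK, then drop the old KEK), which is what makes a defined lifecycle practical rather than aspirational.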


Identity Management
Federated Identity Management
  Needed to leverage the enterprise IM and SSO
  SAML is the leading standard
  Many cloud vendors are immature in their adoption of federation standards
  With IaaS and PaaS, the integration will have to be built

Identity Management
User Management
  Understand the cloud provider's capabilities
  Provisioning
  De-provisioning

Authentication
  Password controls
  Password strength

Authorization
  Usually proprietary
  Urge XACML-compliant entitlement

Consider Identity as a Service

Some Parting Thoughts

  New technology: old vulnerabilities remain and new ones arise
  Loss of security-by-default trust boundaries
  Commingling challenges integrity and confidentiality
  Jurisdiction control and regulatory issues
  Virtualization
    Security through isolation, but... virtual infrastructure increases the risk

Assess risk, mitigate, formally accept
http://csrc.nist.gov/groups/SNS/cloud-computing/
