Security Risks In The Cloud - KuppingerCole

Transcription

Cloud Computing Governance & Security
Security Risks in the Cloud
The top ten questions you have to ask
Mike Small CEng, FBCS, CITP, Fellow Analyst, KuppingerCole
This Webinar is supported by

Agenda
- What is the Problem?
- Ten Cloud Security Questions to Ask
- Summary

WHAT'S THE PROBLEM?

Cloud – Top Security Benefits
- Benefits of Scale: the same investment buys better protection.
- Standard Interfaces for Security Services: creates a more open market for security services.
- Rapid, smart scaling of resources: dynamic reallocation of resources improves resilience.
- Audit and Evidence Gathering: provide dedicated, pay-per-use forensic images of VMs.
- Better updates and defaults: default VM images with best configuration and patches.
Source: ENISA - Cloud Computing - Benefits, risks and recommendations for information security

Cloud – Top Threats

ENISA Cloud Risk Assessment:
- Loss of Governance
- Compliance Challenges
- Changes of Jurisdiction
- Isolation Failure
- Cloud provider – malicious insider – privilege abuse
- Management Interface compromise
- Data Deletion Risks
- Network Management
Source: ENISA - Cloud Computing - Benefits, risks and recommendations for information security

Cloud Security Alliance - Top Threats:
- Abuse and Nefarious Use of Cloud Computing
- Insecure Application Programming Interfaces
- Malicious Insiders
- Shared Technology Vulnerabilities
- Data Loss/Leakage
- Account, Service & Traffic Hijacking
Source: Cloud Security Alliance - Top Threats to Cloud Computing (csathreats.v1.0.pdf)

Risk - Who is responsible?
- Lawfulness of content: Customer - full liability; Cloud Provider - intermediary liability
- European Data Protection Law status: Customer - Data Controller; Cloud Provider - Data Processor (external)
- Identity & Authentication: Customer - own users and federation agreements with partners; Cloud Provider - users required to manage the provided infrastructure
- Infrastructure: Customer - own infrastructure; Cloud Provider - cloud service infrastructure (server, storage, bandwidth etc.)
- Security Management: Customer - guest systems (IaaS); Cloud Provider - host systems and applications security policy, hardening, patching and monitoring

Cloud - Managing Risk
- Due Diligence by Customer: ask questions; fully specify Security Service Levels
- Clear Division of Liabilities. Example: Customer = Data Controller, Provider = Data Processor (External)
- Clear Division of Responsibilities: depends upon Service Model (SaaS, PaaS or IaaS)
- Certification of Providers

TEN CLOUD SECURITY QUESTIONS TO ASK

Q1: How is Identity and Access Managed in the Cloud?

Risk: Impersonation
Probability: Medium. Impact: High.

Risk: Management Interface
Probability: High. Impact: High.
ISO 27001 Control 11.2 Objective: To ensure authorized user access and to prevent unauthorized access to information systems.
Risk – management interface compromise.
Questions:
- What extra security is provided to protect remote management capabilities?
- What forms of authentication are used for management interfaces?
- How is the management interface monitored?
(Diagram: Business Owner – Request Approval – Access Certification)

Identity Federation
ISO 27001 Control 11.2
- Federation makes it possible to use the organizational identity service to access the Cloud service.
- A Trusted Identity Provider makes a "claim" of identity to the Cloud system, which relies upon this claim.
(Diagram: Business Owner – Request Approval – Access Certification; Privileged User – OS Security, Application Security, Customer Data, Critical services, Files & Logs)
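An added example, not from the deck or from KuppingerCole: the checks a Cloud service (the relying party) performs before it relies on an identity claim from a trusted Identity Provider. It assumes a JSON claim signed with HMAC-SHA256 under a key shared with the IdP; the issuer, audience and expiry field names and the secrets are constructed for illustration.

```python
# Added example: relying-party validation of a signed identity claim.
# Assumptions (not from the deck): HMAC-SHA256 over a JSON body, fields
# "iss" (issuer), "aud" (audience) and "exp" (expiry, seconds since epoch).
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values: trusted issuers and the secret shared with each.
TRUSTED_ISSUERS = {"https://idp.example-corp.invalid": b"constructed-shared-secret"}
# Constructed identifier of this cloud service; claims for other services are rejected.
SERVICE_AUDIENCE = "https://cloud-service.example.invalid"


def sign_claim(claim: dict, key: bytes) -> str:
    """Identity Provider side: serialise the claim and append an HMAC tag."""
    body = json.dumps(claim, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def verify_claim(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Relying party side: return the claim only if every check passes, else None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.rsplit(".", 1)  # hex tag contains no '.', so last dot splits it
        claim = json.loads(body)
    except ValueError:  # malformed token or body that is not JSON
        return None
    key = TRUSTED_ISSUERS.get(claim.get("iss"))
    if key is None:  # issuer is not one of our trusted Identity Providers
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # forged or tampered claim
        return None
    if claim.get("aud") != SERVICE_AUDIENCE:  # claim was issued for another service
        return None
    exp = claim.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # missing or past expiry
        return None
    return claim
```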

Key Questions: Segregation of Duties
ISO 27001 Control 10.1: Segregation of duties should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
Questions for the provider:
- Are any high-privilege roles allocated to the same person? Does this allocation break the segregation of duties or least privilege rules?
- Do you use role-based access control (RBAC)?
- Is the principle of least privilege followed?
(Diagram: Privileged User – OS Security, Application Security, Customer Data, Critical services, Files & Logs)

Key Questions: Monitoring Use of Privilege
ISO 27001 Control 10.10.2: Procedures for monitoring use of information processing facilities should be established, especially for all privileged operations.
Can the provider detail:
- How are privileged actions monitored and logged?
- What recorded events result in action being taken?
- What controls are employed to protect logs from unauthorised access or tampering?
- What method is used to check and protect the integrity of audit logs?
(Diagram: Privileged User – OS Security, Application Security, Customer Data, Critical services, Files & Logs)

Q6: What levels of isolation are supported?

Risk: Isolation Failure
Probability: Medium. Impact: Very High.
"This class of risk includes the failure of mechanisms separating storage, memory, routing and even reputation between different tenants. Malicious activities carried out by one tenant may affect the reputation of another tenant. The impact can be a loss of valuable or sensitive data, reputation damage and service interruption for cloud providers and their clients."
Source: ENISA - Cloud Computing - Benefits, risks and recommendations for information security

Key Questions: Separation/Isolation
ISO 27001 Control 11.6.2: Sensitive systems should have a dedicated (isolated) computing environment.
Questions for the provider:
- What levels of isolation are used for virtual machines, physical machines, network, storage, management networks and management support systems, etc.?
- Provide information on how multi-tenanted applications are isolated from each other.

Q7: How is my data protected in virtual environments?

Risks - Virtualization
Probability: Medium. Impact: Very High.
- PCI DSS specifies "one function per server". This is taken by some auditors to limit virtualization.
- A VM Image is completely transportable and can be installed on any machine!
Source: Payment Card Industries Data Security Standard.

Key Questions: Protection of VM Images
ISO 27001 Control 10.7: Appropriate operating procedures should be established to protect documents, computer media, ... from unauthorized disclosure, modification, removal, and destruction.
Questions:
- Are virtual images hardened by default?
- Is the hardened virtual image protected from unauthorized access?
- Confirm that the virtualised image does not contain authentication credentials.

Q8: How are the systems protected against internet threats?

Risk: Economic Denial of Service
Probability: Low. Impact: High.

Key Questions: Network Security
ISO 27001 Control 10.6.2: Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement.
Questions for the provider:
- Define the controls used to mitigate DDoS (distributed denial-of-service) attacks.
- Do you have defences against internal as well as external threats?
- Does the architecture support continuous operation?
- Is the network infrastructure secured to best practice specific standards (e.g., are MAC spoofing, ARP poisoning attacks, etc., prevented)?

Q9: How are activities monitored and logged?

Risk: Loss or Compromise of Logs
Probability: Low. Impact: Medium.

Key Questions: Monitoring and Logging
ISO 27001 Control 10.10: Systems should be monitored and information security events should be recorded.
Can the provider detail:
- What information is recorded in audit logs?
- For what period is this data retained?
- How is data segmented within audit logs so they can be made available to the end customer and/or law enforcement without compromising other customers?
- How are audit logs reviewed? What recorded events result in action being taken?
- How is accurate event time stamping provided?

Q10: What kind of information security certification do you have?

Risk: Loss of Governance
Probability: Very High. Impact: High.
"Certain organizations migrating to cloud have made considerable investments in achieving certification either for competitive advantage or regulatory requirements – (e.g. PCI DSS)"
Source: ENISA - Cloud Computing - Benefits, risks and recommendations for information security

Best Practice and Certification
- Does the Cloud provider comply with best practice? Are they certified?
- CSA Mapping of Cloud Best Practice to: COBIT, ISO/IEC 27002-5, NIST SP800-53, PCI-DSS
  Source: Cloud Security Alliance Cloud Controls Matrix (CSA-ccm-v1.00.xlsx)
- CSA (CCSK) Certificate of Cloud Security Knowledge
  Source: Cloud Security Alliance Certificate of Cloud Security Knowledge

SUMMARY

Summary
- Key Risks: CSA and ENISA Risk Assessments
- Managing Risk in the Cloud: Due Diligence by Customer; Clear Division of Liabilities; Clear Division of Responsibilities; Certification of Providers
- Ten Key Questions to Ask

For More Information
Mike Small CEng, FBCS, CITP, Fellow Analyst
Email: Mike.Small@kuppingercole.com
Mobile: 44 7777 697 300

QUESTIONS?
