Cloud Security CISO Club - April 2011 v2
DESCRIPTION
Cloud Security: risks and awareness. CISO club, April 2011
TRANSCRIPT
Shahar Geiger Maor, Senior Analyst
www.shaharmaor.blogspot.com http://www.facebook.com/shahar.maor http://twitter.com/shaharmaor
Cloud Security: Risks and Awareness
Shahar Maor’s work Copyright 2011 @STKI Do not remove source or attribution from any graphic or portion of graphic 2
We Should Know, by now, What Cloud Means
http://www.opengroup.org/jericho/cloud_cube_model_v1.0.pdf
Game Changer #7
Hybrid Clouds
Private Clouds
Public Clouds: BPaaS, PaaS, SaaS, IaaS
4 types: Enterprise Clouds
http://www.readwriteweb.com/cloud/2011/04/the-cloud-stratosphere-infogra.php
Cloudy IT: the hybrid world
By 2014: 80% of Israeli companies will run hybrid clouds
Developers are now doing most of their development work for public cloud versions, but will have private cloud versions by 2015
ISPs will become strategic
What does a private “cloud” look like?
Enterprise Benefits from Cloud Computing
Cloud accelerates business value across a wide variety of domains.

Capability                   From (legacy environments)   To (cloud-enabled enterprise)
Server/storage utilization   10-20%                       70-90%
Self service                 None                         Unlimited
Test provisioning            Weeks                        Minutes
Change management            Months                       Days/Hours
Release management           Weeks                        Minutes
Time to market               Bad                          Better
Metering/billing             Fixed cost model             Granular
Focus on the core            Not really                   Much better

Source: IBM, STKI modifications
Technologies Categorization 2010\2011
[Figure: STKI positioning chart. Horizontal axis: Market Maturity (Using / Implementing / Looking); vertical axis: Market Curiosity (IT Project / Major Changes). Size of figure = complexity/cost of project. Plotted technologies: Cyber Warfare, Mobile Sec, DLP\IRM, “Social” Security, Cloud Security, Network Security, Application Security, Endpoint Security, Security Management.]
Source: STKI
Cloud Security
http://securosis.com/research
Top Threats To Cloud Computing
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
• Abuse and Nefarious Use of Cloud Computing
• Malicious Insiders
• Shared Technology Issues
• Insecure Interfaces and APIs
• Data Loss or Leakage
• Account or Service Hijacking
• Unknown Risk Profile
Cloud Provider Vs. Organization
Security and privacy issues covered by the NIST draft (SP 800-144): Governance, Compliance, Trust, Architecture, Identity and Access Management, Software Isolation, Data Protection, Availability, Incident Response
http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf
Division of Liabilities in the Cloud
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-information-assurance-framework/
How to Secure the Cloud? - Provider’s Side
Technologies believed to be most important in securing the cloud computing environment
http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
Cloud Services Concerns - Client’s Side
Security (especially access issues) is still considered a top concern
Source: InformationWeek, State of Cloud, Jan 2011
Cloud Services Concerns - Client’s Side
Source: InformationWeek, State of Cloud, Jan 2011
“We won’t be involving our security team in this project until the last possible moment, because the answer will be ‘no.’” -VP at one of the largest retailers in the world
Lack of Confidence in IT?
http://www.ca.com/files/IndustryResearch/security-cloud-computing-users_235659.pdf
Who is responsible for ensuring a secure cloud computing environment?
Isn’t cloud security an IT responsibility? So why does IT rank only 3rd?
Don’t let it scatter
Regulations, Standards and Certifications
Regulations? Nothing (so far…)
Looking for regulations? …Please wait for the next disaster
Regulations, Standards and Certifications
• Standards:
  – AICPA: SAS 70: there is no published list of SAS 70 controls. SAS 70 defines how an auditor reports on the service organization’s controls, not which controls must exist, so the scope of the report is whatever the provider chose to include. (Recommendation: ask to review your cloud provider’s SAS 70 Type Ⅰ/Ⅱ report! Prefer a Type Ⅱ report, which covers operating effectiveness over a period, over a Type Ⅰ report, which only covers control design at a point in time. Note that SAS 70 is being superseded by SSAE 16 (SOC 1) for report periods ending on or after June 15, 2011.)
• Certifications:
  – NIST (National Institute of Standards and Technology): Recommended Security Controls for Federal Information Systems and Organizations (SP 800-53)* === > FISMA (Federal Information Security Management Act) ATO (Authorization to Operate).
  – CSA: CCSK - Certificate of Cloud Security Knowledge
* Not related directly to cloud security
Regulations, Standards and Certifications
• Guidelines:
  – CSA (Cloud Security Alliance): CCM - Cloud Controls Matrix
  – NIST (National Institute of Standards and Technology): DRAFT SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing
  – ENISA (European Network and Information Security Agency): Cloud Computing Information Assurance Framework
Addressing Cloud Issues in the Israeli Government
http://www.justice.gov.il/NR/rdonlyres/1FB266DE-95A0-4C31-939B-3796DCB0C232/23065/positionmikurhuz.pdf
From a position paper (10/2010) on principles for protecting the privacy of personal information in outsourcing in Israel
In Short
• The cloud is here to stay
• Security is an EASY showstopper
• Look for standards
• Find yourself a solid partner
• …“We put our money in the cloud”: No rush!
Thank you!