3DS.COM/BIOVIA © Dassault Systèmes | Confidential Information | 4/7/2016 | ref.: 3DS_Document_2014

Post on 13-Apr-2018


Page 1

Cloud Security

Darrin Powell, Sr. Manager, Information Security

Frederic Bost, ScienceCloud Product Director

Ton van Daelen, ScienceCloud Product Director

BIOVIA

Page 2

Outline

• Cloud drivers

• How secure is the cloud?

• Cloud collaboration

• Cloud architecture options

• Security certification (ISO27001)

• Service-level agreements (SLA)

Page 3

Industry Challenges Driving Cloud Adoption

Accelerate Innovation

• Leverage collaboration to address innovation mandate

Lower TCO

• Budget reductions – do more with (a lot) less

Increase Agility

• ‘Get me up and running by tomorrow’

Page 4

Cloud Adoption Challenges

Page 5

[Diagram: platform overview with labels AAA; Transfer, Translate, Transform; Science Data; Documents; Context; Integrated Apps; API]

A secure, cloud-based, data sharing, communication, and application platform to support networked scientific projects for all forms of external research collaborations

Page 6

Document and Data Sharing

Page 7

Social

Page 8

Integrated Apps

• Capture data from external partners based on collaboration needs and according to corporate validation rules

[App tiles: Projects (Capture project documents); Notebook (Capture all experiment details); Biologics (Register biologics; Analyze biologics sequence); Assay (Capture & process assay raw data); Inventory (Capture material availability & location); Register chemical & assay results]

Page 9

Cloud Architecture Options

Perceived Risk

Page 10

Security Risks With Non-Cloud Solutions

Page 11

Amazon’s Shared Responsibility Model

Page 12

Cloud Provider Versus Internal IT

• Cloud service providers are targeted far more than traditional enterprises and learn from being involved in these cyber attacks. As a result, they implement controls which are much more stringent than those typically used by enterprise IT departments.

• IT security experts are expensive and can be deployed to help multiple companies utilizing a service provider model.

• Cloud providers have the ability to leverage security best practices developed with one customer across their entire customer base.

• Cost to develop security models and tools is spread across multiple customers.

Page 13

Cloud Benefits

• More segmentation (separation)
  • Cloud vendors provide great flexibility

• More encryption
  • Encryption inside organizations is often ignored

• Stronger authentication
  • Remote VPN has risks
  • Strong authentication is ingrained in cloud solutions (e.g. multi-factor)

• More logging and monitoring
  • Often a lower priority inside organizations
  • Must-have for cloud solutions (SLA)

Page 14

ISO27001

• Confidentiality: Information is not made available or disclosed to unauthorized individuals, entities, or processes

• Integrity: Safeguarding the accuracy and completeness of assets

• Availability: Being accessible and usable upon demand by an authorized entity

Page 15

ISO 27001:2013

[Diagram: ISO 27001 (2013) framework, with clauses 4 - Context of the organization, 5 - Leadership & commitment, 6 - Planning, 7 - Support, 8 - Operation, 9 - Performance evaluation and 10 - Improvement laid out as a Plan/Do/Check/Act phase diagram. Box labels recoverable from the slide: scope & boundaries; legal, regulatory, contractual; information security policy & objectives; roles, responsibilities & authorities; objectives; risk assessment approach; risk assessment; risk treatment options; risk treatment plan; statement of applicability; resources; competence; training & awareness; communication; control of documents; control of records; asset inventory; risk management; policies, processes, procedures; business continuity plan; service agreements (OLA / SLA); monitor & measure; ISMS metrics; audit program; internal audits; external audits; previous audits & reviews; management review; corrective action procedure; corrective action record.]

Page 16

The Weakest Link

Page 17

Multi-Layered Approach to Security

[Diagram: security layers Physical, Network, Application, Personnel]

Page 18

Multi Layered Approach

• Physical Security
  • Hosted by
  • Disaster recovery

• Network Security
  • 256-bit SSL encryption (RSA 2048 Bit Verisign EV certificates)
  • Firewall, DMZ, Egress Filtering
  • Intrusion detection / prevention (IDS/IPS), HIDS/HIPS
    • OSSEC, Snort, SumoLogic, Security Monkey, Remote Syslog, CloudWatch, CloudTrail
  • Access control
    • Policies, Procedures, Access Control Matrix, Daily Security Access Reports, AWS IAM

Page 19

Multi Layered Approach

• Application Security
  • Project, functionality and data restrictions
  • Agile Security Development Lifecycle methodology with security built into all stages
  • Peer code review and Veracode analysis
  • Annual training on secure coding practices

• Physical Personnel Security
  • Process management governed by SOPs
  • Employee security (confidentiality agreement, training, background checks, ...)
  • Behavior-based activity monitoring and alerting

Page 20

Penetration Testing

• Performed by a reputable, trusted external 3rd party
  o XMCO (2015-2016)
  o Previously Tangible, which wrote the book on hacking

• Real-world hacking, both electronic and physical, including social engineering

• 3-week engagement
  • First week: black box testing (external, social engineering)
  • Two weeks: white box testing (full access, web app, ...)
  • Collaborative remediation

• Internal penetration testing
  • Tools (Qualys, Burp Suite Pro, Samurai Web Testing)

Page 21

The Service Level Agreement (SLA)

• A contract between a service provider and its internal or external customers that documents what services the provider will furnish.

• Availability and uptime: the percentage of the time services will be available

• The number of concurrent users that can be served

• Specific performance benchmarks to which actual performance will be periodically compared

• Application response time

• The schedule for notification in advance of network changes that may affect users

• Help desk response time for various classes of problems

• Usage statistics that will be provided

Page 22

Availability

• SLA
  • 99% availability
  • Planned downtime during the weekend, with 3 days' notice minimum

• Backup
  • Off-site encrypted backup, tested every 6 months
  • Real-time synchronization with the Disaster Recovery DB

• Disaster Recovery
  • In a separate geographical zone
  • Can be activated in a minute with global load balancing
  • Tested every 6 months

• Incident Response Procedure
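The availability commitment above is only checkable if downtime is measured against it. The following is an added example, not code from the deck or from BIOVIA: it charges each outage of a reporting period against the 99% target, and excludes a window only when it was planned, fell on a weekend and was announced at least 3 days ahead (that reading of the slide's planned-downtime rule is an assumption, as are the outage records).

```python
from datetime import datetime, timedelta

SLA_TARGET = 0.99               # "99% availability"
MIN_NOTICE = timedelta(days=3)  # "planned downtime during weekend with 3 days notice minimum"

def is_excused(outage):
    """Planned downtime is left out of the SLA figure only if it lies on a weekend
    and was announced at least MIN_NOTICE before it started (assumed reading)."""
    if not outage["planned"]:
        return False
    start, end, announced = outage["start"], outage["end"], outage["announced"]
    on_weekend = (start.weekday() >= 5 and end.weekday() >= 5
                  and end - start < timedelta(days=2))   # rules out Sat -> next Sat
    return on_weekend and start - announced >= MIN_NOTICE

def availability(period_start, period_end, outages):
    """Return (measured availability, names of outages charged to the SLA)."""
    charged, down = [], timedelta()
    for o in outages:
        s, e = max(o["start"], period_start), min(o["end"], period_end)  # clip to period
        if e <= s or is_excused(o):
            continue
        charged.append(o["name"])
        down += e - s
    return 1 - down / (period_end - period_start), charged

def meets_sla(avail):
    return avail >= SLA_TARGET

# Constructed outage records for April 2016 (the deck's month); all values invented.
T = datetime
OUTAGES = [
    {"name": "weekend-maintenance", "planned": True,  "start": T(2016, 4, 9, 2),   "end": T(2016, 4, 9, 6),   "announced": T(2016, 4, 4)},
    {"name": "unplanned-db",        "planned": False, "start": T(2016, 4, 12, 10), "end": T(2016, 4, 12, 14), "announced": None},
    {"name": "short-notice-patch",  "planned": True,  "start": T(2016, 4, 23, 1),  "end": T(2016, 4, 23, 3),  "announced": T(2016, 4, 22)},
]

if __name__ == "__main__":
    avail, charged = availability(T(2016, 4, 1), T(2016, 5, 1), OUTAGES)
    print(f"availability {avail:.4%}, charged: {charged}, SLA met: {meets_sla(avail)}")
```

The Saturday patch announced one day ahead is charged like an unplanned outage, which is the case a contract reviewer wants the calculation to catch.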

Page 23

Cloud Monitoring

• OS and application monitoring (Nagios, CloudWatch, CloudTrail)

• Security monitoring and intrusion detection (OSSEC, Qualys, Security Monkey, CloudWatch, CloudTrail, SumoLogic, Selenium)

• Performance and availability monitoring (Nagios, AWS Metrics, CloudWatch, SumoLogic, PP, Selenium)

Page 24

Monitoring Automation

• Too much data for a human being to examine

• Process and procedures are in place for automatic and manual review of monitoring events, potentially generating:
  • Improvement tickets
  • Real Time Alerts to DevOps
  • Automatic failover and fail back
  • Maintenance Page
  • Incident Response Tickets
  • Root cause Analysis
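The review step the slide describes can be sketched as a small triage routine. This is an added example, not the deck's or BIOVIA's tooling: it collapses repeated events per host and kind (so a reviewer sees counts rather than raw volume), maps each kind to the outputs listed above, and sends anything it has no rule for to manual review. Event shapes, host names and the failover threshold are constructed assumptions.

```python
from collections import Counter

FAILOVER_THRESHOLD = 3  # assumed: consecutive failed health checks before automatic failover

# Event kind -> outputs named on the slide. Kinds are constructed to resemble
# normalized Nagios/OSSEC/CloudTrail/CloudWatch output.
RULES = {
    "healthcheck_failed": ["Real Time Alert to DevOps"],
    "file_integrity":     ["Real Time Alert to DevOps", "Incident Response Ticket"],
    "iam_policy_change":  ["Real Time Alert to DevOps", "Incident Response Ticket"],
    "disk_usage":         ["Improvement ticket"],
}

def triage(events):
    """One decision per (host, kind): the repeat count plus the actions for that kind."""
    counts = Counter((e["host"], e["kind"]) for e in events)
    decisions = []
    for (host, kind), n in counts.items():
        actions = list(RULES.get(kind, ["Manual review"]))   # unknown kinds go to a human
        if kind == "healthcheck_failed" and n >= FAILOVER_THRESHOLD:
            actions += ["Automatic failover and fail back", "Maintenance Page", "Root cause Analysis"]
        decisions.append({"host": host, "kind": kind, "count": n, "actions": actions})
    return decisions

# Constructed sample events (invented hosts and values).
EVENTS = [
    {"source": "nagios",     "host": "web-1", "kind": "healthcheck_failed", "detail": "HTTP 503"},
    {"source": "nagios",     "host": "web-1", "kind": "healthcheck_failed", "detail": "HTTP 503"},
    {"source": "nagios",     "host": "web-1", "kind": "healthcheck_failed", "detail": "HTTP 503"},
    {"source": "ossec",      "host": "web-2", "kind": "file_integrity",     "detail": "/etc/sudoers checksum changed"},
    {"source": "cloudtrail", "host": "-",     "kind": "iam_policy_change",  "detail": "PutUserPolicy"},
    {"source": "cloudwatch", "host": "db-1",  "kind": "disk_usage",         "detail": "82%"},
    {"source": "cloudwatch", "host": "db-1",  "kind": "disk_usage",         "detail": "83%"},
    {"source": "selenium",   "host": "web-1", "kind": "ui_flow_slow",       "detail": "login 9.2s"},
]

if __name__ == "__main__":
    for d in triage(EVENTS):
        print(f"{d['host']:6} {d['kind']:20} x{d['count']}  -> {', '.join(d['actions'])}")
```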

Page 25

Network Segmentation

Zone       | Purpose                                                | Typical user                                | Data
-----------|--------------------------------------------------------|---------------------------------------------|---------------------
Production | Production                                             | Customer users                              | Customer data
Sandbox    | Development of Pipeline Pilot protocols                | Customer developers plus few testing users  | Test data
DR         | Disaster Recovery, activated only when Production down | Customer users                              | Customer data
Staging    | Impact analysis before production                      | SC DevOps                                   | Customer sample data
QA         | App on-boarding and upgrade                            | App owner and possibly customer validation  | Test data

Page 26

Auditing Your Software Vendor

• Critical part of the evaluation process

• Can include on-site visit(s)

• Look for industry standard certifications (ISO 27001, ISC2/CISSP, SANS/GIAC)

• Do this early!

Page 27

Conclusion

• Existing environment not as secure as it seems

• Cloud environments more secure than organizations think

• Adding new controls in the cloud is easier than adding new controls on-premises

• Whether environments exist on-premises or in the cloud, organizations can't ignore the risk

• Organizations can be, and probably will be, more secure in the cloud

Page 28

Other Talks of Interest (Tomorrow)
