The last presentation of the day was by Rich Mogull on "Everything you need to know about cloud security in 30 minutes or less". It all started with all of the presentations and diagrams having pictures of clouds, so some guy decided to sell that. It makes security practitioners sad.
Why the cloud is a problem for security
- Poor understanding of cloud taxonomies and definitions
- A generic term, frequently misused to refer to anything on the Internet
- Lack of visibility into cloud deployments
- Organic consumption
Couldn't have talked about this stuff 6 months ago because nobody knew about it and it wasn't discussed.
- Variable control
- Variable visibility
- Variable simplicity/complexity
- Variable resources
Control, visibility, and resources go down as simplicity and management go up.
Is the cloud more or less secure than we are now? It depends. Some things are more secure and some things are less secure because of all of the variability.
- Most constrained
- Most security managed by your provider
- Least flexible
- Less constrained
- Security varies tremendously based on provider and application-shared responsibility
- Security responsibility
- Most flexible
- Most security managed by your developers
- Spillage and data security
- Capability to apply traditional security controls in a dynamic environment
- Lack of visibility into cloud usage
- Changing development patterns/cycles
How do you use your static and dynamic analysis testing tools in the cloud?
Where do you roll your cloud when it fails?
Your Top 2 Cloud Security Defenses
Understand Your SLAs
- Are there security-specific SLAs?
- Can you audit against those SLAs?
- Are there contractual penalties for non-compliance?
- Do your SLAs meet your risk tolerance requirements?
- Security audits - including third party
- Data security/encryption
- Personal security
- Security controls (depend on the service)
- User account management
- Infrastructure changes
Understand Your Cloud
- What security controls are in your cloud?
- How can you manage and integrate with the controls?
- What security documentation is available?
- What contingency plans are available?
Cloud Security Controls to Look For
- Data encryption/security (key management)
- Perimeter defenses
Cloud Security Macro Layers
- SAS70 Audits
- Documentation without verification
- Non-contractual SLAs
What to Do
- Educate yourself
- Engage with developers
- Develop cloud security requirements
Next up at the Cloud Computing and Virtualization Security half-day seminar was a Cloud Computing Panel moderated by Rich Mogull (Analyst/CEO at Securosis) with Josh Zachary (Rackspace), Jim Rymarczk (IBM), and Phil Agcaoili (Dell) participating in the panel. My notes from the panel discussion are below:
Phil: Little difference between outsources of the past and today's Cloud Computing. All of that stuff is sitting outside of your environment and we've been evolving toward that for a long time.
Rich: My impression is that there are benefits to outsourced hosting, but there are clearly areas that make sense and areas that don't. This is fundamentally different from shared computing resources. Very different applications for this. Complexity goes up very quickly for security controls. Where do you see the most value today? Where do people need to be most cautious?
Jim: Internal virtualization is almost necessary, but it impacts almost every IT process. Technology is still evolving and is far from advanced state. Be pragmatic and find particular applications with a good ROI.
Josh: Understand what you are putting into a cloud environment. Have a good understanding of what a provider can offer you in terms of sensitive data. Otherwise you're putting yourself in a very bad situation. A lot of promise. Great for social networking and web development. Not appropriate with enterprises with large amounts of IP and sensitive data.
Jim: We'll get there in 4-5 years.
Phil: Let supply chain experts do it for you and then interact with them. Access their environment from anywhere. Use a secure URL with a federated identity. Your business will come back to you and say "We need to do this" and IT will be unable to assist them. Use it as an opportunity to mobilize compliance and InfoSec and get involved. It's going to come to us and we're just going to have to deal with it. There's a long line of people with a "right to audit". Don't think that someone is doing the right thing in this space, you have to ask.
Audience: What is the most likely channel for standards?
Phil: Cloud Security Alliance is a step in the right direction. Want to come up with PCI DSS like checklists. CSA is working with IEEE and NIST to work along with them. Goal is to be able to feed the standards process, not become a standards body.
Rich: The market is anti-standards based. If we get standardized, then all of the providers are only competing based on cost.
Jim: I think it'll happen. We will see ISO groups for standards on cloud quality.
Audience: Moving data between multiple clouds. How do you determine who gets paid?
Jim: There are proposals for doing that. All of the resource parameters.
Phil: Should see standards based on federated identity. Who is doing what and where. That's where I've seen the most movement. There is no ISO for SaaS. Remapping how 27001 and 27002 apply to us as a software provider.
Audience: Two things that drive standards. The market or monopoly (BetaMax).
Rich: We will have monopolistic ones and then 3rd parties that say they use those standards.
Audience: How can you really have an objective body create standards without being completely embedded in the technology?
Jim: You create a reference standard and the market drives that.
Phil: Gravity pulls us to things that work. Uses SAML as an example. It's the way the internet has always worked. The strongest will survive and the right standards will manifest themselves.
Rich: What are some of things that you're dealing with internally (as consumers and providers) and the top suggestions for people stuck in this situation?
Jim: People who don't have all of the requirements do public clouds. If what you want is available (salesforce.com), it may be irresistible.
Josh: Solution needs to be appropriate to the need. Consult with your attorney to make sure your contract is in line with what you're leveraging the provider for. It's really about what you agree to with that provider and their responsibilities.
Phil: The hurricane is coming. You can't scream into the wind, you gotta learn to run for cover. Find the safe spot.
Audience: What industries do you see using this? I don't see it with healthcare.
Phil: Mostly providers for us. Outsourcing service desks. Government. Large states/local.
Josh: Small and medium retail businesses. Get products out there at a significantly reduced cost.
Jim: Lots of financial institutions looking for ways to cut costs. Healthcare industry as well (Mayo Clinic). Broad interest across the whole market, but especially anywhere they're under extreme cost measures.
Rich: I run a small business that picked an elastic provider that couldn't pay for a full virtual hosting provider. Doing shared hosting right now, but capable of growing to a virtual private server. Have redundancy. Able to go full-colocation if they need it. Able to support growth, but start with the same instance to get there.
Audience: How does 3rd party transparency factor into financial uses?
Jim: Almost exclusively private clouds. There are use cases playing out right now that will be repeatable patterns. Use cases.
Phil: When the volume isn't there, offload to someone like Rackspace and they'll help you to grow.
Audience: Are there guidelines to contracts to make sure information doesn't just get outsourced to yet another party?
Phil: Your largest partners/vendors steal their contracts. Use them as templates.
Audience: What recourse do you have that an audit is used to verify that security is not an issue?
Phil: Third party assessment (i.e., the right to audit). It's in our interest to verify they are secure. It's a trend and we now have a long list of people looking to audit against us as a provider. Hoping for an ISO to come up truly for the cloud.
Audience: Is cloud computing just outsourcing?
Rich: It's more than that. For example, companies have internal clouds that aren't outsourced at all.
Josh: Most of the time it's leveraging resources more efficiently at hopefully a reduced cost.
Audience: How do I know you're telling me the truth about the resources I'm using? What if I'm a bad guy who wants to exploit a competitor using the cloud?
Josh: We've seen guys create botnets using stolen credit cards. What you're billed for is in your contract.
Jim: We've had this solved for decades on mainframes. Precious resources propagated amongst users. There's no technical reason we're not doing it today.
Rich: It depends what type of cloud you're using. Some will tell you.
Josh: If you're worried about someone abusing you, why are you there in the first place?
Phil: For our service desk we meter this by how many calls, by location. Monitor servers that were accessed/patched/etc. Different service providers will have different levels.
Audience: Seeing some core issues at the heart of this. For businesses, an assessment of core competencies. Can you build a better data center with the cloud? Second issue involves risk assessment. Can you do a technical audit? Can you pay for it legally? How much market presence does the vendor have? Who has responsibility for what? Notion of transparency of control. Seems like it distills down to those core basics.
Jim: I agree.
Rich: Well said.
Phil: Yes, yes, yes.
Audience: How do you write a contract for failed nation states, volatility, etc? Do we say you can't put our stuff in these countries?
Phil: This is the white elephant in the room. How can you ensure that my data is being protected the way I'd protect it myself? It's amazing what other people do when they get a hold of that stuff. This is the underlying problem that we have to solve. "Moving from a single-family home to a multi-tenant condo. How do we build that now?"
Rich: You need to be comfortable with what you're putting out there.
Audience: To what extent is the military or federal government using cloud computing?
Jim: They're interested in finding ways, but they don't talk about how they're using it.
Audience - Vern: They're doing cloud computing using an internal private cloud already. They bill back to the appropriate agency based on use.
Phil: Government is very wary of what's going on.
The next presentation at the ISSA half-day seminar was on the "Cloud Security Alliance" and Security Guidance for Critical Areas of Focus in Cloud Computing by Jeff Reich. Here are my notes from this presentation:
- About the Cloud Security Alliance
- Getting Involved
- Guidance 1.0
- Call to Action
About the Cloud Security Alliance
- Not-for-profit organization
- Inclusive membership, supporting broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc.
- We believe in Cloud Computing, we want to make it better
- Individual membership (free)
- Subject matter experts for research
- Interested in learning about the topic
- Administrative & organizational help
- Corporate Sponsorship
- Help fund outreach, events
- Affiliated Organizations (free)
- Joint projects in the community interest
- Contact information on website
Download version 1.0 of the Security Guidance at http://www.cloudsecurityalliance.org/guidance
Overview of Guidance
- 15 domains
- #1 is Architecture & Framework
- Covers Governing in the Cloud (2-7) and Operating in the Cloud (8-15) as well
Assumptions & Objectives
- Trying to bridge gap between cloud adopters and security practitioners
- Broad "security program" view of the problem
- Not "One Cloud": Nuanced definition critical to understanding risks & mitigation
- 5 principal characteristics (abstraction, sharing, SOA, elasticity, consumption/allocation)
- 3 delivery models
- Infrastructure as a Service
- Platform as a Service
- Software as a Service
- 4 deployment models: Public, Private, Managed, Hybrid
Governance & ERM
- A portion of cloud cost savings must be invested into provider security
- Third party transparency of cloud provider
- Financial viability of cloud provider
- Alignment of key performance indicators
- PII best suited in private/hybrid cloud outside of significant due diligence of public cloud provider
- Increased frequency of 3rd party risk assessments
Important thing to consider is the financial viability of your provider. You never want to have your data held hostage in a court battle.
- Contracts must have flexible structure for dynamic cloud relationships
- Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets
- Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer
Compliance & Audit
- Classify data and systems to understand compliance requirements
- Understand data locations, copies
Information Lifecycle Management
- Understand the logical segregation of information and protective controls implemented in storage, transfers, backups
- Cloud Computing is real and transformational
- Cloud Computing can and will be secured
- Broad governance approach needed
- Tactical fixes needed
- Combination of updating existing best practices and creating completely new best practices
- Common sense is not optional
Call to Action
- Join us, help make our work better
- Twitter: @cloudsa, #csaguide
Today the Austin ISSA and ISACA chapters held a half-day seminar on Cloud Computing and Virtualization Security. The introduction on cloud computing was given by Vern Williams. My notes on this topic are below:
5 Key Cloud Characteristics
- On-demand self-service
- Ubiquitous network access
- Location independent resource pooling
- Rapid elasticity
- Pay per use
3 Cloud Delivery Models
- Software as a Service (SaaS): Provides applications over a network
- Platform as a Service (PaaS): Deploy customer-created apps to a cloud
- Infrastructure as a Service (IaaS): Rent processing, storage, etc
4 Cloud Deployment Models
- Private cloud: Enterprise owned or leased
- Community cloud: Shared infrastructure for a specific community
- Public cloud: Sold to the public, Mega-scale infrastructure
- Hybrid cloud: Composition of two or more clouds
- Two types: internal and external
Common Cloud Characteristics
- Massive scale
- Free software
- Autonomic computing
- Geographically distributed systems
- Advanced security technologies
- Service oriented software
- Lower central processing unit (CPU) density
- Flexible use of resources
- Rapid deployment of new servers
- Simplified recovery
- Virtual network connections
- Potential impact of a single component failure
- Hypervisor security issues
- Keeping virtual machine (VM) images current
- Virtual network connections
Virtualization Security Concerns
- Protecting the virtual fabric
- Patching off-line VM images
- Configuration Management
- Firewall configurations
- Complicating Audit and Forensics