{"id":270,"date":"2009-06-25T17:05:31","date_gmt":"2009-06-25T22:05:31","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=270"},"modified":"2009-06-25T17:05:31","modified_gmt":"2009-06-25T22:05:31","slug":"everything-you-need-to-know-about-cloud-security-in-30-minutes-or-less","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/06\/25\/everything-you-need-to-know-about-cloud-security-in-30-minutes-or-less\/","title":{"rendered":"Everything You Need To Know About Cloud Security in 30 Minutes or Less"},"content":{"rendered":"<p>The last presentation of the day was by Rich Mogull on &#8220;Everything you need to know about cloud security in 30 minutes or less&#8221;.\u00a0 It all started with all of the presentations and diagrams having pictures of clouds so some guy decides to sell that.\u00a0 Makes security practitioners sad.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Why the cloud is a problem for security<\/strong><\/span><\/p>\n<ul>\n<li>Poor understanding of cloud taxonomies and definitions<\/li>\n<li>A generic term, frequently misused to refer to anything on the Internet<\/li>\n<li>Lack of visibility into cloud deployments<\/li>\n<li>Organic consumption<\/li>\n<\/ul>\n<p>Couldn&#8217;t have talked about this stuff 6 months ago because nobody knew about it and it wasn&#8217;t discussed.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Security Implications<\/strong><\/span><\/p>\n<ul>\n<li>Variable control<\/li>\n<li>Variable visibility<\/li>\n<li>Variable simplicity\/complexity<\/li>\n<li>Variable resources<\/li>\n<\/ul>\n<p>Control, visibility, and resources go down as simplicity and management go up.<\/p>\n<p>Is the cloud more or less secure than we are now?\u00a0 It depends.\u00a0 Some things are more secure and some things are less secure because of all of the variability.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>SaaS<\/strong><\/span><\/p>\n<ul>\n<li>Most constrained<\/li>\n<li>Most security managed by your provider<\/li>\n<li>Least flexible<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>PaaS<\/strong><\/span><\/p>\n<ul>\n<li>Less constrained<\/li>\n<li>Security varies tremendously based on provider and application; shared responsibility<\/li>\n<li>Security responsibility<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>IaaS<\/strong><\/span><\/p>\n<ul>\n<li>Most flexible<\/li>\n<li>Most security managed by your developers<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Specific Issues<\/strong><\/span><\/p>\n<ul>\n<li>Spillage and data security<\/li>\n<li>Reliability\/availability<\/li>\n<li>Capability to apply traditional security controls in a dynamic environment<\/li>\n<li>Lack of visibility into cloud usage<\/li>\n<li>Changing development patterns\/cycles<\/li>\n<\/ul>\n<p>How do you use your static and dynamic analysis testing tools in the cloud?<\/p>\n<p>Where do you roll your cloud when it fails?<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Your Top 2 Cloud Security Defenses<\/strong><\/span><\/p>\n<ul>\n<li>SLA<\/li>\n<li>Contracts<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Understand Your SLAs<\/strong><\/span><\/p>\n<ul>\n<li>Are there security-specific SLAs?<\/li>\n<li>Can you audit against those SLAs?<\/li>\n<li>Are there contractual penalties for non-compliance?<\/li>\n<li>Do your SLAs meet your risk tolerance requirements?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Suggested SLAs<\/strong><\/span><\/p>\n<ul>\n<li>Availability<\/li>\n<li>Security audits &#8211; including third party<\/li>\n<li>Data security\/encryption<\/li>\n<li>Personal security<\/li>\n<li>Security controls (depends on the service)<\/li>\n<li>User account management<\/li>\n<li>Infrastructure changes<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Understand Your Cloud<\/strong><\/span><\/p>\n<ul>\n<li>What security controls are in your cloud?<\/li>\n<li>How can you manage and integrate with the controls?<\/li>\n<li>What security documentation is available?<\/li>\n<li>What contingency plans are available?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Cloud Security Controls to Look For<\/strong><\/span><\/p>\n<ul>\n<li>Data encryption\/security (key management)<\/li>\n<li>Perimeter defenses<\/li>\n<li>Auditing\/logging<\/li>\n<li>Authentication<\/li>\n<li>Segregation<\/li>\n<li>Compliance<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Cloud Security Macro Layers<\/strong><\/span><\/p>\n<ul>\n<li>Network<\/li>\n<li>Service<\/li>\n<li>User<\/li>\n<li>Transaction<\/li>\n<li>Data<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Don&#8217;t Trust<\/strong><\/span><\/p>\n<ul>\n<li>SAS70 Audits<\/li>\n<li>Documentation without verification<\/li>\n<li>Non-contractual SLAs<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>What to Do<\/strong><\/span><\/p>\n<ul>\n<li>Educate yourself<\/li>\n<li>Engage with developers<\/li>\n<li>Develop cloud security requirements<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The last presentation of the day was by Rich Mogull on &#8220;Everything you need to know about cloud security in 30 minutes or less&#8221;.\u00a0 It all started with all of the presentations and diagrams having pictures of clouds so some guy decides to sell that.\u00a0 Makes security practitioners sad. Why the cloud is a problem [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[271],"tags":[39,268,298,297,622],"class_list":["post-270","post","type-post","status-publish","format-standard","hentry","category-cloud-computing-security","tag-cloud","tag-computing","tag-mogull","tag-rich","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-4m","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/270","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=270"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/270\/revisions"}],"predecessor-version":[{"id":271,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/270\/revisions\/271"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/w
p\/v2\/media?parent=270"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=270"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=270"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}