Building Enterprise Security in Hybrid Cloud Environments
1. Building Enterprise Security in Hybrid Cloud
Lenin Aboagye – Principal Security Architect, Apollo Group
Kartik Trivedi – Co-Founder, Symosis
2. The Road Ahead…
The Power of Cloud Computing:
• Rapid business agility
• Heightened innovation
• Enhanced innovation
• Improved IT services
• Reduced costs / cost efficiencies
However, security remains the roadblock:
• Data loss prevention & protection
• Authentication, authorization and audit
• Security governance
• Information governance
• Data control
• Data profiling
• Compliance
3. Implementation on Cloud?
Security domains to implement:
• Monitoring & Operational Risk Management
• Infrastructure Protection Services
• Identity & Access Management
• Threats & Vulnerability Management
• Compliance, Governance and Risk
• Info Sec Management
• Data Lifecycle Management
5. Responsibility Model
                                 SaaS   PaaS   IaaS
Compliance & Auditing             X      X      X
Governance/Risk Mgmt.             X      X      X
Legal and Electronic Discovery    X      X      X
Operations Security               X      X     -X
Incident Management               X      X
Application Security              X     -X
Encryption & Key Management       X     -X
Identity & Access Management     -X     -X
Virtualization Security           X
DR/BCP                            X
Legend: X = provider responsibility; -X = provider partially responsible; blank = not a provider responsibility
7. Identity & Access Management
How do you securely maintain and govern identities in the cloud?
― Identity provisioning/de-provisioning into the cloud should be tied to internal identity management systems
― All access requests for the cloud go through a centralized internal service (the cloud is only seen as an extension of the internal environment)
― Federated provisioning/de-provisioning for cloud apps
― No direct access to the cloud provider interface for access requests
― Policy management (authz, role and compliance)
― Tenant applications utilize SSO federation into SaaS applications
― Maintain a single system to manage the user identity lifecycle for IaaS, PaaS and SaaS
― Apply location-based and data-context rules to ensure that user access can be properly controlled
8. Data Loss Prevention
How can you profile and protect the data you have in the cloud and the data you send to the cloud, and secure it based on classification and data protection policies?
― Discover and classify data before you ship it into the cloud
― Apply policies and preventative controls based on organization policies and data classification
― Understand data flow profiles between public and private clouds, and between the public cloud and the internet
― Deploy host-based DLP tools as agents on public cloud VMs
― Use tools with geo-tagging capabilities to ensure data location can always be tracked
― Apply egress & ingress filtering for cloud data
― Ensure sensitive data does not leak from the private cloud to the public cloud
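An added illustration of the first two bullets and the last one (classify before shipping, derive preventative controls from the classification, block the private-to-public leak); this is not from the presentation, and the discovery rules, classification levels and egress policy are constructed assumptions.

```python
import re

# Classification levels in ascending sensitivity (assumed policy, constructed for this example)
LEVELS = ["public", "internal", "confidential", "regulated"]

# Constructed discovery rules: a pattern and the minimum classification a match implies
RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "regulated"),        # US SSN-like identifier
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "regulated"),       # payment-card-like number
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "confidential"),   # e-mail address
    (re.compile(r"(?i)\bproject\s+[a-z]+\b"), "internal"),      # internal project codename
]

# Assumed egress policy: classifications allowed to leave for each destination
EGRESS_POLICY = {
    "private_cloud": {"public", "internal", "confidential", "regulated"},
    "public_cloud": {"public", "internal", "confidential"},
    "internet": {"public"},
}


def classify(record: str) -> str:
    """Discover sensitive content and return the highest classification it implies."""
    level = "public"
    for pattern, implied in RULES:
        if pattern.search(record) and LEVELS.index(implied) > LEVELS.index(level):
            level = implied
    return level


def egress_check(record: str, destination: str) -> tuple:
    """Classify a record and decide whether policy allows shipping it to destination.
    Returns (classification, allowed)."""
    level = classify(record)
    return level, level in EGRESS_POLICY[destination]


def filter_batch(records, destination):
    """Split a batch into records that may be shipped and records that must be held
    back, so a leak from private to public cloud is stopped before transfer."""
    shipped, held = [], []
    for record in records:
        level, allowed = egress_check(record, destination)
        (shipped if allowed else held).append((level, record))
    return shipped, held
```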
9. Web and Application Security
How can you secure your applications in the cloud?
― Secure development practices need to be extended to the cloud
― Build applications to account for common cloud models, e.g. abstract encryption of data to the application level as opposed to the infrastructure/DB levels
― Utilize service automation to address performance and scalability of application security tools
― Embed source code analysis in the CI (Continuous Integration) process (code is scanned when checked in)
― Apply web application / XML firewalls to mitigate web application and web services security threats
― Apply web filtering
― Ensure that security tests are run with the permission of the cloud service provider
10. Database Protection
How can you secure data in cloud databases?
― Secure databases and encrypt all sensitive/regulated data
― Consolidate all sensitive data into a central table and schema to simplify encryption, auditing and monitoring of sensitive data (applications access databases through a common web service)
― Deploy database security activity monitoring on host systems to monitor for malicious database activity and attacks, and to abstract auditing and logging functions
― Utilize network segmentation controls and integrated IAM to deal with access management concerns with NoSQL databases
― Avoid database services that do not meet your security needs
― Data encrypted at rest in databases needs to stay encrypted in backups/snapshots as well
11. SIEM
How can you monitor, detect and respond to attacks on your cloud systems?
― Push/forward logs from the application, middleware, database, network and infrastructure tiers into the SIEM
― Ensure the SIEM is configured to handle multi-tenancy for SaaS tenants
― Apply app-level and system/device-level tagging to segregate feeds and properly apply incident response
― All cloud logs should be accessible, in an easy-to-convert format, and integrated into the enterprise SIEM
― Incident response capabilities should include the ability to quarantine affected instances and move them into the private cloud while new instances are spun up to avoid service interruption
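An added example, not from the presentation, of the tagging and multi-tenant segregation described above: forwarder lines carrying app, tier and tenant tags are normalized into flat events, routed into per-tenant feeds, and a per-tenant correlation is run over them. The key=value line format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed forwarder lines from several tiers; each forwarder prefixes the
# application, tier and (for SaaS) the tenant it serves. Not real log data.
SAMPLE_LOGS = [
    'app=billing tier=application tenant=acme msg="login failed user=bob src=203.0.113.7"',
    'app=billing tier=database tenant=acme msg="query on table cards by svc_ro"',
    'app=portal tier=network tenant=globex msg="DENY tcp 198.51.100.9 -> 10.0.3.4:22"',
    'app=portal tier=application tenant=globex msg="login failed user=carol src=198.51.100.9"',
    'app=portal tier=application tenant=globex msg="login failed user=carol src=198.51.100.9"',
    'app=billing tier=application msg="login failed user=dave src=203.0.113.7"',  # tag missing
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAILED_LOGIN_RE = re.compile(r"login failed user=\S+ src=(\S+)")


def normalize(line: str) -> dict:
    """Parse one key=value forwarder line into a flat event (easy to convert to JSON)."""
    event = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # A missing tenant tag is itself a finding: route such events to a holding feed
    # rather than guessing a tenant or silently mixing them into another tenant's data.
    event.setdefault("tenant", "untagged")
    event.setdefault("tier", "unknown")
    return event


def route_by_tenant(lines) -> dict:
    """Segregate events into per-tenant feeds so SaaS tenants never share a feed and
    incident response can be scoped to the affected tenant."""
    feeds = defaultdict(list)
    for line in lines:
        event = normalize(line)
        feeds[event["tenant"]].append(event)
    return dict(feeds)


def failed_logins_by_source(feed) -> dict:
    """Per-tenant correlation: count failed logins per source address across tiers."""
    counts = defaultdict(int)
    for event in feed:
        match = FAILED_LOGIN_RE.search(event.get("msg", ""))
        if match:
            counts[match.group(1)] += 1
    return dict(counts)
```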
12. Encryption & Key Management
With data being moved in and out of the cloud, how do you encrypt data at rest and in transit?
― Encrypt any sensitive data in the cloud: databases, VMs, virtual storage, communications data, VPN and application data
― Apply application-level encryption if possible to abstract encryption from servers and databases
― Back up encryption keys in the private cloud
― Do not store keys on cloud instances; abstract them to a secure third-party service and retrieve keys only if and when needed
― Implement key rotation and replacement
― Tokenize public cloud data and perform key management in the private cloud
― Encrypt sensitive data in transit, in processing and at rest
― Avoid performance overheads by encrypting only sensitive data
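An added example (not the authors' code) serving both the Database Protection point that sensitive values should be abstracted away from the cloud database and the tokenization and key-rotation points on this slide: a tokenization vault hosted in the private cloud that hands opaque random tokens to the public-cloud application and rotates its index key without invalidating issued tokens. The class and its in-memory storage layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


class PrivateCloudTokenVault:
    """Tokenization service hosted in the private cloud (an assumed design, not the
    authors'): the public-cloud application stores only the opaque tokens returned
    here, while the lookup key and the sensitive values never leave the vault."""

    def __init__(self):
        self._keys = {1: secrets.token_bytes(32)}  # key version -> HMAC index key
        self._current = 1
        self._by_index = {}   # (key version, HMAC of value) -> token
        self._by_token = {}   # token -> sensitive value (encrypted at rest in production)

    def _index(self, value: str, version: int) -> bytes:
        """Keyed digest used to find an existing token without a plaintext index."""
        return hmac.new(self._keys[version], value.encode(), hashlib.sha256).digest()

    def tokenize(self, value: str) -> str:
        """Return the token already issued for value, or mint a new random one."""
        key = (self._current, self._index(value, self._current))
        if key in self._by_index:
            return self._by_index[key]
        token = "tok_" + secrets.token_hex(16)   # random: reveals nothing about value
        self._by_index[key] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token; only reachable from inside the private cloud. Raises KeyError
        for tokens this vault never issued."""
        return self._by_token[token]

    def rotate_key(self) -> int:
        """Key rotation and replacement: mint a new index key, re-index every stored
        value under it and retire the old key. Issued tokens remain valid."""
        new_version = self._current + 1
        self._keys[new_version] = secrets.token_bytes(32)
        self._by_index = {(new_version, self._index(v, new_version)): tok
                          for tok, v in self._by_token.items()}
        del self._keys[self._current]
        self._current = new_version
        return new_version
```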
13. Patch Management
How do you ensure your applications and systems are patched and up to date in the cloud?
― Perform vulnerability scanning of the OS, application server, database and application
― Utilize cloud provider auto-patching services for the OS
― Update certified images and deploy them during patch cycles
― Ensure patching is embedded in all full-stack deployments
― If using third-party/vendor images, have a mechanism via repositories to be provided with updated images (always deploy the latest images)
― Perform monthly cloud scanning to resolve security issues
14. Legal & E-discovery
If data breaches occur in the cloud, how can you perform forensics and e-discovery in your cloud environment?
― Install forensic software agents so that remote e-discovery can be performed
― Quarantine affected instances and ship images to the private cloud for further investigation
― Partner with the cloud provider for forensic and legal requests of this nature
― Ensure during contract negotiations with the cloud provider that there are no limitations on the organization's ability to perform such functions
15. Vulnerability Management & Assessment
How can you perform vulnerability management in an effective manner in the cloud?
― Get cloud provider approval prior to running such assessments and ensure that limitations are understood
― Check with the cloud provider whether there are other contracted service providers who can provide such limited functions for your organization (e.g. penetration testing, hypervisor testing)
― Perform assessment of application, infrastructure, database and network
― Integrate and run vulnerability assessment tools from the cloud environment to limit bandwidth costs
― Ensure remediation scans are run after vulnerabilities are resolved
16. Intrusion Detection/Prevention
How can you monitor, detect and prevent intrusions in your cloud environment?
― Deploy host-based IDS/IPS
― Install software NIDS using soft taps in the cloud
― Automatically detect and remediate policy violations
― Scale appropriately to account for increased demand
― Ensure all feeds flow into the SIEM
17. Network Security
How can your network be configured to prevent malicious attacks and unauthorized attackers?
― Deploy web gateways to monitor and inspect traffic for any malware or malicious attacks
― Utilize NIDS
― Create and maintain security groups to restrict network access
― Restrict subnets and apply proper network ACLs
― Use a VPN from the private cloud to the public cloud so that all network firewalls and NIDS can simply be run from the private cloud. This way the public cloud can be turned into a secure extension of the private cloud
― Configure iptables to provide extra security to virtual instances
18. Conclusion/Lessons Learned
Know and understand your data before you move to the cloud
Cloud has unique challenges that still need to be addressed
Cloud can be a riskier extension of your environment if you don't understand what you are doing
No two clouds are the same due to lack of standardized approaches and vendor tie-ins
Utilize tools with geo-tagging and location-based capabilities when securing data
Ensure you drive strong security SLAs during contract time
Long-term strategic partnerships, research, customization and continuous adaptation are the key to meeting security standards and protecting against evolving security threats in the cloud
19. Thank you & References
Lenin Aboagye / Kartik Trivedi
Referenced Material:
"SecaaS Working Group: Defined Categories of Service 2011"
https://cloudsecurityalliance.org/wp-content/uploads/2011/09/SecaaS_V1_0.pdf
"AWS Best Practices: AWS Security Best Practices"
http://d36cz9buwru1tt.cloudfront.net/Whitepaper_Security_Best_Practices_2010.pdf
"NIST guideline for security and privacy in cloud"
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
"Cloud Security Alliance: Security Guidance, TCI Reference Architecture, Cloud Controls Matrix"
https://cloudsecurityalliance.org/
Editor's Notes
To achieve an effective shared responsibility model, separation and teaming of the various duties are critical.
Cloud Provider Role: the infrastructure and cloud service provider. Responsibilities:
• Access and identity management for infrastructure
• Authentication services
• Monitoring services
• Infrastructure protection services
• Data management and backup services
Cloud Broker Role: provides software and integration services through applications hosted on the cloud. Responsibilities: provide the following services to the tenant:
• Customized access and identity management
• Authentication and authorization services for tenant users
• Information security management
• Compliance and risk management
• Data protection, leakage prevention and governance
• Infrastructure protection services
• Threats and vulnerabilities management
Tenant Role: consumer of the services offered by the cloud broker; integrates them with in-house applications. Responsibilities:
• Implementation of the policies and standards set by the cloud broker
• Operational risk management
• Compliance, governance and risk management for services integrated with the cloud broker