Contenu connexe
Similaire à Cloud Security And Privacy (20)
Cloud Security And Privacy
- 1. Cloud Security and Privacy:
An Enterprise Perspective on Risks and Compliance
Tim Mather
Subra Kumaraswamy, Sun
Shahed Latif, KPMG
- 2. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
What We Do Not Discuss
• Existing aspects of information security
which are not impacted by ‘cloud computing’
• Consumer aspects of cloud computing
2
- 3. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
What We Do Discuss
• Infrastructure Security
• Network-level
• Host-level
• Application-level
• Data Security
• Identity and Access Management (IAM)
• Privacy Considerations
• Audit & Compliance Considerations
• Security-as-a- [Cloud] Service (SaaS)
• Impact on the Role of Corporate IT
Where Risk Has Changed: ± 3
- 4. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Components of Information Security
Security Management Services
Management – ACL, hygiene, patching, VA, incident response
Identity services – AAA, federation, provisioning
Information Security – Data
Encryption (transit, rest, processing), lineage, provenance, remanence
Information Security – Infrastructure
Application-level
Host-level
Network-level
4
- 5. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Cloud Computing: Evolution
5
- 6. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Cloud Pyramid of Flexibility
6
- 7. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Infrastructure Security – currently
• Trust boundaries have moved
• Specifically, customers are unsure where those
trust boundaries have moved to
• Established model of network tiers or zones no
longer exists
• Domain model does not fully replicate previous
model
• No viable, scalable model for host-to-host trust
• Data labeling / tagging required at application-
level
• Data separation is logical not physical
7
- 8. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Infrastructure Security – going forward
• Need for greater transparency regarding
which party (CSP or customer) provides
which security capability
• Inter-relationships between systems,
services, and people needs to be addressed
by identity management
8
- 9. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Data Security – currently
• Provider’s data collection efforts and
monitoring of such (e.g., IPS, NBA)
• Use of encryption
• Point-to-multipoint data-in-transit an issue
• Data-at-rest possibly not encrypted
• Data being processed definitely not encrypted
• Key management is a significant issue
• Advocated alternative methods (e.g., obfuscation,
redaction, truncation) are nonsense
• Data lineage
• Data provenance
• Data remanence
9
- 10. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Data Security – going forward
Large-scale multi-entity key management
• Must scale past multi-enterprise to inter-cloud
• Not just hundreds of thousands of systems or even millions of
virtual machine images, but billions of files or objects
• Must not only handle key management lifecycle (per NIST
SP 800-57, Recommendation for Key Management), but also
• Key recovery
• Key archiving
• Key hierarchies / chaining for legal entities
• Fully homomorphic encryption
• Potentially huge boon to cloud computing
• Will increase need for better key management
10
- 11. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
IAM – currently
• Generally speaking, poor situation today:
• Federated identity widely not available
• Strong authentication available only through
delegation
• Provisioning of user access is proprietary to
provider
• User profiles are limited to “administrator” and
“user”
• Privilege management is coarse, not granular
11
- 12. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
IAM – going forward
• Emerging identity-as-a-service (IDaaS)
needs to evolve beyond authentication
• SAML, SPML and XACML (especially) need
to be more fully leveraged
• Increasing need for user-to-service and
service-to-service authentication and
authorization (OAuth)
12
- 13. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Privacy – currently
• Transborder data issues may be exacerbated
• Specifically, where are cloud computing activities
occurring?
• Data governance is weak
• Encryption is not pervasive
• Data remanence receives inadequate attention
• Cusps absolve themselves of privacy concerns:
‘We don’t look at your data’
13
- 14. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Privacy – going forward
• Privacy laws are inconsistent across
jurisdictions; need global standard
• Need specific requirements for auditing (e.g.,
AICPA/CICA Generally Accepted Privacy Principles
– GAPP)
14
- 15. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Audit & Compliance – currently
• Effectiveness of current audit frameworks
questionable (e.g., SAS 70 Type II)
• CSP users need to define:
• their control requirements
• understand their CSP’s internal control monitor-
ing processes
• analyze relevant external audit reports
• Issue is assurance of compliance
15
- 16. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Audit & Compliance – going forward
• Inter-cloud (i.e., cross-CSP) solutions will
demand unified compliance framework
• Volume, multi-tenancy of cloud computing,
demand that CSP compliance programs be
more real-time and have greater coverage
than most traditional compliance programs
16
- 17. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Security-as-a-Service – currently
• Some offerings mature
• E-mail filtering, archiving
• Web content filtering
• Some offerings still emerging
• (E-mail) eDiscovery
• Identity-as-a-Service (IDaaS)
• Encryption, key management
• Today’s security-as-a-service providers sell
to CSP customers, not CSPs
• None of today’s CSPs offer security-as-a-
service as integrated offering
17
- 18. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Security-as-a-Service – going forward
• Horizontal integration
• Pure play SaaS providers will broaden offerings
beyond e-mail + Web content filtering
• Vertical integration
• CSPs will offer SaaS as integrated offering
• IDaaS has to scale effectively for cloud
computing to truly take off
• Complexity of key management screams for
SaaS offering
18
- 19. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Impact on Role of Corporate IT – currently
• Governance issue as internal IT becomes
“consultants” and business analysts to
business units
• Delineation of responsibilities between
providers and customers much more
nebulous than between customers and
outsourcers, collocation facilities, or ASPs
• Cloud computing likely to involve much more
direct business unit interaction with CSPs
than with other providers previously
19
- 20. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Impact on Role of Corporate IT – going forward
• Relationship between business units and corporate
IT departments vis-à-vis CSPs will shift greater
power to business units from IT
• Number of functions performed today by corporate
IT departments will shift to CSPs, along with
corresponding job positions
• Functions performed by corporate IT departments
will shift from those who do (i.e., practitioners who
build or operate) to those who define and manage
• IT itself will become more of a commodity as
practices and skills are standardized and
automated
20
- 21. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Conclusions
• Part of customers’ infrastructure security
moves beyond their control
• Provider’s infrastructure security may
(enterprise) or may not (SMB) be less robust
than customers’ expectations
• Data security becomes significantly more
important – yet provider capabilities are
inadequate (except for simple storage which
can be encrypted, and processing of non-
sensitive (unregulated and unclassified) data
21
- 22. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Conclusions (continued)
• IAM is less than adequate for enterprises –
weak authentication unless delegated back
to customers or federated, weak authoriza-
tion, proprietary provisioning
• Because of above, expect significant
business unit pressure to desensitize or
anonymize data; expect this to become a
chokepoint
• No established standards for obfuscation,
redaction, or truncation
22
- 23. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
What’s Good about the Cloud?
• A lot! Both for enterprises and SMBs – for
handling of non-sensitive (unregulated and
unclassified) data
• Cost
• Flexibility
• Scalability
• Speed
23
- 24. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Developments to Watch
• VMware’s vCloud API − submitted to DMTF
• Amazon’s Virtual Private Cloud − hybrid
cloud that extends private cloud through
“cloud bursting”
• Security-as-a-Service offered by CSPs (e.g.,
Amazon’s Multi-Factor Authentication)
• Cloud Security Alliance v2 white paper
• Slow transparency and assurance from CSP
(e.g., ISO 27002-based assurance)
• IT governance framework that blends ITIL,
ISO 27002, CObIT 24
- 25. © 2009 Tim Mather, Subra Kumaraswamy, Shahed Latif
Cloud Security and Privacy:
An Enterprise Perspective on Risks and Compliance
Continue the discussion on-line at: cloudsecurityandprivacy.com
25