Thin Air or Solid Ground? Practical Cloud Security
Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved
Agenda
Introduction
• Your presenter
• Service models
The Cloud Landscape Today
• Adoption
• Market for cloud security products
Tales from the Cloud (AWS & Elsewhere)
• Building a cloud security program from scratch
• Dan’s top 10 (it goes up to 11!)
• Gotchas
Looking Ahead
• Open APIs
• CASB
Wrap-Up & Discussion
• Helpful resources
• Appendices
Strategy without tactics is the slowest route to victory.
Tactics without strategy is the noise before defeat.
-Sun Tzu
About Me…
Professional
• CISO at Uptake, a Chicago data analytics startup that developed a cloud-based predictive analytics platform for the IoT of global industry and infrastructure
• Started my security career in Silicon Valley in the late 90s
• Accenture, PwC & independent consulting
• Consulted for the 2004 Athens Olympics and lived in Greece
• Done security work on four continents
Personal
• Live in Oak Park, grew up in NJ (go Yankees!)
• Will write the great American novel one day
• Love to travel
Today’s Cloud Landscape
Some Stats on Cloud Adoption
• APAC will generate 2.3 zettabytes of cloud traffic by 2018*
• Consumer cloud storage traffic will be 10 exabytes globally in 2016 and 19 exabytes in 2018*
• Cloud data center traffic will represent 76% of total data center traffic by 2018, compared to 54% in 2013
• Globally, cloud data center traffic will reach 6.5 zettabytes per year (541 exabytes per month) by 2018, up from 1.6 zettabytes per year (137 exabytes per month) in 2013
• Non-IT C-suite executives manage 37% of IT spend decisions on cloud technology adoption**
• 55% of C-level respondents were unable to identify basic attributes of hybrid cloud
• 69% of respondents indicated hybrid cloud should be the biggest priority for their business**
• 72% plan to adopt hybrid solutions in 2015!
*Cisco Global Cloud Index 2013-2018 (2014)
**Avanade Global Study: Hybrid Cloud—From Hype to Reality (2014)
Evolving Service Models
The Boundaries Between SaaS, PaaS, & IaaS
Are Blurring
Source: Forrester, The Forrester Wave™: Enterprise Public Cloud Platforms, Q4 2014, December 29, 2014
Huge Growth in Cloud Security Vendors
• Secure email: $942m in 2015, $1b by 2017
• IdM: $860m in 2015, $1.2b by 2017
• Multifunction Identity as a Service (IDaaS) is the primary growth driver
• SSO also significant
• SMB sectors driving a lot of growth, but large enterprises are also a factor
Tales from the Cloud (AWS & Elsewhere)
My experiences and recommendations
Chicken Little & the Pompous Engineer
Cloud is not all that new, or that different from security in traditional IT systems or hosting relationships, but many folks seem to lose their reason when evaluating cloud solutions and security.
[Diagram: a knowledge spectrum running from "Too little" to "Too much"]
Informed risk-based decisions:
• No ‘one size fits all’
• Based on your business requirements & risk appetite
• Regulatory & geographical profile
The Shared Responsibility Concept
• AWS-specific diagram, but the concepts apply elsewhere: the provider is responsible for security of the cloud (facilities, hardware, hypervisor and the internals of its managed services), while the customer is responsible for security in the cloud (what you run on it: OS patching, IAM, network rules and data encryption)

Provider Security Certifications
• Scope is key: check which services, regions and control objectives a certification actually covers
• Third-party certifications should be a significant focus as you build your cloud security program
• Avoid the “checklist mentality”
Source: Forrester, The Forrester Wave™: Public Cloud Platform Service Provider’s Security (2014)
Building a cloud security program from scratch
Business background
• SaaS predictive analytics platform
• Company ~1 year old
• Explosive growth: 60 employees when I started, now 250+
• Brought on as CISO prior to internal IT team/CIO
• Target customers: Fortune 500
• Low risk tolerance
• Significant customer and regulatory requirements
Technology
• AWS environment with VPCs
• DevOps/Agile environment, heavy development focus
• Limited knowledge of enterprise IT practices
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
What We Did First
1. Socializing security
• Charm & informal security awareness offensive
• Management by walking around
2. Establish core security program
• Risk assessments
• Control roadmap
• Create charter, governance framework
• Service providers
3. Conduct tactical remediation
• Technical risks / low-hanging fruit
• Negotiate immediate customer requirements & establish temporary policies
4. Secure infrastructure design & build
• Vendors, vendors, vendors
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
High Level Program

High Level Architecture

Underlying Architecture Components
• Build out security services layer / command centers
Dan’s top 10 (it goes up to 11!)
1. Embrace the changes
2. Maintain or improve your focus on risk management
• Use CSA, NIST and other resources
• Tighten up your VRM (vendor risk management) posture
• How will you maintain your asset inventory?
3. Data governance, lifecycle and provenance
• Document your data flows early and often
• Understand privacy requirements
• Call out geographical data requirements early
4. Let cloud help you
• Seize the opportunity to refine or redo your security infrastructure
• Embrace cloud-based security solutions
• Prepare for “beta” and integration challenges
5. Partitioning & segmentation = security & portability
• Too many eggs in one cloud provider’s basket can increase risk
• Make sure that if your business moves away from a cloud provider, your security systems won’t hamper that move
6. Plan for robust encryption & PKI
• If providing services to customers or internal LoBs, consider BYOK (bring your own key) models
• Evaluate native solutions vs. third party
• Key management!
7. Shore up your endpoints
• What? Aren’t we talking about cloud?
• Endpoints are the weak link / open window for attackers
8. Get familiar with DevOps & containerization
9. Two-factor everything & use privileged access solutions
• Key management
10. Monitor billing and usage where feasible
• You can learn a great deal from AWS console logs (CloudTrail)
11. Plan on physical infrastructure and increased bandwidth. You will need it!
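Items 9 and 10 above both point at the AWS audit trail. As an added example (not code from the presentation or its author), the Python below scans CloudTrail records and flags successful console logins made without MFA plus any activity by the account root user. The records are constructed for this example and are not real log data; they follow CloudTrail's field names (eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin), while the function names are the example's own.

```python
"""Flag console logins without MFA and root-user activity in CloudTrail records.

Added example for this page, not the presenter's code. CloudTrail records a
"ConsoleLogin" event with additionalEventData.MFAUsed, and every record carries
userIdentity.type, which is "Root" for the account root user.
"""
import json

# Constructed sample records in CloudTrail's JSON layout (not real events).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2015-10-01T13:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.10",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-10-01T13:15:40Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-10-01T14:01:05Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.7",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2015-10-01T14:03:22Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.7",
     "responseElements": None},
    {"eventTime": "2015-10-01T15:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "sourceIPAddress": "192.0.2.44",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"}},
]})


def parse_trail(text):
    """Return the record list from the body of one CloudTrail log file."""
    return json.loads(text).get("Records", [])


def _who(record):
    """IAM user name, or the identity type (e.g. 'Root') when there is none."""
    ui = record.get("userIdentity") or {}
    return ui.get("userName") or ui.get("type", "unknown")


def console_logins_without_mfa(records, include_failed=False):
    """Successful (or, optionally, all) console logins where MFA was not used."""
    hits = []
    for r in records:
        if r.get("eventName") != "ConsoleLogin":
            continue
        outcome = (r.get("responseElements") or {}).get("ConsoleLogin")
        if outcome != "Success" and not include_failed:
            continue
        # A missing MFAUsed field is treated as "No" so the check fails closed.
        if (r.get("additionalEventData") or {}).get("MFAUsed") != "Yes":
            hits.append({"user": _who(r), "ip": r.get("sourceIPAddress"),
                         "time": r.get("eventTime"), "outcome": outcome})
    return hits


def root_activity(records):
    """Every login or API call made as the account root user."""
    return [{"event": r.get("eventName"), "time": r.get("eventTime"),
             "ip": r.get("sourceIPAddress")}
            for r in records
            if (r.get("userIdentity") or {}).get("type") == "Root"]


if __name__ == "__main__":
    recs = parse_trail(SAMPLE_TRAIL)
    for h in console_logins_without_mfa(recs):
        print("console login without MFA:", h)
    for e in root_activity(recs):
        print("root user activity:", e)
```

Feed parse_trail the body of a real CloudTrail log file and run both checks over the result. The failed login without MFA (carol above) is noise for the MFA policy but useful for spotting password guessing, which is why include_failed exists. The root user is not constrained by IAM policies, so any root event in the trail is worth investigating rather than filtering.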
Gotchas
• IT partners & DevOps personnel may not be familiar with cloud security integration requirements and vendors
• “Your security logging drove our AWS bills from $6K a month to $40K…”
• “We don’t want firewall management outsourced, but we don’t know how to set up HA on the Palos…”
• “Why do we need <MPLS | physical infrastructure | more endpoint security | …> etc.?”
• Many traditional security vendors are “in beta” with cloud capabilities
• Shadow IT: business stakeholders can procure and deploy very quickly
• Identity governance (weak at most cloud providers; Azure is the best available)
Looking Ahead
Cloud Security Open APIs
Expedite cloud deployments
A well-known and standard API layer will give
enterprise developers the ability to leverage core
cloud functions quickly, thus expediting the pace of
cloud deployments.
Foster cross-cloud innovations
With the Cloud Security Open APIs, developers now
have a way to write cross-cloud functions without
having to custom integrate with each cloud that it
touches.
Extend cloud services reach to new functionality
From the perspective of a cloud service provider
(CSP), the Cloud Security Open APIs will allow a
much larger set of developers (than those within the
CSP’s own company) to leverage the CSP’s core code
base/data and deliver adjacent functionality.
Source: Cloud Security Alliance (2015)
Cloud Access Security Brokers (CASB)
“By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.”
• CASBs are on-premises or cloud-based security policy enforcement points placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
• CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, SSO, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.
3 flavors of CASB: direct to cloud, proxy, API
• API mode works after the fact through the provider’s own API, so it only covers services that expose one; proxy mode is inline and can block in real time, but only for traffic that is routed through the proxy.
Protocols include: SAML, OAuth, XACML, ICAP, OSSL, JSON, etc.
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
CASB—API Mode
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)

CASB—Proxy Model
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)

Wrapping up
• Follow the data
• Plan for ongoing risk management and VRM
• Learn ‘enough’ about new technologies / bring in SMEs (DevOps, containers, continuous deployment, etc.)
• Make your security posture & team more agile
• Change is the only constant
• Focus on fundamentals and beware of silver bullets
Thank you for a great session
dwfitzgerald1@gmail.com
https://www.linkedin.com/in/danfitzgerald2
Appendices
Helpful resources
Cloud Security Alliance (https://cloudsecurityalliance.org/)
• Great source for controls: the Cloud Controls Matrix (CCM)
• Certifications
• Research publications and collaboration opportunities
AWS Security Blog (http://blogs.aws.amazon.com/security)
• Amazing number of white papers and implementation guidelines
• FedRAMP, HIPAA, and other compliance architectures
• Just rolled out security training classes
Azure Security Center (https://azure.microsoft.com/en-us/support/trust-center/security/)
• Microsoft landing page for security information
NIST (http://www.nist.gov/cyberframework/)
• Critical infrastructure guides and framework
NIST (http://www.nist.gov/itl/cloud/)
• Cloud materials
FedRAMP (https://www.fedramp.gov/)
• Federal cloud computing standards
PCI SSC Cloud Information Supplement (https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf)
• Detailed list of responsibilities and configuration guidance for cloud & PCI DSS compliance
• Useful for guiding principles beyond PCI
ISO (http://www.iso.org)
• Cloud security code of practice and other guidelines in development (ISO/IEC FDIS 27017)
• Supports the STAR certifications
• Requires a license to obtain the actual standards
• Website is kind of confusing; search for “cloud”
Definitions
Per NIST SP 800-145 (2011):
• Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
• This cloud model is composed of five essential characteristics, three service models, and four deployment models.
Essential Characteristics
Per NIST SP 800-145 (2011):
1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service
Service Models
SaaS (Software as a Service)
• Use the provider’s application
• Accessible from clients via a thin interface
• Limited user configuration settings at the application layer
PaaS (Platform as a Service)
• Deploy applications onto the cloud platform
• Consumer does not manage the underlying cloud infrastructure, including network, servers, operating systems, or storage
• Customers control deployed applications and may be able to configure some application environment settings
IaaS (Infrastructure as a Service)
• Customer control over operating systems, storage and deployed applications, and possibly select networking components
Deployment Models
Private Cloud
• Provisioned for use by a single organization
• May be owned and managed by the organization, a third party or a combination
• On-premise and hosted options
Community Cloud
• Provisioned for exclusive use by a specific community of consumers from organizations with shared concerns
• May be owned or managed by one or more organizations in the community, third parties or a combination
• On-premise and hosted options
Public Cloud
• Provisioned for use by the general public
• May be owned, managed and operated by a business, academic or governmental organization or a combination
• Hosted on the premises of the provider
Hybrid Cloud
• Combination of distinct and autonomously operated public/private and/or community clouds
• May be tied together by management layers, APIs, cloud broker solutions or other connectivity
Shadow IT
Survey respondents’ primary concerns about Shadow IT are:
• Security of corporate data in the cloud (49 percent)
• Potential compliance violations (25 percent)
• The ability to enforce policies (19 percent)
• Redundant services creating inefficiency (8 percent)
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
Thin Air or Solid Ground, Oct. 2015, Dan
Fitzgerald, All Rights Reserved
36
Security-Related Cloud Stats
Source: Cloud Security Alliance Cloud Adoption
Practices & Priorities Survey Report (2015)
Thin Air or Solid Ground, Oct. 2015, Dan
Fitzgerald, All Rights Reserved
37
Security-Related Cloud Stats
Source: Cloud Security Alliance Cloud Adoption
Practices & Priorities Survey Report (2015)

More Related Content

What's hot

63 Requirements for CASB
63 Requirements for CASB63 Requirements for CASB
63 Requirements for CASB
Kyle Watson
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak
 
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Security Roadshow: Toronto Presentation - April 15, 2015Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Decisions
 
Becomming a cloud governance ninja linthicum interop fall 2013
Becomming a cloud governance ninja linthicum interop fall 2013Becomming a cloud governance ninja linthicum interop fall 2013
Becomming a cloud governance ninja linthicum interop fall 2013
David Linthicum
 

What's hot (20)

CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption? CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption?
 
Keys to success and security in the cloud
Keys to success and security in the cloudKeys to success and security in the cloud
Keys to success and security in the cloud
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
 
Cloud security ppt
Cloud security pptCloud security ppt
Cloud security ppt
 
Cloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing CapabilitiesCloud Governance Framework - Required Cloud Sourcing Capabilities
Cloud Governance Framework - Required Cloud Sourcing Capabilities
 
Biznet Gio Presentation - Database Security
Biznet Gio Presentation - Database SecurityBiznet Gio Presentation - Database Security
Biznet Gio Presentation - Database Security
 
63 Requirements for CASB
63 Requirements for CASB63 Requirements for CASB
63 Requirements for CASB
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and AuditSukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
 
Biznet Gio Presentation - Cloud Computing
Biznet Gio Presentation - Cloud ComputingBiznet Gio Presentation - Cloud Computing
Biznet Gio Presentation - Cloud Computing
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 
Governing in the Cloud
Governing in the CloudGoverning in the Cloud
Governing in the Cloud
 
5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases
 
Cloud Perspectives - Ottawa Seminar - Oct 6
Cloud Perspectives - Ottawa Seminar - Oct 6Cloud Perspectives - Ottawa Seminar - Oct 6
Cloud Perspectives - Ottawa Seminar - Oct 6
 
Cloud Security: A New Perspective
Cloud Security: A New PerspectiveCloud Security: A New Perspective
Cloud Security: A New Perspective
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First  Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
 
Webroot - self-defending IoT devices & gateways
Webroot - self-defending IoT devices & gateways Webroot - self-defending IoT devices & gateways
Webroot - self-defending IoT devices & gateways
 
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Security Roadshow: Toronto Presentation - April 15, 2015Scalar Security Roadshow: Toronto Presentation - April 15, 2015
Scalar Security Roadshow: Toronto Presentation - April 15, 2015
 
Becomming a cloud governance ninja linthicum interop fall 2013
Becomming a cloud governance ninja linthicum interop fall 2013Becomming a cloud governance ninja linthicum interop fall 2013
Becomming a cloud governance ninja linthicum interop fall 2013
 
IT Security As A Service
IT Security As A ServiceIT Security As A Service
IT Security As A Service
 

Similar to Thin Air or Solid Ground? Practical Cloud Security

Cloud computing elisheba wiggins
Cloud computing elisheba wigginsCloud computing elisheba wiggins
Cloud computing elisheba wiggins
Elisheba Wiggins
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Norm Barber
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
patmisasi
 
Itmgen 4317 security
Itmgen 4317 securityItmgen 4317 security
Itmgen 4317 security
Cisco
 

Similar to Thin Air or Solid Ground? Practical Cloud Security (20)

Cloud computing elisheba wiggins
Cloud computing elisheba wigginsCloud computing elisheba wiggins
Cloud computing elisheba wiggins
 
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - SanitizedMigrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
Migrating Critical Applications To The Cloud - ISACA Seattle - Sanitized
 
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitizedMigrating Critical Applications to the Cloud - isaca seattle - sanitized
Migrating Critical Applications to the Cloud - isaca seattle - sanitized
 
Keys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-CloudKeys-to-Success-and-Security-in-the-Cloud
Keys-to-Success-and-Security-in-the-Cloud
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
 
State of the Cloud and Data Centers 2014
State of the Cloud and Data Centers 2014State of the Cloud and Data Centers 2014
State of the Cloud and Data Centers 2014
 
Cloud Seeding
Cloud SeedingCloud Seeding
Cloud Seeding
 
Itmgen 4317 security
Itmgen 4317 securityItmgen 4317 security
Itmgen 4317 security
 
Shared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud securityShared responsibility - a model for good cloud security
Shared responsibility - a model for good cloud security
 
Evaluating the Cloud
Evaluating the CloudEvaluating the Cloud
Evaluating the Cloud
 
EasyStack True Private Cloud | Quek Keng Oei
EasyStack True Private Cloud | Quek Keng OeiEasyStack True Private Cloud | Quek Keng Oei
EasyStack True Private Cloud | Quek Keng Oei
 
Demystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public SectorDemystifying Cloud Security: Lessons Learned for the Public Sector
Demystifying Cloud Security: Lessons Learned for the Public Sector
 
Securing Data in the Cloud - GISEC2017
Securing Data in the Cloud - GISEC2017Securing Data in the Cloud - GISEC2017
Securing Data in the Cloud - GISEC2017
 
Cloud Computing Overview
Cloud Computing OverviewCloud Computing Overview
Cloud Computing Overview
 
cloud economics - Toronto FSI Symposium - October 2016
cloud economics - Toronto FSI Symposium - October 2016cloud economics - Toronto FSI Symposium - October 2016
cloud economics - Toronto FSI Symposium - October 2016
 
Moving to the Cloud-How to Develop Cloud Strategy for Your Organization
Moving to the Cloud-How to Develop Cloud Strategy for Your OrganizationMoving to the Cloud-How to Develop Cloud Strategy for Your Organization
Moving to the Cloud-How to Develop Cloud Strategy for Your Organization
 
Which Cloud? It All Starts with Assessing Application Readiness
Which Cloud? It All Starts with Assessing Application ReadinessWhich Cloud? It All Starts with Assessing Application Readiness
Which Cloud? It All Starts with Assessing Application Readiness
 
Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]Security & Compliance in the Cloud [2019]
Security & Compliance in the Cloud [2019]
 
Zero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOpsZero-Trust SASE DevSecOps
Zero-Trust SASE DevSecOps
 
Developing a cloud strategy - Presentation Nexon ABC Event
Developing a cloud strategy - Presentation Nexon ABC EventDeveloping a cloud strategy - Presentation Nexon ABC Event
Developing a cloud strategy - Presentation Nexon ABC Event
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 

Thin Air or Solid Ground? Practical Cloud Security

  • 1. Thin Air or Solid Ground? Practical Cloud SecurityThin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved 1
  • 2. Agenda Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved 2 Introduction  Your presenter  Service models The Cloud Landscape Today  Adoption  Market for cloud security products Tales from the Cloud (AWS & Elsewhere) • Building a cloud security program from scratch • Dan’s top 10 (it goes up to 11!) • Gotchas Looking Ahead • Open APIs • CASB Wrap-Up & Discussion • Helpful resources • Appendices
  • 3. Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat. -Sun Tzu Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved 3
  • 4. Professional • CISO at Uptake, a Chicago data analytics startup that developed a cloud-based predictive analytics platform for the IoT of global industry and infrastructure • Started my security career in Silicon Valley in late 90s • Accenture, PwC & Independent consulting • Consulted for 2004 Athens Olympics and lived in Greece • Done security work on four continents Personal • Live in Oak Park, grew up in NJ (go Yankees!) • Will write great American novel one day • Love to travel Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved 4 About Me…
  • 5. Today’s Cloud Landscape Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved 5
  • 6. Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved 6 Some Stats on Cloud Adoption APAC will generate 2.3 zettabytes of cloud traffic by 2018* *Cisco Global Cloud Index 2013-2018 (2014) **Avanade Global Study: Hybrid Cloud—From Hype to Reality (2014) Consumer cloud storage traffic 10 exabytes globally in 2016, 19 exabytes in 2018*  Cloud data center traffic will represent 76% of total data center traffic by 2018, compared to 54% in 2013.  Globally, cloud data center traffic will reach 6.5 Zettabytes per year (541 Exabytes per month) by 2018, up from 1.6 Zettabytes per year (137 Exabytes per month) in 2013.  Non-IT C-suite executives manage 37% of IT spend decisions on cloud technology adoption*  55% of C-level respondents unable to identify basic attributes of hybrid cloud  69% of respondents indicated hybrid cloud should be biggest priority for their business**  72% plan to adopt hybrid solutions in 2015!
• 7. Evolving Service Models
  The boundaries between SaaS, PaaS, and IaaS are blurring.
  Source: Forrester, The Forrester Wave™: Enterprise Public Cloud Platforms, Q4 2014, December 29, 2014
• 8. Huge Growth in Cloud Security Vendors
  • Secure Email: $942m in 2015, $1b by 2017
  • IdM: $860m in 2015, $1.2b by 2017
  • Multifunction Identity as a Service (IDaaS) primary growth
  • SSO also significant
  • SMB sectors driving a lot of growth, but large enterprises also a factor
• 9. Tales from the Cloud (AWS & Elsewhere)
  My experiences and recommendations
• 10. Chicken Little & the Pompous Engineer
  Cloud is not all that new, or that different from security in traditional IT systems or hosting relationships, but many folks seem to lose their reason when evaluating cloud solutions and security.
  (Diagram: a knowledge spectrum from "too little" to "too much", with informed risk-based decisions in between)
  Informed risk-based decisions
  • No "one size fits all"
  • Based on your business requirements & risk appetite
  • Regulatory & geographical profile
• 11. The Shared Responsibility Concept
  • AWS-specific diagram, but the concepts do apply elsewhere
• 12. Provider Security Certifications
  • Scope is key
  • 3rd party certifications should be a significant focus as you build your cloud security program
  • **Avoid the "checklist mentality"**
  Source: Forrester, The Forrester Wave™: Public Cloud Platform Service Provider's Security (2014)
• 13. Building a Cloud Security Program from Scratch
  Business Background
  • SaaS predictive analytics platform
  • Company ~1 year old
  • Explosive growth: 60 employees when I started, now 250+
  • Brought on as CISO prior to internal IT team/CIO
  • Target customers Fortune 500
  • Low risk tolerance
  • Significant customer and regulatory requirements
  Technology
  • AWS environment w/VPCs
  • DevOps/Agile environment, heavy development focus
  • Limited knowledge of enterprise IT practices
  Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
• 14. What We Did First
  1. Socializing security
    • Charm & informal security awareness offensive
    • Management by walking around
  2. Establish core security program
    • Risk assessments
    • Control roadmap
    • Create charter, governance framework
    • Service providers
  3. Conduct tactical remediation
    • Technical risks/low hanging fruit
    • Negotiate immediate customer requirements & establish temporary policies
  4. Secure Infrastructure Design & Build
    • Vendors, vendors, vendors
  Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
• 15. High Level Program
• 16. High Level Architecture
  Build out security services layer/command centers
• 17. Underlying Architecture Components
• 18. Dan's Top 10
  1. Embrace the changes
  2. Maintain or improve your focus on risk management
    • Use CSA, NIST and other resources
    • Tighten up VRM posture
    • How will you maintain your asset inventory?
  3. Data governance, lifecycle and provenance
    • Document your data flows early and often
    • Understand privacy requirements
    • Call out geographical data requirements early
  4. Let cloud help you
    • Seize on the opportunity to refine or redo your security infrastructure
    • Embrace cloud-based security solutions
    • Prepare for "beta" and integration challenges
• 19. Dan's Top 10
  5. Partitioning & segmentation = security & portability
    • Too many eggs in one cloud provider's basket can increase risk
    • Make sure that in the event your business moves away from a cloud provider, your security systems won't hamper that.
  6. Plan for robust encryption & PKI
    • If providing services to customers or internal LoBs, consider BYOK models.
    • Evaluate native solutions vs. third party
    • Key management!
  7. Shore up your endpoints
    • What? Aren't we talking about cloud?
    • Weak link/open window for attackers
• 20. Dan's Top 10
  8. Get familiar with DevOps & Containerization
  9. 2 factor everything & use privileged access solutions
    • Key management
  10. Monitor billing and usage where feasible
    • You can learn a great deal from AWS console logs
  11. Plan on physical infrastructure and increased bandwidth. You will need it!
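As an added example (not part of the original deck) tying points 9 and 10 together: a small Python review of CloudTrail console sign-in records that flags sign-ins made without MFA, any use of the root account, and repeated failures. The sample log body is constructed; the field names (eventName, userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin) follow the CloudTrail ConsoleLogin event format.

```python
import json
from collections import Counter

# Constructed sample log body (not real events) in the shape CloudTrail uses for
# console sign-ins: eventName "ConsoleLogin", userIdentity.type "IAMUser"/"Root",
# additionalEventData.MFAUsed "Yes"/"No", responseElements.ConsoleLogin "Success"/"Failure".
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Failure"}},
    # An ordinary API call, which the review must ignore.
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def load_records(trail_json):
    """Parse one CloudTrail log file body ({"Records": [...]}) into a list of events."""
    return json.loads(trail_json).get("Records", [])


def review_console_logins(records):
    """Flag successful sign-ins without MFA, any root sign-in, and count failures per principal."""
    findings = {"no_mfa": [], "root_logins": [], "failures": Counter()}
    for rec in records:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        ident = rec.get("userIdentity", {})
        # Root has no userName, so fall back to the identity type.
        who = ident.get("userName") or ident.get("type", "unknown")
        outcome = rec.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            findings["failures"][who] += 1  # repeated failures deserve a look
            continue
        if ident.get("type") == "Root":
            findings["root_logins"].append(who)  # root should not be used day to day
        if rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings["no_mfa"].append(who)  # "2 factor everything" not met
    return findings


if __name__ == "__main__":
    print(review_console_logins(load_records(SAMPLE_TRAIL)))
```

Point the loader at real CloudTrail log files (same `{"Records": [...]}` body) to run the review over an account's own history.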
• 21. Gotchas
  • IT partners & DevOps personnel may not be familiar with cloud security integration requirements and vendors
    • "Your security logging drove our AWS bills from $6K a month to $40k…"
    • "We don't want firewall management outsourced, but we don't know how to set up HA on the Palos…"
    • "Why do we need <MPLS | physical infrastructure | more endpoint security | …>?"
  • Many traditional security vendors are "in beta" with cloud capabilities
  • Shadow IT: business stakeholders can procure and deploy very quickly
  • Identity governance (weak at most cloud providers; Azure is best available)
• 22. Looking Ahead
• 23. Cloud Security Open APIs
  Expedite cloud deployments: A well-known and standard API layer will give enterprise developers the ability to leverage core cloud functions quickly, thus expediting the pace of cloud deployments.
  Foster cross-cloud innovations: With the Cloud Security Open APIs, developers now have a way to write cross-cloud functions without having to custom integrate with each cloud that it touches.
  Extend cloud services reach to new functionality: From the perspective of a cloud service provider (CSP), the Cloud Security Open APIs will allow a much larger set of developers (than those within the CSP's own company) to leverage the CSP's core code base/data and deliver adjacent functionality.
  Source: Cloud Security Alliance (2015)
• 24. Cloud Access Security Brokers (CASB)
  "By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%."
  • CASBs are on-premises, or cloud-based, security policy enforcement points placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
  • CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, SSO, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.
  3 flavors of CASB: Direct to Cloud, Proxy, API
  Protocols include: SAML, OAUTH, XACML, ICAP, OSSL, JSON, etc.
  Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
• 25. CASB—API Mode
  Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
• 26. CASB—Proxy Model
  Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
• 27. Wrapping Up
   Follow the data
   Plan for ongoing risk management and VRM
   Learn "enough" about new technologies / bring in SMEs (DevOps, containers, continuous deployment, etc.)
   Make your security posture & team more agile
   Change is the only constant
   Focus on fundamentals and beware of silver bullets
• 28. Thank you for a great session
  dwfitzgerald1@gmail.com
  https://www.linkedin.com/in/danfitzgerald2
• 29. Appendices
• 30. Helpful Resources
  Cloud Security Alliance (https://cloudsecurityalliance.org/)
    • Great source for controls: CCM
    • Certifications
    • Research publications, collaboration opportunities
  AWS Security Blog (http://blogs.aws.amazon.com/security)
    • Amazing number of white papers and implementation guidelines
    • FedRAMP, HIPAA, and other compliance architectures
    • Just rolled out security training classes
  Azure Security Center (https://azure.microsoft.com/en-us/support/trust-center/security/)
    • MS landing page for security information
  NIST Cybersecurity Framework (http://www.nist.gov/cyberframework/)
    • Critical infrastructure guides and framework
  NIST Cloud Computing (http://www.nist.gov/itl/cloud/)
    • Cloud materials
  FedRAMP (https://www.fedramp.gov/)
    • Federal cloud computing standards
  PCI SSC Cloud Information Supplement (https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf)
    • Detailed list of responsibilities and configuration guidance for cloud & PCI DSS compliance
    • Useful for guiding principles beyond PCI
  ISO (http://www.iso.org)
    • Cloud security code of practice and other guidelines in development (ISO/IEC FDIS 27017)
    • Support the STAR certifications
    • Require license to obtain actual standards
    • Website is kind of confusing: search for "cloud"
• 31. Definitions
  Per NIST (c2011):
   Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
   This cloud model is composed of:
     Five essential characteristics
     Three service models
     Four deployment models
• 32. Essential Characteristics
  Per NIST (c2011):
  1. On-demand self-service
  2. Broad network access
  3. Resource pooling
  4. Rapid elasticity
  5. Measured service
• 33. Service Models
  SaaS (Software as a Service)
     Use provider's application
     Accessible from clients via thin interface
     Limited user configuration settings at the application layer
  PaaS (Platform as a Service)
    • Deploy applications onto cloud platform
    • Consumer does not manage underlying cloud infrastructure including network, servers, operating systems, or storage
    • Customers control deployed applications and may be able to configure some application environment settings
  IaaS (Infrastructure as a Service)
    • Customer control over operating systems, storage, deployed applications, and possibly select networking components
• 34. Deployment Models
  Private Cloud
     Provisioned for use by a single organization
     May be owned and managed by organization, third party or a combination
     On-premise, hosted options
  Community Cloud
    • Provisioned for exclusive use by a specific community of consumers from organizations with shared concerns
    • May be owned or managed by one or more organizations in community, third parties or combination
    • On-premise, hosted options
  Public Cloud
    • Provisioned for use by general public
    • May be owned, managed and operated by a business, academic or governmental organization or combination
    • Hosted on premises of provider
  Hybrid Cloud
    • Combination of distinct and autonomously operated public/private and/or community clouds
    • May be tied together by management layers, APIs, cloud broker solutions or other connectivity
• 35. Shadow IT
  Survey respondents' primary concerns about Shadow IT are:
  • Security of corporate data in the cloud (49 percent)
  • Potential compliance violations (25 percent)
  • The ability to enforce policies (19 percent)
  • Redundant services creating inefficiency (8 percent)
  Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
• 36. Security-Related Cloud Stats
  Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
• 37. Security-Related Cloud Stats
  Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)