The rapid growth and many flavors of cloud capabilities can provide great business value. If not well planned, they may also give security professionals fits. With perspective and a deliberate approach, CISOs can not only manage cloud security effectively, but leverage the cloud to power security capabilities.
This session will introduce challenges and trends relating to the cloud for information security practitioners. Much of the session will focus on the speaker's own successes, failures, pitfalls and pratfalls as CISO for a cloud-based startup that built an AWS-based SAAS predictive analytics platform. We will also touch on private cloud concerns, architecture planning and real-world solutions.
Thin Air or Solid Ground? Practical Cloud Security
1. Thin Air or Solid Ground? Practical Cloud Security
Thin Air or Solid Ground, Oct. 2015, Dan Fitzgerald, All Rights Reserved
2. Agenda
Introduction
• Your presenter
• Service models
The Cloud Landscape Today
• Adoption
• Market for cloud security products
Tales from the Cloud (AWS & Elsewhere)
• Building a cloud security program from scratch
• Dan’s top 10 (it goes up to 11!)
• Gotchas
Looking Ahead
• Open APIs
• CASB
Wrap-Up & Discussion
• Helpful resources
• Appendices
3. “Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat.”
-Sun Tzu
4. About Me…
Professional
• CISO at Uptake, a Chicago data analytics startup that developed a cloud-based predictive analytics platform for the IoT of global industry and infrastructure
• Started my security career in Silicon Valley in late 90s
• Accenture, PwC & independent consulting
• Consulted for 2004 Athens Olympics and lived in Greece
• Done security work on four continents
Personal
• Live in Oak Park, grew up in NJ (go Yankees!)
• Will write great American novel one day
• Love to travel
6. Some Stats on Cloud Adoption
• APAC will generate 2.3 zettabytes of cloud traffic by 2018*
• Consumer cloud storage traffic 10 exabytes globally in 2016, 19 exabytes in 2018*
• Cloud data center traffic will represent 76% of total data center traffic by 2018, compared to 54% in 2013.
• Globally, cloud data center traffic will reach 6.5 zettabytes per year (541 exabytes per month) by 2018, up from 1.6 zettabytes per year (137 exabytes per month) in 2013.
• Non-IT C-suite executives manage 37% of IT spend decisions on cloud technology adoption*
• 55% of C-level respondents unable to identify basic attributes of hybrid cloud
• 69% of respondents indicated hybrid cloud should be biggest priority for their business**
• 72% plan to adopt hybrid solutions in 2015!
*Cisco Global Cloud Index 2013-2018 (2014)
**Avanade Global Study: Hybrid Cloud—From Hype to Reality (2014)
7. Evolving Service Models
The Boundaries Between SaaS, PaaS, & IaaS Are Blurring
Source: Forrester, The Forrester Wave™: Enterprise Public Cloud Platforms, Q4 2014, December 29, 2014
8. Huge Growth in Cloud Security Vendors
• Secure Email - $942m in 2015, $1b by 2017
• IdM - $860m in 2015, $1.2b by 2017
• Multifunction Identity as a Service (IDaaS) primary growth
• SSO also significant
• SMB sectors driving a lot of growth, but large enterprises also a factor
9. Tales from the cloud (AWS & elsewhere)
My experiences and recommendations
10. Chicken Little & the Pompous Engineer
Cloud is not all that new, or that different from security in traditional IT systems or hosting relationships, but many folks seem to lose their reason when evaluating cloud solutions and security.
[Diagram: a “Knowledge” scale running from “Too little” to “Too much”, with “Informed risk-based decisions” in between]
Informed risk-based decisions
• No ‘one size fits all’
• Based on your business requirements & risk appetite
• Regulatory & geographical profile
11. The Shared Responsibility Concept
• AWS-specific diagram, but concepts do apply elsewhere
12. Provider Security Certifications
• Scope is key
• 3rd party certifications should be a significant focus as you build your cloud security program
• **Avoid the “checklist mentality”**
Source: Forrester, The Forrester Wave™: Public Cloud Platform Service Provider’s Security (2014)
13. Building a cloud security program from scratch
Business Background
• SAAS predictive analytic platform
• Company ~1 year old
• Explosive growth
• 60 employees when I started, now 250+
• Brought on as CISO prior to internal IT team/CIO
• Target customers Fortune 500
• Low risk tolerance
• Significant customer and regulatory requirements
Technology
• AWS environment w/VPCs
• DevOps/Agile environment, heavy development focus
• Limited knowledge of enterprise IT practices
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
14. What We Did First
1. Socializing security
• Charm & informal security awareness offensive
• Management by walking around
2. Establish core security program
• Risk assessments
• Control roadmap
• Create charter, governance framework
• Service providers
3. Conduct tactical remediation
• Technical risks/low hanging fruit
• Negotiate immediate customer requirements & establish temporary policies
4. Secure Infrastructure Design & Build
• Vendors, vendors, vendors
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
15. High Level Program
16. High Level Architecture
Build out security services layer/command centers
17. Underlying Architecture Components
18. Dan’s top 10
1. Embrace the changes
2. Maintain or improve your focus on risk management
• Use CSA, NIST and other resources
• Tighten up VRM posture
• How will you maintain your asset inventory?
3. Data governance, lifecycle and provenance
• Document your data flows early and often
• Understand privacy requirements
• Call out geographical data requirements early
4. Let cloud help you
• Seize on the opportunity to refine or redo your security infrastructure
• Embrace cloud-based security solutions
• Prepare for “beta” and integration challenges
19. Dan’s top 10
5. Partitioning & segmentation = security & portability
• Too many eggs in 1 cloud provider’s basket can increase risk
• Make sure that in the event your business moves away from a cloud provider, your security systems won’t hamper that.
6. Plan for robust encryption & PKI
• If providing services to customers or internal LoBs, consider BYOK models.
• Evaluate native solutions vs. third party
• Key management!
7. Shore up your endpoints
• What? Aren’t we talking about cloud?
• Weak link/open window for attackers
20. Dan’s Top 10
8. Get familiar with DevOps & Containerization
9. 2 factor everything & use privileged access solutions
• Key management
10. Monitor billing and usage where feasible
• You can learn a great deal from AWS console logs
11. Plan on physical infrastructure and increased bandwidth. You will need it!
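Items 9 and 10 above are easy to state and easy to leave unimplemented. The following is an added example (not from the deck or the speaker) of two small checks a team can run over data AWS already gives it: CloudTrail ConsoleLogin records, to find console logins made without MFA and failed or root-account login attempts, and a daily cost series, to spot a spend jump like the logging bill the Gotchas slide mentions. The record contents and the cost figures are constructed for the example; the field names (eventName, responseElements.ConsoleLogin, additionalEventData.MFAUsed, userIdentity.type) follow the real CloudTrail ConsoleLogin record layout, but the thresholds (window of 5 days, factor of 2) are assumptions to tune for your own account.

```python
"""Added example: MFA/console-login review and spend-spike detection over
constructed AWS data. Not code from the presentation."""
import json
from statistics import median

# Constructed CloudTrail-style records, one JSON object per line (NDJSON).
# Field names follow the CloudTrail ConsoleLogin event format; values are made up.
SAMPLE_CLOUDTRAIL = """\
{"eventTime":"2015-10-01T13:02:11Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2015-10-01T13:05:40Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2015-10-01T13:06:02Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MFAUsed":"No"},"errorMessage":"Failed authentication"}
{"eventTime":"2015-10-01T14:00:00Z","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"198.51.100.7"}
"""


def console_login_findings(cloudtrail_ndjson):
    """Return (eventTime, principal, sourceIP, reasons) for every ConsoleLogin
    event that deserves a look: success without MFA, failure, or root use."""
    findings = []
    for line in cloudtrail_ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue  # only console sign-ins are reviewed here
        ident = ev.get("userIdentity", {})
        principal = ident.get("userName") or ident.get("type", "unknown")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        mfa = ev.get("additionalEventData", {}).get("MFAUsed")
        reasons = []
        if outcome == "Failure":
            reasons.append("failed console login")
        elif outcome == "Success" and mfa != "Yes":
            reasons.append("console login without MFA")
        if ident.get("type") == "Root":
            reasons.append("root account used")  # root should not sign in day to day
        if reasons:
            findings.append((ev["eventTime"], principal,
                             ev.get("sourceIPAddress"), "; ".join(reasons)))
    return findings


# Constructed daily cost in USD for one service (e.g. log ingestion), oldest first.
SAMPLE_DAILY_COST = [210.0, 205.0, 220.0, 198.0, 215.0, 640.0, 1320.0]


def spend_spikes(daily_cost, window=5, factor=2.0):
    """Return (day_index, cost, baseline) for days whose cost exceeds
    `factor` times the median of the preceding `window` days.
    The median resists being dragged up by a single earlier spike."""
    spikes = []
    for i in range(window, len(daily_cost)):
        baseline = median(daily_cost[i - window:i])
        if daily_cost[i] > factor * baseline:
            spikes.append((i, daily_cost[i], baseline))
    return spikes


if __name__ == "__main__":
    for when, who, ip, why in console_login_findings(SAMPLE_CLOUDTRAIL):
        print(f"{when} {who} from {ip}: {why}")
    for day, cost, base in spend_spikes(SAMPLE_DAILY_COST):
        print(f"day {day}: ${cost:.2f} vs baseline ${base:.2f}")
```

In production the NDJSON would come from the CloudTrail log files delivered to S3 and the cost series from the billing reports, and both checks belong in whatever alerting pipeline the team already runs rather than in a script someone remembers to execute.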
21. Gotchas
• IT partners & DevOps personnel may not be familiar with cloud security integration requirements and vendors
• “Your security logging drove our AWS bills from $6K a month to $40k…”
• We don’t want firewall management outsourced, but we don’t know how to set up HA on the Palos…
• Why do we need <MPLS | physical infrastructure | more endpoint security | …> etc.?
• Many traditional security vendors are “in beta” with cloud capabilities
• Shadow IT - business stakeholders can procure and deploy very quickly
• Identity governance (weak at most cloud providers - Azure is best available)
22. Looking ahead
23. Cloud Security Open APIs
Expedite cloud deployments
A well-known and standard API layer will give enterprise developers the ability to leverage core cloud functions quickly, thus expediting the pace of cloud deployments.
Foster cross-cloud innovations
With the Cloud Security Open APIs, developers now have a way to write cross-cloud functions without having to custom integrate with each cloud that it touches.
Extend cloud services reach to new functionality
From the perspective of a cloud service provider (CSP), the Cloud Security Open APIs will allow a much larger set of developers (than those within the CSP’s own company) to leverage the CSP’s core code base/data and deliver adjacent functionality.
Source: Cloud Security Alliance (2015)
24. Cloud Access Security Brokers (CASB)
“By 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012, reducing the cost of securing access by 30%.”
• CASBs are on-premises, or cloud-based, security policy enforcement points placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed.
• CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, SSO, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.
3 Flavors of CASB: Direct to Cloud, Proxy, API
Protocols include: SAML, OAUTH, XACML, ICAP, OSSL, JSON, etc.
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
25. CASB—API Mode
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
26. CASB—Proxy Model
Source: Gartner, The Growing Importance of Cloud Access Security Brokers (2015)
27. Wrapping up
• Follow the data
• Plan for ongoing risk management and VRM
• Learn ‘enough’ about new technologies/bring in SMEs (DevOps/Containers/Continuous Deployment/etc.)
• Make your security posture & team more agile
• Change is the only constant
• Focus on fundamentals and beware of silver bullets
28. Thank you for a great session
dwfitzgerald1@gmail.com
https://www.linkedin.com/in/danfitzgerald2
30. Helpful resources
Cloud Security Alliance
• Great source for controls - CCM
• Certifications
• Research publications, collaboration opportunities
https://cloudsecurityalliance.org/
AWS Security Blog
• Amazing number of white papers and implementation guidelines
• FedRAMP, HIPAA, and other compliance architectures
• Just rolled out security training classes
http://blogs.aws.amazon.com/security
Azure Security Center
• MS landing page for security information
https://azure.microsoft.com/en-us/support/trust-center/security/
NIST
• Critical infrastructure guides and framework
http://www.nist.gov/cyberframework/
NIST
• Cloud materials
http://www.nist.gov/itl/cloud/
FedRAMP
• Federal cloud computing standards
https://www.fedramp.gov/
PCI SSC Cloud Information Supplement
• Detailed list of responsibilities and configuration guidance for cloud & PCI DSS compliance
• Useful for guiding principles beyond PCI
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
ISO
• Cloud security code of practice and other guidelines in development (ISO/IEC FDIS 27017)
• Support the STAR certifications
• Require license to obtain actual standards
• Website is kind of confusing - search for cloud
http://www.iso.org
31. Definitions
Per NIST (c2011):
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
This cloud model is composed of:
• Five essential characteristics
• Three service models
• Four deployment models
32. Essential Characteristics
Per NIST (c2011):
1. On-demand self-service
2. Broad network access
3. Resource pooling
4. Rapid elasticity
5. Measured service
33. Service Models
SAAS (Software as a service)
• Use provider’s application
• Accessible from clients via thin interface
• Limited user configuration settings - application layer
PAAS (Platform as a service)
• Deploy applications onto cloud platform
• Consumer does not manage underlying cloud infrastructure including network, servers, operating systems, or storage
• Customers control deployed applications and may be able to configure some application environment settings.
IAAS (Infrastructure as a service)
• Customer control over operating systems, storage, deployed applications; and possibly select networking components.
34. Deployment Models
Private Cloud
• Provisioned for use by a single organization
• May be owned and managed by organization, third party or a combination
• On-premise, hosted options
Community Cloud
• Provisioned for exclusive use by a specific community of consumers from organizations with shared concerns.
• May be owned or managed by one or more organizations in community, third parties or combination.
• On-premise, hosted options
Public Cloud
• Provisioned for use by general public
• May be owned, managed and operated by a business, academic or governmental organization or combination.
• Hosted on premises of provider
Hybrid Cloud
• Combination of distinct and autonomously operated public/private and/or community clouds
• May be tied together by management layers, APIs, cloud broker solutions or other connectivity
35. Shadow IT
Survey respondents’ primary concerns about Shadow IT are:
• Security of corporate data in the cloud (49 percent)
• Potential compliance violations (25 percent)
• The ability to enforce policies (19 percent)
• Redundant services creating inefficiency (8 percent)
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
36. Security-Related Cloud Stats
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)
37. Security-Related Cloud Stats
Source: Cloud Security Alliance Cloud Adoption Practices & Priorities Survey Report (2015)