SlideShare une entreprise Scribd logo

I apologize, I do not actually have information about a specific cloud provider's identity and access management capabilities. The questions provided would be good to ask a potential cloud services provider to understand their support for common provisioning standards and options

Télécharger en tant que PPTX, PDF
Moshe Ferber
Moshe Ferber

Software companies moving into SaaS offering should use security as an advantage. Here is how.

Technologie
1  sur  49
Cloud Security Moshe Ferber, CCSK
• Moshe Ferber, 37, lives in Modiin (+2). • Information security professional for over 15 years. • Managed the security department for Ness Technologies. • Founded Cloud7, Israel based MSSP (currently owned by Matrix). • Shareholder at Clarisite • Shareholder at FortyCloud • Member of the board at Macshava Tova • Certified instructor for the Cloud Security Alliance 2
Introduction to cloud computing Creating Trust Security in the development phase Security in the Operation phase
Introduction to cloud computing Evaluating your cloud solution Operating in the cloud Virtualization security
Hitler and Cloud Computing
“Cloud computing is nothing more than a faddish term for the established concept of computers linked by networks.” Larry Ellison, ORACLE
7 Broad Network Access Rapid Elasticity Measured Service On-Demand Self-Service Resource Pooling
8
9
11 • The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves. SaaSIaaS PaaS Security Responsibility ProviderCustomer
Public Cloud Private Cloud Community Hybrid Cloud Deployment Models 12
Introduction to cloud computing Creating Trust Operating in the cloud Virtualization security
Creating Trust Security in the development process Security in the Operation process
• Make sure that you and your customers speak the same language. • Transparency, planning and taking risks are key success factors for this process. • Standards are great way for establishing common ground for discussion. • Contracts and SLA will define the partnership.
Transparent Legal documents Know your regulationDefine who does what
Taken from: Ponemon Institute: security of cloud computing users study 2013 Research show that many organization don’t understand the shared responsibilities between customer and provider in cloud computing.
• . 20 SaaS IaaS PaaS ProviderCustomer All Guest and App security App Security Contractual controls Infrastructure & Application security Platform Security Infrastructure Only
22
• Adjust your contracts to reflect the nature of the cloud (This is not a software licensing agreement). • Do not over complicate. • Provide security policy statement. • Specify how you help customer to avoid Vendor lock-in and unexpected termination.
• Responsible for actions of his providers. • Compliance in the service. • Answer to subpoena and e-discovery • Data loss / recovery. • Conform with specification. • Fix break down. • SLA: uptime, downtime notice &POC. • Indemnity Location of services Contract jurisdiction Standard of care Applicable legislation Treaties
•ISO 27001 – Adopted by the cloud industry . Although no real reference to cloud (ISO 27017 is planned,but still a draft). •SSAE16 – Got some level of cloud details… Need to verify the scope. •FIPS140-2 - Standard for encryption on sensitive data. •PCI –Many resources on adapting PCI on cloud environment. Including PCI cloud guidelines. •ENISA– guide for cloud security recommendations. •ILITA (Israel) - guidelines for outsourcing computer data including cloud reference.
•CSA – Responsible for CSA STAR Level 1,2,3. Which is ISO27001 / SOC with additional controls from CCM. •FedRAMP – Defining the federal policy regarding the use of cloud services within the federal government. Based on NIST guidelines.
Introduction to cloud computing Creating Trust Security in the development phase Virtualization security
Design to security Integrate security into software life cycle Plan your security testing Threat modeling (including cloud threats) Access controls Coding standard (Based on relevant Regulation) Code review SDLC Checkpoint Cloud provider API’s Static analysis Dynamic analysis Vulnerability scanning Penetration test
• SDLC in the cloud requires us to integrate the cloud provider and consumer into the process. • Security referent should be present on each development team. • Threat modeling should include cloud specific threats. • SDLC can be any standard in the market, as long as you remember to adjust responsibilities. Architecture & Design Development Test Production IaaS Cloud Consumer Cloud Consumer Shared Shared PaaS Shared Cloud Consumer Shared Shared SaaS Shared Cloud Provider Cloud Provider Cloud Provider
Identity is the perimeter Identity Lifecycle Access control Authentication • Cloud consumers prefer to extend their Identities to the cloud instead of creating new ones. • Identity Providers are a growing service. • SCIM – marked as the new standard for provisioning (replacing SPML). • XACML is growing standard regarding access management. • Best practices separate between Policy Decision Point and Policy enforcement Point. • The challenge is to leverage customer current authentication mechanism. • Identity Federation is growing market. • SAML, Open ID and Oauth can help SaaS provider to meet customers requirements.
• Dynamic and Static analysis should be integrated to the SDLC. • Penetration test and vulnerability scans are a must in some standards and regulations, and should be done periodically. • Scan results and pen test should be available to customers. • Customers should have the ability to coordinate scans and penetration tests.
• Vulnerability management as a service a very popular. Just make sure they are Cloud API aware • Code review and Web Application Firewall can also used as a service. • New standards such as SAML, SCIM and XACML can assist.
Introduction to cloud computing Creating Trust Security in the development phase Security in the operation phase
Data lifecycle management Transparency in operations Incident management Encrypt, Encrypt, Encrypt Access control Clear policy and standards Monitoring what is incident? Incident life cycle
Classification Encryption Access control Archiving and Termination
File Level Database Level Volume Level Storage Level Level? By? Proxy Infrastructure Keys? Provider Customer Application level
• Customers will expect: Clear Security Policy. Change management process. DR / BC procedures. Backup and Restore procedure and testing. Notice on maintenance & service time. Clear information channel regarding malfunctions. SLA for coordinating audits / VA / Pen tests. Visibility into the operations.
42 • not just complianceLog Monitoring • Availability and more. Performance Monitoring • tie to alerting Monitoring for Malicious use • analytics helpful here Monitoring for Compromise • access control, authorized use Monitoring for policy violations
• Define what is “Incident” with your customers. • The nature of cloud makes likelihood of some kinds of incident goes up, others goes down. • Consider attacks targeted at the Cloud infrastructure provider and how that affects your systems • Legislative and Regulatory régimes may have different requirements for incident management. • Plan your containment policy in cases where attack is focused on specific customer. • Provide your customer with POC and make sure you got communication channels to address them. Preparation Detection & Analysis Containment Eradication & Recovery
44 • COBIT / ITIL can make a good framework for building correct operations standards. • Twitter turned to be great tool for information distribution. • NIST SP800-61 is great start for incident management.
Moshe Ferber, CCSK Tel. +972-52-8342313 moshe@onlinecloudsec.com
• US privacy laws are made from federal legislation, and state level regulation. • The 4th amendment is the basic pillar for privacy in US, and is not valid for cloud services. • The FISA, Patriot act and protect America act grant US government right to force Cloud provider to deliver customer data. • US laws require provide planning capability to respond to requests for legal holds on documents (FRCP) 46
• EU privacy laws prohibit transfer of EU data outside of the EU unless it will receive the same level of protection. • US based companies enjoyed Safe Harbor agreement for processing EU data. • On July 2, 2012 – Working Party 29 issued an opinion stating that safe harbor controls are not sufficient for cloud computing. 47
48 Data • Make sure that data in the cloud is secured along all data lifecycle. Application • Make sure application meets the standards and risks. Users • Make sure that users lifecycle matches standards and risks.
Create Destroy Store Share Archive Use Classify Assign Rights Content Discovery Access Controls Encryption Rights Management Activity Monitoring and Enforcement Rights Management Logical Controls Application Security DLP Encryption (SSL/HTTPS) Logical Controls Application Security Encryption Asset Management Crypto-Shredding Secure Deletion Content Discovery 49
50 Identity Management • Lifecycle management may require identity propagation and/or synchronization • Identity provisioning • User profile management Access Management • Authentication – process can occur on Cloud Consumer side or Cloud Provider side • Authorization – process can occur on Cloud Consumer side, and always occurs on the Cloud Provider side Federation • Managing relationships and policies Compliance • Dealing with regulations and audits
51
52 1.What provisioning standards do you support today? 2.Do you support SPML? What version? If so, do you have a schema? 3.Do you offer web services for automated provisioning (bulk or single)?
53 4. Do you offer on the fly (just-in-time)provisioning, where by users are provisioned using a pre-assigned token but activated at the time of online registration? 5. What language support do you offer for clients of provisioning web services? Examples include Java, .NET, Ruby on Rails, PHP, etc. 6. Do you support provisioning via transient federation(SAML)? 7. What logging of provisioning requests is performed, and how is it protected from tampering? What reconciliation mechanisms are available?

Recommandé

What the auditor need to know about cloud computing
What the auditor need to know about cloud computingWhat the auditor need to know about cloud computing
What the auditor need to know about cloud computingMoshe Ferber
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Moshe Ferber
 
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferberDefcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferberMoshe Ferber
 
Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...Moshe Ferber
 
The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing Moshe Ferber
 
null Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Securitynull Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Securityn|u - The Open Security Community
 
Cloud risk and business continuity v21
Cloud risk and business continuity v21Cloud risk and business continuity v21
Cloud risk and business continuity v21Jorge Sebastiao
 
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013Moshe Ferber
 

Recommandé

What the auditor need to know about cloud computing
What the auditor need to know about cloud computingWhat the auditor need to know about cloud computing
What the auditor need to know about cloud computingMoshe Ferber
 
Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Cloud security for banks - the central bank of Israel regulations for cloud s...
Cloud security for banks - the central bank of Israel regulations for cloud s...Moshe Ferber
 
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferberDefcon23 from zero to secure in 1 minute - nir valtman and moshe ferber
Defcon23 from zero to secure in 1 minute - nir valtman and moshe ferberMoshe Ferber
 
Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...Surviving the lions den - how to sell SaaS services to security oriented cust...
Surviving the lions den - how to sell SaaS services to security oriented cust...Moshe Ferber
 
The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing The Cloud & I, The CISO challenges with Cloud Computing
The Cloud & I, The CISO challenges with Cloud Computing Moshe Ferber
 
null Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Securitynull Bangalore meet - Cloud Computing and Security
null Bangalore meet - Cloud Computing and Securityn|u - The Open Security Community
 
Cloud risk and business continuity v21
Cloud risk and business continuity v21Cloud risk and business continuity v21
Cloud risk and business continuity v21Jorge Sebastiao
 
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013Cloud security innovation - Cloud Security Alliance East Europe Congress 2013
Cloud security innovation - Cloud Security Alliance East Europe Congress 2013Moshe Ferber
 
Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)Moshe Ferber
 
Aligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startupsAligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startupsMoshe Ferber
 
Architect secure cloud services.
Architect secure cloud services.Architect secure cloud services.
Architect secure cloud services.Moshe Ferber
 
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San JoseThe Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San JoseMoshe Ferber
 
Cloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption ExplainedCloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption ExplainedPorticor - The Cloud Security Experts
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security GovernanceShankar Subramaniyan
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)أحلام انصارى
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Samrat Das
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeHimani Singh
 
Cloud security
Cloud securityCloud security
Cloud securityBikashPokharel3
 
Cloud keybank privacy and owner authorization
Cloud keybank privacy and owner authorizationCloud keybank privacy and owner authorization
Cloud keybank privacy and owner authorizationPvrtechnologies Nellore
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architectureVladimir Jirasek
 
Cloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityCloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityHari Kumar
 
CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption? CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption? Digital Transformation EXPO Event Series
 
Secaa s cat_10_network_security_implementation_guidance
Secaa s cat_10_network_security_implementation_guidanceSecaa s cat_10_network_security_implementation_guidance
Secaa s cat_10_network_security_implementation_guidancedrewz lin
 
Security and governance in the cloud
Security and governance in the cloudSecurity and governance in the cloud
Security and governance in the cloudJulian Knight
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt Devyani Vaidya
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...Amazon Web Services
 
INSA cloud computing_2012_final
INSA cloud computing_2012_finalINSA cloud computing_2012_final
INSA cloud computing_2012_finalGovCloud Network
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing securityAung Thu Rha Hein
 
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationVenkateswar Reddy Melachervu
 

Contenu connexe

Tendances

Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)Moshe Ferber
 
Aligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startupsAligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startupsMoshe Ferber
 
Architect secure cloud services.
Architect secure cloud services.Architect secure cloud services.
Architect secure cloud services.Moshe Ferber
 
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San JoseThe Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San JoseMoshe Ferber
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Samrat Das
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeHimani Singh
 
Cloud keybank privacy and owner authorization
Cloud keybank privacy and owner authorizationCloud keybank privacy and owner authorization
Cloud keybank privacy and owner authorizationPvrtechnologies Nellore
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architectureVladimir Jirasek
 
Cloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityCloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityHari Kumar
 
Secaa s cat_10_network_security_implementation_guidance
Secaa s cat_10_network_security_implementation_guidanceSecaa s cat_10_network_security_implementation_guidance
Secaa s cat_10_network_security_implementation_guidancedrewz lin
 
Security and governance in the cloud
Security and governance in the cloudSecurity and governance in the cloud
Security and governance in the cloudJulian Knight
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...Amazon Web Services
 

Tendances (19)

Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)Cloud security what to expect (introduction to cloud security)
Cloud security what to expect (introduction to cloud security)
 
Aligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startupsAligning Risk with Growth - Cloud Security for startups
Aligning Risk with Growth - Cloud Security for startups
 
Architect secure cloud services.
Architect secure cloud services.Architect secure cloud services.
Architect secure cloud services.
 
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San JoseThe Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
The Notorious 9 Cloud Computing Threats - CSA Congress, San Jose
 
Cloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption ExplainedCloud Security & Cloud Encryption Explained
Cloud Security & Cloud Encryption Explained
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB
 
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment modeCloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
Cloud security, Cloud security Access broker, CSAB's 4 pillar, deployment mode
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cloud keybank privacy and owner authorization
Cloud keybank privacy and owner authorizationCloud keybank privacy and owner authorization
Cloud keybank privacy and owner authorization
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security Demystified
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
 
Cloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls SecurityCloud Computing Security - Cloud Controls Security
Cloud Computing Security - Cloud Controls Security
 
CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption? CASB — Your new best friend for safe cloud adoption?
CASB — Your new best friend for safe cloud adoption?
 
Secaa s cat_10_network_security_implementation_guidance
Secaa s cat_10_network_security_implementation_guidanceSecaa s cat_10_network_security_implementation_guidance
Secaa s cat_10_network_security_implementation_guidance
 
Security and governance in the cloud
Security and governance in the cloudSecurity and governance in the cloud
Security and governance in the cloud
 
cloud security ppt
cloud security ppt cloud security ppt
cloud security ppt
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
 

En vedette

INSA cloud computing_2012_final
INSA cloud computing_2012_finalINSA cloud computing_2012_final
INSA cloud computing_2012_finalGovCloud Network
 
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationVenkateswar Reddy Melachervu
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing SecurityDhaval Dave
 
SAP HANA SPS12 Upgrade and Exploring New Features - Part 1
SAP HANA SPS12 Upgrade and Exploring New Features - Part 1SAP HANA SPS12 Upgrade and Exploring New Features - Part 1
SAP HANA SPS12 Upgrade and Exploring New Features - Part 1Linh Nguyen
 
SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...
SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...
SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...Linh Nguyen
 

En vedette (7)

INSA cloud computing_2012_final
INSA cloud computing_2012_finalINSA cloud computing_2012_final
INSA cloud computing_2012_final
 
Cloud computing security
Cloud computing securityCloud computing security
Cloud computing security
 
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter PresentationCloud Computing and Security - ISACA Hyderabad Chapter Presentation
Cloud Computing and Security - ISACA Hyderabad Chapter Presentation
 
CCSP Email 7.29.05
CCSP Email 7.29.05CCSP Email 7.29.05
CCSP Email 7.29.05
 
Cloud Computing Security
Cloud Computing SecurityCloud Computing Security
Cloud Computing Security
 
SAP HANA SPS12 Upgrade and Exploring New Features - Part 1
SAP HANA SPS12 Upgrade and Exploring New Features - Part 1SAP HANA SPS12 Upgrade and Exploring New Features - Part 1
SAP HANA SPS12 Upgrade and Exploring New Features - Part 1
 
SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...
SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...
SAP HANA 2 – Upgrade and Operations Part 1 - Exploring Features of the New Co...
 

Similaire à I apologize, I do not actually have information about a specific cloud provider's identity and access management capabilities. The questions provided would be good to ask a potential cloud services provider to understand their support for common provisioning standards and options

Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Mark Williams
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfCiente
 
Secure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataSecure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataGreat Wide Open
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2Anne Starr
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Alan Yau Ti Dun
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewPeter HJ van Eijk
 
Guide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureGuide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureAbdul Khan
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloudAjay Rathi
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeBen Rothke
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2Anne Starr
 
Addressing Cloud Security with OPA
Addressing Cloud Security with OPAAddressing Cloud Security with OPA
Addressing Cloud Security with OPADiemShin
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014KBIZEAU
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David RossGraeme Wood
 

Similaire à I apologize, I do not actually have information about a specific cloud provider's identity and access management capabilities. The questions provided would be good to ask a potential cloud services provider to understand their support for common provisioning standards and options (20)

Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
Cloud Security: A matter of trust?
Cloud Security: A matter of trust?Cloud Security: A matter of trust?
Cloud Security: A matter of trust?
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
 
3.pptx
3.pptx3.pptx
3.pptx
 
Secure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataSecure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your Data
 
dtechnClouologyassociatepart2
dtechnClouologyassociatepart2dtechnClouologyassociatepart2
dtechnClouologyassociatepart2
 
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ...
 
CCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overviewCCSK Certificate of Cloud Computing Knowledge - overview
CCSK Certificate of Cloud Computing Knowledge - overview
 
Guide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azureGuide to security patterns for cloud systems and data security in aws and azure
Guide to security patterns for cloud systems and data security in aws and azure
 
security and compliance in the cloud
security and compliance in the cloudsecurity and compliance in the cloud
security and compliance in the cloud
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Cloud services and it security
Cloud services and it securityCloud services and it security
Cloud services and it security
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2
 
Cloud Security.ppt
Cloud Security.pptCloud Security.ppt
Cloud Security.ppt
 
Addressing Cloud Security with OPA
Addressing Cloud Security with OPAAddressing Cloud Security with OPA
Addressing Cloud Security with OPA
 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 
CSA Introduction 2013 David Ross
CSA Introduction 2013 David RossCSA Introduction 2013 David Ross
CSA Introduction 2013 David Ross
 
Introduction to CSA Australia 2013 by David Ross
Introduction to CSA Australia 2013 by David RossIntroduction to CSA Australia 2013 by David Ross
Introduction to CSA Australia 2013 by David Ross
 

Plus de Moshe Ferber

Cloud Security - the egregious 11 cloud security threats
Cloud Security - the egregious 11 cloud security threatsCloud Security - the egregious 11 cloud security threats
Cloud Security - the egregious 11 cloud security threatsMoshe Ferber
 
Understanding IaaS/PaaS attack vectors.pptx
Understanding IaaS/PaaS attack vectors.pptxUnderstanding IaaS/PaaS attack vectors.pptx
Understanding IaaS/PaaS attack vectors.pptxMoshe Ferber
 
Foundations of cloud security monitoring
Foundations of cloud security monitoringFoundations of cloud security monitoring
Foundations of cloud security monitoringMoshe Ferber
 
Cloud security certifications landscape
Cloud security certifications landscapeCloud security certifications landscape
Cloud security certifications landscapeMoshe Ferber
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
Cloud security for financial services
Cloud security for financial servicesCloud security for financial services
Cloud security for financial servicesMoshe Ferber
 

Plus de Moshe Ferber (6)

Cloud Security - the egregious 11 cloud security threats
Cloud Security - the egregious 11 cloud security threatsCloud Security - the egregious 11 cloud security threats
Cloud Security - the egregious 11 cloud security threats
 
Understanding IaaS/PaaS attack vectors.pptx
Understanding IaaS/PaaS attack vectors.pptxUnderstanding IaaS/PaaS attack vectors.pptx
Understanding IaaS/PaaS attack vectors.pptx
 
Foundations of cloud security monitoring
Foundations of cloud security monitoringFoundations of cloud security monitoring
Foundations of cloud security monitoring
 
Cloud security certifications landscape
Cloud security certifications landscapeCloud security certifications landscape
Cloud security certifications landscape
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Cloud security for financial services
Cloud security for financial servicesCloud security for financial services
Cloud security for financial services
 

Dernier

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 

Dernier (20)

How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 

I apologize, I do not actually have information about a specific cloud provider's identity and access management capabilities. The questions provided would be good to ask a potential cloud services provider to understand their support for common provisioning standards and options

  • 2. • Moshe Ferber, 37, lives in Modiin (+2). • Information security professional for over 15 years. • Managed the security department for Ness Technologies. • Founded Cloud7, Israel based MSSP (currently owned by Matrix). • Shareholder at Clarisite • Shareholder at FortyCloud • Member of the board at Macshava Tova • Certified instructor for the Cloud Security Alliance 2
  • 3. Introduction to cloud computing Creating Trust Security in the development phase Security in the Operation phase
  • 4. Introduction to cloud computing Evaluating your cloud solution Operating in the cloud Virtualization security
  • 6. “Cloud computing is nothing more than a faddish term for the established concept of computers linked by networks.” Larry Ellison, ORACLE
  • 7. 7 Broad Network Access Rapid Elasticity Measured Service On-Demand Self-Service Resource Pooling
  • 8. 8
  • 9. 9
  • 10. 11 • The lower down the stack the cloud service provider stops, the more security capabilities and management consumers are responsible for implementing and managing themselves. SaaSIaaS PaaS Security Responsibility ProviderCustomer
  • 11. Public Cloud Private Cloud Community Hybrid Cloud Deployment Models 12
  • 12. Introduction to cloud computing Creating Trust Operating in the cloud Virtualization security
  • 13.
  • 14.
  • 15. Creating Trust Security in the development process Security in the Operation process
  • 16. • Make sure that you and your customers speak the same language. • Transparency, planning and taking risks are key success factors for this process. • Standards are great way for establishing common ground for discussion. • Contracts and SLA will define the partnership.
  • 17. Transparent Legal documents Know your regulationDefine who does what
  • 18. Taken from: Ponemon Institute: security of cloud computing users study 2013 Research show that many organization don’t understand the shared responsibilities between customer and provider in cloud computing.
  • 19. • . 20 SaaS IaaS PaaS ProviderCustomer All Guest and App security App Security Contractual controls Infrastructure & Application security Platform Security Infrastructure Only
  • 20. 22
  • 21. • Adjust your contracts to reflect the nature of the cloud (This is not a software licensing agreement). • Do not over complicate. • Provide security policy statement. • Specify how you help customer to avoid Vendor lock-in and unexpected termination.
  • 22. • Responsible for actions of his providers. • Compliance in the service. • Answer to subpoena and e-discovery • Data loss / recovery. • Conform with specification. • Fix break down. • SLA: uptime, downtime notice &POC. • Indemnity Location of services Contract jurisdiction Standard of care Applicable legislation Treaties
  • 23. •ISO 27001 – Adopted by the cloud industry . Although no real reference to cloud (ISO 27017 is planned,but still a draft). •SSAE16 – Got some level of cloud details… Need to verify the scope. •FIPS140-2 - Standard for encryption on sensitive data. •PCI –Many resources on adapting PCI on cloud environment. Including PCI cloud guidelines. •ENISA– guide for cloud security recommendations. •ILITA (Israel) - guidelines for outsourcing computer data including cloud reference.
  • 24. •CSA – Responsible for CSA STAR Level 1,2,3. Which is ISO27001 / SOC with additional controls from CCM. •FedRAMP – Defining the federal policy regarding the use of cloud services within the federal government. Based on NIST guidelines.
  • 25.
  • 26. Introduction to cloud computing Creating Trust Security in the development phase Virtualization security
  • 27. Design to security Integrate security into software life cycle Plan your security testing Threat modeling (including cloud threats) Access controls Coding standard (Based on relevant Regulation) Code review SDLC Checkpoint Cloud provider API’s Static analysis Dynamic analysis Vulnerability scanning Penetration test
  • 28. • SDLC in the cloud requires us to integrate the cloud provider and consumer into the process. • Security referent should be present on each development team. • Threat modeling should include cloud specific threats. • SDLC can be any standard in the market, as long as you remember to adjust responsibilities. Architecture & Design Development Test Production IaaS Cloud Consumer Cloud Consumer Shared Shared PaaS Shared Cloud Consumer Shared Shared SaaS Shared Cloud Provider Cloud Provider Cloud Provider
  • 29. Identity is the perimeter Identity Lifecycle Access control Authentication • Cloud consumers prefer to extend their Identities to the cloud instead of creating new ones. • Identity Providers are a growing service. • SCIM – marked as the new standard for provisioning (replacing SPML). • XACML is growing standard regarding access management. • Best practices separate between Policy Decision Point and Policy enforcement Point. • The challenge is to leverage customer current authentication mechanism. • Identity Federation is growing market. • SAML, Open ID and Oauth can help SaaS provider to meet customers requirements.
  • 30. • Dynamic and Static analysis should be integrated to the SDLC. • Penetration test and vulnerability scans are a must in some standards and regulations, and should be done periodically. • Scan results and pen test should be available to customers. • Customers should have the ability to coordinate scans and penetration tests.
  • 31. • Vulnerability management as a service a very popular. Just make sure they are Cloud API aware • Code review and Web Application Firewall can also used as a service. • New standards such as SAML, SCIM and XACML can assist.
  • 32. Introduction to cloud computing Creating Trust Security in the development phase Security in the operation phase
  • 33. Data lifecycle management Transparency in operations Incident management Encrypt, Encrypt, Encrypt Access control Clear policy and standards Monitoring what is incident? Incident life cycle
  • 35. File Level Database Level Volume Level Storage Level Level? By? Proxy Infrastructure Keys? Provider Customer Application level
  • 36.
  • 37. • Customers will expect: Clear Security Policy. Change management process. DR / BC procedures. Backup and Restore procedure and testing. Notice on maintenance & service time. Clear information channel regarding malfunctions. SLA for coordinating audits / VA / Pen tests. Visibility into the operations.
  • 38. 42 • not just complianceLog Monitoring • Availability and more. Performance Monitoring • tie to alerting Monitoring for Malicious use • analytics helpful here Monitoring for Compromise • access control, authorized use Monitoring for policy violations
  • 39. • Define what is “Incident” with your customers. • The nature of cloud makes likelihood of some kinds of incident goes up, others goes down. • Consider attacks targeted at the Cloud infrastructure provider and how that affects your systems • Legislative and Regulatory régimes may have different requirements for incident management. • Plan your containment policy in cases where attack is focused on specific customer. • Provide your customer with POC and make sure you got communication channels to address them. Preparation Detection & Analysis Containment Eradication & Recovery
  • 40. 44 • COBIT / ITIL can make a good framework for building correct operations standards. • Twitter turned to be great tool for information distribution. • NIST SP800-61 is great start for incident management.
  • 41. Moshe Ferber, CCSK Tel. +972-52-8342313 moshe@onlinecloudsec.com
  • 42. • US privacy laws are made from federal legislation, and state level regulation. • The 4th amendment is the basic pillar for privacy in US, and is not valid for cloud services. • The FISA, Patriot act and protect America act grant US government right to force Cloud provider to deliver customer data. • US laws require provide planning capability to respond to requests for legal holds on documents (FRCP) 46
  • 43. • EU privacy laws prohibit transfer of EU data outside of the EU unless it will receive the same level of protection. • US based companies enjoyed Safe Harbor agreement for processing EU data. • On July 2, 2012 – Working Party 29 issued an opinion stating that safe harbor controls are not sufficient for cloud computing. 47
  • 44. 48 Data • Make sure that data in the cloud is secured along all data lifecycle. Application • Make sure application meets the standards and risks. Users • Make sure that users lifecycle matches standards and risks.
  • 45. Create Destroy Store Share Archive Use Classify Assign Rights Content Discovery Access Controls Encryption Rights Management Activity Monitoring and Enforcement Rights Management Logical Controls Application Security DLP Encryption (SSL/HTTPS) Logical Controls Application Security Encryption Asset Management Crypto-Shredding Secure Deletion Content Discovery 49
  • 46. 50 Identity Management • Lifecycle management may require identity propagation and/or synchronization • Identity provisioning • User profile management Access Management • Authentication – process can occur on Cloud Consumer side or Cloud Provider side • Authorization – process can occur on Cloud Consumer side, and always occurs on the Cloud Provider side Federation • Managing relationships and policies Compliance • Dealing with regulations and audits
  • 47. 51
  • 48. 52 1.What provisioning standards do you support today? 2.Do you support SPML? What version? If so, do you have a schema? 3.Do you offer web services for automated provisioning (bulk or single)?
  • 49. 53 4. Do you offer on the fly (just-in-time)provisioning, where by users are provisioned using a pre-assigned token but activated at the time of online registration? 5. What language support do you offer for clients of provisioning web services? Examples include Java, .NET, Ruby on Rails, PHP, etc. 6. Do you support provisioning via transient federation(SAML)? 7. What logging of provisioning requests is performed, and how is it protected from tampering? What reconciliation mechanisms are available?

Notes de l'éditeur

  1. The first of the essential characteristics is “Broad Network Access,” which basically means the computing resources are available through pretty much any mechanism desired. These may include: Standard clients, like mobile phones, laptops and desktop computers, both internal and external to your corporate network. Traditional software services, like applications and middleware. Since the cloud provides similar capabilities to what a company would build themselves, any cloud-resident resources would need to be accessible from computing resources (both internal and external) to the organization. There shouldn’t be any restrictions in terms of access via cloud-based software services either.
  2. One of the first areas of confusion for “the cloud” is to understand how cloud services and virtualization relate to each other. And in the media grinder, the terms tend to be used synonymously, which is both factually and intrinsically incorrect. So let’s try to define virtualization and draw some specific distinctions between each: According to Wikipedia, “virtualization, in computing, is the creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, a storage device or network resources.” [1]” We say that virtualization is the platform for the cloud. Meaning that cloud service models would not be possible to build without the ability to virtualize everything (network, operating systems, storage, etc.) involved in providing a computing platform. Although it’s transparent to the customers that deploy cloud architectures, every cloud service provider makes heavy use of virtualization technology at all levels of their computing architecture to deliver the scalability and flexibility required to derive economies of scale. On the other hand, the cloud is also used by most customers as a platform for virtualization. By that we mean the easiest way for many customers to leverage the power of virtualization is to use a cloud service. Thus the customer doesn’t have to deal with deploying their own environment of computers running hypervisors and supporting a variety of guest operating systems, and offering block storage accessible by a specific API or a certain computing platform for some of their key enterprise applications. All of these capabilities can be exposed using a cloud service (as opposed to building it themselves). Thus, not only does the cloud heavily utilize virtualization, it’s provides an ability for customers to quickly start achieving the value of virtualization, without having to virtualize their existing architecture. Yes, it’s kind of recursive, but the point here is that cloud and virtualization are attached at the hip, but they are not the same.
  3. In terms of what you buy when you look at cloud services, the types of offerings tend to broken up into three different levels. We’ll go through each distinction in some detail. These offerings tend to be describe as the SPI stack. S for Software as a Service. P for Platform as a Service. And I for Infrastructure as a Service. Now the cloud stack is clearly evolving and we are seeing a lot of overlap and less clear distinction between the layers of the stack. So first, let’s get a feel for the standard definitions of each layer in the stack and then we can use some examples to show the blurring that is happening now.
  4. The statement says it all. The lower in the stack the provider stops, the more the customer has to do. So IaaS stops low in the stack, thus the customers are responsible to secure the systems and applications. PaaS is in the middle and may offer some level of security within the platform, but the customer would still be required to make the API calls within the application. SaaS is a bit of a different animal because the provider is responsible for the entire solution (from cradle to grave). Thus the onus is upon them to protect any information within their service. As you can imagine, data security is very important to the SaaS providers, since a breach or failure could result in the proverbial “run on the bank” and put the entire business in danger.
  5. Public Cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. This tends to be what most organizations view as the “cloud.” Basically a big set of computers in the sky that can be spun up or decommissioned instantly to support almost any kind of applications. Private Cloud. The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off- premises. Any infrastructure you are responsible for managing can be termed a “private cloud.” Thus your existing data center, given some of the essential characteristics of cloud infrastructure (brad network access, rapid elasticity, etc.) is sort of a private cloud. Of course, there is a lot of work to be done to turn a traditional existing data center into a private cloud facility, but it’s definitely a direction many organizations are moving towards. Community Cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, or compliance considerations). There are many affinity groups (organized by vertical, geography, size, etc.) that tend to have very similar computing requirements. A community cloud can bring leverage and economies of scale to these environment, driving down the cost of delivering the IT service and likely increasing capabilities. The community cloud may be managed by the organizations or a third party and may exist on-premises or off-premises. Hybrid Cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). Why have one, when you can have two for twice the price? OK, that may be a little facetious, but hybrid models are real and provide both a shorter term migration plan (so you can support your existing data centers/private cloud, while moving some or all of your infrastructure to another cloud platform).
  6. The statement says it all. The lower in the stack the provider stops, the more the customer has to do. So IaaS stops low in the stack, thus the customers are responsible to secure the systems and applications. PaaS is in the middle and may offer some level of security within the platform, but the customer would still be required to make the API calls within the application. SaaS is a bit of a different animal because the provider is responsible for the entire solution (from cradle to grave). Thus the onus is upon them to protect any information within their service. As you can imagine, data security is very important to the SaaS providers, since a breach or failure could result in the proverbial “run on the bank” and put the entire business in danger.
  7. STRIDE is a threat model that is widely used at Microsoft and across the industry. It provides six types of threats For now, we will do a brief summary of the threats to give you an idea of what a Threat Model is Spoofing occurs when an attacker assumes the identity of subject (like user or client), object (like a server, web application or database), or account. Phishing is an example of Spoofing where an attacker fools the user by spoofing a legitimate site like an online bank and tricks the user into sending their username and password to a site the attacker controls. Its also possible for an attacker to spoof the identity of the user directly Tampering occurs when message or data is altered by the attacker Repudiation occurs when the attacker repudiates an authentic event such as claiming that an ATM machine did not give any money when in fact the attacker did receive money from the ATM Information may be disclosed in number of ways, information can be sniffed off of a network communication channel, such as through packet sniffing unencrypted networks. Attackers may actively try to gather information through injecting SQL commands to the database. Denial of Service (also sometimes called “Denial of business”) means an attacker can swamp the system to deny access to legitimate users. Elevation of privilege occurs when an attacker finds a way to bypass access control that limits their privileges. An attacker may try to elevate privilege by using a normal account to run commands that are administrator only This is a brief overview of one threat model, we will now look at how countermeasures can be identified based on the threats.
  8. The value of threat modeling is to assist the problem of building security in, specifically the threat model gives a concrete set of requirements and location of the countermeasure in the system. For the six threats in STRIDE that we briefly introduced, each will be mitigated by a different countermeasure. The following list is illustrative not exhaustive, the purpose is to see that each threat will likely yield different security mechanisms Spoofing threats such as when an attacker impersonates a users, client or server, may be mitigated by authentication mechanisms which verify the authenticity of the subjects, objects and users. Tampering threats such as altering data may be mitigated by signing and hashing data to verify the integrity of the data Repudiating legitimate transactions may be mitigated through audit log that produce evidence of the transaction Information disclosure can occur in many ways, in the example of sniffing information off the wire threats, encryption can mitigate this attack. Denial of service is mitigated through availability services like clustering, and fail over Elevation of privilege is mitigated through authorization checking to see if the user has the correct rights to access the system. This table is a good example of the value of threat modeling, it shows that security is not one thing or one mechanism. Rather security can be defined as a set of mechanisms that cope with certain threats. Depending on which threats the system designers are trying to mitigate the threat model will yield different guidance for which mechanisms are necessary.
  9. Monitoring applications is a multi-faceted job. The CSA Guidance lists five distinct types of monitoring. The most fundamental being – Monitoring your logs! Not just storing them and never looking at them, aka Compliance “zombie ware.” No one looks or cares, but they are recording The other four types of monitoring services can be seen as to how much a priori knowledge is assumed. Performance and policy violation monitoring means defining a set of goals up front and then reviewing logs for those types of events and thresholds Monitoring for malicious use and compromise is more subtle and relies on careful inspection looking for outliers To achieve these goals the monitoring system should ensure that the log messages are able to be parsed automatically and that the log messages are actionable
  10. We will walk through each of these
  11. Since we don’t necessarily know what the infrastructure is, where it is located, who has access we need to account for data security as data moves into and through the cloud Goal is to reorient your security program to protect the information, not merely the network and places where it's stored. We define these 6 phases (Define – Store – Use – Share – Archival - and Destruction) Briefly introduce what each means. You can introduce the technologies that support each phase later. You want to review for Confidentiality, Integrity, Availability, Authenticity, Authorization, Authentication, and Non-Repudiation. Stress the goal is to define how data is protected at each phase. Looking at how you apply security in the cloud – ask yourself how you would do it – this should illuminate security issues and overall risks with the service
  12. Federation defines the contract between the Cloud consumer and Cloud provider at a deeper level, this is typically done through standards like SAML. Compliance activities must review and report on both the identity provisioning and review as well as the runtime access management configuration
  13. Overview of some of the key standards: SAML provides a wire level protocol that enables movement of attributes and SSO sessions from the Cloud Consumer to the Cloud Provider OAuth tokens can be used to authorize to the application. Both SAML and OAuth tokens can be digitally signed and hashed for protection, this is important because the user sessions and application access moves from domain to domain (Consumer & provider), so the tokens must be robust to deal with tampering and other attacks while still being able to move the identity data around in the system Provisioning must occur on both Cloud Consumer and Cloud Provider, this can create synchronization challenges
  14. If you are a cloud provider, these are the mechanisms you need to support for your customers: How do you provision? Do you support customer managed provisioning, some sort of synchronization, or do users have to provision within your service? Forcing users to provision within your system without integration into their environment may be too limiting. Note that SPML is included due to its prominence in the Guidance, but is somewhat stalled at this time. Instructors- be careful and remind students that SPML is on the exam, but not usually a real-world option (we will fix this for the 3.- Guidance). Automated provisioning via SAML or another mechanism is very valuable to customers. Think about it, they merely have to extend existing processes.
  15. Some other things to consider: Just in time tokens are useful for activating accounts, especially for SaaS, when you want to offer self-provisioning. What languages do users need to code their provisioning web services in? Ideally with something like SAML you are language-agnostic. Logging is key- especially if there is any sort of self provisioning or compliance requirements.