1. www.skyviewpartners.com 6/7/2012
Carol Woodbury, President
SkyView Partners, Inc.
www.skyviewpartners.com
@carolwoodbury
Benefits:
◦ Hardware
◦ Support of hardware
◦ Software licensing
◦ Software maintenance
However:
◦ Must meet the requirements of security policy
◦ Legal requirements
◦ Compliance requirements
Depends on the type of data
EU Data Protection Laws
◦ Currently being revised
Determines
Default access
Encryption requirements
Retention requirements
Storage requirements
Disposal method (both printed and online)
While considering
Compliance requirements
Legal considerations
Data classification requirements don’t change just
because the data is now in the cloud
Carefully plan the security and privacy aspects of cloud
computing solutions before engaging them (a cloud
provider).
Understand the public cloud computing environment
offered by the cloud provider.
Ensure that a cloud computing solution satisfies
organizational security and privacy requirements.
Ensure that the client-side computing environment meets
organizational security and privacy requirements for cloud
computing.
Maintain accountability over the privacy and security of
data and applications implemented and deployed in public
cloud computing environments.
Encryption
Auditing (logging)
No passwords in cleartext
Access controls
Reporting
Incident response handling
What will a QSA or auditor say …?
Where is the data physically located?
Incident response handling
◦ Do you and provider have the same definition of a breach?
Can your SLAs be fulfilled?
◦ (think disaster-recovery)
As well as compliance requirements
Questions for providers’ security practices:
◦ Is admin (root) power limited to only those users needing it?
◦ Who/What is logged?
◦ Do administrators access systems via encrypted sessions?
◦ What is the patch management strategy?
◦ What anti-virus / anti-malware software is used?
◦ Are the servers in compliance with
PCI
SOX
HIPAA
◦ Who are you audited by and can we see the results?
User management:
◦ Process to integrate with HR to remove access?
What about immediate removal for terminated
employees/contractors?
◦ Password composition rules?
◦ Password change rules?
Logging:
◦ Invalid sign on attempts
Lock-out for excess attempts
◦ Reads and changes to HIPAA or PCI data
◦ Access attempts to data
◦ Retention of the logs
◦ Review of the logs
Network logging:
◦ Connections
◦ Data movement – what about DLP?
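As an added illustration of the "invalid sign on attempts", "lock-out for excess attempts" and "review of the logs" items above (example code written for this page, not the presenter's material or any provider's tooling): a small Python review that reads constructed sign-on log lines and reports which users reached a lock-out threshold inside a time window. The log format (timestamp, user, result, source), the 5-attempt threshold and the 15-minute window are assumptions; the point is that the questions on the slide become checkable only once you know the format, the threshold and the window the provider actually applies.

```python
"""Review sign-on logs for excessive invalid attempts (added example).

The log format (timestamp user result source), the threshold and the window
are assumptions made for this example; adapt them to the provider's real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real provider output.
SAMPLE_LOG = """\
2012-06-07T08:00:01 alice FAIL 10.1.1.5
2012-06-07T08:00:09 alice FAIL 10.1.1.5
2012-06-07T08:00:15 alice FAIL 10.1.1.5
2012-06-07T08:00:22 alice FAIL 10.1.1.5
2012-06-07T08:00:30 alice FAIL 10.1.1.5
2012-06-07T08:01:00 alice OK 10.1.1.5
2012-06-07T09:00:00 bob FAIL 10.1.1.6
2012-06-07T10:30:00 bob FAIL 10.1.1.6
2012-06-07T10:30:05 bob OK 10.1.1.6
this line is malformed and is skipped
"""


def parse_log(text):
    """Yield (timestamp, user, result, source); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, result, source = parts
        try:
            yield datetime.fromisoformat(ts), user, result, source
        except ValueError:
            continue


def find_lockouts(text, max_failures=5, window_minutes=15):
    """Return {user: time of the failure that reached the threshold}.

    Failures are counted per user inside a sliding window; a successful
    sign-on clears the count, mirroring a lock-out policy that only
    counts consecutive failures.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)  # user -> timestamps of recent consecutive failures
    locked = {}
    for ts, user, result, _source in sorted(parse_log(text)):
        if result != "FAIL":
            recent[user].clear()
            continue
        attempts = [t for t in recent[user] if ts - t <= window]
        attempts.append(ts)
        recent[user] = attempts
        if len(attempts) >= max_failures and user not in locked:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in find_lockouts(SAMPLE_LOG).items():
        print(f"{user}: lock-out threshold reached at {when.isoformat()}")
```

With the assumed defaults only alice is reported; bob's two failures are 90 minutes apart and never fall inside one 15-minute window, which is exactly the kind of definition (window, threshold, whether a success resets the count) that should be agreed with the provider before the logs are reviewed.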
Because the service provider holds so much data, they
may become a victim of a targeted attack
However … provider likely has
◦ Network monitoring
◦ Trained personnel to recognize and respond to the attack
◦ Knowledge / Hardware to prevent or limit the attack
Business level objectives
Responsibilities of both parties
Business continuity/disaster recovery
Redundancy
Maintenance
Data location
Data seizure
Provider failure
Jurisdiction
Brokers and resellers
http://www.ibm.com/developerworks/cloud/library/cl-rev2sla.html?ca=drs-
Security
Data encryption
Privacy
Data retention and deletion
Hardware erasure, destruction
Regulatory compliance
Incident response
Transparency
Certification
Performance definitions
Monitoring
Auditability
Metrics
Human interaction
Determine your organization’s security and compliance
requirements for the type of data going to the cloud
Put the appropriate SLA in place
◦ Terminology / Communication is key – make sure you agree on
each other's definitions
Monitor the results to determine if SLA is being met
Find your private and confidential data
Do not assume it doesn't exist just because it's not
supposed to be on a specific server or in a specific
database!
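One way to act on "find your private and confidential data" (an added example for this page, not the presenter's material): scan file contents for card-number-like digit runs and keep only those that pass the Luhn check, so that serial numbers and order ids are not reported alongside real PANs. The file names and contents are constructed, and the 13 to 19 digit range and the space/hyphen separator handling are assumptions about how card numbers appear in text.

```python
"""Find card numbers (PANs) stored where policy says they should not be.

Added example: the sample "files" are constructed, and the digit range and
separator handling are assumptions about how PANs appear in text.
"""
import re

# Constructed sample files: the csv and log hold real-looking PANs,
# the readme holds a 16-digit serial number that must not be reported.
SAMPLE_FILES = {
    "orders/export.csv": "id,card\n1,4111 1111 1111 1111\n2,4111-1111-1111-1112\n",
    "logs/app.log": "2012-06-07 order 7890123456 processed for customer 5500000000000004\n",
    "docs/readme.txt": "No card data here. Serial 1234567890123456 is a printer.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check digit validation; True for well-formed card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so findings can be reported
    without copying the full PAN into yet another file."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(files):
    """Return [(path, masked_pan)] for every Luhn-valid 13 to 19 digit run."""
    hits = []
    for path, content in files.items():
        for match in CANDIDATE.finditer(content):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((path, mask(digits)))
    return hits


if __name__ == "__main__":
    for path, pan in find_pans(SAMPLE_FILES):
        print(f"{path}: {pan}")
```

The Luhn check is what keeps the printer serial and the mistyped card number in the csv out of the report; a real sweep would walk the servers and databases where the data is not supposed to be, and would report masked values only, so that the discovery tool does not itself become a new copy of the confidential data.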
Many organizations are realizing the benefits of
“private” clouds
◦ Reduced hardware / software costs
◦ Quicker patching
◦ Consolidated security expertise
Monitoring (NOC)
Recognition and response to incidents
◦ Consolidated logging (correlated events)
◦ More layers of security (depending on the data requirements)
Clouds specializing in meeting compliance needs:
◦ PCI
◦ HIPAA
Significantly more expensive but consider that with
public clouds you ‘get what you pay for.’
Service providers have been providing “cloud” services
for many years
◦ Private / Specialized cloud – typically without the dynamic
allocation of new resources
Security/Compliance/Legal requirements you make of
them are the same as what we’ve been discussing.
Best practices and Certifications for Cloud Security
https://cloudsecurityalliance.org/
Guidelines on Security and Privacy in Public Cloud Computing – National Institute of
Standards and Technology (NIST) SP 800-144
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
Cloud Computing Synopsis and Recommendations – National Institute of Standards and
Technology (NIST) SP 800-146 – DRAFT
http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf
Articles:
www.sans.org
www.isaca.org
Search ‘European cloud Computing Strategy’
Contact us at: info@skyviewpartners.com
@carolwoodbury