Protecting What Matters...An Enterprise Approach to Cloud Security
- 1. © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Protecting what matters...
... An enterprise approach to cloud security
Ed Reynolds
HP Fellow, CISSP, CCSK
HP Enterprise Security Services
- 2.
Today’s agenda
TRENDS
PERSPECTIVES
GUIDANCE
- 3.
Worldwide Security Trends & Implications
• Cyber threat: 56% of organizations have been the target of a cyber attack
• Extended supply chain: 44% of all data breaches involved third-party mistakes
• Financial loss: $8.6M average cost associated with a data breach
• Cost of protection: 8% of total IT budget spent on security
• Reputation damage: 30% market cap reduction due to recent events
• Reactive vs. proactive: 60% of enterprises spend more time and money on reactive measures vs. proactive risk mgmt
Source: HP internal data, Forrester Research, Ponemon Institute, Coleman Parkes Research
Key Points
• Security is a board of directors concern
• Security leadership is under immense pressure
• Need for greater visibility of business risks and to make sound security investment choices
- 4.
Managing security challenges
Today, security is a
board-level agenda item
#1 Board Identified Risk:
Reputational Damage
Source: EisnerAmper LLP, February 2011 - Second Annual Board of Directors Survey - 2011: Concerns About Risks Confronting Boards
- 5.
Managing Risk: Current Challenges
Primary Challenges
1. Nature & Motivation of Attacks (fame to national enemies): a new type of adversary
2. Transformation of Enterprise IT (delivery and consumption changes): delivery spans traditional DC, private cloud, managed cloud and public cloud, across network, storage and servers
3. Regulatory Pressures (increasing cost and complexity): Basel III, enhanced regulatory environment
- 6.
HP research: Top concerns for IT executives
(Chart legend: extremely concerned / somewhat concerned / not very concerned)
• 67%: Data privacy and information breaches
• 66%: Lack of skilled resources to effectively manage security
• 63%: Risk associated with more consumption of apps/IT services across public, private & hybrid cloud
• 54%: Risk associated with more consumption of apps/IT services
Source: HP 20:20 CIO Report, 2012
- 7.
Cloud services: adoption is tempered by uncertainty
Security or a related component is the #1 concern/issue for most enterprises
LOB/IT concerns: Security, Performance, Reliability, Scalability, Service levels
CIO concerns: Data security & protection, Compliance, Auditing, Cost, Governance, Control, Availability
- 8.
CSA: Cloud Computing Top Threats for 2013
Top Threats for 2013
1. Data Breaches
2. Data Loss
3. Account or Service Hijacking
4. Insecure Interfaces and APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Vulnerabilities
Security for
the cloud
http://cloudsecurityalliance.org/
1. HP’s Rafal Los co-chaired the CSA Top Threats working group
2. HP selected by CSA as Master Training Partner in APJ (initial region)
- 9.
What do we mean by “cloud security”?
• Security for the cloud? Securely use cloud (consumers)
• Security from the cloud? Security-as-a-Service
• Security in the cloud? Embedded security (providers)
• Security across clouds? Hybrid models, interoperability
- 10.
Cloud models require different security solutions…
Attack surface increases from private to hybrid:
• Private cloud: enterprise-owned or leased
• Community cloud: shared infrastructure for a specific community
• Public cloud: sold to the public, mega-scale infrastructure
• Hybrid cloud: composition of two or more clouds
- 11.
... and different roles & responsibilities regarding security
Cloud service models: SaaS, PaaS, IaaS
SaaS: Software as a Service generally provides application, data and infrastructure security, with varying degrees of compliance.
PaaS: Platform as a Service may provide some additional security functions for IDM and secure application development; security falls to the app developer and customer IT operations.
IaaS: Infrastructure as a Service providers generally offer basic network & infrastructure security, firewalls and some tools, but the customer is generally responsible for implementation, operations and monitoring.
- 12.
But what is really new about “cloud security”?
Many traditional security concerns are recast as a “cloud problem”. . .
• Many “cloud security incidents” are issues with web apps and data hosting, but at greater scale…
  - e.g. phishing, downtime, data loss, weak passwords, compromised hosts running botnets, etc.
• Unexpected side channels and covert channels arising from shared-resource environments in public services
  - Activity patterns need to be protected in addition to apps and data
• Reputation fate sharing: possible blacklisting or service disruption due to “bad neighbors”
  - Need “mutual auditability” (providers need to audit/monitor users)
• Longer trust chains: {SaaS to PaaS to IaaS}
Source: Y. Chen et al., “What’s New About Cloud Computing Security?”, UC Berkeley, Jan. 20, 2010
- 13.
Perspectives
“It’s not about cloud security; it’s about securing your enterprise’s use of cloud-based services”
“Cloud security begins with, and adds to, well-defined enterprise security”
- 14.
Enterprise approach to cloud security
HP Enterprise Security Services Whitepaper
1. Establish a risk-based approach
2. Design applications to run in the cloud
3. Ongoing auditing and management
- 15.
HP approach to complete information security
Establish a risk-based approach: actionable security intelligence
Moving from Reactive to Proactive Information Security & Risk Management
• Assess security investments and posture
• Transform from silos to a comprehensive view
• Optimize to proactively improve security posture
• Manage security effectively
Establish a risk based approach
- 16.
HP Cloud Security Risk and Control Assessment
Stage 1: Assessment Workshop (engagement with senior management)
• Business issues discovery
• Strategic control plan
• Risk assessment scope
Stage 2: Risk Assessment (engagement with business-level security)
• Business risk assessment
• Asset risk assessment
• Output: assets prioritized by risk
Stage 3: Controls Assessment (engagement with operational level security)
• Cloud control measures
• Consensus assessment
• Output: prioritized security control plan
Establish a risk based approach
- 17.
Are your applications & data… the path of least resistance?
Design apps to run in cloud
- 18.
Secure SDLC: protect data & IP
Attack surface: software & data, hardware, network
Assets at risk: intellectual property, customer data, business processes, trade secrets
Design apps to run in cloud
- 19.
The National Vulnerability Database (DHS/US-CERT)
• Lists >47,000 documented vulnerabilities
• Undiscovered/unreported (0-day) vulnerabilities are huge: 20x multiplier¹
• 47,000 x 20 = estimated 940,000 vulnerabilities, replicated in many products
The risks: vulnerabilities (security defects)
Quality issue: many more “underwater” than those reported “above the water”
Greater than 80% of attacks happen at the application layer
Notes: HP research and ¹ “Public Vulnerabilities Are Tip of the Iceberg,” CNET News, June 1, 2007
Design apps to run in cloud
- 20.
The risks: vulnerabilities (security defects), continued
But <1% of security spend is allocated to application security!
Design apps to run in cloud
- 21.
Designing applications to run in the cloud
• Embed security in application architecture
• Address new attack surfaces early in design
• Encrypt “everything” by default – end-to-end
• Adopt new mindset to privacy
• Bounding processes around PII
(e.g. PCI tokenization example)
• Build in audit trails for forensics
• Conduct 3rd party reviews (CATA, Pen. Test)
Design apps to
run in cloud
- 22.
Securing “data-in-process,” in addition to “at rest” and “in motion”
Encryption advances & alternatives*
Advances
• Broadcast encryption: encryption for groups and memberships
• Searchable symmetric encryption: securely search encrypted data
• Identity-based encryption: ad-hoc PKI, user chooses his own public key
• Predicate encryption: fine-grained PKI
• Homomorphic encryption: emerging techniques to compute on ciphertext
Alternatives
• Tokenization. Data sent to the public cloud is altered (tokenized) and contains a reference to the data residing in the private cloud.
• Data anonymization. Personally identifiable information (PII) is stripped before processing. (Watch assumptions)
• Utilizing cloud database controls. Using (fine-grained) access controls at the database layer to provide segregation.
* Source: CSA Guidance v3.0, Chapter 11
Design apps to
run in cloud
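The tokenization alternative above is easiest to see in code. The following is an added example, not from the slides or from HP: a minimal token vault in Python in which the private-cloud side keeps the real values and the copy shipped to the public cloud carries only random tokens (plus the last four digits of the card number, as PCI tokenization schemes commonly allow for display). The field names, the sample record and the vault API are assumptions made for the example.

```python
import secrets

# Hypothetical PII field names for the constructed sample record (not from the slides).
PII_FIELDS = ("pan", "email")


class TokenVault:
    """Private-cloud side: keeps the real values and hands out only random tokens.

    Tokens come from secrets.token_hex, so they carry no information about the
    value they stand for. A hash of the value would be a poor token: card numbers
    and e-mail addresses are guessable, so a hash could be brute-forced offline.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # KeyError for an unknown token is the intended failure mode: the public
        # side cannot manufacture a token that resolves to anything.
        return self._store[token]


def prepare_for_public_cloud(vault: TokenVault, record: dict, pii_fields=PII_FIELDS) -> dict:
    """Return a copy of the record that is safe to send to the public cloud.

    Each PII field is replaced by a token. For the PAN the last four digits are
    kept in a separate field so a payment page can still show "**** 1111".
    """
    public = dict(record)
    for name in pii_fields:
        if name in public:
            if name == "pan":
                public["pan_last4"] = public["pan"][-4:]
            public[name] = vault.tokenize(public[name])
    return public


def leaked_values(public_record: dict, original: dict, pii_fields=PII_FIELDS) -> list:
    """Names of PII fields whose original value still appears anywhere in the public copy."""
    leaks = []
    for name in pii_fields:
        secret = original.get(name)
        if secret and any(secret in str(v) for v in public_record.values()):
            leaks.append(name)
    return leaks


def restore_in_private_cloud(vault: TokenVault, public_record: dict, pii_fields=PII_FIELDS) -> dict:
    """Inverse of prepare_for_public_cloud; only runs where the vault lives."""
    restored = dict(public_record)
    for name in pii_fields:
        if name in restored:
            restored[name] = vault.detokenize(restored[name])
    restored.pop("pan_last4", None)
    return restored


# Constructed sample record (test card number and example.com address, not real data).
SAMPLE_RECORD = {
    "order_id": "A-1001",
    "pan": "4111111111111111",
    "email": "alice@example.com",
    "amount": "42.00",
}

if __name__ == "__main__":
    vault = TokenVault()
    public = prepare_for_public_cloud(vault, SAMPLE_RECORD)
    print("public copy:", public)
    print("leaked fields:", leaked_values(public, SAMPLE_RECORD))
    print("round trip ok:", restore_in_private_cloud(vault, public) == SAMPLE_RECORD)
```

The design point is in `leaked_values`: the check that nothing sensitive survives in the public copy should be an explicit test, not an assumption, which is also the "watch assumptions" caveat the slide attaches to anonymization. In a real deployment the vault's store would be an encrypted, access-controlled database inside the private cloud rather than an in-memory dict.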
- 23.
Architecting Security into Applications
Security assurance thought leadership: extending security assurance from reactive (traditional) to proactive, for higher ROI
Requirements / architecture & design (proactive)
• Security requirements gap analysis
• Security designed in
• Dramatically reduces risk of vulnerabilities
• More complete and less expensive assurance
• Guides late lifecycle assurance
• The best response to a greater threat
Coding
• Security code scanners
• Code review
• Better when design supports security
Integration / penetration test
• In-house, more proactive
• More expensive in isolation
Post-release (traditional, reactive)
• First, people found vulnerabilities, patched, and issued bulletins
The traditional approach is backwards. It can never solve the problem by itself, but works great after proactively prioritizing late life cycle assurance focus.
Design apps to run in cloud
- 24.
Applications rationalisation
HP cloud applications transformation
• Cloud-specific workload analysis; risk analysis & TCO; BPA
• Level 1 transformation strategy determination (RE’s): replace, re-architect, re-factor, re-host
• Level 2 transformation strategy determination (x to x): cloud service types (IaaS, PaaS, SaaS) and cloud deployment models (public, private, virtual private, dedicated/hosted (retain, retire))
Cloud suitability mapping of apps:
• Suitable for SaaS
• Suitable for preferred target / public cloud
• Need modernisation analysis
• Not suitable for cloud
App migration
Design apps to run in cloud
- 25.
Applications modernization strategy
Application cloud strategy quadrant: coding effort (vertical axis) vs. new value generation potential (horizontal axis)
• Quadrants: re-factor, re-architect, re-host, replace
• Target service types: IaaS, PaaS (incl. SOA), SaaS
Design apps to run in cloud
- 26.
Auditing cloud services
Continuous compliance monitoring is essential to securely delivering cloud services and ensuring compliance
• Cloud services are inherently dynamic. The dynamic provisioning and de-provisioning of resources is a key part of the cloud value proposition and business model
• Automation for operations and asset management is essential in this dynamic environment
• Verification of compliance with policy and legislation (such as the EU Data Protection Directive, GLBA, HIPAA, and export compliance controls like ITAR) requires continuously running automation
Yearly or monthly audits are irrelevant in an environment that changes completely on a daily or hourly basis
Ongoing auditing
& management
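The point that audits must run continuously, because the resource inventory changes hourly, can be shown concretely. The following is an added example, not from the slides or from HP: a small Python policy engine that evaluates each inventory snapshot against a set of rules and reports drift between two snapshots, so that a resource created an hour after the last audit is caught at the next run. The resource fields, the rule names and the two snapshots are constructed for the example; the rules are illustrative stand-ins, not the actual GLBA, HIPAA, ITAR or EU controls.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """One entry from a cloud inventory snapshot (field names are assumptions)."""
    rid: str
    kind: str                      # e.g. "storage", "vm"
    region: str
    encrypted: bool
    public: bool
    data_class: str = "internal"   # e.g. "eu-personal"


# Policy rules: name -> predicate that returns True when the resource complies.
# Illustrative only; real rules would map to the specific regulation's controls.
RULES = {
    "storage-encrypted-at-rest": lambda r: r.kind != "storage" or r.encrypted,
    "storage-not-public": lambda r: r.kind != "storage" or not r.public,
    "eu-personal-data-in-eu": lambda r: r.data_class != "eu-personal" or r.region.startswith("eu-"),
}


def evaluate(snapshot):
    """Return the set of (resource id, rule name) violations in one snapshot."""
    return {(r.rid, name) for r in snapshot for name, ok in RULES.items() if not ok(r)}


def drift(previous, current):
    """Compare two snapshots: new findings, resolved findings, created and deleted resources."""
    prev_f, cur_f = evaluate(previous), evaluate(current)
    prev_ids = {r.rid for r in previous}
    cur_ids = {r.rid for r in current}
    return {
        "new_findings": sorted(cur_f - prev_f),
        "resolved": sorted(prev_f - cur_f),
        "created": sorted(cur_ids - prev_ids),
        "deleted": sorted(prev_ids - cur_ids),
    }


# Constructed sample snapshots, taken an hour apart.
T0 = [
    Resource("bucket-eu-1", "storage", "eu-west-1", encrypted=True, public=False, data_class="eu-personal"),
    Resource("vm-42", "vm", "us-east-1", encrypted=True, public=False),
    Resource("bucket-logs", "storage", "us-east-1", encrypted=False, public=False),
]
T1 = [
    Resource("bucket-eu-1", "storage", "eu-west-1", encrypted=True, public=False, data_class="eu-personal"),
    # bucket-logs was fixed between the two runs
    Resource("bucket-logs", "storage", "us-east-1", encrypted=True, public=False),
    # bucket-tmp appeared after the last run: unencrypted, public, and holding EU personal data outside the EU
    Resource("bucket-tmp", "storage", "us-east-1", encrypted=False, public=True, data_class="eu-personal"),
]

if __name__ == "__main__":
    print("findings at T0:", sorted(evaluate(T0)))
    print("findings at T1:", sorted(evaluate(T1)))
    for key, value in drift(T0, T1).items():
        print(f"{key}: {value}")
```

Run against the constructed snapshots, the drift report shows the resolved `bucket-logs` finding, three new findings on `bucket-tmp`, and the deleted `vm-42`; a monthly audit of `T0` alone would have seen none of that. In practice `T0` and `T1` would come from the provider's inventory API and the report would feed a ticketing or SIEM pipeline.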
- 27.
Are we secure?
Continuous security monitoring
Ongoing auditing & management
- 28.
What about infrastructure and network security?
• Infrastructure and network security are critical areas for cloud-based solutions
• Enterprises have little or no influence on a provider’s implementation and controls in these areas
• A thorough review of the service provider’s policies should be completed as part of the due diligence process during contract negotiation and service sourcing
- 29.
5 key ways to reduce risk
1. Understand your risk profile
2. Architect for the cloud
3. Robust identity, access management
4. Confirm legal, compliance obligations, due diligence
5. “Clear Responsibility” – CSP, Customer, Both
- 30.
Cloud security: guidance for critical areas
Architecture
1. Cloud computing architectural framework
Governance
2. Governance and enterprise risk management
3. Legal issues: contracts and electronic discovery
4. Compliance and audit management
5. Information management and data security
6. Interoperability and portability
Operations
7. Traditional security, business continuity, and disaster recovery
8. Data center operations
9. Incident response
10. Application security
11. Encryption and key management
12. Identity, entitlement, and access management
13. Virtualization
Security for the cloud
http://cloudsecurityalliance.org/
https://ccsk.cloudsecurityalliance.org/
- 31.
Final thoughts
• Recognize the threats have changed and become ‘industrialized’
• Employ a comprehensive and integrated approach to enterprise security & risk management
• Conduct security threat analyses for all critical applications
• Design in security from the beginning: essential for public cloud usage
• Be vigilant: continual compliance monitoring and audits, intrusion testing, verifiable backups…
- 32.
Thank you
Whitepaper: bit.ly/hpcloudsecurity
Email: ed.reynolds@hp.com
URL: hp.com/enterprise/security